[CentOS] CentOS fileserver migrating to ZFS appliance

John R Pierce pierce at hogranch.com
Sat Nov 26 01:10:08 UTC 2011


On 11/25/11 4:50 PM, Alan McKay wrote:
> Hmmm, I probably know what the answer will be, but I could always ask
> the hospital to let me connect it to the domain.   Though that could
> present security risks that I don't want to deal with.

yes, that is the answer, and actually, no, there are no security risks.
your server will just be using the domain to authenticate windows users,
and they'll see it as a 'single sign-on' same as any other "windows"
server.   other authentication, like local unix administration, NFS
users will proceed the same as before.

to 'join the domain', the windows domain admins will just need to create 
a computer account for your server, and then it 'joins' the domain, this 
involves an automated private key exchange sequence... it can be done 
several different ways, at the whims of your windows domain admins.   
one method, a domain admin needs to enter his domain credentials 
(domainname\username, password) once into your server, and it joins (the 
admin credentials are only used once and not saved).   the other method, 
they precreate the computer account on the domain, and you then join 
your host and it exchanges those keys previously mentioned.

this establishes a limited 'trust' relation, where basically your server 
trusts the domain server(s) to do windows user authentication, and the 
domain servers allow your windows server to do this.   nothing else.   
it's actually all quite well thought out, based on Kerberos and LDAP.

-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast



