Windows 2000 Directory Support While Keeping Unix? 155
"Although our group has historically been able to control its own authentication and name services, our agency, together with some other affiliated entities, has begun to develop plans for the deployment of W2K and Active Directory, agency-wide, and we are beginning to hear noises about the possibility of it being implemented in a configuration that would move that control outside of our group for the first time. Given that we are the only dyed-in-the-wool Unix shop anywhere in sight, we're not counting on Unix-specific concerns carrying much weight in this discussion. FWIW, "Unix" in this case is mostly Solaris/SPARC, with a growing Linux and BSD flavor, both also on SPARC as well as x86.
Now, to get to the point, I have the following serious questions to which informed answers would be tremendously useful right about now:
- It is my impression, which may be incorrect, that (a) a W2K workstation using Active Directory services cannot directly access old, NT4-style SMB shares, and (b) neither Samba (at least any stable releases thereof) nor any commercial SMB-on-Unix implementations (not that I'd be at all happy to ditch Samba) is able to export Unix filesystems via the new, W2K-style protocol, or at least not in any way that would provide "seamless integration" with W2K clients that also needed to access AD/W2K-based resources. From these impressions I would conclude that AD-infected W2K workstations cannot be made to access Unix-native filesystems via SMB. Is this correct? If there are inaccuracies in this, or if it's "not really that simple", I'd love to know the details.
- It is unclear as yet whether we would somehow be forced to use AD/W2K-based name and authentication services for our Unix machines. Potentially, for authentication we could use the vanilla Kerberos interface in AD. However, for name and directory services to work fully, we are likely to need to be able to store RFC 2307-compliant data in the AD LDAP. So, leaving aside the question of whether we would even be allowed to store the RFC 2307 data in the agency's AD, are these things possible or practical?
- One concern we have about AD is the likelihood that we may have to use a subtree of the central AD for our group. In this event, we expect that some sorts of access and control are likely to propagate down from the top of the tree, and that we may ultimately not be able to have the final say over who has what permissions with respect to the resources supported by our group. Not to be territorial, but this raises some significant security concerns in that some of the data we process is quite sensitive (e.g. respondent-level survey data -- can you say "privacy concern"?) and the auditors will want to see assurances that access and distribution are properly controlled within our group. Is this a legitimate concern about a centrally-controlled AD? Are there some AD configurations that are less troublesome than others in this regard?
- Does anyone know of any other potential killer incompatibilities between AD/W2K and Unix that should be put on the table as we discuss our "requirements" (ha) with the central IT people who are trying to do this?
- Has anyone gone (is anyone going) through this who would be willing to share experiences?
For everyone who will no doubt respond to this by identifying all the better solutions that may exist, I'd love to do something like that -- we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control, and we may wind up stuck with the task of finding some way to salvage whatever we can of fifteen years of investment in a Unix-based solution. I'm just trying to understand the pitfalls a bit better before all this is set in stone.
Here are three previous /. items that seem most relevant, so you know that you don't have to point me to these."
Re:bloody macroshaft (Score:1)
Kerberos and LDAP (Score:3)
Re:bloody macroshaft (Score:1)
You fail to realize that that's as inevitable as death in most organizations.
--
A couple of things (Score:5)
1. There's no reason why a workstation participating in an Active Directory domain shouldn't be able to access older style NT or Samba shares. There are a few departments where I work that have (stupidly) deployed Active Directory, but it hasn't affected their access to our NT 4 file server. Well, except that they have no idea what they're doing, so that gets them sometimes :)
2. Using Kerberos in Win2k should work, as long as any Unix Kerb5 servers are slaves to the 2k server. From my reading, any attempt to use the AD LDAP for anything else is doomed to failure. Microsoft is supporting heterogeneous environments only to the extent that it moves people to their software, so they won't make it easy to maintain support of Unix systems.
3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.
5. We've been going through the preliminary planning of rolling out AD in our mixed environment (NT, Solaris, Netware), and while it's been ugly, it doesn't seem hopeless. Services for Unix 2 promises a lot (password sync among them), and if it can deliver, then integration becomes that much easier. Just keep in mind that any Microsoft solution is offered with the intention of burying your Unix boxes.
Re:bloody macroshaft (Score:3)
Win2K is a fine gaming platform. Multiprocessor support and DirectX for games that don't run in an OpenGL mode. It has no other good uses. There is a better alternative for every other task you might want to do with a computer.
Aww..do I have to? (Score:3)
Pitfalls in SMB... (Score:2)
Re:Kerberos and LDAP (Score:4)
See http://slashdot.org/articles/00/06/28/0042228.shtml [slashdot.org] for recent SlashDot discussion.
I don't know the details but there are problems (Score:4)
It is a great article separate from problems with win2k.
Leknor
http://Leknor.com [leknor.com]
Re:A couple of things (Score:1)
Why are you not deploying NDS into unix and NT?
Re:A couple of things (Score:2)
If you can get yourself a child domain then you're even more autonomous than just having an organizational unit.
Re:A couple of things (Score:2)
-jeff
Re:I don't know the details but there are problems (Score:2)
Leknor
http://Leknor.com [leknor.com]
Novell has some links (Score:3)
An older one [novell.com].
Some old benchmarks [slashdot.org].
BTW sales of Win2K have been abysmal. A fact you don't hear much about, but which lies behind some of Microsoft's actions. (Trying to squeeze more revenue from existing streams.) Go out and look for yourself for some links on that (unfortunately not well enough publicized) story.
Cheers,
Ben
The only solution is to educate management (Score:5)
And therein lies the problem. Management need to be made forcefully aware that the agency is not a Windows only shop, and that proposing Windows only solutions like this is a road to ruin. Sure, you may only be a minority, but they need to know that you cannot integrate with their solution without (at the very least) significant work. They need to know what the impact of alienating your department will be on the agency as a whole. Like it or not, management are stupid. Sure there are a few exceptions, but on the whole, it's a good approximation. I once worked at a company where management decreed that all corporate email should be handled by exchange and outlook. Only after buying the servers, and doing an initial roll out to some PCs did they realise that 30% of the desktops ran SunOS or Solaris on Sparc hardware... Management don't understand technological issues like these, and they need to have them explained.
Re:A couple of things (Score:1)
3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.
And the higher level administrator can also choose to override your block. That still gives them complete authority on the permissions and policies. Just be aware of that.
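The two posts above make one security-relevant point together: an OU admin can block inheritance, but the admin above them keeps the authority to undo that block. The following is an added toy model of that rule, not AD's actual ACL code: rights flow down until a container is marked protected, while the authority to edit a container's ACL (here called "write_dac") is modelled as held by anyone granted it on the container or any ancestor, which is the behaviour the reply describes. In real AD the equivalent levers are object ownership and the explicit Domain Admins entries present on every object; container names, principals and right names are constructed.

```python
"""Added example (not from the thread): toy model of directory permission
inheritance, inheritance blocking, and a higher-level admin's override."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass
class Container:
    """An OU, or the domain root when parent is None."""
    name: str
    parent: Optional["Container"] = None
    # principal -> rights granted directly on this container
    aces: Dict[str, Set[str]] = field(default_factory=dict)
    # True = "block inheritance": nothing from the parent flows down
    protected: bool = False

    def grant(self, principal: str, *rights: str) -> None:
        self.aces.setdefault(principal, set()).update(rights)


def ancestors(c: Optional[Container]) -> Iterator[Container]:
    """Yield c, then its parent chain up to the root."""
    while c is not None:
        yield c
        c = c.parent


def effective_rights(c: Container, principal: str) -> Set[str]:
    """Rights that apply on c: its own ACEs plus inherited ones, stopping
    at the first container whose inheritance is blocked."""
    rights: Set[str] = set()
    for node in ancestors(c):
        rights |= node.aces.get(principal, set())
        if node.protected:
            break
    return rights


def can_edit_acl(c: Container, principal: str) -> bool:
    """Modelled authority over c's ACL (including the protected flag):
    the block filters what flows down, but it does not remove the
    parent admin's hold on the container object itself."""
    return any("write_dac" in node.aces.get(principal, set()) for node in ancestors(c))


def set_protected(c: Container, actor: str, value: bool) -> bool:
    """Attempt to toggle inheritance blocking; returns whether it was allowed."""
    if not can_edit_acl(c, actor):
        return False
    c.protected = value
    return True


def scenario() -> Tuple[Set[str], Set[str], bool, Set[str]]:
    """Constructed scenario: a Unix group OU under an agency root."""
    root = Container("DC=agency")                       # constructed name
    root.grant("Domain Admins", "read", "write", "write_dac")
    ou = Container("OU=UnixGroup", parent=root)         # constructed name
    ou.grant("UnixAdmins", "read", "write", "write_dac")

    before = effective_rights(ou, "Domain Admins")      # inherited from root
    assert set_protected(ou, "UnixAdmins", True)        # OU admin blocks inheritance
    blocked = effective_rights(ou, "Domain Admins")     # now empty on the OU
    overridden = set_protected(ou, "Domain Admins", False)  # parent admin undoes it
    after = effective_rights(ou, "Domain Admins")
    return before, blocked, overridden, after


if __name__ == "__main__":
    print(scenario())
```

The model shows what an auditor would ask about: blocking inheritance empties the parent's effective rights on the OU, yet the parent admin can still clear the block, so the block is a convenience boundary rather than a trust boundary.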
NDS? (Score:1)
Re:ignore it... (Score:2)
Paper title (Score:2)
G.H.
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
-- A Thinking Man's Creed for Crypto
Re:ignore it... (Score:1)
Some thoughts, notes... (Score:3)
There is interesting technology in Active Directory. It is an interesting project to attempt to provide these services without requiring the use of a Windows 2000 server infrastructure. I can't say I'm doing an awful lot to help in this regard presently, but I've made some notes, and you can check them out at http://www.padl.com/~lukeh/XAD/white_paper.html [padl.com]. The SAMBA people are probably most active on this front.
To answer some of your questions: I believe W2K can access old SMB-style shares. After all, it wouldn't make sense for it not to work with NT 4 shares. I expect the "new" SMB is wrapped in the Kerberos SSPI (wire-compatible with the Kerberos GSS-API mechanism). Regarding storing RFC 2307 information in AD, good luck. Microsoft have made some modifications to the schema in order to support various "features" of Active Directory, such as the lack of support for multi-valued naming attributes, auxiliary classes not being listed as values of the objectClass attribute, some attribute type conflicts with RFC 2307, etc. Microsoft have an "embraced and extended" version that ships with Services for UNIX, but this isn't plug-and-play with existing RFC 2307 clients unless they support on-the-fly attribute mapping.
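The post above ends on "on-the-fly attribute mapping" and lists the three things that break it: renamed attributes, auxiliary classes missing from objectClass, and attribute-type conflicts. The following is an added example, not the poster's or PADL's code, of what such a mapping layer has to do before an AD entry can feed an NSS-style passwd lookup. The AD-side attribute names beginning with "vendor" are constructed placeholders for whatever the deployed schema extension uses; only the right-hand names are RFC 2307.

```python
"""Added example (not from the thread): map an AD entry with vendor-specific
attribute names onto RFC 2307 posixAccount attributes and render a
passwd(5) line, checking the pitfalls the post lists."""
from typing import Dict, List

LdapEntry = Dict[str, List[str]]

# Constructed mapping: AD-side attribute name -> RFC 2307 attribute name.
SFU_TO_RFC2307 = {
    "sAMAccountName": "uid",
    "vendorUidNumber": "uidNumber",          # placeholder name
    "vendorGidNumber": "gidNumber",          # placeholder name
    "vendorHomeDirectory": "homeDirectory",  # placeholder name
    "vendorLoginShell": "loginShell",        # placeholder name
    "displayName": "gecos",
}

REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")
SINGLE_VALUED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos")


def map_entry(entry: LdapEntry, mapping: Dict[str, str] = SFU_TO_RFC2307) -> LdapEntry:
    """Return a copy of entry using RFC 2307 attribute names.

    AD may omit auxiliary classes from objectClass, so posixAccount is
    asserted once the required attributes are present instead of being
    trusted from the directory."""
    out: LdapEntry = {}
    for attr, values in entry.items():
        out.setdefault(mapping.get(attr, attr), []).extend(values)
    missing = [a for a in REQUIRED if not out.get(a)]
    if missing:
        raise ValueError(f"entry lacks RFC 2307 attributes: {missing}")
    for attr in SINGLE_VALUED:
        if len(out.get(attr, [])) > 1:
            raise ValueError(f"{attr} must be single-valued, got {out[attr]}")
    classes = {c.lower() for c in out.get("objectClass", [])}
    if "posixaccount" not in classes:
        out.setdefault("objectClass", []).append("posixAccount")
    return out


def passwd_line(entry: LdapEntry) -> str:
    """Render a mapped entry as a passwd(5) line, refusing field values that
    would corrupt the line (':' or newline) and non-numeric ids."""
    def one(attr: str, default: str = "") -> str:
        values = entry.get(attr, [])
        value = values[0] if values else default
        if ":" in value or "\n" in value:
            raise ValueError(f"illegal character in {attr}: {value!r}")
        return value

    uid_number, gid_number = int(one("uidNumber")), int(one("gidNumber"))
    if uid_number < 0 or gid_number < 0:
        raise ValueError("uidNumber/gidNumber must be non-negative")
    return ":".join([one("uid"), "x", str(uid_number), str(gid_number),
                     one("gecos"), one("homeDirectory"), one("loginShell", "/bin/sh")])


# Constructed sample entry, shaped like an AD search result.
SAMPLE_AD_ENTRY: LdapEntry = {
    "objectClass": ["top", "person", "user"],   # note: no posixAccount listed
    "sAMAccountName": ["jdoe"],
    "vendorUidNumber": ["10042"],
    "vendorGidNumber": ["100"],
    "vendorHomeDirectory": ["/home/jdoe"],
    "vendorLoginShell": ["/bin/ksh"],
    "displayName": ["Jane Doe"],
}

if __name__ == "__main__":
    print(passwd_line(map_entry(SAMPLE_AD_ENTRY)))
```

A real client would take the mapping table from configuration rather than a constant, and would apply the same single-valued and character checks to group entries before emitting group(5) lines; the checks matter because a directory-side edit to a gecos or home field is otherwise a way to inject extra passwd fields.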
If you have no control, you have a problem anyway (Score:1)
Disclaimer: I don't know much about Active Directory other than that Micros~1 claims it can speak LDAP.
My point is that if you don't have any control over a 'central' Directory Server, you have a problem no matter what the type or brand of the server software.
I assume that AD gives the administrator control over the schema. If AD doesn't support an RFC2307-compatible schema, the administrator can always implement it for you.
Re:bloody macroshaft (Score:1)
The SIMS: I get no Sound.
Half-Life: OpenGL isn't too good (I think it's a Driver Issue). So I use DX; and sometimes my Screen goes black and there's no way to recover except to kill hl.exe
And lastly some Apps Can't handle the Multi-user aspect, and refuse to run (eg, Palm Desktop).
Re:A couple of things (Score:2)
Like I needed any more reasons not to use it..
Re:The only solution is to educate management (Score:1)
AD native or compatible ... (Score:4)
What I DO KNOW is that the active directory can be run in 2 modes: native and mixed. In native mode it will of course deny anything that is not active directory compatible. In mixed mode it's supposed to let you work with older NT stations and servers/domain controllers. (Of course there are some features that require native mode to help force you a bit more towards it and once you're in native mode you can't go back to mixed either ;)
About authentication, you'll have to check whether your Kerberos implementation is compatible with the one Microsoft is using and you'll also have to see whether your systems support the SVC records inside DNS. (Here are some RFCs that they refer to: RR records RFC2052, Dynamic DNS update RFC2136/RFC2137)
As for accessing data that is in the AD you'll have to figure out how to do it via LDAP I suppose.
Hope the above helps a bit. Unfortunately I'm no expert in these matters.
Re:Novell has some links (Score:1)
I'm not surprised about the poor sales; the bug list and stability problem reports have preceded the marketing efforts in most big shops. M$ has yet to demonstrate (not TALK ABOUT but DEMONSTRATE) a real good reason for any of their big clients (I work for one) to "upgrade."
So here we still sit with probably (at least in my little hole) 15 NT4 servers and six HPUX machines. And a dozen or so NT4 workstations. And IT won't let management buy W2K to install on the NT4 boxes...probably one of their best decisions to date. 'Nuff said.
Re:The only solution is to educate management (Score:1)
W2K with Samba (Score:2)
This is my vote, too (Score:2)
You've got to get ahold of the techies yourself--don't let management be the conduit for technical decisions. You still have to explain the issues to management so that they can mandate the discussion take place--but when the discussion happens management's only role should be as arbiter.
--
Re:I got a cold (Score:3)
Insightful?!
Did you read what bob was asking? Let me snip the bit so it's easy for you: "...we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control.."
So, um, OpenLDAP is great and all, but he's talking about SOMEONE ELSE deploying AD and he has to adapt to it.
Re:A couple of things (Score:2)
Re:bloody macroshaft (Score:1)
Not had your coffee yet? (Score:1)
Re:ignore it... (Score:1)
Someone above him has decided that w2k is the way to go and he wants to be able to keep his unices while connecting to the active directory.
So if it's NFS or something else that isn't AD compatible, it's not usable.
Re:A couple of things (Score:1)
How to deal with the government (Score:5)
The government works like a large boulder rolling down the hill. You can't stop it but you can change its direction if you push it at the right time and place.
Years ago I used this while working for DISA (DIMA's parent, they control the IT for the AF, as well as the Army, Navy etc in theory). DISA had decided that GOSIP email was the one true way and nothing was going to change that. Ok fine. It's a messed up version of X400 based on some of the worst code I have ever seen. I attended lots of meetings where lots was discussed but nothing was ever done. At the time I managed a large email system that involved some 87,000 users over 12 main systems. It was the largest system of its kind in the government. From what I had learned while working at SCS, I did the only reasonable thing which was to ask a Col if I could make a change to the proposed migration document. I changed one line to allow both X.400 migration system as well as SMTP migration. That got included in the main document, which became the long term plan and now thanks to cut and paste into other docs, fully allows SMTP as valid part of the GOSIP systems.
One edit and I killed X.400. Not bad for government work.
Re:bloody macroshaft (Score:1)
My screen goes black on the menu - never in the game.
I should've specified that, yes, the screen goes black on the menu. On occasion, it happens if it fails to connect to a server. It never happens in-game.
W2K Pro is compatible with Samba (Score:3)
I am the administrator for a computer science lab that has workstations that dual-boot Windows 2000 Professional and RedHat Linux 6.2. I run two servers in the lab: Win 2000 Server and RedHat Linux 6.1. The Linux server exports its home directories via both NFS and Samba. The Windows 2000 Professional workstations are able to connect to Samba shares on the Linux server without any difficulties.
The Windows 2000 Professional workstations are also able to connect to shares on NT 4 servers.
Hope this helps.
Re:bloody macroshaft - probably OT (Score:1)
You're telling me? I'm still waiting for 4 Speaker output on the Trident 4DWave NX (from Hoontech)which I had under NT4.
I may break down and buy a SB Live if this doesn't get fixed very soon.
Give 'em enough rope (Score:2)
My own (possibly inappropriate) response would be to counsel against a blind W2K roll-out. If your group is autonomous, there's probably a reason, and it should stay that way.
Next, allow them to deploy W2K. Watch in horror as your group implodes, losing valuable apps, churning out incorrect data, etc.
Wait a little longer, until your group is nothing more than a flaming wreck.
Then call in Congress!
I tell you, there's nothing Congress likes more than the opportunity to investigate/gang-rape government agencies. Ideally, your management will have themselves raked over coals in front of some subcommittee, with a Senator screaming at them. You'll never hear about W2K again, provided that your group can survive this long in a dysfunctional state.
Of course, this all assumes that you're willing to destroy your own agency/group. It also assumes that your group is actually doing something valuable, but not TOO valuable.
And, as always, I could be wrong.
Re:The only solution is to educate management (Score:2)
Surprise (Score:1)
Re:bloody macroshaft - probably OT (Score:1)
This all is due to the fact that Creative doesn't LISTEN to Microsoft when it comes to driver specs for Win2k. Dumbasses.........
Re:AD native or compatible ... (Score:1)
"In native mode it will of course deny anything that is not active directory compatible. In mixed mode it's supposed to let you work with older NT stations and servers/domain controllers. (Of course there are some features that require native mode to help force you a bit more towards it and once you're in native mode you can't go back to mixed either ;)"
Thanks, this is where I keep getting crossed signals. I am assuming some sort of native-mode roll-out, largely because many of the arguments I hear in favor of a W2K/AD implementation are things that only work in native mode. So if it turns out that we do face a native-mode implementation, what does this say about the ability for having workstations mount both W2K and Samba shares?
Some experience (Score:1)
Hey Captain TunnelVision, (Score:2)
B) You forgot to finish off your sentence so allow me to do the honour: "It has no other good uses [for a person like me who is blinded by zealotry]."
I have a GNU/Linux box and a win2k box running side by side on my desktop. I use the GNU/Linux box for all server type things/webdev/coding etc, and I use the win2k box for graphics work in 3DSMax, Photoshop and Illustrator. Both machines do a fantastic job and I really can't complain.
I suggest you redirect some of that boundless energy you seem to have for analyzing all Microsoft's faults and apply it to a worthy open source project.
Re:AD native or compatible ... (Score:1)
Re:Aww..do I have to? (Score:1)
Re:This is my vote, too (Score:1)
Trust the man, he does not have a chance. I've worked for state (3 years) and federal agencies (census work), and in industries regulated by federal agencies (2 years). State could be bad, but federal is out of control.
Re:How to deal with the government (Score:1)
Remember, this is the same group who also wanted ALL programming done in Ada for about five years. If it's good enough to fly a missile, it's good enough to handle an accounting system.
This is also the same group that mandated POSIX (UNIX and X-Windows) for all desktop systems. In hindsight, this might not have been too bad. At the time, however, the industry was moving in a decidedly different direction.
The US Govt, and DoD in particular, has a long history of heading down the wrong path with IT solutions.
This doesn't help much, but.... (Score:1)
Axel
Re:A couple of things (Score:4)
What I do is delegate authority to an Organizational Role, add the OU admin and the other higher-level admins to the OrgRole, and then grant the NDS rights to the OrgRole. The key thing here is to create the OrgRole above the OU in question so that you can't be blocked out.
Blocking higher level admins is a nice ability, but unless you have 100% trust in your downstream admins you can end up causing more problems than solutions. When I took NDS classes, the instructor spent a good deal of time recounting examples from the consulting side of the education company's business of when this had gone sorely wrong -- high level OUs with hundreds of users and other objects left unmanageable.
What lots of big organizations that want autonomy do is create separate trees. The downside to doing this is that there's no way to create trust relationships between trees, which I think is a failing (along with the inability to make OUs a member of a group..).
-NDS user
Re:bloody macroshaft - probably OT (Score:1)
I'm curious though, which card would you recommend? All I want is 4 speaker output, and Linux and Win2k compatibility.
I know it's supported in the 2.4.0-test kernels, but I have yet to try the 4Dwave under linux.
Re:Kerberos and LDAP (Score:1)
"Me fail English? That's umpossible!" - Ralph Wiggum
(not a spelling nazi, just a Simpsons fan)
Re:I don't know the details but there are problems (Score:3)
Thanks. BTW, since posting the initial question above, I found another interesting item at the Computer & Communications Industry Association [ccianet.org]: Microsoft Windows 2000: Blueprint for Domination [ccianet.org].
Re:The only solution is to educate management (Score:2)
Indeed. That's something that I forgot to say. Put your objections to management in writing. That way, you know that management are aware of the problems with their chosen route, and furthermore, you can prove it. If you have an email system that supports delivery notification, use that -- and don't forget to cc a copy to an external address too. I've seen email systems that conveniently managed to "lose" potentially damaging messages...
SMB shares are backwards compatible (Score:2)
As far as the AD goes, we tried to get Linux to talk with our Win2K domain controller and access the AD, but alas it never did work. Win2k's ldap implementation is standard, everything seemed to work according to spec, *except* the weird Kerberos authentication. So if we could have gotten the win2k ldap server to let us authenticate and connect we could have done anything we wanted to, but it never happened.
Hope that helps a bit.
Re:Amazing (Score:1)
Slashdot.org is unfortunately home to more IT ignorance than just about any other site on the internet. Haven't figured out why I read it. I guess perhaps it makes me realize just how much I do know.
My varied experiences... (Score:1)
Now the real fun begins, and when you set this up, make sure you document it so you get it right every time. First, create a user on the PDC. In a mixed UNIX/Windows environment, keeping home directories and profiles on a SAMBA enabled server is best, because you can export them via SAMBA or NFS.
Anything that supports PAM can authenticate against the PDC. (Even a w2k controller as long as it's running in mixed mode.) Create UNIX accounts like this: adduser --disabled-password username. What's the point of setting a local password, you're not going to use it anyway...
Now your PAM module. pam-smb-auth works well for the basics. (Shell logins etc) but doesn't do much besides ask the PDC for a yes or no. pam-ntdom is based on pam-smb-auth but is extended for NT domains. (It can understand some of the domain security and such.) Use security = DOMAIN for samba and you shouldn't have to worry about accessing SAMBA shares and PAM modules for samba.
w2k accesses SAMBA shares just fine. I had an issue with updating the roaming profiles, time on the file server was not in-sync with time on the client.
Hope that helps a little...
Re:The only solution is to educate management (Score:1)
Well, we're doing what we can in this regard, but it is always a balancing act. The most important thing is to make sure that one has facts to present -- suspicions and FUD won't do it.
Re:bloody macroshaft - probably OT (Score:1)
"management are stupid" (Score:1)
Besides all you have to do to stop a rollout to win2k is put a total cost of ownership in front of them for the 1st year... at 250-400 a desk most CFOs will laugh crazily and then say no.
---
Solaris/FreeBSD/Openstep/NeXTSTEP/Linux/ultrix/OS
Re:A couple of things (Score:1)
Re:Alone? (Score:1)
Re:This doesn't help much, but.... (Score:1)
NIS pales in comparison to *anything*. The fleas on a dead goat would implement a better directory service than NIS. It's more sucky than a very sucky thing.
It should have been brutally killed a long time ago, as should NFS.
Bastards.
Re:bloody macroshaft - probably OT (Score:1)
Re:A couple of things (Score:4)
Whatever: the point is you want everything in a directory, and you want everything in a single directory.
However let's say, there is some kind of really top secret group, or project or something - new products or a security force, or internal affairs in a police department. Now, you've set up NDS either physically, or logically, but either way there are things that are defined in a higher level that you want to flow down. Everybody gets Netscape in ZEN, everybody in bldg 17 gets access to some printer. However, since this particular group is anal about security, they want their own container admin, and don't want higher level admins inheriting rights. Your building admin can still define ZEN profiles, and printers (and groupwise routing rules, and......) but they don't have access to the sensitive information in that container.
So you can have it both ways, a single directory, with inherited profiles for (whatever), and a secure container.
NDS has been around for 7 years. It's proven to work, and proven to work with insanely large trees. ADS is brand spanking new, unproven, and built on flaky grounds (it runs on JET - the DB backend designed for Access). ADS runs on Windows. NDS runs on Netware, NT, win2k, solaris, linux, AIX, OS/390, and Tru64.
NDS - ADS comparison [novell.com]
Re:Novell has some links (Score:2)
BTW sales of Win2K have been abysmal. A fact you don't hear much about, but which lies behind some of Microsoft's actions. (Trying to squeeze more revenue from existing streams...
Unfortunately many of the military installations, AFAIK, are still going to be switching to Win2K. On a positive note, I have also heard rumors floating about of certain "forces" pressing to get a more secure OS installed that will also run on the older systems...anyone dare to guess what OS that may be? (wink, wink; nudge nudge)
Unix Services for Windows (Score:1)
Currently we have W2k workstations running in a NT environment, and recently put a NFS gateway on the NT server to map NT shares to NFS mounts. Most of my users don't even know they are updating web pages on a UNIX webserver. In the end they don't care.
Although I have a love/hate relationship with MS, their recent attempts to integrate with UNIX environments is well done. Have you seen IE5 for Solaris & HP-UX?
Security should be a concern with ADS (Score:3)
Although it reads a little bit like a pro-Netware column, the article at: http://www.novell.com/competitive/nds/security.html [novell.com] gives specific steps (with pictures) on how to exploit ADS to gain access to sensitive information in a branch below you.
Hope it helps.
"Although I am no longer needed, I am still tolerated. I am deprecated." -.DM.
Just Brainstorming... (Score:1)
Well, you _could_ damn the uberserver... (Score:1)
Consider laying hand on as much information as you possibly can (without being noticed) about the AD uberserver, any backups/slaves to it, and also nodes close to the AD root in other (-: rival?
After the luvverly Microsoft intranet has been raped silly a few times (do any of those agencies have MS-SQL installed?), they might not be so happy about making it universal.
Then might be a good time to point out that your Unix network has not only never been raped, it's never been seriously proposed to, and offer to share your expertise amongst those poor unfortunates with the legacy operating system infection.
If you're sure of your security, be careful to also include some numbers for your own systems in the leaked info, so that the absence is not noted. It would also make the subsequent baptism-of-fire somewhat more even-handed.
Re:A couple of things (Score:1)
Anyway, we don't hear from too many people actually running AD to find out what works and what doesn't. We're going to test it out, if anything to salvage a little manageability out of the random NT stuff around here that's done up Workgroup style (I dislike the domain model enough to not use it all).
Re:Security should be a concern with ADS (Score:1)
Re:How to deal with the government (Score:1)
Re:W2K with Samba (Score:1)
Re:W2K Pro is compatible with Samba (Score:2)
Cisco is porting AD to UNIX (Score:1)
Money (Score:1)
Actually seeing how much money their actions and/or policies piss away may even give a bureaucrat pause.
Then again, they may try to ignore it.
If they do, you can keep bringing it up and hope that someone cares about waste in government, though that may wear on you.
Fight the good fight,
Troy
Re:Kerberos and LDAP (Score:1)
"Me fail English? That's umpossible!" - Ralph Wiggum
(not a spelling nazi, just a Simpsons fan)
name services (Score:1)
Re:The only solution is to educate government (Score:2)
This whole things sounds like a good example of why we should encourage our government to require its own use of open standards and open data formats.
I don't like my tax money wasted on excessive PC support costs and data trapped within Office files.
A directory story (Score:2)
Re:Linux threatened by progress, read all about it (Score:1)
Maybe something interesting (Score:1)
-mj
Re:How to deal with the government (Score:1)
Try another directory services (Score:1)
What's more, AD is really a pain at larger distances and with high amounts of objects in single directory. You should really try to consider someone who is not a newbie to directory services like MS and who has no reasons to leverage only their own platform by their products.
Linux ADSI + Add-in for NT Workstation to use AD (Score:3)
From the MS ADSI website [microsoft.com]
Getting and Using ADSI Providers
The standard Active Directory Service Interfaces objects, or providers, are found within multiple namespaces, typically directory services for various network operating systems. Providers enable communication between the server or client. ADSI 2.5 includes providers for:
And the real solution to the problem is getting someone to write an ADSI provider for Linux. So if you are inclined, HERE'S THE DEVELOPER KIT [microsoft.com].
Or, Download someone else's provider HERE [newmail.ru] or HERE [swsoft.mipt.ru]
How to integrate Win2K AD with your MIT KDC (Score:2)
I found the 4 places in MIT's KDC where I needed to create an 'exit' (principal create, update, delete, passwd-change). At these points I call out to an external program (I wanted to modify the KDC itself as little as possible). The external program encrypts a command like
create <principal> <password>
and sends it to a daemon running on the Win2K Domain controller. This daemon does a lookup to our X.500 server to get the 'name/addr/etc' stuff and then uses Win2K calls to add the user into Win2K AD.
The user is prohibited from changing their Win2K password, they must either change it in Unix, or on a SSL-web page -- both of these update Kerberos which reflects the change back into Win2K -- also they can use a 'win2k kpasswd client' too (but that could be improved).
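The exchange described in the post above, written out as an added example with both sides present; it is not the poster's code. The KDC-side exit builds a command naming one of the four hook points (create, update, delete, passwd-change), and the receiving daemon on the Windows side validates it before touching the directory. The post says the command is encrypted; the standard library offers no authenticated encryption, so this example authenticates each message with an HMAC-SHA256 tag and a strictly increasing sequence number (which also defeats replay of an earlier command) and assumes the bytes travel over a TLS-protected socket, which is not shown. The shared key, realm, principal names and the in-memory stand-in for the AD calls are all constructed.

```python
"""Added example (not from the thread): authenticated command exchange
between a KDC-side exit hook and a Win2K-side provisioning daemon."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # placeholder; provision out of band
OPS = {"create", "update", "delete", "passwd"}       # the four hook points in the post


def build_message(op: str, principal: str, seq: int, key: bytes = SHARED_KEY,
                  password: Optional[str] = None, ts: Optional[int] = None) -> bytes:
    """KDC side: canonical JSON body, newline, hex HMAC tag over the body."""
    if op not in OPS:
        raise ValueError(f"unknown op {op!r}")
    body = {"op": op, "principal": principal, "seq": seq,
            "ts": ts if ts is not None else int(time.time())}
    if password is not None:
        body["password"] = password
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).hexdigest().encode()
    return encoded + b"\n" + tag


class ProvisioningDaemon:
    """Win2K side: verify the tag before parsing, reject replays and stale
    messages, and only then apply the command to the directory."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = 300) -> None:
        self.key, self.max_skew = key, max_skew
        self.last_seq = 0
        self.directory: Dict[str, Dict[str, bool]] = {}   # stand-in for AD calls
        self.rejected: List[str] = []

    def handle(self, wire: bytes, now: Optional[int] = None) -> bool:
        encoded, _, tag = wire.rpartition(b"\n")
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("bad tag")
            return False
        body = json.loads(encoded)
        seq, ts = body.get("seq"), body.get("ts")
        if not isinstance(seq, int) or seq <= self.last_seq:
            self.rejected.append("replay")
            return False
        now = now if now is not None else int(time.time())
        if not isinstance(ts, int) or abs(now - ts) > self.max_skew:
            self.rejected.append("stale")
            return False
        self.last_seq = seq
        return self._apply(body)

    def _apply(self, body: dict) -> bool:
        """Mirror the Kerberos change into the directory stand-in. The user
        keeps 'self_change_disabled' so only Kerberos drives the password."""
        op, principal = body.get("op"), body.get("principal")
        if op == "create":
            if principal in self.directory:
                return False
            self.directory[principal] = {"password_set": "password" in body,
                                         "self_change_disabled": True}
            return True
        if principal not in self.directory:
            return False
        if op == "delete":
            del self.directory[principal]
        elif op == "passwd":
            self.directory[principal]["password_set"] = "password" in body
        elif op != "update":
            return False
        return True


if __name__ == "__main__":
    daemon = ProvisioningDaemon()
    print(daemon.handle(build_message("create", "jdoe@EXAMPLE.ORG", 1, password="s3cret")))
```

Two design points worth keeping even with a different transport: the tag is checked before the JSON is parsed, so malformed or tampered input never reaches the parser, and the sequence number is persisted by the daemon so that a captured "create" or "passwd" command cannot be re-sent later.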
Samba? Really, use MS Services for Unix 2 (Score:2)
With Services for Unix 2 on an NT box, you can map all your unix users to your NT accounts (and vice versa) as well as map groups. It's a little quirky getting used to its ins and outs (Such as not being able to mount ANY directory which is not world-readable, you must mount a parent and then the security mappings take effect).
It uses NFS for its file transfer, which is _way_ more efficient, as well as easier to configure and organize across a span of servers. NIS + NT PDC using MS-SFU2 = rather respectable cross-platform accessibility, worlds ahead of what samba can('t) do.
sheesh... (Score:2)
Re:The only solution is to educate management (Score:2)
Tell them that unix is crucial for business in your department. Windows will be fine in other places, but "the right stuff for the executives isn't the right stuff for you"
Just as you don't make the truck drivers switch to the same trendy car the boss uses - because that doesn't make sense (it would be a nasty loss, the big trucks are their moneymaking tool.) And unix is your tool to get the job done. Standardizing the *office* on w2k may make sense, but not this "special operation."
Windows 2000 *IS* the problem ... (Score:2)
Windows 2000 is designed to market a Windows server-dependency. The IEEE Computer Society's latest August 2000 (Vol. 33, No. 8) Computer magazine featured an article called Windows 2000: A Threat to Internet Diversity and Open Standards? (PDF available to members here [computer.org]).
As such, you need to adopt a Windows server-free network. This includes holding off on Windows 2000 until either Samba supports its interfaces (will take some reverse engineering) or someone finds a way to have it use NIS/NIS+ for authentication -- e.g., NISGINA [ei.tum.de] does for NT 4.0. At my company, Theseus Logic [theseus.com], we use NISGINA instead of Samba TNG (just use regular Samba 2.0.7) to deal with authentication of NT 4.0 systems.
-- Bryan "TheBS" Smith
Re:bloody macroshaft - probably OT (Score:2)
Re:A couple of things (Score:2)
You may be the last person on this planet to understand that every community is a community precisely because they share some common ideals.
Get it now?
A Dick and a Bush .. You know somebody's gonna get screwed.
Re:Linux threatened by progress, read all about it (Score:2)
It died when MS gained a monopoly. Now inferior products are forced on unsuspecting people by stupid PHBs who read too many MS whitepapers.
A Dick and a Bush .. You know somebody's gonna get screwed.
Re:AD native or compatible ... (Score:2)
Several things happen when you change to native mode:
Domain controllers no longer support NTLM replication.
The domain controller that is emulating the PDC operations master can not synchronize data with a Windows NT BDC.
Windows NT domain controllers can not be added to the domain. (You can of course add new Windows 2000 domain controllers.)
Users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory and (with the proper authorization) can access resources anywhere in the forest. Although previous versions of Windows do not support the Kerberos V5 protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users or computers to access resources in any domain in the forest for which they have the appropriate permissions.
Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
Note that the only implication is that you can't use NT4-style domain controllers in your domain. That means Samba should still work fine as long as the DCs are Windows 2000.
Losing battle, sorry to say (Score:2)
In the Air Force, they call it Joint Technical Architecture - and while it includes unix today, it won't tomorrow.
In the Navy, they call it IT2000... it just as well should be called Windows2000.
DISA - Defense Information Service Agency - has a brilliant idea... make everyone fall under a single defense information infrastructure common operating environment - DII-COE - put all of our fscking eggs in one basket - which is held by Redmond.
http://diicoe.disa.mil/coe/
In short - i have seen all Mac communities, all NeXT communities, all SGI communities, and all Sun communities get their perfectly good computers tossed out, sent to DRMO (where you can get insane deals on hardware... buckets of Sun UltraSparcs for $50 a bushel, etc.).. all of them... packed up and shipped out for shitty fscking Compaq and Dell servers that give us nothing but the shits.
What people fail to realize is that in a lot of these kinds of communities, the people coming up now EXPECT computers to crash, to hang up, to fsck you over at any old time.. it's old hat, and it doesn't bother them.
And - i promise i'm NOT going Mulder on you - but i am convinced, beyond a shadow of a doubt that there is a good reason for it.
Someone is living in Redmond, and they don't work for Bill.. and the only way to assure that there are backdoors, ways in, and holes in security is to use this software, shit or not. I have seen grown up adults literally piss and moan that I couldn't demand a certain kind of projector, computer, or other piece of hardware because i didn't have a reason.. because we cannot "sole-source" our purchases.
5 seconds later, the only option we have which is directed by the same officers and contractors full of MSCE pukes is that we throw out PERFECTLY GOOD hardware and software - and bring in shitty Windows boxen.
I had a DNS server at a base that i had been told has been up for 4 years before i got there.. and in 3 years there, never crashed once. It was a Sparc classic. The Win-based Compaq POS that replaced the Sparc went down once a week.. and had to be restarted every night.. it was a checklist item to restart the Exchange and DNS servers.
In any case... i would say that it would behoove you to not fuck around with UNIX any more.. i promise that your ass is NOT going to win.. you ARE going to get overruled, and you ARE going to get fired for not going with the program if you continue to bitch and moan.
It WILL NOT matter that real work falls on the floor.. it WILL NOT matter that you have to keep fucking with the new machines every day.. and it will NOT BOTHER your higher ups or the workerbees.. so long as they finally get Outlook 2000 and MS Word... which is all they really want.
I pity you.. and i will pray for you. I pray for all of our souls.. i'm just glad i'm not going to be CIO of my location in 2 weeks... and that i'm off to other things.
oh well.
damn.. that's fucking depressing.
The start of an uphill battle (Score:2)
To answer your questions,
1. this is true, when win2k workstations are using AD, they lose the ability to access old NT4 and other SMB shares. Even with
3. if at all possible, try to get your own OU and child domain, and you can isolate yourself from many stupid AD administration decisions. Make it clear that a move to AD means that all groups will have to maintain their own servers, rather than just one big central server where a screwup will take everyone down. This will allow for some degree of survivability during AD outages, which will be numerous during the first few years of rollout. Then you can propose a unix based AD/LDAP server for your group.
4. make your requirements that the win2k group accept working with lesser functionality for now, i.e. mixed mode AD, until such time as M$ opens their AD implementation so that every system can profit from those features. Propose running the AD servers on unix (does anyone have any good references?), which will guarantee a level playing field for everyone for now. The "benefits" of moving to win2k are not all that great if it locks everyone into win2k, with the expected increase in licensing fees that M$ does once a company or group makes the fatal switch. It has been well documented before, go find some horror stories in the press or on the web.
5. Only for large amounts of money. I'm not really an AD expert, I'm just supporting some guys who are learning it. In my spare time, I'm studying the security implications of putting all your eggs in one basket, especially when that basket runs on windoze. When AD becomes more widespread, and more critical data and functions are protected by AD, then the hackers will discover many exploits. Can you imagine what would happen to your group if your sole security server were cracked? Every machine would be instantly compromised and the infocriminals would have free rein on all systems without so much as another password prompt to keep them out.
Your best bet is to find some AD server which runs on unix, certainly cisco has one that runs on solaris (as part of another product), and propose it to be the main server. And dig up a bunch of horror stories from the URLs already posted here and do your own web search. Trust me, the time you spend now helping steer this disaster in a slightly better direction will help you in the long run.
the AC