Where are the 'Modern' Directory Services? 504
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
Gee... (Score:5, Insightful)
Re:Gee... (Score:2, Interesting)
WTF is so wrong with something that's easy to use and administer?
Does it threaten your manhood or something?
Why _SHOULDN'T_ an opensource directory system make the hard things easy and the impossible things routine? The fact that OpenLDAP can be a bear to build and maintain is a usability bug that needs redress.
Listen, if you want to live in a MS world, keep expecting more from people than they give a damn about living up to. That's _REALLY_ productiv
Re:Gee... (Score:2)
Re:Gee... (Score:2)
I added you and you didn't update your sig - I was so crushed that I made you (neutral) again.
Now you're in for it - I'm going to make you a Friend
Re:Gee... (Score:2)
Re:Gee... (Score:4, Interesting)
(I'm not using users' domain homedirs on the box I've got that setup on, as my primary desire was to use Apache basic auth to the existing AD infrastructure, but other than that it works rather well so far.)
Re:Gee... (Score:4, Informative)
There is no reason a distro couldn't smoothly tie them together with some simple curses/graphical configuration tools. The question is a good one.
Re:Gee... (Score:5, Interesting)
Well I guess if you never used it, you would probably think this.
AD goes so far beyond a type of LDAP or authenication system it would be like saying Linux is nothing more than a rip off of 1969 *nix and doesn't do anymore.
(And no I don't believe that about Linux.)
Geesh...
Re:This is not informative you crackhead mods. (Score:4, Informative)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then theres the GUI tools for managing it all, last time I looked Linux only had directoryadministrator which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)
Re:This is not informative you crackhead mods. (Score:4, Interesting)
During the last two years, I've been hacking on a generalized system for managing an LDAPized system, including all sysadmin tasks like home-dir-creation etc, for my employer. The system is GPL:ed and available from http://grimoire.takeit.se (the webdemo doesn't work ATM, sorry).
The aim of the system is to carry out any sysadmin task on any host in the system, and combine those tasks into more complex ones, even if executed on different machines, and then control access to tasks in a very fine-grained way (a bit similar to Novell:s trustees, in that you have inheritance down the tree).
ATM, the system can handle users, groups (it can let users create their own groups in a controllable fashion), machine accounts and printer ques interacting with Samba, OpenLDAP, Courier, Postfix, CUPS, pam/nss-ldap and some other tools. It is however in beta-stage...
Re:Gee... (Score:5, Insightful)
I help run what is probably one of the largest AD implementations in the country, if not the world. Your perception of AD is true only under certain lamebrained implementations. It IS possible to totally ignore the AD heirarchy and go for a "flat" NT4-style domain structure, but people who set those up should be severely beaten about the face and ears, and never allowed near a server again. If your ADs are like that, get a new job.
Re:Gee... (Score:5, Funny)
Some things just boggle the mind.
Here's the e-mail! (Score:4, Funny)
Scott Gordon [sgordon@vaco.com]
RE: Inquiry about Dice Job Number ADMEM
Thanks very much for your inquiry. We've filled this position today with someone of 12+ total years of experience.
Good luck in your job search!
------------
My response to that:
Alas, how is this possible? Active directory was first included with Windows 2000. The "2000" means the year, 2000. Being 2005 now, that means it's only been available for five years.
While I'm not trying to argue with you here, I thought I might let you know so you could fix the job description as it's inaccurate.
I consider myself very good at my trade, and I wouldn't apply for a job when the company can't get the job requirements correct - you know you're in for trouble when the boss apparently knows nothing about the technology; not even enough to realize 2000 means the year 2000. If you're a recruiting firm, you may attract more skilled people if you have an accurate description.
Fortunately I'm not looking for a job as I am already employed. Sometimes I look to see how the market is looking.
Good luck!
-------------
His response:
Joseph,
If you are not searching for a job, then it should not matter.
I appreciate your concern for my job description but it is unnecessary.
Perhaps you should apply your editing skills to your own employment and further yourself in your current company. What task are you not completing while surfing the internet looking for jobs? Does your employer - Future Foundations - know that you are spending company time, money and bandwidth looking for another job? Perhaps, they should know Mr.. Jamieson?
Again, we've filled this opening and the position is no longer available.
Regards,
------------------
Now, "Future Foundations" is just my own e-mail domain name. Like many other people around here, I host my own e-mail so I keep my address no matter what ISP I use. How does this guy think he's going to scare an IT person by calling out their e-mail domain name?
I think he's a small recruiting shop, maybe even just him, as he claims to be CEO or something but also writes these job descriptions. Figures.
But these are the unprofessional people that us professionals have to deal with to get a job these days. It sucks.
Re:Flatness (Score:3, Interesting)
Domains form security boundaries. Unless you want everybody who is in domain admins or who may need domain admins the ability to completely screwup your schema and enterprise configuration then you should have as a minimum a place-holder root.
A placeholder root also allows different security policies for different users. This is the most annoying weakness of AD: user accounts get the security policy of the domain controllers, and not of the u
Re:Gee... (Score:2, Interesting)
I'm a Windows admin. I won't pretend to know enough about OpenLDAP or Apple's OpenDirectory to comment on either. That said, Active Directory has done everything I've ever wanted it to do since rolling it out in August 2001. 36,000 users, about 3,000 computers, hundreds of facilities, s
Re:Gee... (Score:3, Interesting)
AD isn't special. It, like so many other "innovations" from MS, is simply a rip-off off LDAP and NDS. OH, but you get the added bonus of having to have twice as many servers to implement it.
Re:Gee... (Score:5, Interesting)
i'm guessing the difference is that setting up AD server and AD-based single-sign-on doesn't make you want to gouge out your eyes with a shrimp fork (compared to linux at least).
i say i'm guessing because i'm 100% linux at home and work, and i'll never lay a hand on a windows box if i can avoid it; but the theme of this Ask /. is dead-on.
Linux needs *easy*, *default*, *out of the box* ldap-based authentication. i should be able to install a distro, select "ldap auth", and then have everything automagically authenticate against it - shell, apache, samba, IMAP, etc etc etc. same on workstations - select "ldap auth", specify the ldap server, and you're done.
i don't know any distros that offer this ease of use - correct me if i'm wrong. (i run debian sarge and sid).
Re:Gee... (Score:3, Informative)
RH/Fedora has been doing that at install time for ages - apparently [redhat.com] 6.1 or so. How well it works might be another matter - I've never had cause to use it, but it'd be worth a look for any
Re:Gee... (Score:3, Insightful)
So, you *complained* that someone wasn't doing something for you for free, and people were dismissive - and you were surprised?
Here's a tip for you: don't complain. When you complain you come off as a whiny brat. If something you need doesn't exist, either ask someone *nicely* if it could be included (or when they're planning to implement it.)
Most networking setup doesn't require knowledge of C or C++
Re:Gee... (Score:5, Informative)
Like many others here, I have participated in several migrations away from NDS in favor of AD. Each instance has been a big win for the people I worked for.
That being said, I have recently installed a trial of the last release of SuSE LINUX Enterprise Server (the first since Novell acquisition) and I have to say that this product's successors/siblings are going to balance things in the DS arena again. I never had anything against Novell, but they stagnated while they tried to fend off and interoperate the beast simultaneously and MS gained almost all of their infrastructure ground almost solely at Novell's expense while they were floundering without a plan.
The recent SuSE and Ximian acquisitions are going to pay great dividends both for Novell and for the community in the long run. I am excited to see what they do, but for goodness sake, don't applaud the last five years of NDS. That's like claiming the last three Rocky films were the best.
Re:Gee... (Score:3, Insightful)
Netware (Score:4, Informative)
Re:Netware (Score:5, Informative)
Of course the poster probably meant "open source directory services". Sorry, eDir is a pay-at-the-door shop.
TW
Re:eDirectory and charging (Score:4, Informative)
So the directory side of things is not 'pay-at-the-door'
Usual disclaimers.
Re:eDirectory and charging (Score:5, Informative)
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation [novell.com] too.
i got your directory right here (Score:2, Funny)
Google.com -- let your fingers do the walking
SLES (Score:4, Interesting)
I might be wrong though - I'm still waiting for my copy...
Re:SLES (Score:5, Informative)
Configuring Samba for LDAP and populating the LDAP server with the proper entries.
Putting the dhcp server configuration in LDAP.
Custom scripts for Samba to add/remove machines and users in LDAP via Samba.
Configuring Bind to use LDAP as a backend.
I'm pretty impressed. I love RedHat/Fedora, but those distros don't have anything like SuSE has for bootstrapping the LDAP configuration. Maybe RedHat will get more serious about it once they release the GPL'd version of iPlanet Directory Server.
Personally, I can't wait until Samba 4 comes out that will bring this all together (Kerb, LDAP, AD) with it's own LDAP server.
Re:SLES (Score:3, Interesting)
Unfortunately, SLES 9 comes with OpenLDAP 2.2.6 (fairly old), and has problems when access using GSSAPI
Re:SuSe... (Score:2)
However, I don't know why NLES would include a YaST module for OpenLDAP, when Novell sells its own directory service called eDirectory.
Re:SuSe... (Score:2)
The community is YOU! (Score:5, Funny)
The YourOwn (tm) Linux distribution is based on OpenLDAP and all the other out-of-the-box features you're looking for.
It can be downloaded from YourOwnBox.org [127.0.0.1].
Re:The community is YOU! (Score:5, Funny)
Re:The community is YOU! (Score:5, Funny)
Re:The community is YOU! (Score:4, Funny)
I'm really happy with YourOwn linux, it's served us well, and I cant imagine us moving to another distribution anytime soon. The reality is, it's served us so well, we've actually taken on the task of sponsoring the developers producing it, and have kept them on retainer ever since. This distribution has served us so well, I fully expect it'll be deployed on well over 1000 boxes by the end of the year.
Solaris? (Score:5, Interesting)
pfft (Score:4, Funny)
Active Directory or NDS (Score:2, Interesting)
Linux instead of OS X? (Score:2, Interesting)
Re:Linux instead of OS X? (Score:2)
Re:Linux instead of OS X? (Score:3, Insightful)
You want Mac OS X Server. Trust me on this.
Novell eDirectory (Score:5, Informative)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Re:Novell eDirectory (Score:5, Informative)
Karma whore links below:
http://www.novell.com/products/openenterprisese
http://www.novell.com/products/edirectory/
http://www.novell.com/zenworks
Re:Novell eDirectory (Score:3, Insightful)
OS X can (10.3.7 that is) (Score:3, Interesting)
It takes 3 shellcommands and inserting your favorite validation-server to hook up an osx-client on an AD-server, SMB-shares included (not DFS though, as far as I know)
Re:OS X can (10.3.7 that is) (Score:2)
... Except that he's not looking for AD, he's looking for the AD equivilent on Linux. Though he didn't say it, he's probably also looking for open source, which AD is most definately not.
TW
Solution here!! (Score:3, Informative)
http://www.infodiv.unimelb.edu.au/lansg/osx/os-x3
I have nothing to add to the article.
Re:OS X can (10.3.7 that is) (Score:3, Interesting)
I'm just concerned that Linux will have a lot of trouble getting into the mid-sized and small shops because it doesn't interoperate well out-of-the-box, to connect a Linux box to an AD is a total pain in the arse, ser
In fact... (Score:5, Funny)
Have you heard of this company called "Novell"? (Score:4, Interesting)
There's this company called Novell that has this product called, variously, "NetWare Directory Services", "Novell Directory Services", "eDirectory", and "Nsure/exteNd/Nterprise/Ngage".
Okay, so maybe their marketing department has sucked big donkey dongs for like the last ten years and that's why you've never heard of them.
But rumor has it they purchased this outfit called SuSE, and that all their stuff has been ported to the Linux kernel, and they also purchased this other outfit, called Ximian, so that all their stuff would play nice with .NET, and...
Well, you get the picture.
Re:Have you heard of this company called "Novell"? (Score:2)
Wasn't that the silly little cellphone/game platform that nobody bought?
LDAP is critical to Linux's survival now. (Score:5, Insightful)
LDAP is Linux's ultimate ability that permiates everything Linux can do and makes the many peices of Linux whole. Only the greatest of Linux Users cann use LDAP.
The thing is, its too damn hard, too damn difficult, and there is not enough documentation and configuration too;s for LDAP out there. I've spent three years on LDAP - I know.
Re:LDAP is critical to Linux's survival now. (Score:2)
It's incredible, really.
Mod parent up. (Score:2)
But OpenLDAP is improving. I am still not happy with it, but it is largely designed to be a good toolkit for building a directory services architecture than it is such an architecture itself.
This being said, it should not be that hard to set up Linux to do these things.
Re:LDAP is critical to Linux's survival now. (Score:4, Informative)
I made the following changes on my linux box:
Step 1:
Edit
add "ldap" to the passwd, shadow, and group lines.
add "nisplus" to automount line
Step 2:
Edit
Set host and base DN
Step 3:
There is no step 3!
Re:LDAP is critical to Linux's survival now. (Score:3, Interesting)
Re:LDAP is critical to Linux's survival now. (Score:3, Interesting)
Re:LDAP is critical to Linux's survival now. (Score:3)
No.
$ rpm -qf
nss_ldap-232-1
Fedora uses nss_ldap. If the server supports TLS, the client will automatically use it.. no setup required on the client-side.
Re:LDAP is critical to Linux's survival now. (Score:2)
Re:LDAP is critical to Linux's survival now. (Score:3, Interesting)
What would be the default realm? What is the LDAP domain?
ask me during setup.
Will the root user be stored in the LDAP directory or not? What kerberos principles will be created by default? Will your mail alias information be stored in LDAP or not? What do you do if the LDAP server can not be contacted? How will you handle applications that do not talk to LDAP, PAM or Kerberos? Do you really want a DNS server running on every host you install this distro on?
*i don't
Re:LDAP is critical to Linux's survival now. (Score:5, Interesting)
I have since created an LDAP admin tool that doesn't have a strange obsession with DN's, doesn't make you specify UIDNumbers, and generally tries not to suck.
It is also (to my knowledge) the only LDAP admin tool that will manage your Kerberos principals alongside your LDAP users (if you're into that sort of thing). Anyhow, enough of my blathering, check it out: (http://edsadmin.sf.net).
The next step of my Grand Vision is EDSRealmAssistant, which currently auto-configures samba+ldap, and will in the future do the whole LDAP+SAMBA+KRB5+DNS+DHCP shebang that everyone wants but is too lazy to set up
-Mark
Re:LDAP is critical to Linux's survival now. (Score:3, Informative)
Some of us have been working on that sort of thing for years. We master data from our tool [utexas.edu] into NIS, DNS, LDAP, SAMBA, and DHCP, and I suspect lots of places have various home grown tools to do likewise. Any large place will need things of this kind, anyway.
EDSAdmin looks very nice, though. Nice job!
Re:LDAP is critical to Linux's survival now. (Score:3, Informative)
-Mark
Re:LDAP is critical to Linux's survival now. (Score:3, Interesting)
That's because LDAP sucks, hardcore. I don't mean that the developers of things like OpenLDAP suck, what I mean is that the specification and the protocols and whatnot suck. LDAP shares with it's predecessor X.500 the very serious flaw of over-generalization. They picked a very broad design that attempts to do everything for everyone, which means every little thing in LDAP has to be subclassable, extensible, flexible, etc. Then you have all these schemas that try to tie down common usages, but different
Re:LDAP is critical to Linux's survival now. (Score:2)
Re:LDAP is critical to Linux's survival now. (Score:5, Informative)
Most LDAP directories are used to keep track of people; therefore there is an InternetOrgPerson type which (if I remember rightly) has the following attributes by default:
- CommonName (i.e., userID)
- Full name
- Password (can be stored with both Windows and Unix encryption,
or in plaintext)
- Telephone number(s)
- Mailing address(es)
- JPEG photo
- e-mail address
- user ID #
- home directory (?), shell (?) (these might be in some other type)
However, LDAP types are extensible, so you could create a new type to represent employees, inventory, or even projects, or you could extend an existing type. For instance, you might want to add some of the following to InternetOrgPerson (if they're not already there):- GPG public key
- instant-messaging ID
- ID badge number
It's even possible to use an SQL or legacy-system database as a backend for OpenLDAP with some custom coding, although I'm sure a lot of people who use it don't bother.So that's what's in the directory. You might still ask, "what is it used for?"
Firstly, Windows, Netware, Solaris and Linux can all be told to get their login information from an LDAP directory. This means that (if it works) someone only needs one account in an organization, that their Windows password is automatically the same as their Unix password, etc. It does not mean that they need to use the same home directory on all systems; but home directories can be automatically created by login scripts. NIS+ was a Unix-only way to distribute just the information found in /etc/passwd; LDAP
is cross-platform.
Secondly, some E-mail clients (specifically Netscape, its derivatives, and Outlook; I don't have experience to speak for others) can treat an LDAP directory as an extension of the address-book. That sure beats running down the hall and referring to a printed list every time you want to e-mail someone or call them on the phone and only remember their name.
Of course, if your "organization" is one person working on ten computers in a family-member's basement, LDAP probably isn't worth the effort.
Re:LDAP is critical to Linux's survival now. (Score:3, Informative)
NDS is Best (Score:5, Interesting)
But for professional use on networks of any real size, I really try to push my customers to NDS. Say what you want about Novell, but I have yet to find a beter DS that Novell's.
Try Suse (Score:4, Informative)
OS X Server has it built in... Open Directory (Score:5, Interesting)
I have to be missing something here.
Re:OS X Server has it built in... Open Directory (Score:2)
Re:OS X Server has it built in... Open Directory (Score:4, Insightful)
They are wrong. Explain this to them. That's part of your job.
Also, there's perfectly good x86 hardware in there now, I'd rather use itr than pay Apple for new metal.
Given that this "perfectly good x86 hardware" is absolutely incapable of doing what you want it to do without a massive investment of time and effort, it seems obvious to me that it's not "perfectly good" at all, is it?
Run the numbers. You will find that buying an Xserve will cost you much less than trying to make your jury-rigged solution work.
Re:OS X Server has it built in... Open Directory (Score:3, Interesting)
I recently installed an XServe. If I ever got mod points, I'd give them to the above post. Not only is the OS superb, the hardware is _very_ impressive. It even has blinkenlights [apple.com]! Tell *that* to the guys who only want x86 hardware... I only wish I'd found an image of one running, those lights really are slick-looking ;-).
But really, if you're looking for a good LDAP implementation
AFAIK (Score:2)
Small demand (Score:4, Insightful)
Only fairly large shops NEED that and they only need to set it up once. The existing howtos appear to be addressing that need well enough that it has not become a big enough itch for anyone to scratch. Again, because once you know enough about it to write the wizards to make setting it all up easy, you have your site done and will probably will never need to do it again. So until a distro vendor sees it as a big enough selling feature to undertake the work I doubt it will happen.
Port Apple OpenDirectory or similar to Linux (Score:2)
Here's what I think we need as far as enterprise linux directory services go:
1. Standardize on a sasl repository with hooks into Kerberos for maintaing and authenticating all passwords (md5, nt hashes, sendmail auth mechanisms)
2. Tightly i
Using *nix as a Primary Domain Controller (Score:5, Informative)
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to out intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
Re:Using *nix as a Primary Domain Controller (Score:2)
Interesting. I've been using package managers for years on everything from SunOS to SCO to dozens of Linux flavors. RPM is actually a pretty good package management system, better in most cases than package managers for the big systems. It is somewhat lacking in roll-back ability, something that Solari
Re:Using *nix as a Primary Domain Controller (Score:3, Interesting)
It's widely known what the contents of that extra packet is these days, actually. Luke Howard's XAD [padl.com] takes advantage of it, and the Samba guys are coding with it as well.
I'm a bit confused? (Score:4, Interesting)
So, I push an auto.master using NIS. Works peachy. I've never tried it -- but I think that using an SMB share as a home directory would be as simple as changing the automount specification? This doesn't work?
As to NIS: its what I use, and RH9 is happy with it.
However, RH9 does offer "NIS", "LDAP", "Kerberos 5", "SMB" authentication schemes on installation.
Note that autofs uses
What are you trying to do?
Ratboy
Re:I'm a bit confused? (Score:5, Interesting)
Worked really slick. Single sign-on for all machines, Linux and Windows.
I have the Word doc write up of how we did it around here someplace. I'd be willing to share if you are interested.
As others have mentioned, and I'll confirm, that there is an automounter that comes with the distro that can mount smb file shares on windows machines in the network. I've got this working at home right now.
Re:I'm a bit confused? (Score:3)
Please do!
Re:I'm a bit confused? (Score:5, Informative)
ISODE - X.500 server - been available since 1992 (Score:5, Informative)
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
Re:ISODE - X.500 server - been available since 199 (Score:3, Interesting)
At about that time I was writing X.500 based applications using ISODE.
In my estimation, X.500 failed to take off for five reasons. The first was that it was overly complex. The protocol was certainly complex. While ISODE made things easier, building applications was still too complicated.
The second is that X.500 was a resource pig, both on the client and the server.
The third is that there were too many optional features in the protocol. N
XAD - available from padl.com (Score:2)
which isn't free, because it's based on FreeDCE, which is BSD-licensed, and therefore it's not a requirement for the source code to be made available.
but it utilises and brings together all of the pieces of the puzzle that you're looking for, in a way that no free software project yet does...
Similar Question (Score:3, Interesting)
I'm talking of the same installation disks, but at the very onset, instead of just asking (or perhaps more than just asking) if I want a Desktop, Server or workstation install, it include sub-options like:
Server:
[] Directory Services Server
[] Network File Server
[] User $HOME directory (or some other friendly name)
[] Print Services Server
Workstation:
In other words, the very things one would need and in the order one would install for a small- to medium-sized enterprise.
SLES and yast2 (Score:3, Informative)
See 21.8.5. LDAP Server Configuration with YaST
I'm still waiting... (Score:3, Funny)
The Hurderos Project (Score:3, Informative)
Although the project is in its infancy, it has really good ideas for integrating identity management, authn, and authz.
http://www.hurderos.org [hurderos.org]
only needs a wizard... (Score:3, Interesting)
RHEL4 does that just fine (Score:3, Informative)
sounds to me like... (Score:3, Informative)
1) A Linux desktop distribution which can automount $HOME directories (from a central server?) on normal workstations with a fair amount of ease (in terms of configuration).
Answer: There's nothing that I know of that can do this "out of the box" so to speak, but it should be fairly trivial to do.
I'll make note that mounting a share on a Windows server to a Linux desktop seems to often result in the share mount dying - it's kind of messy without using automount, and I've not personally used automount much.
I can't speak for kerebos auth itself, as I'm not too familiar with that element...
Other than that, though, it should be relatively trivial to set automount up to mount a samba share using credentials provided by OpenLDAP or what have you. As you can mount SMB shares via fstab, it's not really an issue to jump up one step and use automount. I am, of course, assuming you'll be making a single "desktop deployment" image and not doing the antiquated thing and manually configuring each machine - that would be just dumb.
2) A Linux server distribution with OpenLDAP + Samba + Kerberos set up, out of the box, so that all you'd have to do would be populate the OpenLDAP server with username/password combinations.
There's nothing that does this which I'm aware of. That's why a company should hire competent people; maybe that's partially why no distro has done it - it's hard, and the distro people don't want to piss off the competent admins by making their skillset "outdated". But that's just a guess.
Another guess is that it's simply not a widely deployed combination. The organization I work for now has (only) several thousand NetPCs deployed in the field, and it's just an NT4 domain login with LDAP on the backend. Groupwise is used on the client side to tie into LDAP directly.
It's probably out there...but not documented well (Score:3, Interesting)
However, for those who know little or nothing of X.500 and are just looking for simple directory services, this makes the LDAP documentation pretty much worthless or extremely annoying, depending on just how tenacious you are.
I don't mean to pick on the various LDAP projects. This kind of thing happens all over the place with free enterprise software.
mkautosmb (Score:4, Informative)
It browses your LAN and creates automount config files for them, yee hah!
I had to edit it to do "autofs --version" when checking which version of autofs you have, and to make it write out "cifs" instead of "smbfs" to ge around a current smbfs/win2003-server compatability problem.
Either that or look at smb4k, but it suffers from the same smbfs problem I mentioned.
Sam
Re:Slashdot certainly thinks so. (Score:3, Interesting)
Re:Slashdot certainly thinks so. (Score:2)
Hacked Solution (Score:4, Informative)
Re:Kerberize?!? (Score:2)
Kerberized apps are quite nice. I'm still waiting for a "real" kerberos plugin for Firefox.
Re:Sure, WinXp (Score:3, Insightful)
The thing in contention here is "demand". Now, OK, frex; IE has 90% of the market, Firefox less than 10%. A conventional view says that IE is in considerable more demand than Firefox (or Opera). Now, allright, I can accept that, but I don't agree with it. The bottom line is that no one (or very few) actually want IE but they have it and don't want another browser enough to learn