> We have an established NIS world directory structure, but we are in the
> process of moving portions to LDAP/Active Directory (AD). (Please no
> attacks; these decisions are well outside my area of control.) We have
> attempted to use the Samba WINBIND package to provide domain
> authentication. There is an issue with the local implementation with
> domain trust relationships, but when bypassing that issue for now it
> seems to work. The question is how do we integrate the NIS information
> into the mix?
Consider using pam_krb5 and using Kerberos and Hesiod instead of NIS. It's not going to be perfect given MS's mutation of the Kerberos protocols, but it's likely to be more friendly than trying to synchronize NIS and AD. There are also OpenLDAP modules that allow you to store Kerberos principal ids in LDAP, which is much closer to the AD model than NIS. This would be backward compatible with your existing external hosts as well; once you have this working with Linux, doing it with Solaris or AIX is about the same problem.

Be aware that a standard Kerberos install will probably get some errors trying to authenticate against a MS Kerberos server. Your AD admins will need to pester MS tech support to get the version of the MS Kerberos server that does not emit protocol violations (or at least can be convinced not to spew undocumented garbage on a selected range of interfaces), but that would allow normal MIT Kerberized logins to work.

Wrt winbind, probably not really workable yet. The Samba 3.x release does some significant restructuring of how authentication works, and winbindd is getting a lot of attention in that chunk of code. The Kerberos stuff is very stable on Linux (and other platforms) and will scale much better.

-- db
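The split the reply recommends, Kerberos for authentication via PAM and Hesiod (DNS) for the account lookups NIS used to serve, can be sketched as two client-side configuration fragments. This is an added illustration, not configuration from the original posters; the realm, domain names and the choice of `pam_unix` as the local fallback are assumptions, and option names should be checked against the pam_krb5 and nss_hesiod versions actually installed.

```text
# /etc/pam.d/login (fragment, illustrative)
# Try Kerberos first; fall back to the local password file (or the
# legacy NIS map while it still exists) using the password already typed.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so use_first_pass
account   required    pam_krb5.so
account   required    pam_unix.so
session   optional    pam_krb5.so

# /etc/nsswitch.conf (fragment, illustrative)
# Account and group data come from Hesiod records in DNS instead of NIS;
# local files are still consulted first so root and system accounts resolve
# even when DNS is unreachable.
passwd:   files hesiod
group:    files hesiod

# /etc/hesiod.conf (illustrative; the domain is a placeholder)
lhs=.ns
rhs=.example.com
```

Keeping `files` ahead of `hesiod` in nsswitch.conf matters operationally: if the DNS zone that carries the Hesiod records is unavailable, local accounts keep working and the failure is visible as a lookup error rather than as a locked-out host. Since Hesiod data is served over plain DNS, it should carry only the non-secret fields (uid, gid, shell, home); the password hashes that NIS used to distribute have no place there, which is exactly why authentication moves to Kerberos.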
