Hi, just my couple of cents:
AD and Linux authentication works quite well; that means for authentication only, you can use Kerberos to authenticate users that you have on your AD. However, it's quite important to know that user ID mapping will be done via winbind (or maybe a mapping file), and as discussed, file permissions in Unix-like filesystems are defined by the user and group ID. So that could result in different machines having a different user ID for the same user (very bad). You would still need to find a way to handle your autofs and other maps which do not exist on AD (as far as I'm aware).

There is, however, a UNIX Services for AD (which is somehow a NIS implementation), but I'm not really sure if it's active and/or working.

An alternative is to use OpenLDAP and AD (if an MS environment is really important for you) and then to create the same user names in both environments, and sync the passwords (I'm not sure what the tool's name is, but one exists; just google for it). Of course this could be extended to delete the accounts when you remove them from AD etc. (using scripts).

The last option, which is the best in my eyes for a small environment, would be to use OpenLDAP (with replica) and on top use Samba for the Windows users and native LDAP for the rest. If your environment is bigger, consider using the Fedora/Red Hat Directory Server or SunOne.

Ohad

On Dec 26, 2007 4:02 AM, Ariel Biener <[EMAIL PROTECTED]> wrote:
> On Tuesday, 25 December 2007 21:54, Shachar Shemesh wrote:
> > There is one thing that everyone in this discussion seems to have missed
> > so far, and that is that AD *is* LDAP.
> >
> > Ariel Biener wrote:
> > > Well, I wouldn't choose any of the above in the way it is described. I
> > > believe that MS AD is the best tool to use for a Windows environment, LDAP
> > > is the best tool for a Linux environment
> >
> > Assuming that is the case (open to discussion), then open an AD server
> > and use it as an LDAP server for the non-Windows machines.
>
> Sorry, despite MS's claim that their directory server is an implementation of
> LDAPv3, I find it often missing, non-standard and minimalist for such
> a claim. Given the choice (and I was actually given this choice when I had
> to choose which directory server to go for @TAU), I left AD to do what it
> is good at, that is, management and authentication in a Windows-based
> environment, and I used a directory that is the most proven, oldest,
> and most extensible in the industry. It's called eDirectory. Sun's directory
> server is also an option. There are also others, which are not bad. MS is
> definitely not there; they came in late and have quite some catching up
> to do.
>
> --Ariel
> --
> Ariel Biener
> e-mail: [EMAIL PROTECTED]
> PGP: http://www.tau.ac.il/~ariel/pgp.html
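The UID-mapping problem Ohad describes (the same AD user ending up with a different numeric UID on different Linux hosts, which silently changes what file ownership means on shared NFS or autofs-mounted storage) is easy to check for once you have `getent passwd` output from each host. The script below is an added example written for this thread, not code from any of the posters; the hostnames, user names and IDs in `SAMPLE_PASSWD` are constructed to show one consistent account and two inconsistent ones, and in real use you would replace that dictionary with output collected from your own hosts.

```python
"""
Detect inconsistent UID/GID mapping for the same account across hosts.

When each Linux host maps AD users to local UIDs on its own (for example
winbind with a per-host idmap backend), the same account can get a
different UID on each machine, so ownership on shared storage no longer
means the same thing everywhere. This compares passwd(5)-style output
from several hosts and reports every account whose UID or primary GID
differs between them.
"""
from collections import defaultdict

# Constructed sample data: what `getent passwd` might print on three hosts.
# Hostnames, users and IDs are made up for this example; they are not from
# the thread. bob has a different UID on host-b, carol a different GID on
# host-c, alice is consistent everywhere.
SAMPLE_PASSWD = {
    "host-a": """alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:10003:10000:Carol:/home/carol:/bin/bash
""",
    "host-b": """alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10007:10000:Bob:/home/bob:/bin/bash
carol:*:10003:10000:Carol:/home/carol:/bin/bash
""",
    "host-c": """alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:10003:20000:Carol:/home/carol:/bin/bash
""",
}


def parse_passwd(text):
    """Parse passwd(5) lines into {username: (uid, gid)}.

    Lines with fewer than seven colon-separated fields (blank lines,
    truncated output) are skipped instead of raising.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, _pw, uid, gid = fields[:4]
        entries[name] = (int(uid), int(gid))
    return entries


def find_id_mismatches(passwd_by_host):
    """Return {username: {host: (uid, gid)}} for accounts whose IDs differ.

    An account present on only one host is not a mismatch; only accounts
    seen with two or more distinct (uid, gid) pairs are reported.
    """
    seen = defaultdict(dict)  # username -> host -> (uid, gid)
    for host, text in passwd_by_host.items():
        for name, ids in parse_passwd(text).items():
            seen[name][host] = ids
    return {
        name: dict(by_host)
        for name, by_host in seen.items()
        if len(set(by_host.values())) > 1
    }


def format_report(mismatches):
    """Render mismatches as one line per account, suitable for a cron log."""
    lines = []
    for name in sorted(mismatches):
        ids = ", ".join(
            f"{host}={uid}:{gid}"
            for host, (uid, gid) in sorted(mismatches[name].items())
        )
        lines.append(f"MISMATCH {name}: {ids}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = format_report(find_id_mismatches(SAMPLE_PASSWD))
    print(report or "all accounts map to the same UID/GID on every host")
```

Run it periodically against `getent passwd` gathered from each host and alert on any `MISMATCH` line. The durable fix is to stop hosts from inventing IDs independently: winbind's `rid` and `ad` idmap backends derive the UID deterministically (the `ad` backend reads the uidNumber/gidNumber attributes that the UNIX Services for AD schema mentioned above populates), so every host with the same idmap configuration produces the same UID for the same account.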
