Franco "Sensei" wrote:

...and the interaction is what I'd like. Logging into Windows should be something a la pam_krb5afs + ldap, without AD. Somehow, Active Directory makes remote users possible, with no mapping at all since no local account is needed on the local machine. Is it possible to create something like what I'm describing? They do it (with AD Kerberos as you pointed out, but it's always Kerberos), so we can do it (probably). Retrieving where the profile is located is a matter of LDAP, so we should be able to use LDAP in some way, as they do with AD.

I'm not telling that it is possible here and now with the tools we have (kfw and openafs client), but I'm asking if you think it would be possible and/or useful.

Obviously it is possible, because NT4 Domain Controllers exist, Samba exists, and Active Directory exists.

Build a replacement for any of those which incorporates all of the integrated functions in the undocumented ways Microsoft does things and you will have what you want. This is what Luke Howard did with XAD.

Effectively you still have Active Directory, it just isn't purchased from Microsoft. Is it worth my while to do this? No.

Why not? Because all of my clients will continue to use Microsoft for the support, and because you never know when you will run into an undocumented edge case which is going to take down your business.

I am going to test XAD at some point to evaluate whether I think it is worth recommending for small non-critical environments. However, it is still going to be several weeks before I will have time to think about it.

Jeffrey Altman

