On Thu, Jul 17, 2008 at 02:49:41PM +0200, Serge Dussud wrote:
> along the same lines, nsswitch.conf(4) states in NOTES section:
>
> .....
> The use of both nis and nisplus as sources for the same
> database is strongly discouraged since both the name
> services are expected to store similar information and the
> lookups on the database may yield different results
> depending on which name service is operational at the time of the
> request. The same applies for using ldap along with nis or
> nisplus.
> ....
>
> These sentences probably need to mention ad repository somehow as well.

Only when nss_ldap is configured with schema mapping to use AD is there
any possibility for conflict with nss_ad (specifically, for getpwuid()
and getgrgid() calls).

We could add:

"When using ldap with schema mapping against an Active Directory domain
and the ad backend it is strongly recommended that ldap come first, then
ad."

> >
> > IMO, it is important to understand this and ensure that users
> > of nss_ad are correctly informed.
>
> need for Solaris Admin guide update with this case ?

We'll probably add a mention of nss_ad to the ID mapping guide and to
the name services guide.

> Also, I understand that Windows logons are out of scope. However:
>
> - I don't see it mentioned in the provided man pages and this shall be
> somewhere in the public documentation IMO (man pages and/or Admin guide)

IIRC that was my fault for not dropping those manpages in place.

> - it's said in the case that 'sp_pwdp will be "*NP*"' ? will this
> prevent Windows logons or does our PAM stack/modules need to take this
> into account ? e.g., what if one answers the login prompt with
> myuser at addomain, which presumably would get resolved by
> getpwnam/getspnam ? what's the expected behavior ?

That you cannot login since no password for myuser at addomain can be
validated (assuming you don't have /etc/passwd entries for myuser at
addomain...).

Nico
--
