Geoff Silver gsilver at winstar.com
Mon Sep 18 19:02:34 GMT 2000

	I've spent several days going though the list archives, online
Samba docs, e-mailing LUGs, and searching Google, and I've come to a
sticking point.  I'm not a member of this list, but this seemed like the
perfect place for this question, since no one else has been able to offer
much help.  If anyone can help and would be kind enough to include my
address in any group replies, that would be extremely appreciated.  Here's
my scenario:
	I work for a communications company of about 6000 people near
Washington, D.C., USA.  In order to save money and move the company away
from Windows, I'm working on migrating the file and print servers in the
company from NT to Linux & Samba.  I've already proven that printing can
be done (although the help desk isn't thrilled about visiting workstations
to install NT workstation print drivers, they have agreed to do it until
Samba 2.2 is released in final).  
	The problem we're encountering is with our file servers.  While
the Linux servers don't need to allow logins, they do need account
information so that we can create home directories and set permissions.
I'm leaning towards running an NIS domain parallel to the NT
domain.  Since Samba will do the authentication off the domain
controllers, the NIS domain will just be a centralized user/group
mechanism.  The problem is how to keep them in sync.
	I've considered using Jeremy's pwdump.exe to dump the user
accounts on the PDC, and then scripting the NT 'net group /DOMAIN' command
to get all the groups, and the 'net group <groupname> /DOMAIN' to get all
the users in each group.  If I wrap the entire mess in a Perl script, I
could dump it to a text file, then SMB-mount a share on the NIS master,
copy the file over, and unmount the share.  If I did this every 15 or so
minutes, then I could set a cron job to run every minute, looking for a
new file in the share.  If the file exists, I could kick off a cron job to
add/delete/modify users/groups based on the differences.  The major
downsides to this are that a) the database could be 15 or 20 minutes out
of date, b) this could put a significant load on the PDC, c) the NT admins
probably won't like me installing Perl on their production PDC, and
d) I'll have to write all sorts of Perl scripts to do this.
	I've had a couple other ideas, but I'm not sure if they're even
possible (or any better).  I had considered making the NIS master a Samba
BDC to the NT domain.  In that case, there might not be a need for a file
transfer, since the BDC and NIS master are one-and-the-same.  But, how
stable is the BDC code, and how does the Samba BDC store all the account
information?  Is it in a text file that I can easily script Perl to make
changes? Or is it in a database format that will be difficult to work
with?  Again, stability on the BDC side is very important, because the
future of Linux in our company depends on us producing a stable, cheaper
solution than NT.  If the Samba BDC code is unstable, and needs to be
restarted frequently (or corrupts the database, etc), then it's certainly
not going to work.  Is this even a viable solution?
	I had also read some stuff in the archives about WinBind, but I'm
not sure what state that is in.  If I had a plug-in that would talk with
the NT domain controllers for user/group names, I wouldn't need to run
NIS, since Samba can already authenticate.  
	I'd certainly appreciate any help anyone can offer.  Of course,
we're trying to integrate this into a production network, so the solution
has to be stable and (hopefully) easy to maintain.  Running Samba as the
PDC (or trying to use /etc/smbpasswd for authentication) isn't an option.
Again, please e-mail me separately, or include my address in any
replies.  Thanks for your time and assistance!

Geoff Silver
Systems Architect, WinStar Communications 
gsilver at winstar.com
(703) 889-1053
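As an added illustration (not part of Geoff's message, and not Samba code), here is what the diff step of the sync he describes could look like: it parses constructed samples of the `net group /DOMAIN` and `net group <name> /DOMAIN` output and of the NIS group map, and refuses to apply an empty or sharply shrunken dump so that a truncated or half-copied file never turns into mass deletions on the NIS master. Python stands in for the Perl the post mentions; the exact output layout, the group-name mapping and the 0.5 removal threshold are assumptions.

```python
import re

# Constructed sample of 'net group /DOMAIN' output (group names are marked with '*').
NET_GROUP_LIST = "Group Accounts for \\\\PDC\n\n-----\n*Domain Users\n*Engineering\n*Finance\nThe command completed successfully.\n"
# Constructed samples of 'net group <name> /DOMAIN' output (members listed in columns).
NET_GROUP_MEMBERS = {
    "Domain Users": "Members\n\n---------\nalice        bob          carol\nThe command completed successfully.\n",
    "Engineering": "Members\n\n---------\nalice        bob\nThe command completed successfully.\n",
    "Finance": "Members\n\n---------\ncarol\nThe command completed successfully.\n",
}
# Constructed current NIS group map (name:password:gid:members) on the NIS master.
NIS_GROUP_MAP = "domain_users:*:1000:alice,bob,carol,dave\nengineering:*:1001:alice\nsales:*:1002:dave\n"

def nis_name(nt_group):
    """NT group names may contain spaces and mixed case; NIS group names should not (assumed mapping)."""
    return re.sub(r"\s+", "_", nt_group.strip()).lower()

def parse_members(text):
    """Members follow the dashed rule, several per line, until the status line."""
    members, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("---"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list:
            members.update(line.split())
    return members

def parse_nt_dump(group_list, member_dumps):
    """Return {nis_group_name: set(members)} from the two 'net group' outputs."""
    names = [l[1:].strip() for l in group_list.splitlines() if l.startswith("*")]
    return {nis_name(n): parse_members(member_dumps.get(n, "")) for n in names}

def parse_nis_group_map(text):
    """Return {group: set(members)} from a group(5)-style NIS map."""
    rows = [l.split(":", 3) for l in text.splitlines() if l.strip()]
    return {name: set(filter(None, members.split(","))) for name, _pw, _gid, members in rows}

def plan_changes(nt, nis, max_remove_fraction=0.5):
    """Diff the maps into add/remove/modify. An empty or sharply shrunken dump is
    treated as a transfer failure, not as a request to delete most of the groups."""
    removed = nis.keys() - nt.keys()
    if not nt or (nis and len(removed) / len(nis) > max_remove_fraction):
        raise ValueError("dump empty or implausibly small; refusing to apply")
    modify = {g: {"add": sorted(nt[g] - nis[g]), "remove": sorted(nis[g] - nt[g])}
              for g in nt.keys() & nis.keys() if nt[g] != nis[g]}
    return {"add": sorted(nt.keys() - nis.keys()), "remove": sorted(removed), "modify": modify}
```

The returned plan is what a cron job on the NIS master would feed to groupadd/groupdel/usermod before rebuilding the maps; applying it is left out here.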
