Whose kerb and LDAP? [Was: Re: Samba as BDC in windows domain?]

David Lee t.d.lee at durham.ac.uk
Wed Jun 12 02:31:18 GMT 2002

On Tue, 11 Jun 2002, Steve Langasek wrote:

> On Tue, Jun 11, 2002 at 05:05:35PM +0100, David Lee wrote:
> [...]
> > Now...  we are contemplating a migration to Active Directory ("AD") of
> > these accounts: some 20,000 or them.  (Gives me, as a UNIX person, the
> > shudders, but that's another story...!)  One reason is so that the id/pw
> > pair can be a real Windows authentication, so they can do real Windozy
> > things.  We are very keen to preserve the "single authentication" model.
> > Our plan is to set up accounts for all users in AD.  We would then use
> > UNIX password-aging mechanisms to "persuade" all users to change their
> > password "at leisure, in their own time".  But behind the scenes we would
> > be using the UNIX PAM module from Microsoft's SFU to copy (synchronise)
> > these password changes out from UNIX into AD.  (We'll also be using SFU's
> > corresponding "ssod" daemon for a small number of real-AD folk who might
> > want to maintain synchronisation from AD towards UNIX.)
> FWIW, what I'm hearing from the Kerberos world is that it's possible to
> store all of your actual accounts in a traditional Unix KDC, creating a
> trust relationship with your AD server, and still get most of the
> "Windozy" things out of the mix.  There's also a PAM module called
> pam_krb5_migrate that can help with this as well, though I've never
> tested it in a Solaris environment.  It does at least require an
> MIT-like KDC (Solaris probably qualifies) with matching client libraries
> (kadm5clnt).
> Synchronizing passwords via PAM has always been hairy.  Migrating to a
> single unified backend such as Kerberos and using that for /all/
> systems, Windows and Unix, is a much more promising long-term solution.

Thanks, Steve.

One thing that didn't come across in my message is that the "synchronising
password" thing is being envisaged only as a temporary (about a year)
thing, not a permanent feature.  Currently, authentication is solely UNIX
(NIS).  Ultimately it will be solely AD.  But we have some 20,000 to
migrate from NIS-authentication to AD-authentication.  Naturally we want
this to be as seamless as reasonably possible, both from their user
viewpoint, and our own administrative viewpoint, especially as we'll be
having real AD users very, very soon.  Hence our exploring the SFU PAM
module (and "ssod") to synch up the passwords as much as possible during
this interim period.

We also gave much thought to trying to provide an independent solution
(e.g. OpenLDAP and something kerberos-y) for authenticating (etc.) from
both our existing 20,000 NIS environment and the imminent, emerging and
growing AD environment.

But the Windows/PC folk were worried (and I think I share this) about the
ability of AD to interwork (be implemented by?) third party LDAP/Kerberos.
In *theory*, AD is supposed to be compliant with LDAP and Kerberos, isn't
it?  But we had nagging doubts about the Microsoft *reality* of this, and
were very concerned that we could end up spending vast amounts of time,
energy and worry, including user frustration etc., chasing the "well it
depends what you mean by compliant" grey areas.  (Yes, we been sucked into
the pragmatic realities of selling our soul to Seattle.)

Am I digressing from Samba here?  At first sight, yes.  But we'll need
Samba to interoperate with this (although concurrent with all this is a
phasing out of the majority of, not all, Samba file-serving as we migrate
to NetApp). 


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

More information about the samba-technical mailing list