[Samba] winbind capabilities

[Jim Kusznir]

Hi all:

I'm looking for a solution to integrate 150+ existing linux sysems into
an Active Directory (Win Server 2003) domain.  These systems are
currently using NIS for directory/authenitication services, and all
users (2000+) have existing UIDs/GIDs that need to be maintained (due to
being spread out all over the place; we don't think we could do any kind
of controlled migration of this data, etc).  Our directory schema
already has the msSFU30 schema added.

I've done extensive research, and it seems my options are:

1) implement services for unix on a windows server
2) use straight LDAP auth (LDAP NSS, LDAP pam)
3) use LDAP in NSS and kerb in pam
4) use LDAP in NSS and winbind in pam

>From what I undrestand, there is no feesable way of implementing winbind
in NSS and maintaining existing UID/GID mappings.

#1 doesn't really work for us (we want to ditch NIS for a number of
reasons and we can't adequately secure NIS running under SFU).
#2 doesn't really work due to security constraints and strikes me as a
BadThing in general.

My first real question to the list is what does #4 get me over #3?

Some other requirements for our environment:
We need group membership to work (e.g, have users as members of groups
on the unix side)
We also need a mechanism for restricting login on workstations to a
specific list of users (on workstation a, only users b,c, and d can log
in, on workstation b, members of group alpha can log in, etc). 
Currently we implement this through netgroups on NIS.  The
implementation is not important as long as it "does the job".

In the perfect world, all these services would be provided in a way
where our helpdesk staff could create/maintain accounts and workstation
access lists using only Active Directory Users and Computers or other
windows managment tools.  This is not a requirement, just a preference.

Now into the truely unkown relm:
We are investagating means for offering strong protection on our network
shares.  By this, I mean enforcing permissions to the point where if a
user has not logged into that station with a username and password, then
they do not get to access any remote files belonging to that username. 
For example, user A logs into a workstation.  She can access all her
files on our network filer and other network shares.  Then this user
su's to root, and then to user B.  While we can't stop her from
obtaining user B's credentials for local file access, she has not
authenticated as user B, and thus doesn't have a ticket for user B,
etc.  If she tries to do anything requring user B's credentials on the
network (i.e, delete user B's files from his home directory), she will
be unable to do so (permission denied).

By default, windows gives this protection.  Their kerberos ticket
authorizes all netowrk shares, and logging on as "local administrator"
or any other local user will not authorize them to access any network
resources without authenticating as a domain user.

We would like to implement something like this on our linux stations. 
We don't really know how to; we're in the brainstorming phase.  One
possibility I had was mount their home directory via CIFS; another was
NFSv4 with kerberos.

Does anyone have any suggestions?  Are there any cool ways to do this
with samba/winbind/samba tools?

Thanks in advance!
--Jim Kusznir
Unix System Admin
Washington State University, School of EECS