SUMMARY: using Active Directory with Solaris

From: Corbett Waddingham (cwaddingham_at_nationalclearing.com)
Date: 04/07/04

    Date: Tue, 6 Apr 2004 15:44:12 -0700
    To: "Sunmanagers (E-mail)" <Sunmanagers@sunmanagers.org>

    Hello all,

    Sometime ago, I posed a question about how to get Solaris to work with Active
    Directory. After several false starts, I finally found the answer: Microsoft's
    Services for UNIX (SFU). SFU is a software suite which extends the Active
    Directory schema, allowing various services to run out of AD for UNIX servers,
    including (wait for it....) NIS. So far, it's working fairly well, with some
    limitations. Here's a list of the gotchas I've encountered so far:

    1) If you have an existing AD tree, you have to modify each individual user to
    use SFU by opening their properties, choosing the "UNIX Attributes" tab, and
    adding their UNIX account information (UID, GID, home, shell, and NIS domain).
    Needless to say, this is tedious in large organizations. I'm lucky: I only
    have about 100 users. I can't imagine someone with 10,000 going through this
    willingly.

    2) Once the UNIX attributes have been set, you have to reset the password of
    the user before you can sync their account up in NIS, presumably because AD
    stores passwords in a one-way encryption which is neither crypt nor MD5.

    3) If you have/want multiple NIS domains, you'll have to have multiple NT
    domains. Each NT domain gets mapped to a single NIS domain, which must have the
    same name, and this requires one PDC for each domain. You can, however, control
    multiple domains through one AD forest, so the administration isn't too bad,
    as long as you have extra machines for this purpose.

    4) Not all of the common features of NIS are easily supported, but they are
    all there. The passwd map is controlled through the user management GUI;
    however, all other maps (netgroup, hosts, ethers, etc.) must be edited on the
    command line. This is potentially a problem for organizations which want to
    standardize on one management tool. It should be possible to extend the AD
    schema to include these other maps; however, I have not yet gotten to that.

    5) The master NIS server *must* be the AD server. There is a tool for
    migrating an existing master db into the AD server, but so far as I can tell,
    this is only useful if you have an existing NIS network with no existing AD
    servers.

    6) I encountered some problems getting the master to talk to the slaves
    properly. I found you have to make sure, when you list the slave servers in
    the SFU console, to supply their FQDN. Just using the hostname by itself led
    to inconsistent communication.

    It was surprisingly easy to install and configure SFU, and since it was using
    NIS, it was trivial to set up on the Solaris servers. Unfortunately, SFU
    doesn't support NIS+, so for those organizations requiring that, this isn't
    the answer. But for a smallish shop like mine with a need to standardize
    usernames and passwords on both the NT and UNIX sides of the house, it was the
    answer.

    r/

    Corbett Waddingham
    Senior Systems Administrator
    National Clearing Corp.
    310-385-2257 phone
    310-385-2225 fax
    cwaddingham@nationalclearing.com

    E-MAIL DISCLAIMER
    Notice Regarding Entry of Orders: Please do not transmit orders regarding your
    account(s) by e-mail. National Clearing Corp. will not accept orders
    transmitted by e-mail, and National Clearing Corp. will not be responsible for
    carrying out such orders.
    Notice Regarding Privacy and Confidentiality: National Clearing Corp. reserves
    the right to monitor and review the content of all e-mail communications sent
    and/or received by its employees.
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
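    An added check, written for this archive page and not part of the post or of
    SFU: it parses a passwd map the way a Solaris NIS client sees it (e.g. the
    output of `ypcat passwd`) and flags the entries that gotchas 1 and 2 above
    produce: users whose UNIX Attributes were never completed, and users whose
    password field is not a crypt/MD5 hash because the AD password was not reset
    after the attributes were added. The map lines are constructed sample data.

```python
import re

# Password fields a Solaris NIS client can actually verify with crypt(3):
# the traditional 13-character DES form or MD5-crypt ("$1$salt$hash").
DES_CRYPT = re.compile(r"^[A-Za-z0-9./]{13}$")
MD5_CRYPT = re.compile(r"^\$1\$[A-Za-z0-9./]{1,8}\$[A-Za-z0-9./]{22}$")

def usable_hash(pw):
    """True if the passwd field is a hash a UNIX client can check a password against."""
    return bool(DES_CRYPT.match(pw) or MD5_CRYPT.match(pw))

def check_passwd_map(lines):
    """Return {user: [problems]} for every map entry that would not work as a UNIX login."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, problems = fields[0] or "<empty>", []
        if len(fields) != 7:
            findings[user] = [f"expected 7 fields, got {len(fields)}"]
            continue
        _, pw, uid, gid, _, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            problems.append("UID/GID missing or not numeric (UNIX Attributes incomplete)")
        if not (home and shell):
            problems.append("home directory or login shell missing")
        if pw == "":
            problems.append("empty password field: account logs in without a password")
        elif not usable_hash(pw):
            problems.append("password field is not a crypt/MD5 hash; AD password likely never reset")
        if problems:
            findings[user] = problems
    return findings

# Constructed sample of what `ypcat passwd` could return from an SFU master (not real data).
SAMPLE_MAP = [
    "alice:ab3XyZ9kLmNoP:1001:100:Alice Example:/home/alice:/bin/ksh",              # fine (DES)
    "bob:$1$saltsalt$Zz9aB8cD7eF6gH5iJ4kL3m:1002:100:Bob Example:/home/bob:/bin/sh",  # fine (MD5)
    "carol:*:1003:100:Carol Example:/home/carol:/bin/ksh",                           # gotcha 2
    "dave::1004:100:Dave Example:/home/dave:/bin/sh",                                # no password
    "erin:q1W2e3R4t5Y6u::100:Erin Example::",                                        # gotcha 1
    "frank:q1W2e3R4t5Y6u:1006:100:Frank Example:/home/frank",                        # truncated
]

if __name__ == "__main__":
    for user, problems in check_passwd_map(SAMPLE_MAP).items():
        print(f"{user}: {'; '.join(problems)}")
```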

