[lug] Unix / NT Authentication?

Nate Duehr nate at natetech.com
Tue Oct 17 00:22:51 MDT 2000

Well, I have an interesting project ahead, and just thought I'd cross-post
to the two smartest groups of people I've had the pleasure of interacting
with here in Denver on Linux.

(Are you buttered up enough yet?  :)  )

The project is ...
  Getting Linux and Solaris both to authenticate users off an NT domain.

Cough, gasp...

Well, okay... as one of our guys put it:  "It's one of the 'Holy Grails' of
IT!  Centralized Authentication of Users!"

Oh yeah, one other interesting criteria:  Something in the network has to
provide site-by-site TACACS+ authentication for routers nationwide.

Another "nice" thing (in other words, it's implied by management) would be
some rudimentary redundancy for the whole shebang... one authentication
server going down (no jokes about NT here... I know, I know...) shouldn't
wipe out the ability for people to do their jobs.

So obviously I'm looking at a lot of possibilities:

- Cisco appears to have a product that would ascend to the heights of
Holiness in this whole mess, ACS... but a perusal of BugTraq and
SecurityFocus shows that it's full o' holes.  Or it has been, anyway.
- RADIUS as a protocol for this whole mess appears too limited, but with the
proliferation of small ISP's out there, it seems to be readily available in
various flavors and feature-sets.
- LDAP can provide a central repository, but OpenLDAP appears to be an
erector set of parts without much framework to start with.  Commercial LDAP
stuff is an option...
- Kerberos looks like an administrative nightmare for a small staff who's
server farm is outgrowing their hiring, but maybe useful.  M$'s tweaking of
Kerberos in Win2K doesn't help my heartburn about that one, either.  That's
war's not over yet...
- TACACS+ has the functionality needed to lock down particular users to
particular commands in Cisco gear (their protocol, their functionality...
that's fine), but there doesn't appear to be many good ways to get it to
play nicely with the rest of the authentication protocols out there.  Or
perhaps I'm wrong.

So I'm here just wondering if perhaps in my reading so far that I've missed
the obvious silver bullet somewhere, and if so... doing due-dilligence to
ask those more experienced and smarter than I.  (Learned from old telco
guys, what can I say...?  I think they beat it into me!)

Anyone have something they :
1. Found interesting to set up.
2. Find relatively efficient to administer?
3. Didn't cost more than Fort Knox?


What's the phrase?  "IT Projects: Fast, Cheap, On-Time -- pick any two?"


More information about the LUG mailing list