[lug] Unix / NT Authentication?

Nate Duehr nate at natetech.com
Wed Oct 18 03:32:05 MDT 2000

Thanks to the many who replied.  Sounds like I'm going to be out on the
bleeding edge on this one.  I'll get the little piece of tissue paper ready
for the razor burn -- and hope it goes no deeper than that.  :)

Kyle... Agreed LDAP's not tested well enough yet in large environments, but
we're not *that* big yet, so I'll just get fired if it doesn't work!  :)
Hee hee...  I'll let you know how it goes!  Okay, not really.

Ian & Sue... Looked into pam_smb and pam_ntdom -- supposedly from docs at
each homepage, pam_smb is buggy if machines that don't have reverse lookups
hit your box (requires a recompile of login to avoid a bug in pam_smb...
does that somehow seem wrong to anyone else here?  hands? ... it segfaults)
and ntdom is orphaned due to too many root exploits found in the code!

All... thanks for the world view for both HP and Sun, and the other various
ideas.  I'll check out the commercial stuff I hadn't seen yet.  Sounds like
all are headed in the same direction anyway -- haven't got enough data to
decide whether that's a Good Thing(TM) or a Bad Thing(TM) yet.


And thanks for the reminders about availability issues when tying this many
systems together.  I'm starting to wonder if I'm guaranteeing myself massive
outages.  Perhaps a re-think of some of the scope of this is needed and some
docs written to show pros/cons of linking all the systems FIRST before
designing a way to do it.  Which systems blow up customers?  Which systems
just tick us off, but customers are unaffected?  I *must* think harder about
big picture before doing anything rash.

I guess tomorrow morning we'll fire up Napkin-CAD 1.0 over breakfast at the
restaurant next door to the office with the Unix geeks and figure out what
to try, if anything.  If what we do is even remotely interesting (and not
patched together with bubble gum, baling wire, and bash scripts), I'll try
to post it to the lists.

Thanks again all, and thanks to those who may reply later as well...


From: Ian Hall-Beyer <manuka at nerdherd.net>
Reply-To: lug at lug.boulder.co.us
Date: Tue, 17 Oct 2000 07:35:28 -0600 (MDT)
To: lug at lug.boulder.co.us
Subject: Re: [lug] Unix / NT Authentication?
> On Tue, 17 Oct 2000, Nate Duehr wrote:
>> Getting Linux and Solaris both to authenticate users off an NT domain.
>> Well, okay... as one of our guys put it:  "It's one of the 'Holy Grails' of
>> IT!  Centralized Authentication of Users!"
> A couple options. One is to use NT as the domain controller and use PAM
> modules that auth against it. Never seen it in action, but I've heard it's
> out there. 
> Alternately, there is a commercial NIS client for windows (Sun used to
> sell one up until 1998 or so called Solstice NFS client - It's since been
> EOLed and Sun is recommending a similar product from another vendor). I
> will post the URL to the product I know about later today when I get to
> work. 
> -Ian
