FOLLOWUP: using Active Directory with Solaris

From: Stephen Joyce (stephen@physics.unc.edu)
Date: Thu Apr 08 2004 - 01:18:08 EDT


On Tue, 6 Apr 2004, Corbett Waddingham wrote:

> 1) If you have an existing AD tree, you have to modify each individual user to
> use SFU by opening their properties, choosing the "UNIX Attributes" tag, and
> adding their UNIX account information (UID, GID, home, shell, and NIS domain).
> Needless to say, this is tedious in large organizations. I'm lucky, I only
> have about 100 users, I can't imagine someone with 10,000 going through this
> willingly.

I'd never recommend that anyone use a MS product if there is a viable
alternative, but in the event you have no choice about supporting Windows,
here's a friendly heads-up for those of you who try to keep Active
Directory and unix accounts in sync (account creation, deletion,
attributes, etc) and prefer not to click (or just like the idea of managing
AD from unix).

After attempting, unsuccessfully, to beat Microsoft's AD unix tool into
submission, I found the open-source adtool-1.2, http://c128.org/adtool, and
it seems to work well for this task.

I did read about the ADSI trusted-PC approaches for syncing AD to an
external user database, however I wanted something more direct and easier
to manage.

With it, I was able to create ~250 accounts in AD, placing them in the
correct OUs, setting all the proper attributes, and setting random
passwords, from a unix script in ~5 minutes.

I happen to use the krb5 name mapping attribute and a trust relationship
between AD and an MIT kdc, so that windows users do not need to know their
real windows passwords, but use the kerberos password instead; however,
that is not necessary. This tool should make it simple to keep the windows
password in sync with another password, be it afs, krb5, nis, ldap, etc,
with just a little scripting.

This tool does have a few prereqs, namely openldap (with ssl support) and
configuring your Win2K DC to talk ldaps, but it's doable for anyone who's
ever compiled unix applications before.

I just thought I'd mention this tool because I found it useful for beating
AD into submission--to create lots of users without wearing out my clicking
finger or worrying about typos.

Hope this helps.

Cheers,
Stephen

--
Stephen Joyce
Systems Administrator                                            P A N I C
Physics & Astronomy Department                         Physics & Astronomy
University of North Carolina at Chapel Hill         Network Infrastructure
voice: (919) 962-7214                                        and Computing
fax: (919) 962-0480                               http://www.panic.unc.edu
Don't anthropomorphize computers.  They hate that.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
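As an added illustration of the bulk-creation workflow described in the post above (this is not Stephen's script and not part of adtool itself): a POSIX sh driver that feeds a user list to adtool, places each account in its OU, sets the SFU 3.x UNIX attributes that the "UNIX Attributes" tab would, assigns a random password, and enables the account. The adtool subcommand names, the msSFU30* attribute names, the NIS domain and the sample records are assumptions; a dry-run mode prints the plan so it can be reviewed before touching a DC.

```shell
#!/bin/sh
# Bulk AD account creation driven by adtool (command syntax assumed from its
# documentation).  Input records: login:uid:gid:home:shell:ou
# Set ADTOOL_DRYRUN=1 to print the planned commands instead of running them.
ADTOOL=${ADTOOL:-adtool}
NIS_DOMAIN=${NIS_DOMAIN:-physics}   # assumed SFU NIS domain name

# Constructed sample input, not real accounts.
SAMPLE_USERS='jdoe:1001:100:/home/jdoe:/bin/bash:ou=Students,dc=example,dc=org
asmith:1002:100:/home/asmith:/bin/tcsh:ou=Staff,dc=example,dc=org'

run() {                       # execute adtool, or show the plan in dry-run mode
    if [ -n "$ADTOOL_DRYRUN" ]; then echo "$ADTOOL $*"; else "$ADTOOL" "$@"; fi
}

# 16 random characters from the kernel RNG, retried until all four AD
# complexity classes are present.  The value is never logged anywhere.
gen_password() {
    while :; do
        p=$(LC_ALL=C tr -dc 'A-Za-z0-9@#%_' < /dev/urandom | head -c 16)
        echo "$p" | grep -q '[A-Z]' && echo "$p" | grep -q '[a-z]' &&
        echo "$p" | grep -q '[0-9]' && echo "$p" | grep -q '[@#%_]' && break
    done
    echo "$p"
}

# One record -> account in its OU, SFU 3.x UNIX attributes (assumed names;
# Windows 2003 R2 uses the RFC 2307 uidNumber/gidNumber names instead),
# random password, then enable.  adtool takes the password on its command
# line, where ps can see it, so run this only on a trusted admin host.
create_user() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    login=$1 uid=$2 gid=$3 home=$4 shell=$5 ou=$6
    pw=$(gen_password)
    run usercreate "$login" "$ou"
    run attributereplace "$login" msSFU30UidNumber "$uid"
    run attributereplace "$login" msSFU30GidNumber "$gid"
    run attributereplace "$login" msSFU30HomeDirectory "$home"
    run attributereplace "$login" msSFU30LoginShell "$shell"
    run attributereplace "$login" msSFU30NisDomain "$NIS_DOMAIN"
    if [ -n "$ADTOOL_DRYRUN" ]; then echo "$ADTOOL setpass $login [redacted]"
    else "$ADTOOL" setpass "$login" "$pw"; fi
    run userunlock "$login"
}

# Feed every non-empty record on stdin to create_user.
create_all() {
    while IFS= read -r rec; do
        if [ -n "$rec" ]; then create_user "$rec"; fi
    done
}
```

Usage: `printf '%s\n' "$SAMPLE_USERS" | ADTOOL_DRYRUN=1 sh -c '. ./adcreate.sh; create_all'` shows the plan; drop the dry-run variable to execute it against a DC that adtool has been configured to reach over ldaps.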


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:25 EDT