Samba 3.0.10 PDC X-domain trust (Windows to Unix authentication/synchronization)

From: Adams, Jonathan K. [C] (Jonathan.K.Adams@nga.mil)
Date: Tue May 24 2005 - 06:04:33 EDT


Hi all,

        Okay, here's the situation:

Right now I have an old environment: NIS+ + PCNFS + Windows 2000 AD +
Reflection, which is used by users to map directories on EMC storage from
their Windows accounts, using their Unix permissions/IDs.

NIS+ has to go in favor of LDAP.

At one point I was leaning toward a SEAM/LDAP configuration with the
Kerberos authentication happening between Windows and Solaris, but this
seemed like more trouble than I needed; I couldn't figure out a way to copy
users' Unix passwords from NIS+, shadow, or LDAP into Kerberos, and there
are a few accounts... more than I care to enter by hand.

I have configured LDAP authentication (I couldn't figure out the NIS+ gateway
to save my life, btw), imported the relevant data, moved my newest client
hardware to it for authentication, and all is great... but as soon as I
take away the NIS+, the Windows side will break badly.

My solution (I was thinking) would be to create a Samba PDC and Windows
domain on the Unix boxes using the LDAP data (thus linking the Unix IDs
directly to a Windows username), then to create a cross-domain trust and let
the users on the Windows side use Unix file resources as though they were
Windows ones (their primary home directories are on the Unix side, for
example, but Reflection allows them to map it as a drive).

How far I have gotten:

Downloaded the Berkeley DB and OpenLDAP packages from Sun, installed them on
my LDAP box for testing (Solaris 9, Sun ONE DS 5.1), built Samba with LDAP
support (a lot easier than I heard it would be, by the way), took a look at
the tmp file created by the smbldap populate script and rolled my own LDIF,
making small changes: I store my users in ou=people,dc=...

Configured the smb.conf and started it up... my domain was visible.

Created trust accounts on both sides, and after much trouble, and running
smbpasswd with -D 256, I could see it didn't like the fact that my user objects
were missing several attributes... went into the Samba schema and added them
(using the OpenLDAP schema to determine the data types). As an aside, if I
can do this, why can't the Samba developers??? Why even give us a
Netscape/Sun ONE schema when it's missing like 8 or 9 of the schema items
Samba needs to run fully?

Anyway... after making the changes, the Windows side is able to establish the
trust and can see my shares, kinda... but here's the weird part: the Unix
side cannot establish a trust, and on the Windows side (Event Log), after
the trust is established, the X-domain trust user (XYZ$) immediately logs
off. It looks like it should work, but it definitely does _not_. I know
I have made a (or some) mistake(s)... and if anyone has something like this
working and has a recipe beyond the obvious google-able resources, it would
be greatly appreciated.

I know this is long and rambling, but I've invested about 19 hrs in this and
don't want to leave out anything important.

-----------------------------------------------
Jon Adams
Unix Web Engineer
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
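The kind of smb.conf the setup described in this post needs (a Samba 3.0.x PDC with an ldapsam backend and a cross-domain trust), as an added example that is not part of the original post or the poster's actual configuration. The domain names UNIXDOM and WINDOM, the host ldap.example.com, the suffix dc=example,dc=com, the bind DN and the uid/gid ranges are all assumed placeholders; only the ou=people user container comes from the post.

```ini
# Added example smb.conf for a Samba 3.0.x PDC storing accounts in LDAP.
# All names and ranges are placeholders chosen for illustration.
[global]
    workgroup = UNIXDOM                  ; NetBIOS name of the Samba domain
    netbios name = SAMBAPDC
    server string = Samba PDC
    security = user
    encrypt passwords = yes

    ; Act as the domain's PDC and domain master browser
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    ; Accounts live in the directory, not in smbpasswd/tdbsam
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=people         ; the post keeps users in ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers   ; machine and trust ($) accounts
    ldap idmap suffix = ou=idmap
    ldap ssl = start tls                 ; do not send the admin bind in clear
    ldap passwd sync = yes               ; keep userPassword and the NT hash in step

    ; uid/gid mapping for SIDs from the trusted Windows domain
    idmap backend = ldap:ldap://ldap.example.com
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    ; Roaming profiles off; homes come from the Unix side
    logon path =
    logon home =

[homes]
    comment = Unix home directory
    browseable = no
    read only = no
    valid users = %S

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
```

The LDAP admin bind password is not placed in smb.conf; it is stored in secrets.tdb with `smbpasswd -w`. For the trust, the two directions are set up separately, following the Samba 3 HOWTO: when WINDOM is to trust UNIXDOM, create the interdomain trust account on the Samba PDC with `smbpasswd -a -i WINDOM` and then add UNIXDOM as a trusted domain on the Windows side using the same password; when UNIXDOM is to trust WINDOM, first add UNIXDOM as a trusting domain on the Windows side, then run `net rpc trustdom establish WINDOM` on the Samba PDC and check it with `net rpc trustdom list`. A trust account that Samba cannot read back with every sambaSamAccount attribute it expects is a plausible reason for the symptom in the post, so `pdbedit -L -v` on the trust account is a quick way to confirm the object is complete before retrying the trust.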



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:45 EDT