Slashdot Mirror


Windows 2000 Directory Support While Keeping Unix?

bob asks: "I work for an independent agency of the US government. My group supports about 350 people, or about 20% of the agency's staff. Most of our users spend their days crunching enormous piles of numbers, calculating models, simulations, projections and other scientific type stuff. We were strictly a Unix (with some mainframe) shop from about 1985-1995, when agency- (and industry-, for that matter) wide "standards" forced us to implement NT desktop machines so our people could run things like MS Office and PeopleSoft. However, with a bunch of work and with extensive use of various tools like Samba and Hummingbird's eXceed, we were able to make this change without significant damage to our Unix environment. In fact, this has been working pretty smoothly and we had begun to evaluate the practicality of replacing most of our NT servers with Linux machines, contingent on the Samba ACL code reaching a reasonable level of stability. Sadly, we now are faced with what, on first glance, would appear to be a larger threat: Active Directory."

"Although our group has historically been able to control its own authentication and name services, our agency, together with some other affiliated entities, has begun to develop plans for the deployment of W2K and Active Directory, agency-wide, and we are beginning to hear noises about the possibility of it being implemented in a configuration that would move that control outside of our group for the first time. Given that we are the only dyed-in-the-wool Unix shop anywhere in sight, we're not counting on Unix-specific concerns carrying much weight in this discussion. FWIW, "Unix" in this case is mostly Solaris/SPARC, with a growing Linux and BSD flavor, both also on SPARC as well as x86.

Now, to get to the point, I have the following serious questions to which informed answers would be tremendously useful right about now:

  1. It is my impression, which may be incorrect, that (a) a W2K workstation using Active Directory services cannot directly access old, NT4-style SMB shares, and (b) neither Samba (at least any stable releases thereof) nor any commercial SMB-on-Unix implementations (not that I'd be at all happy to ditch Samba) is able to export Unix filesystems via the new, W2K-style protocol, or at least not in any way that would provide "seamless integration" with W2K clients that also needed to access AD/W2K-based resources. From these impressions I would conclude that AD-infected W2K workstations cannot be made to access Unix-native filesystems via SMB. Is this correct? If there are inaccuracies in this, or if it's "not really that simple", I'd love to know the details.
  2. It is unclear as yet whether we would somehow be forced to use AD/W2K-based name and authentication services for our Unix machines. Potentially, for authentication we could use the vanilla Kerberos interface in AD. However, for name and directory services to work fully, we are likely to need to be able to store RFC 2307-compliant data in the AD LDAP. So, leaving aside the question of whether we would even be allowed to store the RFC 2307 data in the agency's AD, are these things possible or practical?
  3. One concern we have about AD is the likelihood that we may have to use a subtree of the central AD for our group. In this event, we expect that some sorts of access and control are likely to propagate down from the top of the tree, and that we may ultimately not be able to have the final say over who has what permissions with respect to the resources supported by our group. Not to be territorial, but this raises some significant security concerns in that some of the data we process is quite sensitive (e.g. respondent-level survey data -- can you say "privacy concern"?) and the auditors will want to see assurances that access and distribution are properly controlled within our group. Is this a legitimate concern about a centrally-controlled AD? Are there some AD configurations that are less troublesome than others in this regard?
  4. Does anyone know of any other potential killer incompatibilities between AD/W2K and Unix that should be put on the table as we discuss our "requirements" (ha) with the central IT people who are trying to do this?
  5. Has anyone gone (is anyone going) through this who would be willing to share experiences?

For everyone who will no doubt respond to this by identifying all the better solutions that may exist, I'd love to do something like that -- we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control, and we may wind up stuck with the task of finding some way to salvage whatever we can of fifteen years of investment in a Unix-based solution. I'm just trying to understand the pitfalls a bit better before all this is set in stone.

Here are three previous /. items that seem most relevant, so you know that you don't have to point me to these."

155 comments

  1. Re:bloody macroshaft by maskatron · · Score: 1

    remember, this will only be a problem IF you upgrade to Win2000.

    --
    Have you seen Ironstayn vs Supergovernment yet?
  2. Kerberos and LDAP by liki · · Score: 3

    At least to my understanding, Microsoft's implementation of Kerberos is uncompatible in such a way that the Directory service is only available while running W2K Kerberos server. W2K is able to authenticate from UNIX Kerberos server, but I've heard a claim that UNIX clients will be unable to authenticate from W2K Kerberos. None of this I have tried out myself, not willing to touch W2K with even a long, very, very long stick.

    1. Re:Kerberos and LDAP by bukys · · Score: 4
      No, Microsoft has embraced and extended Kerberos: you can use a W2K Kerberos server with both Unix and Windows clients. You can't use a non-Microsoft Kerberos server and support the extra Microsoft baggage for W2K clients. (Baggage recently documented by Microsoft, under non-disclosure.)

      See http://slashdot.org/articles/00/06/28/0042228.shtml for recent SlashDot discussion.
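The arrangement bukys describes (a W2K KDC serving both Windows and Unix clients) comes down to a realm definition on the Unix side. The krb5.conf below is an added example for an MIT Kerberos client of the W2K era, not configuration posted in this thread; the realm AGENCY.GOV, the host names dc1/dc2.agency.gov and everything else in it are assumptions. The part a practitioner trips over is encryption types: a W2K KDC issues RC4-HMAC tickets by default, which MIT clients of that period did not implement, so interoperation meant either a client that speaks RC4-HMAC or ticking "Use DES encryption types for this account" on the AD user, which drops that account to single-DES (56-bit, weak even then).

```ini
# Added example, not from the thread: MIT Kerberos client configuration
# pointing a Solaris/Linux box at a Windows 2000 KDC. Realm, host names
# and paths are assumptions.
[libdefaults]
    default_realm = AGENCY.GOV
    # W2K issues RC4-HMAC by default. An MIT client without RC4-HMAC
    # support must ask for DES, and the AD account must be flagged
    # "Use DES encryption types" or the KDC has no DES key for it.
    # Delete these two lines once the client knows RC4-HMAC.
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    # Pin the KDCs instead of trusting SRV records from whoever owns DNS.
    dns_lookup_kdc = false
    ticket_lifetime = 10h

[realms]
    AGENCY.GOV = {
        # Every W2K domain controller is a KDC on port 88.
        kdc = dc1.agency.gov:88
        kdc = dc2.agency.gov:88
        admin_server = dc1.agency.gov
    }

[domain_realm]
    # Map our hosts onto the AD realm (AD realm names are upper-case DNS).
    .agency.gov = AGENCY.GOV
    agency.gov = AGENCY.GOV

[logging]
    default = FILE:/var/log/krb5libs.log
```

Check it with `kinit bob@AGENCY.GOV` followed by `klist -e`, which shows the enctype the KDC actually issued; a reply of "KDC has no support for encryption type" means the account has no DES key, i.e. the flag above was not set. The "baggage" bukys mentions is Microsoft's authorization data (the PAC), carried inside the ticket's AD-IF-RELEVANT container, which a Unix service is allowed to ignore; it does not get in the way of Unix clients authenticating against the W2K KDC, it is what Windows clients need and what a non-Microsoft KDC cannot supply for them.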

    2. Re:Kerberos and LDAP by tzanger · · Score: 1

      ... Microsoft's implementation of Kerberos is uncompatible ...

      "Me fail English? That's umpossible!" - Ralf Wiggum

      (not a spelling nazi, just a Simpsons fan)

    3. Re:Kerberos and LDAP by Chris+Hind · · Score: 1

      "Me fail English? That's umpossible!" - Ralph Wiggum

      (not a spelling nazi, just a Simpsons fan)

      --
      nal 11
    4. Re:Kerberos and LDAP by tzanger · · Score: 1

      Ralph Wiggum

      I know how Ralph is spelled, for some reason I had thought that his was spelled different from the norm. After a quick check I stand corrected. :-)

  3. Re:bloody macroshaft by Evangelion · · Score: 1


    You fail to realize that that's as inevitable as death in most organizations.


  4. A couple of things by jackmama · · Score: 5
    It's mighty early in the morning, so I won't try to tackle all the questions, just these that jumped out at me:

    1. There's no reason why a workstation participating in an Active Directory domain shouldn't be able to access older style NT or Samba shares. There are a few departments where I work that have (stupidly) deployed Active Directory, but it hasn't affected their access to our NT 4 file server. Well, except that they have no idea what they're doing, so that gets them sometimes :)

    2. Using Kerberos in Win2k should work, as long as any Unix Kerb5 servers are slaves to the 2k server. From my reading, any attempt to use the AD LDAP for anything else is doomed to failure. Microsoft is supporting heterogeneous environments only to the extent that it moves people to their software, so they won't make it easy to maintain support of Unix systems.

    3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.

    5. We've been going through the preliminary planning of rolling out AD in our mixed environment (NT, Solaris, Netware), and while it's been ugly, it doesn't seem hopeless. Services for Unix 2 promises a lot (password sync among them), and if it can deliver, then integration becomes that much easier. Just keep in mind that any Microsoft solution is offered with the intention of burying your Unix boxes.

    1. Re:A couple of things by T-Ranger · · Score: 1
      Why the hell would you be deploying AD into unix and netware?

      Why are you not deploying NDS into unix and NT?

    2. Re:A couple of things by adamwood · · Score: 2

      Just something to add to point 3:

      If you can get yourself a child domain then you're even more autonomous than just having an organizational unit.

    3. Re:A couple of things by medcalf · · Score: 2

      I would only add to this that the real catch with W2K is that it attempts to own the network at the protocol level. You will find yourself having a problem, and the only solution is to migrate the DNS servers to W2K. Another problem a little later, and the only solution is to go to DHCP, and you'll have to do that with the servers on W2K. When you are trying to deploy LDAP-based apps/authentication, you will find problems that you cannot solve without creating other problems. I'm sure that there are others that I have not run across yet, but these three are big problems. The one hope you have of not letting W2K control the network eventually is to isolate it into its own network with only tenuous (SMTP, FTP, etc) links between the W2K net and anything else.

      -jeff

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    4. Re:A couple of things by Trans · · Score: 1


      3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.

      And the higher level administrator can also choose to override your block. That still gives them complete authority on the permissions and policies. Just be aware of that.

      --
      -=God Hates Me=-
    5. Re:A couple of things by T-Ranger · · Score: 2
      I don't know about ADS, but this is quite possible with NDS. Since there are some good reasons why you would want to do it, this is a serious misfeature of ADS.

      Like I needed any more reasons not to use it..

    6. Re:A couple of things by Anonymous Coward · · Score: 2

      You don't need to use Win2K DNS, if you use a recent version of BIND that supports dynamic updates and incremental transfers you'll be fine. We've got a Unix DNS running as a secondary to our domain - haven't/won't test it as a primary...
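To make the anonymous poster's point concrete: the named.conf fragment below is an added example (not from this thread) of a BIND 9 server on Unix carrying the AD zones, so neither the W2K workstations nor the DCs need a Windows DNS server. The domain, zone names, file names and addresses are assumptions. The security point is the `allow-update` line: DCs register their SRV records by dynamic update, and BIND of the W2K period cannot verify Microsoft's GSS-TSIG signatures, so the trust has to be address-based; whoever can spoof a DC address can rewrite `_ldap._tcp.dc._msdcs` and steer every logon to a host of their choosing.

```conf
// Added example, not from the thread: BIND 9 holding the AD zones.
// All names, files and addresses are assumptions.
options {
    directory "/var/named";
    // Only the DCs and our own secondaries may pull whole zones.
    allow-transfer { 10.1.2.11; 10.1.2.12; 10.1.3.0/24; };
    allow-query { 10.1.0.0/16; };
};

// Primary for the AD domain. Netlogon on each DC registers its
// A and SRV records here with plain (unsigned) dynamic update, so
// updates are allowed by DC address only; nobody else gets to write.
zone "agency.gov" {
    type master;
    file "master/agency.gov";
    allow-update { 10.1.2.11; 10.1.2.12; };
    // Reverse the default: nobody may transfer this zone except
    // the addresses above.
    allow-transfer { 10.1.2.11; 10.1.2.12; 10.1.3.0/24; };
};

// The arrangement the poster actually runs: a secondary of a zone a
// W2K DNS server owns. Pure AXFR/IXFR consumer, accepts no updates.
zone "w2k.agency.gov" {
    type slave;
    file "slave/w2k.agency.gov";
    masters { 10.1.2.11; };
};
```

After a DC's netlogon service has registered, `dig @10.1.3.5 _ldap._tcp.dc._msdcs.agency.gov SRV` should return the DC; if you would rather not open dynamic update at all, the same records can be copied from the DC's `%SystemRoot%\system32\config\netlogon.dns` into the zone file by hand (they change only when DCs are added or renamed). With BIND 8 the zone also needs `check-names ignore;`, since the underscore-prefixed owner names fail its host-name check.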

    7. Re:A couple of things by B'Trey · · Score: 1

      I don't know about this particular case but I know all too often the situation is as outlined in the lead story: you don't have a choice. You get handed a mandate that the organization is moving to AD (or whatever) and you're stuck with trying to implement it. You either make it work or you give up and go entirely MS.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    8. Re:A couple of things by swb · · Score: 4

      It's possible, but how often does it get done in NDS? One of the first things they tell you in NDS class is BE CAREFUL WHEN YOU DO THIS. If you delegate authority to an OU and that OU blocks out administrative inheritance you are sorely fsck'd, because you now have an OU that's unmanageable and potentially a whole huge NDS mess.

      What I do is delegate authority to an Organizational Role, add the OU admin and the other higher-level admins to the OrgRole, and then grant the NDS rights to the OrgRole. The key thing here is to create the OrgRole above the OU in question so that you can't be blocked out.

      Blocking higher level admins is a nice ability, but unless you have 100% trust in your downstream admins you can end up causing more problems than solutions. When I took NDS classes, the instructor spent a good deal of time recounting examples from the consulting side of the education company's business of when this had gone sorely wrong -- high level OUs with hundreds of users and other objects left unmanageable.

      What lots of big organizations that want autonomy do is create separate trees. The downside to doing this is that there's no way to create trust relationships between trees, which I think is a failing (along with the inability to make OUs a member of a group..).

      -NDS user

    9. Re:A couple of things by MO! · · Score: 1
      Not that I'm an expert in AD, but close with NDS - Please remember that NDS is a "true" distributed database. The problems caused by your example are correct, I've experienced that too. AD, however, is not really as robust as NDS. I'm not sure that this issue would be seen in an AD environment (too many others, I suppose). With AD being just a layer placed on top of old LM Domains, I just think there would be ways around this type of problem.

      --
      I AM, therefore I THINK!
    10. Re:A couple of things by T-Ranger · · Score: 4
      The whole idea of directory services is to combine everything into a single repository, everything potentially expanding well beyond just information for access to computer resources. Consider scheduling, electronic locks, HR thingers. Consider a university whose academic scheduling software can push down information to NDS so registering for a class gives you access to that special printer. Integration with PBXs. And on and on. 'Directories' are not just for convenient computer administration, they're for convenient everything. Give meeting rooms and slide projectors entries in your directory, and 'invite' them to meetings.

      Whatever: the point is you want everything in a directory, and you want everything in a single directory.

      However let's say there is some kind of really top secret group, or project or something - new products or a security force, or internal affairs in a police department. Now, you've set up NDS either physically, or logically, but either way there are things that are defined in a higher level that you want to flow down. Everybody gets Netscape in ZEN, everybody in bldg 17 gets access to some printer. However, since this particular group is anal about security, they want their own container admin, and don't want higher level admins inheriting rights. Your building admin can still define ZEN profiles, and printers (and groupwise routing rules, and......) but they don't have access to the sensitive information in that container.

      So you can have it both ways, a single directory, with inherited profiles for (whatever), and a secure container.

      NDS has been around for 7 years. It's proven to work, and proven to work with insanely large trees. ADS is brand spanking new, unproven, and built on flaky grounds (it runs on JET - the DB backend designed for Access). ADS runs on Windows. NDS runs on Netware, NT, win2k, solaris, linux, AIX, OS/390, and Tru64.

      NDS - ADS comparison

    11. Re:A couple of things by swb · · Score: 1

      I have no idea if AD is good or bad. I'm pretty sure it's not as "robust" as NDS, but then again, most of my exposure to it has been from the Novell environments I'm more familiar with, and in those camps all the info about AD is FUD. (and at the risk of being mod'd down as trolling, I think some of it is (F)ear that AD will catch on, (U)ncertainty about Netware's growth, and (D)oubts about Novell's business..).

      Anyway, we don't hear from too many people actually running AD to find out what works and what doesn't. We're going to test it out, if anything to salvage a little manageability out of the random NT stuff around here that's done up Workgroup style (I dislike the domain model enough to not use it all).

    12. Re:A couple of things by Briareos · · Score: 1

      Oh my... that NDS-ADS comparison even got a reference to a SlashDot thread in it concerning the Kerberos protocol glitches in Microsoft's implementation...

      I wonder if this makes Slashdot biased in this case... *grin*

      np: Thomas Fehlmann - Fellmaus (Staedtizism comp.)


      As always under permanent deconstruction.

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    13. Re:A couple of things by Malcontent · · Score: 2
      Well DOH! Where the hell have you been. If you want MS biased forums please visit zdnet or fawcette publications. Also of course microsoft.public.* newsgroups. While you are there please feel free to criticise them about their bias too.
      You may be the last person on this planet to understand that every community is a community precisely because they share some common ideals.

      Get it now?

      A Dick and a Bush .. You know somebody's gonna get screwed.

      --

      War is necrophilia.

    14. Re:A couple of things by Dracophile · · Score: 1

      If you have to delegate control of an OU to someone outside of your control, then you need to make sure that you still have control over the partitioning. That way, if the admin of the OU goes "rogue" on you, you can just cut them out of the tree as a worst-case option.

      --
      Athy, athier, athiest.
    15. Re:A couple of things by swb · · Score: 1

      It all comes down to politics. If your organization has a "one NDS tree" mandate, chances are it also maintains permanent administrative control over the entire tree, which may or may not include "safe" delegated admin rights as a convenience.

      If your organization has entities that have the political clout to get local network autonomy then chances are they'll also do a separate tree for their "in house" stuff.

      I'm dubious that a political situation would exist where a local entity could get total, inheritance-blocked OU control and not also get their own tree, servers, whatever.

    16. Re:A couple of things by the_B0fh · · Score: 1

      3. If you're given your own Organizational Unit within the active directory, you can choose to block inheritance of permissions and policies and whatnot, and maintain a certain level of autonomy.

      Umm... nope. No way to totally block everything. The root admin will always be able to get thru if he or she wants to. And of course, Microsoft says it's a feature. Go to www.novell.com and check out their "things you should know about AD" they first discovered this among many other "gotchas" you have to be careful about. For example, giving someone in ou1 admin rights over ou2 will increase the database size by 13 megs or so. In NDS, it increases by 256 bytes.

      Anyway, basically, you will not be able to control your OU. The admin can take ownership, then change the rights. The only place where you can find out about this is in the log files. Remember, this is a feature.

      As to 1), I have heard of people using samba 2.0.7 (?) and allowing access by nt4 clients. However, if I am correct, what you are saying is that you want ADS enabled clients to get to your samba resources too, right? This may be a problem. But if it is, all you have to do is upgrade _all_ your clients to win2k (certainly, it will be the microsoft preferred solution :)) -the B0fh

    17. Re:A couple of things by the_B0fh · · Score: 1

      I don't know about this particular case but I know all too often the situation is as outlined in the lead story: you don't have a choice. You get handed a mandate that the organization is moving to AD (or whatever) and you're stuck with trying to implement it. You either make it work or you give up and go entirely MS.

      Or do what I did. Show that it won't work. Then implement my solution of choice. Sure, I have to defend the choice every couple of months, but all I have got to do is show the form letter I wrote originally describing the situation. Heh.

      -the b0fh

    18. Re:A couple of things by the_B0fh · · Score: 1
      I disagree. There are times when the top level admin is required NOT to have rights to an OU. And Netware allows you to do that. You can stop that from happening if you wanted to, if you are the top level admin. The point is, the top level admin can make the decision whether he or she wants to allow such a thing to happen. With AiDS, they tell you that you can do it, but they are fucking lying.

      As to separate trees, you can create trust relationships between them, and have rights given to the objects in other trees too.

      And why would you need to make an OU a member of a group? You will have horrible scaling problems if you do such a thing (especially if you have sub-ou, and partitioned them across the country). But you know what, I think the latest versions of nds allows this. But I can't be sure. But nothing a little template won't cure :)

      -the b0fh

    19. Re:A couple of things by swb · · Score: 1

      I'm sure there are political reasons for top-level admins to not having rights to an OU. That Netware makes it possible and MS is "fucking lying" is kind of immaterial to me. I believe and have been told its a bad idea, but hey, if you have the policies, and procedures in place to deal with it when it goes South, GO FOR IT.

      When have you been able to do trust relationships between trees? Not in any NDS I use, although we're still dealing with some 4.11 servers due to Novell's inability to provide Mac support.

      I want OUs to be members of a group simply for convenience, and again to deal with issues where politics and organization collide.

      We've got all kinds of cases where there are applications (like our HR App) that are used by entire departments (payroll, accounting, HR) and by selected users in many other departments. It'd just make life simpler if I could add the departmental OUs and the users in other departments to the same group. Instead I have to create a separate group and all the individual users, which strikes me as kind of anti-directory.

  5. Re:bloody macroshaft by XScott · · Score: 3

    You fail to realize that that's as inevitable as death in most organizations.

    ...And as pleasant a thought.

    Win2K is a fine gaming platform. Multiprocessor support and DirectX for games that don't run in an OpenGL mode. It has no other good uses. There is a better alternative for every other task you might want to do with a computer.

  6. Aww..do I have to? by RazorJ_2000 · · Score: 3

    The only way to truly satisfy yourself is to setup a test environment. (To /.ers: please don't go on about "satisfying yourself" too much)

    --
    pi=sigma{n:0-infinity}[(1/16)^n][(4/(8n+1))-(2/(8n+4))-(1/(8n+5))-(1/(8n+6))]
    1. Re:Aww..do I have to? by bob · · Score: 1
      Nah, you don't really have to. Of course we're in the middle of doing this (setting up a test environment, that is :-). But I figured, and this is certainly proving to be the case, that y'all would do a great job in helping us figure out how to set up the tests and what to look for. The comments here are extremely useful, thanks everyone.

  7. Pitfalls in SMB... by Anonymous Coward · · Score: 2

    I've been using Win2K and Samba. They work fine together, with one hitch: Samba seems to have difficulty resolving names of connecting machines. If you can provide a method of name resolution, such as DNS or a simple /etc/hosts file, then this problem goes away. Good luck.
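The name-resolution hitch the anonymous poster describes comes from Samba wanting a name for the connecting client (for `hosts allow` entries given as names, for `%m` substitutions and for its logs), which needs a working reverse lookup of the client's address. The smb.conf below is an added example for a Samba 2.0.x member server in a W2K domain running in mixed mode, not configuration from this thread; the domain name, server names, addresses and the share are assumptions. Access control is by address, so no reverse lookup sits on the authentication path, and plaintext password exchange, which W2K refuses anyway, is off.

```ini
# Added example, not from the thread: Samba 2.0.x as a member server
# of a W2K (mixed-mode) domain. Names, addresses and paths are assumptions.
[global]
    workgroup = AGENCY
    netbios name = UNIXFS1
    # Join as an NT-style member server. The W2K DC authenticates users
    # for us over the same RPC an NT4 member uses, so W2K workstations
    # reach this box exactly like any NT file server.
    security = domain
    password server = DC1 DC2
    # NT4 SP3+ and W2K will not send plaintext passwords; the machine
    # account secret comes from "smbpasswd -j".
    encrypt passwords = yes
    # Forward lookups: DNS first, then WINS, then broadcast.
    name resolve order = host wins bcast
    wins server = 10.1.2.10
    # Address-based access control: no reverse lookup of the client is
    # needed to decide, and nothing outside our nets gets a session.
    hosts allow = 10.1. 127.0.0.1
    hosts deny = ALL
    interfaces = 10.1.2.20/255.255.255.0
    bind interfaces only = yes
    log file = /var/log/samba/log.%I
    log level = 1

# The sensitive data the question is about: group-restricted, and the
# Unix mode bits (not just the share ACL) keep it from other local users.
[survey]
    path = /export/survey
    valid users = @survey
    read only = no
    create mask = 0660
    directory mask = 0770
```

Create the machine account on the DC, join with `smbpasswd -j AGENCY -r DC1` (Samba 2.0 syntax), then test from a W2K workstation with `net use \\UNIXFS1\survey`. Because W2K clients still talk NT-style SMB and NTLM to member servers even when they are in an AD domain, nothing here requires the Unix box to speak Kerberos or the W2K-only protocol extensions the original question worries about; the log file is keyed by client address (`%I`) rather than name for the same reason the access list is.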

  8. I don't know the details but their are problems by Citrix · · Score: 4
    I wish I had more info for you but all I could dig up from recent memory was this article that references problems IBM and MIT have had with Win2k: http://www.funky-penguin.co.uk/index.php?zone=articles&id=13

    It is a great article separate from problems with win2k.

    --
    Leknor
    http://Leknor.com
    "So many idiots, so few comets"
    1. Re:I don't know the details but their are problems by Citrix · · Score: 2
      --
      Leknor
      http://Leknor.com
      "So many idiots, so few comets"
    2. Re:I don't know the details but their are problems by bob · · Score: 3

      Thanks. BTW, since posting the initial question above, I found another interesting item at the Computer & Communications Industry Association: Microsoft Windows 2000: Blueprint for Domination.

  9. Novell has some links by tilly · · Score: 3

    An old one.

    An older one.

    Some old benchmarks.

    BTW sales of Win2K have been abysmal. A fact you don't hear much about, but which lies behind some of Microsoft's actions. (Trying to squeeze more revenue from existing streams.) Go out and look for yourself for some links on that (unfortunately not well enough publicized) story.

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
    1. Re:Novell has some links by TVmisGuided · · Score: 1

      I'm not surprised about the poor sales; the bug list and stability problem reports have preceded the marketing efforts in most big shops. M$ has yet to demonstrate (not TALK ABOUT but DEMONSTRATE) a real good reason for any of their big clients (I work for one) to "upgrade."

      So here we still sit with probably (at least in my little hole) 15 NT4 servers and six HPUX machines. And a dozen or so NT4 workstations. And IT won't let management buy W2K to install on the NT4 boxes...probably one of their best decisions to date. 'Nuff said.

      --
      All the world's an analog stage, and digital circuits play only bit parts.
    2. Re:Novell has some links by xianzombie · · Score: 2

      BTW sales of Win2K have been abysmal. A fact you don't hear much about, but which lies behind some of Microsoft's actions. (Trying to squeeze more revenue from existing streams...

      Unfortunately many of the military installations, AFAIK, are still going to be switching to Win2K. On a positive note, I have also heard rumors floating about of certain "forces" pressing to get a more secure OS installed that will also run on the older systems...anyone dare to guess what OS that may be? (wink, wink; nudge nudge)

    3. Re:Novell has some links by Anonymous Coward · · Score: 1

      I agree... go on record as saying that rolling out W2K is likely to cause huge headaches, and try to pressure Management to demonstrate a clear business need that will be met by adopting W2K. Our shop is going the same way (W2K) and the decision is already set in stone. I don't know what the business case was to implement W2K, no-one I have spoken to seems to be able to tell me what problems our org has that W2K will supposedly solve. Right now I'm OS/390 support, but I'm moving to our Unix support dept. (AIX with a little bit of HP-UX thrown in) and I'm dreading having to deal with exactly this issue. Luckily I think that AD is not expected to be implemented or it will be on its own subnet and perform its own authentication for users. We don't do any cross-os platform (only *NIX *NIX) mounting so this is not an issue for us.
      But I concur and say that you should CYA, get it on record that your group expects that the integration costs for this project will exceed expectations (this is a big one since the bean counters really rule the roost in pretty much any organization 'tho govt sometimes makes a mockery of this principle - make sure you emphasize this to one or more senior bean counters, including the head one if possible) and could cause unforeseen technical problems. That way perhaps the morons^H^H^H^H^H^H far-sighted individuals that decided to push W2K will lose their jobs if the inevitable fsck-ups surface. Also, if they cannot show a justifiable business reason and you (and your group) are able to put together a solid business case to remove the NT servers completely and move to the Linux machines, the bean counters might end up on your side (I am assuming that this will save your agency money). Go all out, actually get an end-client and plop them down in front of a (properly config'd to really look like Windows - as in start button pop-up menu etc) workstation and ask them to fire up the applications they would normally use and try to use them (hell, videotape the horse-and-pony show and show it if it's in your favor, otherwise destroy it and have the end-user sign a NDA ;-\ ). If you do this be sure that you can provide all of the applications that the business requires, or at least the vast bulk of them (perhaps a few function-specific NT servers may have to remain). And depending on your seniority and the financial benefits of working at this agency vs. finding another job, be prepared to possibly jump ship?
      If your agency doesn't need to have/provide access to/for these other 'affiliated entities', it should be easier to prevent the penetration of W2K and prevent it from being integrated into your agency, see if file transfers can be done as opposed to NFS style directory accesses (point out inherent security benefits of limiting access by going to file xfer instead of directory mounting - who cares if it's really true, you should be able to blow the smoke at management).
      The most important aspect that I have seen in my experience is the business case. If you can prove you can do it (1)cheaper (2)more securely (3)cheaper on an ongoing basis --- then you may have a chance. That's what happened in our shop - we got a Director gung-ho on NT who wanted to move many of our business processes onto NT - we proved that it would be cheaper to keep it on OS/390, so he only got approval to move some of what he wanted, and most of that fell flat on its face so... he's no longer with our company (not that the bastard didn't get a pretty nice golden handshake to get rid of him all the same). Moral of the Story: It boiled down to the fact that we could do it cheaper (and more reliably in our experience) on OS/390 than the NT solutions that they tried... that's what made the difference. Good luck in your predicament.

    4. Re:Novell has some links by MrBogus · · Score: 1

      Since you seem to be a Novell fan, remind yourself that Novell 4.0 sales were also abysmal for the first year or two.

      It took at least a year before the installed base started to comprehend the trials, troubles, benefits and budgetary implications of a directory system. Factor in the relative intelligence of NT and Novell admins.

      NDS eventually took off to a degree, so 6 months of sales data isn't enough to say one way or another for W2K Server. Like Novell 3, NT4 might stay on the product list longer than expected, tho.

      --

      When I hear the word 'innovation', I reach for my pistol.
  10. The only solution is to educate management by Tet · · Score: 5
    but the point is that the direction here is likely to be totally beyond our control

    And therein lies the problem. Management need to be made forcefully aware that the agency is not a Windows only shop, and that proposing Windows only solutions like this is a road to ruin. Sure, you may only be a minority, but they need to know that you cannot integrate with their solution without (at the very least) significant work. They need to know what the impact of alienating your department will be on the agency as a whole. Like it or not, management are stupid. Sure there are a few exceptions, but on the whole, it's a good approximation. I once worked at a company where management decreed that all corporate email should be handled by Exchange and Outlook. Only after buying the servers, and doing an initial roll out to some PCs did they realise that 30% of the desktops ran SunOS or Solaris on Sparc hardware... Management don't understand technological issues like these, and they need to have them explained.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:The only solution is to educate management by Suzuran · · Score: 1

      Not a good idea. If you tell Management that you have a system which prevents you from implementing their Glorious Idea of Things to Come, they will eliminate the offending system. The minute these guys say they run UNIX, they'll get an Executive Order to, effective immediately, ditch all UNIXes and "upgrade" to Win2K. (At least that's how it went at a friend's ex-employer when it was revealed to Management that their Internet pride-and-joy ran on BSDI instead of their beloved NT4. Said company no longer exists.)

    2. Re:The only solution is to educate management by LQ · · Score: 1

      Nobody ever got sacked for choosing IBM (who said that?) The pointy-haired manager would probably agree that if s/IBM/Microsoft/

    3. Re:The only solution is to educate management by Phil+the+Canuck · · Score: 2

      Switching to W2K is likely unavoidable for this poor fellow. If I were in his shoes I'd like to be on record as opposing the migration. I'm seeing too many IT people being blamed for "failures" in similar situations.

    4. Re:The only solution is to educate management by Tet · · Score: 2
      If I were in his shoes I'd like to be on record as opposing the migration.

      Indeed. That's something that I forgot to say. Put your objections to management in writing. That way, you know that management are aware of the problems with their chosen route, and furthermore, you can prove it. If you have an email system that supports delivery notification, use that -- and don't forget to cc a copy to an external address too. I've seen email systems that conveniently managed to "lose" potentially damaging messages...

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    5. Re:The only solution is to educate management by bob · · Score: 1

      Well, we're doing what we can in this regard, but it is always a balancing act. The most important thing is to make sure that one has facts to present -- suspicions and FUD won't do it.

    6. Re:The only solution is to educate management by Helge+Hafting · · Score: 2

      Educating management must be done the right way. Don't say "we can't implement this because of unix". Say "this stuff won't make you money!"

      Tell them that unix is crucial for business in your department. Windows will be fine in other places, but "the right stuff for the executives isn't the right stuff for you".

      Just as you don't make the truck drivers switch to the same trendy car the boss uses - because that doesn't make sense (it would be a nasty loss, the big trucks are their moneymaking tool.) And unix is your tool to get the job done. Standardizing the *office* on w2k may make sense, but not this "special operation."

    7. Re:The only solution is to educate management by reuel · · Score: 1
      And therein lies the problem. Management need to be made forcefully aware that the agency is not a Windows only shop, and that proposing Windows only solutions like this is a road to ruin.

      Management understands two things: schedule and budget. (But, since time is money, management only really understands one thing.)

      A more positive approach often works better: For these purposes, put yourself in a frame of mind that is supportive of the change. Now make a plan that includes everything that has to be done to make the change. Include time and money for research of the technical issues that others have raised. Include time and materials to build up a working prototype. Since the cutover to the new system probably needs to be done over a weekend, include time and material to make it so the cutover can be nearly instantaneous. Include time for training of all employees on the new system, and money to cover temporary employees to cover for those being trained. Don't put anything in the plan, schedule, or budget that isn't justified. Management and others will be looking carefully for any padding. Make sure your plan makes it clear that only YOUR people can do the work, so your group gets the budget dollars (some IT managers love opportunities to get a bigger budget). Make it clear that the cutover can't happen until the new system is shown to be working in an operational environment.

      You can take this even further: propose the research to be followed by a real plan. Or propose two plans: one that involves making the existing Unix systems work with the change; another that involves a complete changeover to W2K for your department.

      Good luck!

      --
      [place clever signature here]
    8. Re:The only solution is to educate management by Elm+Tree · · Score: 1

      The only problem with your thought is that he speaks about using non x86 hardware, which would mean mucho $ to change, at that point it becomes clearly profitable to keep the old system running.

  11. NDS? by PhilA · · Score: 1

    Is there no chance of convincing management to go to NDS rather than AD? Novell seem to be *much* happier to support all OS configurations + combinations out there (can't think why :) )

    --
    nosig
  12. Re:ignore it... by sparx · · Score: 2

    I think you totally missed his point. He doesn't (or won't) have the option of just 'ignoring it'. That's the entire problem. It's going to be mandated by a bunch of federal PHBs and if he's not prepared now rather than later his network could well be screwed. I recently came from a similar type of institution he's working in and I can tell you that what makes sense from a technical point of view never enters the minds of the ones who decide to mandate a solution based on the latest print ad microsloth put in their copy of PC magazine. Luckily I left that place, and am now entrenching Unix in a start-up company. And loving every minute of it.

  13. Paper title by GodHead · · Score: 2

    There is a paper that describes MS AD service called "Implementing Directory Enabled Networks Using Windows 2000 Technology". It lives at http://www.microsoft.com/windows2000/library/technologies/communications/denuse.asp. I hope this helps.

    G.H.
    "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea,
    which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
    -- A Thinking Man's Creed for Crypto

    --
    Just wait till some crappy band steals your nic.
  14. Re:ignore it... by labratuk · · Score: 1

    yeah i realised i completely missed the point once i hit the submit button, and saw the whole article... d'oh.

    --
    Malike Bamiyi wanted my assistance.
  15. Some thoughts, notes... by Anonymous Coward · · Score: 3

    There is interesting technology in Active Directory. It is an interesting project to attempt to provide these services without requiring the use of a Windows 2000 server infrastructure. I can't say I'm doing an awful lot to help in this regard presently, but I've made some notes, and you can check them out at http://www.padl.com/~lukeh/XAD/white_paper.html. The SAMBA people are probably most active on this front.

    To answer some of your questions: I believe W2K can access old SMB-style shares. After all, it wouldn't make sense for it not to work with NT 4 shares. I expect the "new" SMB is wrapped in the Kerberos SSPI (wire-compatible with the Kerberos GSS-API mechanism). Regarding storing RFC 2307 information in AD, good luck. Microsoft have made some modifications to the schema in order to support various "features" of Active Directory, such as the lack of support for multi-valued naming attributes, auxiliary classes not being listed as values of the objectClass attribute, some attribute type conflicts with RFC 2307, etc. Microsoft have an "embraced and extended" version that ships with Services for UNIX, but this isn't plug-and-play with existing RFC 2307 clients unless they support on-the-fly attribute mapping.
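    The "on-the-fly attribute mapping" the post above says an RFC 2307 client would need, written out as an added example (editor's code, not from the thread or from Microsoft). It renames attributes in both directions, truncates a multi-valued naming attribute to one value, and drops the auxiliary class `posixAccount` from `objectClass` on the AD side, which is why a client must not filter on `objectClass=posixAccount` against such a server. The `msSFU30*` target names are an assumption about the Services for UNIX schema and the sample entry is constructed.

```python
"""Added example: RFC 2307 <-> Services-for-UNIX attribute mapping.
Not code from the original thread; the msSFU30* names are an assumption."""

# RFC 2307 attribute -> name assumed for the SFU-extended AD schema
RFC2307_TO_SFU = {
    "uid": "msSFU30Name",
    "uidNumber": "msSFU30UidNumber",
    "gidNumber": "msSFU30GidNumber",
    "homeDirectory": "msSFU30HomeDirectory",
    "loginShell": "msSFU30LoginShell",
    "gecos": "msSFU30Gecos",
}
SFU_TO_RFC2307 = {v: k for k, v in RFC2307_TO_SFU.items()}

# Naming attributes AD keeps single-valued (the post's first complaint)
SINGLE_VALUED = {"cn", "sAMAccountName"}


def to_ad(entry):
    """Server-side view of an RFC 2307 entry (dict attr -> list of values).
    Returns (ad_entry, warnings) so an admin can see what was lost."""
    ad, warnings = {}, []
    for attr, values in entry.items():
        if attr == "objectClass":
            # AD does not list auxiliary classes in objectClass, so
            # posixAccount disappears; a structural class must remain.
            kept = [v for v in values if v != "posixAccount"]
            if len(kept) != len(values):
                warnings.append("objectClass: auxiliary class posixAccount "
                                "not stored; do not search on it")
            if "user" not in kept:  # assumed structural class for an account
                kept.append("user")
            ad["objectClass"] = kept
            continue
        target = RFC2307_TO_SFU.get(attr, attr)
        if target in SINGLE_VALUED and len(values) > 1:
            warnings.append(f"{attr}: multi-valued naming attribute "
                            f"truncated to first value")
            values = values[:1]
        ad[target] = list(values)
    return ad, warnings


def from_ad(ad_entry):
    """Client-side view: rename SFU attributes back to RFC 2307 names and
    re-add posixAccount so an RFC 2307 consumer recognises the entry.
    The presence of a uidNumber, not objectClass, is what identifies it."""
    rfc = {}
    for attr, values in ad_entry.items():
        rfc[SFU_TO_RFC2307.get(attr, attr)] = list(values)
    classes = list(rfc.get("objectClass", []))
    if "uidNumber" in rfc and "posixAccount" not in classes:
        classes.append("posixAccount")
    if classes:
        rfc["objectClass"] = classes
    return rfc


# Constructed sample entry, as a Unix LDAP server would hold it
SAMPLE_ENTRY = {
    "objectClass": ["top", "person", "posixAccount"],
    "cn": ["Bob Smith", "bob"],          # multi-valued on Unix, not in AD
    "uid": ["bob"],
    "uidNumber": ["1001"],
    "gidNumber": ["100"],
    "homeDirectory": ["/home/bob"],
    "loginShell": ["/bin/ksh"],
}

if __name__ == "__main__":
    ad, warnings = to_ad(SAMPLE_ENTRY)
    for w in warnings:
        print("warning:", w)
    print(from_ad(ad))
```

    The practical consequence for an nss_ldap-style client is in `from_ad`: the search filter has to key on an attribute the server actually stores (here the mapped `uidNumber`) rather than on `objectClass=posixAccount`, and anything that relied on a second `cn` value is gone by the time the entry reaches AD.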

  16. If you have no control, you have a problem anyway by Cardinal+Biggles · · Score: 1

    Disclaimer: I don't know much about Active Directory other than that Micros~1 claims it can speak LDAP.

    My point is that if you don't have any control over a 'central' Directory Server, you have a problem no matter what the type or brand of the server software.

    I assume that AD gives the administrator control over the schema. If AD doesn't support an RFC2307-compatible schema, the administrator can always implement it for you.

  17. Re:bloody macroshaft by Trashman · · Score: 1

    DirectX is somewhat buggy, Some games behave Strangly on Win2k.

    The SIMS: I get no Sound.

    Half-Life: OpenGL isn't to good (I think it's a Driver Issue). So I use DX; and sometimes my Screen goes black and there's no way to recover except to kill hl.exe

    And lastly some Apps Can't handle the Multi-user aspect, and refuse to run (eg, Palm Desktop).

    --
    Do not read this .sig
  18. AD native or compatible ... by Lev_Arris · · Score: 4

    I don't know about the issue of AD networked stations not being able to access NT4 style shares but I see no reason why they shouldn't

    What I DO KNOW is that the active directory can be run in 2 modes: native and mixed. In native mode it will of course deny anything that is not active directory compatible. In mixed mode it's supposed to let you work with older NT stations and servers/domain controllers. (Of course there are some features that require native mode to help force you a bit more towards it and once you're in native mode you can't go back to mixed either ;)

    About authentication, you'll have to check whether your Kerberos implementation is compatible with the one Microsoft is using and you'll also have to see whether your systems support the SRV records inside DNS. (Here are some RFCs that they refer to: RR records RFC2052, Dynamic DNS update RFC2136/RFC2137)

    As for accessing data that is in the AD you'll have to figure out how to do it via LDAP I suppose.

    Hope the above helps a bit. Unfortunately I'm no expert in these matters.
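    The DNS part of the post above, as an added example (editor's code, not from the thread or from any vendor): a W2K client finds its domain controllers by querying SRV records such as `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.<domain>`, then tries the targets in priority order with weighted random selection inside a priority. RFC 2782, which obsoletes the RFC 2052 cited in the post, specifies that selection. This block parses dig-style SRV answer lines (a constructed sample, `example.gov` assumed) and orders the targets; the random source is injectable so the ordering can be checked.

```python
"""Added example: locate and order domain controllers from DNS SRV records.
Not from the original thread.  Sample dig output is constructed."""
import random

# Constructed sample of what `dig _ldap._tcp.dc._msdcs.example.gov SRV`
# might return; the hostnames are assumptions.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.gov. 600 IN SRV 0 100 389 dc1.example.gov.
_ldap._tcp.dc._msdcs.example.gov. 600 IN SRV 0 0 389 dc3.example.gov.
_ldap._tcp.dc._msdcs.example.gov. 600 IN SRV 10 100 389 dc2.example.gov.
"""


def parse_srv(lines):
    """Parse dig-style SRV answer lines into dicts.
    Fields: owner ttl class type priority weight port target."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                       # dig comments and blank lines
        fields = line.split()
        if len(fields) < 8 or fields[3] != "SRV":
            continue                       # ignore anything that is not an SRV RR
        records.append({
            "priority": int(fields[4]),
            "weight": int(fields[5]),
            "port": int(fields[6]),
            "target": fields[7].rstrip("."),
        })
    return records


def order_targets(records, rng=random.random):
    """Return (target, port) tuples in the order a client should try them:
    lowest priority first; within one priority, weighted random selection
    per RFC 2782, with weight-0 entries tried after the weighted ones."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = [r for r in records if r["priority"] == prio]
        pool.sort(key=lambda r: r["weight"] == 0)   # stable: zero-weight last
        while pool:
            total = sum(r["weight"] for r in pool)
            if total == 0:
                chosen = pool[0]
            else:
                r = rng() * total
                cum, chosen = 0, pool[-1]
                for rec in pool:
                    cum += rec["weight"]
                    if r < cum:
                        chosen = rec
                        break
            ordered.append((chosen["target"], chosen["port"]))
            pool.remove(chosen)
    return ordered


if __name__ == "__main__":
    for target, port in order_targets(parse_srv(SAMPLE_DIG_OUTPUT.splitlines())):
        print(f"try {target}:{port}")
```

    The check a Unix admin wants before a W2K client is pointed at a zone they run: that the `_ldap._tcp` and `_kerberos._tcp` names resolve at all (the dynamic DNS update the post mentions is how the DCs register them), and that the lowest-priority targets are the DCs you intend, since a zero-weight or high-priority entry is only reached once everything before it has failed.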

    1. Re:AD native or compatible ... by bob · · Score: 1

      "In native mode it will of course deny anything that is not active directory compatible. In mixed mode it's supposed to let you work with older NT stations and servers/domain controllers. (Of course there are some features that require native mode to help force you a bit more towards it and once you're in native mode you can't go back to mixed either ;)"

      Thanks, this is where I keep getting crossed signals. I am assuming some sort of native-mode roll-out, largely because many of the arguments I hear in favor of a W2K/AD implementation are things that only work in native mode. So if it turns out that we do face a native-mode implementation, what does this say about the ability for having workstations mount both W2K and Samba shares?

    2. Re:AD native or compatible ... by mrhooper · · Score: 1

      You're a little off here - all AD native mode does is disable creation of and replication with NT 4.0-style BDCs. Old Windows and Samba clients will still happily connect and use file shares, it's not nearly as sinister as it might sound.

    3. Re:AD native or compatible ... by iankerickson · · Score: 1

      Mixed mode on AD lets W2K emulate one NT4 domain, so you can replace your PDCs with it. I think your BDCs can remain NT4, pulling the SAM from your W2K AD servers. You have to use the "new&improved" srvrmgr.exe that comes with W2K. The problem is trust. In NT4 trusts are 1 way only (Domain A trusts Domain B). AD trusts are hierarchical (A trusts B, B trusts C, hence A trusts C). But AD trusts don't translate in the emulated NT domain in mixed mode (NT4 client in C, can't log on). So if you have more than one NT4 domain, you have to set up different ADs each emulating a different NT domain or consolidate all your NT domains back into one (good luck and don't screw up!). (Is it just the lack of good coffee, or does it seem like you could hack Domain A by hacking into C, because A trusts B trusts C? Sounds like ISP heaven.) Check out http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=13387 All the crap that should be in NT docs, readme.wri files, or TechNet can generally be found here.

      --
      Democracy. Whiskey. Sexy. Pick any two.
    4. Re:AD native or compatible ... by MrBogus · · Score: 2

      Late post, but this is right from the W2KS help file:

      Several things happen when you change to native mode:

      Domain controllers no longer support NTLM replication.

      The domain controller that is emulating the PDC operations master can not synchronize data with a Windows NT BDC.

      Windows NT domain controllers can not be added to the domain. (You can of course add new Windows 2000 domain controllers.)

      Users and computers using previous versions of Windows begin to benefit from the transitive trusts of Active Directory and (with the proper authorization) can access resources anywhere in the forest. Although previous versions of Windows do not support the Kerberos V5 protocol, the pass-through authentication provided by the domain controllers allows users and computers to be authenticated in any domain in the forest. This enables users or computers to access resources in any domain in the forest for which they have the appropriate permissions.

      Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.


      Note that the only implication is that you can't use NT4-style domain controllers in your domain. That means Samba should still work fine as long as the DCs are Windows 2000.

      --

      When I hear the word 'innovation', I reach for my pistol.
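      The trust question raised a few posts up ("could you hack Domain A by hacking into C, because A trusts B trusts C?") and the help-file text just quoted, reduced to a small model as an added example (editor's code, not from the thread). Trusts are edges "trusting trusts trusted"; one-way NT4 trusts give only the direct neighbours, AD transitive trusts give the closure. The second function makes the point the help file makes: a trust path lets a principal be *authenticated* by the resource domain, and access still needs an entry on the resource's ACL. The domains A, B, C and the principal names are assumed.

```python
"""Added example: reachability under one-way vs. transitive domain trusts.
Toy model, not from the original thread; domain and user names assumed."""


def trusted_by(trusts, domain, transitive):
    """Domains whose principals `domain` will authenticate.
    trusts: iterable of (trusting, trusted) pairs, read 'trusting trusts trusted'.
    transitive=False models NT4 one-way trusts; True models AD forest trusts."""
    edges = {}
    for trusting, trusted in trusts:
        edges.setdefault(trusting, set()).add(trusted)
    if not transitive:
        return set(edges.get(domain, set()))
    seen, stack = set(), list(edges.get(domain, set()))
    while stack:                      # depth-first closure over trust edges
        d = stack.pop()
        if d in seen:
            continue
        seen.add(d)
        stack.extend(edges.get(d, set()))
    return seen


def can_access(trusts, resource_domain, principal, acl, transitive):
    """principal is 'DOMAIN\\user'; acl is the set of principals granted access.
    Both a trust path (authentication) and an ACE (authorization) are required."""
    pdomain = principal.split("\\", 1)[0]
    authenticated = (pdomain == resource_domain
                     or pdomain in trusted_by(trusts, resource_domain, transitive))
    return authenticated and principal in acl


# Constructed topology from the post: A trusts B, B trusts C
TRUSTS = [("A", "B"), ("B", "C")]

if __name__ == "__main__":
    for mode in (False, True):
        print("transitive" if mode else "one-way",
              "- A authenticates:", sorted(trusted_by(TRUSTS, "A", mode)))
    print("C\\alice on A's share with no ACE:",
          can_access(TRUSTS, "A", "C\\alice", set(), True))
```

      So compromising C does widen who A will *authenticate* once the forest is in native mode, which is the real change for a group whose resources sit in A; whether anything in A is then readable depends entirely on what A's ACLs already grant to principals from other domains, which is the thing to audit before the switch.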
  19. W2K with Samba by johnrshannon · · Score: 2

    I'm using W2K on one machine to access shares on a Linux system running Samba. It works just fine.

    1. Re:W2K with Samba by Fruny · · Score: 1

      I think he wants to know if it works the other way round too. Previous posts specified that W2K had no problem accessing other systems, but that the reverse wasn't true. (e.g. Kerberos issues ?)

  20. This is my vote, too by FascDot+Killed+My+Pr · · Score: 2

    Above all do NOT allow this to happen: Techies/consultants that are advising the rollout tell management "switch to Win2k". Management tells other departments "switch to Win2k". Other departments tell management "we can't". Management tells techies "they won't". Techies tell management "force them".

    You've got to get ahold of the techies yourself--don't let management be the conduit for technical decisions. You still have to explain the issues to management so that they can mandate the discussion take place--but when the discussion happens managements only role should be as arbiter.
    --

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:This is my vote, too by twitter · · Score: 1
      Voting, that's funny. Government does not work that way! Do you really think that one president, a few hundred representatives and their thousands of minions can oversee 25% of the US GDP? They do, and the results are bizarre.

      Trust the man, he does not have a chance. I've worked for state (3 years) and federal agencies (census work), and in industries regulated by federal agencies (2 years). State could be bad, but federal is out of control.

      --

      Friends don't help friends install M$ junk.

  21. Re:I got a cold by deusx · · Score: 3

    cough*OpenLDAP*cough*

    Insightful?!

    Did you read what bob was asking? Let me snip the bit so it's easy for you: "...we had been investigating doing something with Kerberos and OpenLDAP before this came up -- but the point is that the direction here is likely to be totally beyond our control.."

    So, um, OpenLDAP is great and all, but he's talking about SOMEONE ELSE deploying AD and he has to adapt to it.

  22. Re:bloody macroshaft by King+of+the+World · · Score: 1

    My screen goes black on the menu - never in the game.

  23. Not had your coffee yet? by Rogain · · Score: 1

    They're QUESTIONS, not points.

    --
    The current Slashdot moderation system is made by gay communists!
  24. Re:ignore it... by Mattsson · · Score: 1

    If you read his question you will see that it is not on *his* table.
    Someone above him has decided that w2k is the way to go and he wants to be able to keep his unices while connecting to the active directory.

    So if it's NFS or something else that isn't AD compatible, it's not usable.

    --
    /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
  25. How to deal with the government by thogard · · Score: 5

    I've worked for way too many government groups in the past and the best advice was from a water engineer at the Soil Conservation Service.

    The government works like a large boulder rolling down the hill. You can't stop it but you can change its direction if you push it at the right time and place.

    Years ago I used this while working for DISA (DIMA's parent, they control the IT for the AF, as well as the Army, Navy etc in theory). DISA had decided that GOSIP email was the one true way and nothing was going to change that. Ok fine. It's a messed up version of X.400 based on some of the worst code I have ever seen. I attended lots of meetings where lots was discussed but nothing was ever done. At the time I managed a large email system that involved some 87,000 users over 12 main systems. It was the largest system of its kind in the government. From what I had learned while working at SCS, I did the only reasonable thing which was to ask a Col if I could make a change to the proposed migration document. I changed one line to allow both X.400 migration system as well as SMTP migration. That got included in the main document, which became the long term plan and now thanks to cut and paste into other docs, fully allows SMTP as valid part of the GOSIP systems.

    One edit and I killed X.400. Not bad for government work.

    1. Re:How to deal with the government by decaym · · Score: 1
      Hmm, "GOSIP", there's something I haven't heard about in a few years (thank goodness).

      Remember, this is the same group who also wanted ALL programming done in Ada for about five years. If it's good enough to fly a missile, it's good enough to handle an accounting system.

      This is also the same group that mandated POSIX (UNIX and X-Windows) for all desktop systems. In hindsight, this might not have been too bad. At the time, however, the industry was moving in a decidedly different direction.

      The US Govt, and DoD in particular, has a long history of heading down the wrong path with IT solutions.

      --
      World Beach List, my latest project.
    2. Re:How to deal with the government by zigzag · · Score: 1

      Impressive. Most impressive. Indeed you are powerful.

    3. Re:How to deal with the government by mwood · · Score: 1

      So YOU're the one!

  26. Re:bloody macroshaft by Trashman · · Score: 1

    My screen goes black on the menu - never in the game.

    I should've specified that, Yes the screen goes black on the Menu. On occasion, It happens If It fails to connect to a server. It never happens in-game.

    --
    Do not read this .sig
  27. W2K Pro is compatible with Samba by Anonymous Coward · · Score: 3

    To address issue #1:

    I am the administrator for a computer science lab that has workstations that dual-boot Windows 2000 Professional and RedHat Linux 6.2. I run two servers in the lab: Win 2000 Server and RedHat Linux 6.1. The Linux server exports its home directories via both NFS and Samba. The Windows 2000 Professional workstations are able to connect to Samba shares on the Linux server without any difficulties.

    The Windows 2000 Professional workstations are also able to connect to shares on NT 4 servers.

    Hope this helps.

    1. Re:W2K Pro is compatible with Samba by avandesande · · Score: 2

      But is the server using Active Directory? There seem to be several posts where people have been claiming compatibility, but have not specified if they are using this service.

      --
      love is just extroverted narcissism
  28. Re:bloody macroshaft - probably OT by Trashman · · Score: 1

    Soundcard drivers are not up to snuff yet.

    You're telling me? I'm still waiting for 4 Speaker output on the Trident 4DWave NX (from Hoontech)which I had under NT4.

    I may break down and buy a SB Live if this doesn't get fixed very soon.

    --
    Do not read this .sig
  29. Give 'em enough rope by delevant · · Score: 2
    . . . to hang themselves with.

    My own (possibly inappropriate) response would be to counsel against a blind W2K roll-out. If your group is autonomous, there's probably a reason, and it should stay that way.

    Next, allow them to deploy W2K. Watch in horror as your group implodes, losing valuable apps, churning out incorrect data, etc.

    Wait a little longer, until your group is nothing more than a flaming wreck.

    Then call in Congress!

    I tell you, there's nothing Congress likes more than the opportunity to investigate/gang-rape government agencies. Ideally, your management will have themselves raked over coals in front of some subcommittee, with a Senator screaming at them. You'll never hear about W2K again, provided that your group can survive this long in a dysfunctional state.

    Of course, this all assumes that you're willing to destroy your own agency/group. It also assumes that your group is actually doing something valuable, but not TOO valuable.

    And, as always, I could be wrong.

    --
    I have no .sig, and I must scream.
  30. Surprise by Etriaph · · Score: 1

    In this day and age it surprises me that any corporation is switching from a UNIX to w2k. I've seen and heard of a lot of companies trashing their windows servers to replace them with Linux machines running the same services. Tell them you'll use Star Office but all of the Word documents they send you have to be in Word 98 format. :)

    --
    "It's here, but no one wants it." - The Sugar Speaker
  31. Re:bloody macroshaft - probably OT by alarosa · · Score: 1

    SBLive's have problems in Win2k as well. The DirectSound and EAX don't work very well, if at all. And if you have an SMP machine, just don't even bother. Blue screens abound.

    This all is due to the fact that Creative doesn't LISTEN to Microsoft when it comes to driver specs for Win2k. Dumbasses.........

  32. Some experience by randymcse · · Score: 1

    I've set up several W2k servers and workstations and have not had any problems with NT 4.0 shares being seen on the W2k server/workstation. Unfortunately I haven't had enough experience with Unix to answer the rest of the question. I'm not sure what your company is using the MS platform for other than word and peoplesoft as you said. Is e-mail going to come from an Exchange Server? If so, your company could set up Outlook Web Access and you can use your internet browser to check your e-mail. As far as getting documents back and forth, if they are just word documents, you could just save them HTML or RTF format. Or maybe just wait for that version of MS Office for Linux :) As far as peoplesoft I have no idea, never used it.

  33. Hey Captain TunnelVision, by TobyWong · · Score: 2

    A) Win2k is not a gaming platform... if you want to play games, install WinMe. Many titles have problems under Win2k.

    B) You forgot to finish off your sentence so allow me to do the honour: "It has no other good uses [for a person like me who is blinded by zealotry]."

    I have a GNU/Linux box and a win2k box running side by side on my desktop. I use the GNU/Linux box for all server type things/webdev/coding etc, and I use the win2k box for graphics work in 3DSMax, Photoshop and Illustrator. Both machines do a fantastic job and I really can't complain.

    I suggest you redirect some of that boundless energy you seem to have for analyzing all Microsoft's faults and apply it to a worthy open source project.

    --
    - Toby
  34. This doesn't help much, but.... by axel+from+afkmn · · Score: 1
    The problem at hand is not "how do we get AD to work with Unix," but rather, "why use AD at all?" I mean, NetWare's NDS is much more feature-rich and multi-platform compatible than AD. I hate to sound like an advocate, but I use NDS every day, and there is no better way to easily administer an environment with many users, many workstations, and many network resources. AD (and NIS, for that matter) pale in comparison. The fact that any organization would choose W2K over Netware for their server environment shows that management far too easily falls for weaselly marketing tactics. ok bye.

    Axel

    --

    Axel
    mhm23x3, alt.fan.karl-malden.nose

    1. Re:This doesn't help much, but.... by jason_aw · · Score: 1

      > NIS, for that matter

      NIS pales in comparison to *anything*. The fleas on a dead goat would implement a better directory service than NIS. It's more sucky than a very sucky thing.

      It should have been brutally killed a long time ago, as should NFS.

      Bastards.

    2. Re:This doesn't help much, but.... by supabeast! · · Score: 1

      Many people will look at it this way and come up with the following:

      UNIX+NT+Novell = ~3 OSs to support
      UNIX+Win2k with AD = 2 OSs to support
      2 < 3, therefore the total operating cost will be lower because the organization won't need Novell people any more.

      This could work in an organization with a strong staff of well trained, experienced UNIX/NT people, that wasn't short staffed and could spare the resources to deal with all the AD problems. Good luck finding such an organization tho....

  35. Re:bloody macroshaft - probably OT by Trashman · · Score: 1

    Wow! I didn't know that! I have an SMP rig Thanks for the heads up.

    I'm curious though, Which Card would you recommend? All I want is 4 speaker output, and Linux and Win2k compatibility.

    I know it's supported in the 2.4.0-test kernels, but I have yet to try the 4Dwave under linux.

    --
    Do not read this .sig
  36. SMB shares are backwards compatible by /Caspian/ · · Score: 2

    I don't know too much about talking with the AD from Linux, but I DO know that Win2K's SMB shares are exactly the same as NT4's which are the same as Samba's etc. So for example I have had NO problems mounting a Win2K fileshare with smbmount at my work. We have a samba fileserver setup that everyone in our company uses and they have no clue that it is really running on Linux. As you may conclude from that, samba has no problems authenticating Win2K user accounts against Win2K domain controllers... meaning if you just needed to authenticate users against a Win2K domain (for login purposes or other) you *could* setup a script to try smbmounting something on the domain with their login/pass and see if it worked. I'm sure you can conclude many other things from this.

    As far as the AD goes, we tried to get Linux to talk with our Win2K domain controller and access the AD, but alas it never did work. Win2k's LDAP implementation is standard, everything seemed to work according to spec, *except* the weird Kerberos authentication. So if we could have gotten the win2k LDAP server to let us authenticate and connect we could have done anything we wanted to, but it never happened.

    Hope that helps a bit.

  37. Re:Amazing by sheldon · · Score: 1

    It is amazing isn't it?

    Slashdot.org is unfortunately home to more IT ignorance than just about any other site on the internet. Haven't figured out why I read it. I guess perhaps it makes me realize just how much I do know. :)

  38. My varied experiences... by Zibby · · Score: 1

    First off, you're better off with a NT domain controller than a SAMBA PDC. A pentium 200 PDC can authenticate about 40 users a minute.

    Now the real fun begins, and when you set this up, make sure you document it so you get it right every time. First, create a user on the PDC. In a mixed UNIX/Windows environment, keeping home directories and profiles on a SAMBA enabled server is best, because you can export them via SAMBA or NFS.

    Anything that supports PAM can authenticate against the PDC. (Even a w2k controller as long as it's running in mixed mode.) Create UNIX accounts like this: adduser --disabled-password username. What's the point of setting a local password, you're not going to use it anyway...

    Now your PAM module. pam-smb-auth works well for the basics. (Shell logins etc) but doesn't do much besides ask the PDC for a yes or no. pam-ntdom is based on pam-smb-auth but is extended for NT domains. (It can understand some of the domain security and such.) Use security = DOMAIN for samba and you shouldn't have to worry about accessing SAMBA shares and PAM modules for samba.

    w2k accesses SAMBA shares just fine. I had an issue with updating the roaming profiles, time on the file server was not in-sync with time on the client.

    Hope that helps a little...

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein
  39. Re:bloody macroshaft - probably OT by borzwazie · · Score: 1

    Dude, get a SB16. It's not a new card, it doesn't have the bells and whistles, but you know, the damn thing works everywhere, under every O/S I've ever tried. Can't help you with the 4 speaker output.

    --

    "We apologize for the inconvenience."

  40. "management are stupid" by juuri · · Score: 1

    Then you are at a "stupid" company. Just because some senior level VP doesn't get the 0 day tech knowledge doesn't make them stupid. It makes them a bit less informed... if you are in a tech position that suggests company technologies it is your job to make sure the constant flood of good things they hear about WONDERTECH-X11 is balanced by some good real world knowledge. It's not the higher-ups' job to know why win2k doesn't interop well. It's usually their job to look pretty in a meeting with other suits and take care of that tedious meeting crap "we" don't care about.

    Besides, all you have to do to stop a rollout to win2k is put a total cost of ownership in front of them for the 1st year... at 250-400 a desk most CFOs will laugh crazily and then say no.

    ---
    Solaris/FreeBSD/Openstep/NeXTSTEP/Linux/ultrix/OSF/...

    --
    --- I do not moderate.
    1. Re:"management are stupid" by Mr.+Jaggers · · Score: 1

      ...all you have to do to stop a rollout to win2k is put a total cost of ownership in front of them...

      Don't forget that our friend 'bob' works for a gov't agency... if they are convinced that a solution w/a $400 headcount is required, they can, most likely, appropriate the necessary funds.

      Then again, you probably already know that ;)
      (www.nsa.org?)

      --

      When I grow up, I want to have Christopher Walken hair.
  41. Re:Alone? by SEWilco · · Score: 1
    "...idependant..."
    Id pendant. He recognizes that his body is just a pendant attached to his Id (appropriate for bureaucracy: rage, impotence, depression, evil, error, etc.).
  42. Re:bloody macroshaft - probably OT by Krusty+Da+Klown · · Score: 1

    I'm using an SB Live under Win2k professional on a dual proc box (ABit BP6) and its been running for several months now. The EAX stuff works great in Everquest. Never had a blue screen yet. This is with the newest drivers.

  43. Unix Services for Windows by metoc · · Score: 1

    My shop has been running a mixed UNIX, Windows environment for years.
    Currently we have W2k workstations running in an NT environment, and recently put an NFS gateway on the NT server to map NT shares to NFS mounts. Most of my users don't even know they are updating web pages on a UNIX webserver. In the end they don't care.
    Although I have a love/hate relationship with MS, their recent attempts to integrate with UNIX environments are well done. Have you seen IE5 for Solaris & HP-UX?

  44. Security should be a concern with ADS by dego_tek9 · · Score: 3
    The story came out back in February, and I am not sure if anything has been done about it, but Novell released information regarding the security exploit you were concerned about (namely, Administrators with permissions above you accessing information below them in the tree).

    Although it reads a little bit like a pro-Netware column, the article at: http://www.novell.com/competitive/nds/security.html gives specific steps (with pictures) on how to exploit ADS to gain access to sensitive information in a branch below you.

    Hope it helps.

    "Although I am no longer needed, I am still tolerated. I am deprecated." -.DM.

    1. Re:Security should be a concern with ADS by dego_tek9 · · Score: 1

      I don't think my last post should have been ranked down there with the other "1" scores, with people mouthing off Microsoft. My post addressed legitimate concerns of the original author and a few of the other posters. How do they score these posts so quickly anyway? By a script with keywords? word countage? Microsoft, RFC, LDAP, ADS, Novell, SAMBA

    2. Re:Security should be a concern with ADS by forgey · · Score: 1

      This isn't really an exploit. I have total Administrative control over my entire network. I don't have permissions to every document but I have the ability to give myself permissions to anything I want.

      My company has to trust me not to use my powers for evil :)

      When hiring for an Admin position managers need to keep that in mind. If you don't trust your admin, he shouldn't be your admin.

      forge

  45. Just Brainstorming... by bubbalou · · Score: 1

    So you get your copy of W2K, and you run it under Linux using VMWare. Then you get M$'s AD development kit and write some custom sockets stuff to talk between the W2K and Linux sides of the internal bridged network...

    --
    One viagra in the morning before work; I just know I'm gonna be screwed
  46. Well, you _could_ damn the uberserver... by leonbrooks · · Score: 1

    Far be it from me to suggest a set-up, but...

    Consider laying hand on as much information as you possibly can (without being noticed) about the AD uberserver, any backups/slaves to it, and also nodes close to the AD root in other (-: rival? :-) agencies, and sort of... anonymously publishing it in places.

    After the luvverly Microsoft intranet has been raped silly a few times (do any of those agencies have MS-SQL installed?), they might not be so happy about making it universal.

    Then might be a good time to point out that your Unix network has not only never been raped, it's never been seriously proposed to, and offer to share your expertise amongst those poor unfortunates with the legacy operating system infection.

    If you're sure of your security, be careful to also include some numbers for your own systems in the leaked info, so that the absence is not noted. It would also make the subsequent baptism-of-fire somewhat more even-handed.

    --
    Got time? Spend some of it coding or testing
  47. Cisco is porting AD to UNIX by FedeB · · Score: 1

    I read in a Wrox book, I think "Linux Professional Deployment", that Cisco is porting AD to UNIX. Maybe you can check at Cisco's website for info. After all, AD is LDAP, right?

  48. Money by Nail · · Score: 1

    If money is not a free flowing and unfettered thing in your organization, and your investment is a mighty one, perhaps you can prepare dueling cost estimates when you have more information.
    Actually seeing how much money their actions and/or policies piss away may even give a bureaucrat pause.
    Then again, they may try to ignore it.
    If they do, you can keep bringing it up and hope that someone cares about waste in government, though that may wear on you.
    Fight the good fight,
    Troy

    --
    ...yellow number five, yellow number five, yellow number five...
  49. name services by cronack · · Score: 1

    You can use Win2K with several DNS implementations including NT4, BIND 8.2, BIND 8.1.2, and BIND 4.9.7. However, you will not have the same functionality as with Win2K DNS. For example, with the BIND implementations, you will not get the WINS record support (which doesn't seem to be a big deal in your situation). To compare and contrast functionality of the different DNS's with W2K, go here -> http://www.microsoft.com/WINDOWS2000/library/resources/reskit/samplechapters/cncf/cncf_imp_bdvd.asp

    --

    this is a left handed sig
  50. Re:The only solution is to educate government by SEWilco · · Score: 2
    but the point is that the direction here is likely to be totally beyond our control

    This whole things sounds like a good example of why we should encourage our government to require its own use of open standards and open data formats.

    I don't like my tax money wasted on excessive PC support costs and data trapped within Office files.

  51. A directory story by stumac · · Score: 2

    Having been the IS manager for a large organisation looking after 3.5k users, across 50 sites using 64k wan links and having Win95 and WinNT w/s, I vouch for the benefits of directory technology for the efficient management of the whole infrastructure. This may not have gone down well with all the distributed IT functions, but my job was to deliver applications and systems access to users with the minimal amount of cockups, and at minimal cost to the company. Generally, the five man team managed to do everything required without moving their butts off their seats - suited them, suited the users, and suited the accountants. While I developed this solution with my team and the vendors, my company (a large US based outsourcer) was, in parallel, developing an NT/AD based solution. My _development_ cost, including licenses, salaries etc was $200k (approx.), my company's budget was reputedly $10m. Obviously I never stood a chance. The new network went in with a blaze of publicity, along with increased staffing, increased wan links, and new (enormous) servers at each location. I left before it became clear that the cost savings promised from this solution were, frankly, b.s. The moral of this story is: If someone senior to you in the organisation has staked enough money and his/her reputation on something, what they want is likely to come to pass. I believe if you buy into it enough, you'll get all the help you need to deliver service to your users. The downside is that you may not be able to deliver service the way you _want_ to do it, and it may not be the best. P.S. The directory technology used originally was NDS, and it worked on (nearly) all the platforms we wanted it to (apart from VMS!). I wouldn't attempt to build a large-scale / distributed network with anything else.

  52. Re:Linux threatened by progress, read all about it by loki4eng · · Score: 1

    When the technology is a kludged together imitation of NDS that can *%** up your network it is a threat. I beta test stuff all the time, but I won't let AD on my production network until I've done extensive testing and MS has released at least two patches for it (eg admitted what is wrong with it). And 2k is still inferior to netware 4.11, let alone netware 5. (2k workstation is OK)

    --
    It's nota my planet, monkey-boy - Dr Lizardo.
  53. Maybe something interesting by jlp2097 · · Score: 1

    Well, I don't know if this has ever been submitted to /. but the EU commission wants to examine the behaviour of MS in connection to their server software (NT, 2000....). A German summary is available at http://www.heise.de/newsticker/data/jk-03.08.00-002/. It says that most computers are connected through servers in a network. For that to work, interoperability is required but that is only possible if the OS at the client and at the server can communicate. Since Windows is the dominating client OS, and MS isn't publishing enough interface information for Windows, more and more firms are forced to use NT, etc. The reason for this examination is a letter of complaint from Sun, which says that MS refused to tell Sun basic information about Windows.
    -mj

  54. Try another directory services by aralin · · Score: 1
    I would suggest trying another type of directory services. Either from Novell or Oracle. Both seem to support the Windows platform really nicely and they integrate with a UNIX environment way better than Active Directory from MS. I would suggest investigating the web pages of the respective companies. What's more, NDS is much better for wider companies than AD and the security concerns you had are not an issue in NDS so far.

    What's more, AD is really a pain at larger distances and with high amounts of objects in a single directory. You should really consider someone who is not a newbie to directory services like MS and who has no reason to leverage only their own platform by their products.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  55. You ask many questions... by daveman_1 · · Score: 1

    Okay, starting with number one. Windows 2000 workstations can access Samba file shares, even if they are in full native mode. In other words, Windows 2000 workstations are still able to perform NetBIOS over IP communications, even if they are completely Active Directory integrated, and rely on DNS dynamic update for Active Directory authentication. As always though, if you want your win2k workstations to talk to a Samba server on a different ethernet segment (separated by a router) you are going to have to implement a WINS server. Now for another part of the equation... To the best of my research into the topic, you will not be able to (as of yet) replace your Active Directory servers with Unix servers... Yet. Several things need to be in place for that to happen, one of which I am uncertain of is dynamic update support for a Unix DNS machine. If Unix currently has such a beast, I'd be interested in knowing this. If you simply want to be able to access Samba shares, you are okay though. I'll post more later as time permits.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
    1. Re:You ask many questions... by CmdData · · Score: 1

      I understand that this is true because W2K supports both MS-Kerb5 and NTLM. Is that why samba still works with w2k workstations?

    2. Re:You ask many questions... by daveman_1 · · Score: 1

      That is part of the reason, but the main reason is because they had to maintain backwards compatibility with the large base of NT workstations and servers out there that do not understand the 2000 domain model.

      --
      Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  56. Re:ignore it... by nontrivial · · Score: 1

    I hear you, brother. I worked for five years developing and maintaining an integrated network/customer support system that was the result of decades of experience and supported thousands of nodes and customers. Then my company got bought, and we were told it was going to be replaced in less than six months. I took one look at the beta four months later, after being shut out of the spec, design, and development loop, and decided I didn't want to be in the STATE when they tried to push it down the users' throats. Politely put, the new system would increase the workload tremendously and customer support would suffer. I now work for a tiny firm running no Micro$oft software, and life is good again.

    --
    http://james.nontrivial.org
  57. Government Standards by SEWilco · · Score: 1
    Hmm. Maybe you should ask the implementers to explain how their proposed change meets the GOSIP 2 requirements. See also RFC1169.

    I think GOSIP is recommended for use, not required, but let them explain their need for exceptions.

    Or tell them to go away, as you're too busy trying to meet GOSIP standards so your GOSIP network can then talk to their GOSIP network.

  58. Re:Linux threatened by progress, read all about it by SEWilco · · Score: 1

    There is no meritocracy in this case; the royalty issued a proclamation.

  59. W2K works fine in UNIX/SAMBA env by CmdData · · Score: 1

    Some of you need to read the security books on w2k and understand that it supports two types of authentication: Kerberos5 and NTLM. NTLM is what NT4.x is using now. Most rollouts of w2k will be mixed mode for backwards compatibility reasons. We have over 10,000 client 9x computers and so we can't just touch every desktop with 2000 just yet. It will take time and until all desktops/member servers/domain controllers are w2k we will be using mixed mode authentication. I suspect we will always be running in mixed mode because I have a few Samba servers running on the network.

  60. Win2K/NT/Unix by jopasm · · Score: 1
    First - here's an article for you to look over. It doesn't "exactly" answer your questions, but might provide some useful information in your interaction w/ the IT dept. http://www.ccianet.org/Win2000web.html Now, about your questions:

    1. There doesn't seem to be a way for a Win2K workstation that is using AD to access shares on an NT4 machine. It is possible to use NT4 and Win2K, but you have to use the "older" domain model - you won't get the "benefits" (such as they are) of Windows 2000. Samba doesn't appear to handle AD yet - they're working on full NT4 compatibility. It will work with Windows 2000 in "compatibility mode" where it uses the "old style" domain and SMB structures. In general AD seems to break compatibility (or severely limit compatibility) with just about everything except Win2K.

    2. I'm not sure - I *think* it's possible, but I haven't gotten that deep into Win2K. I'm not sure how well the MS implementation of LDAP, DNS, etc work either.

    3. There seem to be several security vulnerabilities w/ AD. Check the web (and the other posts here on slashdot) for more information. Considering how new and how limited Win2K has been in its roll-out, security is a very valid concern. Historically it seems to take MS 2-3 tries (or more) w/ any new product before they get the gaping holes patched.

    4. Most of the articles I've read indicate that while it is possible to use Win2K w/ Unix (with the Unix systems relying on the Win2K system for DNS, LDAP, etc) it can be a major pain. MS did not go out of their way to ensure compatibility. What support there is seems to be more of a "token" support to "tide you over" until you replace all that nasty Unix stuff w/ profit producing Win2K. Whether or not Win2K works (or works for you) is beside the point. :> BTW - that's profit producing for MS, not you.

    5. Thankfully, I'm not. :> I've worked w/ consulting/service&support firms the past couple of years, so I'm generally on the other side of the table as the one recommending painful and expensive changes. :> Fortunately I'm not doing that anymore. Instead I'm looking for a nice quiet admin job where I can have all the headaches you're having. I think there's something wrong w/ me.

    --

    ObTagLine: The more you run over the 'possum, the flatter it gets.

  61. Win2000 security is an oxymoron by MrJerryNormandinSir · · Score: 1

    The Win2000 implementation is not true Kerberos. The assholes once again are doing something nonstandard. They are utilizing several fields in a way that does not conform to the existing Kerberos implementations. Also once you crack an Active Directory structure you have full access to the entire domain. For a scientific government entity your organization is pretty narrow minded. An implementation of DFS or AFS would be a HELL of a lot better than what they are doing. I suggest looking into AFS www.transarc.com And.. the code is going to go Open!

  62. Win2k w/ AD CAN access old shares by fooblah · · Score: 1
    You just need to keep NTLM passwords in AD. Windows 2000 makes the synchronization of NTLM and Kerberos passwords trivial, from the user's perspective.

    You ALSO need to allow anonymous LDAP/SAM lookup access in AD. This can be done on a per-container and per-object basis if you wish.

    The general rule is: if you must run Windows 2000 clients and services with Kerberos authentication then your KDCs had better be AD.

    The whole [technical] point of Microsoft's profile-in-Kerberos tickets extension is to allow them to deny anonymous lookups. This is because the servers you connect to won't need to lookup your user profile data if it's provided in the Kerberos ticket.

    Of course, MS's extension stinks for a number of reasons.

    I suggest you search the krb-protocol and ietf-krb-wg mailing list archives. (Most posters cross-post to both lists. I don't know where there might be archives for the IETF list).

    There was a thread in those lists, earlier this summer, about this whole issue.

    My opinion is that MS is right to want to make it possible to deny anonymous lookups that previously had to be allowed. I think their approach is wrong. I have proposed more than one alternative on the krb-protocol list.

    Unfortunately, there is much too much interest in whining about MS' extension and not enough interest in putting forward a better alternative. Yes, MS is abusing the good will of those who dreamed up and made Kerberos possible; I know. I hope we don't degenerate into yet another debate about MS/antitrust/etc.

    Another problem is that there is a strong aversion to mixing any authorization features with an authentication protocol. This is quite understandable, though I submit that with SSO systems there is an authorization issue: how to, practically, control delegation of impersonation OR, in other words, how do you authorize remote services to act on your behalf to other services while not giving those services the rights to impersonate you completely.

    Nick

  63. Linux ADSI + Add-in for NT Workstation to use AD by BoLean · · Score: 3

    From the MS ADSI website

    Getting and Using ADSI Providers

    The standard Active Directory Service Interfaces objects, or providers, are found within multiple namespaces, typically directory services for various network operating systems. Providers enable communication between the server or client. ADSI 2.5 includes providers for:

    • Windows NT. ADSI supports the Windows NT® Server 4.0 directory.
    • Lightweight Directory Access Protocol (LDAP) . The LDAP provider works with any LDAP version 2 or version 3 directory. This provider also works for the Windows® 2000 Active Directory.
    • Novell NetWare Directory Services (NDS).
    • NetWare 3 bindery (NWCOMPAT).

    And the real solution to the problem is getting someone to write an ADSI provider for Linux. So if you are inclined, HERE'S THE DEVELOPER KIT.

    Or, Download someone else's provider HERE or HERE

  64. How to integrate Win2K AD with your MIT KDC by john@iastate.edu · · Score: 2
    Here's what we did.

    I found the 4 places in MIT's KDC where I needed to create an 'exit' (principal create, update, delete, passwd-change). At these points I call out to an external program (I wanted to modify the KDC itself as little as possible). The external program encrypts a command like

    createprincipalpassword

    and sends it to a daemon running on the Win2K Domain controller. This daemon does a lookup to our X.500 server to get the 'name/addr/etc' stuff and then uses Win2K calls to add the user into Win2K AD.

    The user is prohibited from changing their Win2K password, they must either change it in Unix, or on a SSL-web page -- both of these update Kerberos which reflects the change back into Win2K -- also they can use a 'win2k kpasswd client' too (but that could be improved).

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
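    The post above describes an exit hook in the MIT KDC that hands a create/update/delete/passwd-change command to an external program, which encrypts it and ships it to a daemon on the Win2K domain controller. The sketch below is an added example, not the iastate code (the names ProvisioningSender, ProvisioningReceiver, SHARED_KEY and ALLOWED_OPS are hypothetical). It models the message the external program would emit and what the daemon must check before it touches AD: the post encrypts the command, while this stdlib-only version authenticates it with HMAC-SHA256 and adds a timestamp and nonce, so a forged, tampered, stale or replayed command is refused. Confidentiality of the password field is assumed to come from a separate encrypted transport.

```python
"""Authenticated provisioning message for a KDC exit hook (added example)."""
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key-do-not-use"  # constructed sample value, not a real secret
ALLOWED_OPS = {"create", "update", "delete", "passwd-change"}  # the four KDC exits in the post
MAX_SKEW = 300  # seconds; a command older than this is refused


class ProvisioningSender:
    """Runs on the KDC host: builds one authenticated command per exit call."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now  # injectable clock so the behaviour can be tested offline

    def build(self, op, principal, password=None):
        if op not in ALLOWED_OPS:
            raise ValueError("unknown provisioning op: %r" % op)
        body = {
            "op": op,
            "principal": principal,
            "ts": int(self.now()),
            "nonce": os.urandom(16).hex(),  # makes every message unique for replay detection
        }
        if password is not None:
            body["password"] = password
        # canonical JSON so sender and receiver MAC exactly the same bytes
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"\n" + tag


class ProvisioningReceiver:
    """Runs on the domain controller: accepts a command only if it is authentic, fresh and new."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now
        self.seen = set()  # nonces already acted on (bounded by MAX_SKEW in a real daemon)

    def verify(self, message):
        """Return the parsed command dict, or None if the message must be ignored."""
        try:
            payload, tag = message.rsplit(b"\n", 1)
        except ValueError:
            return None  # malformed: no tag separator
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key or tampered payload
        body = json.loads(payload)
        if body.get("op") not in ALLOWED_OPS:
            return None  # only the four exit operations are ever executed
        if abs(self.now() - body.get("ts", 0)) > MAX_SKEW:
            return None  # stale command (clock skew or delayed replay)
        if body.get("nonce") in self.seen:
            return None  # exact replay of an earlier command
        self.seen.add(body["nonce"])
        return body
```

    The receiver is where the security property lives: without the MAC an attacker on the path between KDC and DC could create or delete AD accounts at will, and without the nonce a captured legitimate "create" could be replayed after the account had been removed.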
  65. Samba? Really, use MS Services for Unix 2 by Marasmus · · Score: 2

    Now really, no matter how tweaked or hacked or configured you get samba, it's really not secure worth jack. Beyond that, it (SMB) is a horribly inefficient transfer protocol.

    With Services for Unix 2 on an NT box, you can map all your unix users to your NT accounts (and vice versa) as well as map groups. It's a little quirky getting used to its ins and outs (Such as not being able to mount ANY directory which is not world-readable, you must mount a parent and then the security mappings take effect).

    It uses NFS for its file transfer, which is _way_ more efficient, as well as easier to configure and organize across a span of servers. NIS + NT PDC using MS-SFU2 = rather respectable cross-platform accessibility, worlds ahead of what samba can('t) do.

    --
    .... um, i lost you after "0110100001101001".
    1. Re:Samba? Really, use MS Services for Unix 2 by Grimwiz · · Score: 1

      Performance wise, NFS and samba have come out almost identical for me. I guess you've got it configured wrongly if you've got a big difference between them.

      Administration wise, Samba uses user names, which can be made to match between UNIX and NT; it's easy. Trying to introduce UIDs to NT has previously (e.g. with Maestro) been a real pain.

      No quirkiness, it just works, very well.

      --
      -- Don't believe everything you read, hear or think
  66. congratulations by jafac · · Score: 1

    CONGRATULATIONS!
    You have discovered the primary goal of Active Directory:
    Eradicate Unix.

    if it ain't broke, then fix it 'till it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  67. sheesh... by bSod · · Score: 2

    This is from experience, kiddies, not rumors or documentation.

    1) Yes, NT 4 servers and workstations can talk to Win2K servers and workstations (and vice versa) regardless of what mode (native or compatible) the AD is in. NetBIOS is very difficult - if not impossible - to disable on both. NOTE: I have had difficulty connecting to an NT 4 server outside of my domain (no trust relationships in effect either) using My Network Places in Win2K. It likes to report that the resource is not available. Same with using Start > Run. But the net command works very well. This is not a problem when accessing machines in your domain.

    2) MS modified its Kerberos implementation so that it relies on a documented, but formerly unused field. It eventually owned up to that, releasing the full specification (members of the SAMBA project may correct me on that one if they disagree), but slapped an obnoxious click-wrap NDA on it. They eventually released a less restricted, but less informative document to the same effect. Either way, no non-Win2K product is currently able to fully integrate into AD.

    3) The latest versions of BIND, when properly configured, do claim to support dynamic DNS, and Win2K's DNS server can be configured to support non-Windows dynamic DNS.

    4) There is very little you can do to prevent administrators from gaining access. It's sort of like trying to prevent root from gaining access to a user's home directory. Slap whatever permissions you want on it, eventually they can override it. Thus, you need to have consistent, documented policies on what can be accessed by Administrators, and when and how. Bringing this to your superiors may slow the implementation of AD long enough for some tools to help you manage.

    An AD migration is painful for the admins, as the learning curve is steep and fast. Your users, OTOH, shouldn't notice too much of a problem. For example, NT 4 and 9x are perfectly happy sitting in an AD domain, it's just that some functionality is lost.

  68. PAM on NT - Authentication Solved? by rrhal · · Score: 1

    I haven't tried this yet but others have had this working on NT and it looks like it will work on W2K. This replaces the M$ authentication routines with standards compliant ones. They include Kerberos V.4 and V.5 modules with this.

    http://www.citi.umich.edu/u/itoi/

    --
    All generalizations are false, including this one. Mark Twain
  69. read the post! by ArchieBunker · · Score: 1

    He said he wants 4 speaker output! I'm surprised no one has suggested a card based on the Vortex2 chipset.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  70. Neat! by bSod · · Score: 1

    Wow, people are starting to develop plugin modules for NT... now we just need some better authentication modules. Somebody want to slap MS and convince them to provide adequate documentation to develop these tools without first signing a formal contract (signing your soul over) and buying Visual Studio, TechNet, MSDN, a dozen or so dev kits, and an equal number of "Programmer's Guide to" and "Undocumented" books?

    1. Re:Neat! by BoLean · · Score: 1

      Yer telling me. Right now I'm trying to write a function to send multiple emails containing attachments based on Access queries based on a poorly documented VB command.

    2. Re:Neat! by Earlybird · · Score: 1
      All MSDN documentation, plus most SDKs (not the DDKs) is available for free from Microsoft's MSDN site, and has been for a long while.

      Also, ADSI is an abstraction layer over directory services implemented as COM servers, not a pluggable authentication layer -- that would be the SSPI (Security Service Provider Interface).

      (I would like to add that SSPI and the crypto APIs in Windows are, while complex, two well-designed APIs. Probably the accidental work of some summer interns.)

  71. Sorry... by TobyWong · · Score: 1

    Those graphics apps run fine on Win95 for instance and that would leave you with a lot more memory for your apps.

    Yeah win9x is GREAT for addressing that half gig of RAM.

    *snicker*

    --
    - Toby
    1. Re:Sorry... by XScott · · Score: 1

      Yeah win9x is GREAT for addressing that half gig of RAM.

      So use WinNT 4 with a late service pack. How is Win2K better?

  72. Windows 2000 *IS* the problem ... by BitMan · · Score: 2

    Windows 2000 is designed to market a Windows server-dependency. The IEEE Computer Society's latest August 2000 (Vol. 33, No. 8) Computer magazine featured an article called Windows 2000: A Threat to Internet Diversity and Open Standards? (PDF available to members here).

    As such, you need to adopt a Windows server-free network. This includes holding off on Windows 2000 until either Samba supports its interfaces (will take some reverse engineering) or someone finds a way to have it use NIS/NIS+ for authentication -- e.g., NISGINA does for NT 4.0. At my company, Theseus Logic, we use NISGINA instead of Samba TNG (just use regular Samba 2.0.7) to deal with authentication of NT 4.0 systems.

    -- Bryan "TheBS" Smith

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
  73. when you are done? by captredballs · · Score: 1

    sorry, I don't have any answers...

    I hope that you can survive this mess. When and if you do, it would be instructive for others if you could share your experience. Many many people are going to be going through these pains in the future and there seems to be a great deal of incorrect information floating around.

    Don't forget ;-)

    --

    I suppose I'm not too threatening, presently, but wait till I start Nautilus
  74. duck the issue by nehril · · Score: 1
    if the PHBs are mandating win2k everywhere (along with full compliance to the Microsoft Apps party line) then you have another option... Metaframe/Terminal services.

    Let them beat themselves senseless "driving Microsoft solutions", then plug in a server farm of win2k servers with Terminal services and Metaframe. Distribute the Metaframe client to your unix boxes and voila, everyone has a Windows 2000 desktop inside their trusty Unix workstation.

    All your unix brethren can then run office 2k, outlook, the goofy accounting custom VB app, etc without harming your current investment.

    win2k should have no problem accessing a samba share, so ppl can still access unix files and home directories from within their session.

    The only issue left is the pain of maintaining 2 separate logins (your users get their existing unix world and the new win2k login id) but supposedly you can authenticate a unix workstation to a Win2k KDC (but not the other way around without serious issues). So, once you have a terminal services farm in place, at your leisure figure out how to auth your unix boxes to a win2k kdc while preserving all your permissions.

    Eventually you will have single signon, full unix stability, and a way for your users to run the "Corporate Standard Win2k desktop". I have a feeling that the unix to win2k auth will be a bit of a bear, so brush up on your perl/nis/c skills.

  75. Micros~1 by rumba · · Score: 1

    Dood, use quotes and you can display the whole name?

  76. "Educating Management" is an oxymoron by HiyaPower · · Score: 1
    I hate to be totally cynical, but most management could care less about what the effect of the actions are. What practically all managements in organizations beyond a couple of people are trying to do is to create dust smoke and the appearance of doing "something". The fact that their "something" has detracted from the profits of the owners of the company will be blamed on someone else, someplace else. If this results in an increase in staff, then they will demand a promotion. If they leave the company, then they will proudly trumpet their accomplishment of implementing this "something" on their resumes.

    Just think of all the great waves of mergers followed by great waves of divestitures that occur on wall street. Most of this never brought a dime to anyone outside of the legal departments of said firms and the management that thought it up.

    Sadly, Pogo was right : "We have met the enemy and he is us".

  77. I'm not much for /, conspiracy theories by Bad_CRC · · Score: 1
    but, I'd bet this thread will end up being archived in redmond, and if someone does come up with a painless, working solution, it will be "fixed" in the next win2k sp.

    ________

  78. Economics Education by Mark Leighton Fisher · · Score: 1

    If you can, prepare a project plan showing how much time and money and how many people it will take to convert to AD. This has a better chance of convincing management than just technical arguments. The technical arguments then make a good backup.

    --
    "Display some adaptability" -- Doug Shaftoe, _Cryptonomicon_
  79. JADSI by Scrodier · · Score: 1

    At the humongous web shop I work at I have been asked to make Sun Java 1.2 use Active Directory on a Windows 2K server as an LDAP server. This is proving to be difficult. My only hope thus far has been -> JADSI (Java Active Directory Services Interface) ---> This should let Sun Java talk to Active Directory's Domain Controller. You can use LDAP to accomplish sign in to AD on Unix. I have yet to have any success with it but have not given up yet. Please tell me if you have any success. If you want to do this very badly, you can try using the C LDAP libraries that come with Netscape's Directory Server SDK (or from the LDAP UMich project) and write a C client that can speak LDAP to Active Directory. Again, I have done none of this but am presently trying to make the Java solution work. I am in a similar situation being forced to work using Microsoft garbage mislabeled software. It happens in the consulting industry. Best of luck, wishing you all your future projects in Java on Linux.
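    The post above talks about "speaking LDAP to Active Directory" from Java or from the C LDAP libraries. What any of those clients sends for a sign-in is an LDAPv3 BindRequest, and the encoder below shows that message on the wire. It is an added example, not the poster's code and not JADSI; the function names (ber_len, tlv, ber_int, bind_request) and the tls_in_use / allow_cleartext switches are hypothetical. The point a defender should take from it is that a simple bind carries the password as a plain OCTET STRING, so the helper refuses to build one unless the caller states that the connection is already inside TLS (ldaps:// or StartTLS) or explicitly opts in to cleartext.

```python
"""LDAPv3 simple-bind BER encoder (added example, stdlib only)."""


def ber_len(n):
    """BER definite length: one byte below 128, otherwise 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    """INTEGER for non-negative values (enough for messageID and the protocol version).
    An extra leading zero byte is added when the top bit is set, as BER requires."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def bind_request(message_id, dn, password, tls_in_use=False, allow_cleartext=False):
    """Encode LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, dn, simple password } }.

    Refuses by default unless the caller asserts the socket is already TLS-protected,
    because the password below is not protected by LDAP itself.
    """
    if not tls_in_use and not allow_cleartext:
        raise ValueError("simple bind would send the password in cleartext; use TLS")
    bind = (
        ber_int(3)                      # version INTEGER 3
        + tlv(0x04, dn.encode())        # name LDAPDN (OCTET STRING)
        + tlv(0x80, password.encode())  # authentication: simple [0] OCTET STRING
    )
    op = tlv(0x60, bind)                # [APPLICATION 0] constructed
    return tlv(0x30, ber_int(message_id) + op)  # LDAPMessage SEQUENCE


if __name__ == "__main__":
    # constructed sample values, not a real account
    print(bind_request(1, "cn=bob", "pw", tls_in_use=True).hex())
```

    Reading the output back against the encoder is a quick way to recognise a cleartext bind in a packet capture: the 0x60 application tag, a version byte of 3, the DN, and then the password immediately behind a 0x80 tag. A SASL bind (tag 0xa3) is what you would see instead when the Java client negotiates GSSAPI/Kerberos, which is the route that keeps the password off the wire.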

  80. Re:bloody macroshaft - probably OT by alarosa · · Score: 1

    Like the other poster said, probably a Vortex2-based card. I think the Diamond MX300 runs it, and there's a couple other cards that I don't know the names of. Be careful though, Aureal's been having financial problems as of late (you may have heard), and if someone doesn't buy the company soon (I know Guillemot is interested, as is Creative themselves), you may be stranded with a card that gets no driver updates. You can still get support for it from S3, even though they officially dissolved Diamond a couple weeks ago. As for linux support, there's Aureal support in OSS (gotta pay for it), and there MIGHT be in ALSA, though you should check it out yourself.

  81. Re:bloody macroshaft - probably OT by UnknownSoldier · · Score: 1

    > an SMP machine, just don't even bother. Blue screens abound

    Not true. Just crackling, and no volume control (volume is always loud, no matter what the slider is set at). You can check the creative labs news server, for news on the SB Live and SMP. The fixed driver won't be out till october.

    There is a utility you can use to set the affinity of the sound driver. It has helped a few people.

    I'll post the relevant links once I get home.

  82. Re:bloody macroshaft - probably OT by UnknownSoldier · · Score: 1

    > using an SB Live under Win2k professional on a dual proc box (ABit BP6)
    What are your settings? I have a BP6 (dual cel 366 o/c 550) as well.

    > and its been running for several months now.
    >The EAX stuff works great in Everquest
    Diablo 2 doesn't recognize EAX, and the sound always crackles.

    > This is with the newest drivers.
    You mean LiveWare 3.0 ? or did you just install the basic drivers?

  83. Forget NT4, use Win2k by UnknownSoldier · · Score: 1

    > How is Win2K better?

    Native support for DX7 and DX8.

  84. SB Live, Win2K, SMP, util by UnknownSoldier · · Score: 1

    Here is the link to the utility you can use to set the affinity of the sound driver. File: intfiltr.zip
    http://sunsite.org.uk/packages/microsoft/bussys/winnt/winnt-public/tools/affinity/

    The Creative Labs Forum can be found here:
    news://news.creativelabs.com/creative.products.sound_blaster.live

    1. Re:SB Live, Win2K, SMP, util by alarosa · · Score: 1

      Coolness. I know they had driver problems earlier in the series, but this does help. Thanks :)

  85. Re:Linux ADSI + Add-in for NT Workstation to use A by Earlybird · · Score: 1
    ADSI has little to do with Active Directory. True, ADSI provides a uniform interface to AD and other directories so you can write apps that (in theory) easily port between directories, and Microsoft's ADSI Active Directory provider also serves as the primary AD API for developers.

    However, my understanding is that the Windows domain client components do not use ADSI, but rather are hardwired to use Active Directory. Therefore, a Windows client will not be able to use a different directory service than AD for domain authentication and configuration management.

    If Microsoft permitted this, they would effectively be saying, "Sure, you can replace your Win2k server with a Novell box, or a Linux box, or anything that speaks LDAP." They can't afford to give users that flexibility, or Win2k Server would not sell.

    In other words, simply having a "Linux ADSI provider" does not help. I am not saying it's not possible -- I am sure that hackers will eventually be able to duplicate AD in an open-source product, just like Samba duplicated NT4's SMB/RPC/SAM stuff -- just that this ain't it.

    (Also, I do not believe those links you included are exactly what you think they are. They seem to be libraries to help porting Windows-based ADSI apps to Linux.)

  86. Re:bloody macroshaft by Bender+Unit+22 · · Score: 1

    .. No one gets fired for choosing Microsoft ..

    ---

  87. Why not use PAM? by cjsnell · · Score: 1

    I'm nearly certain that there is a PAM module to authenticate against an NT/Win2k domain controller. You could configure PAM to use this for authentication when users log onto their workstations.
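
    As an added example (not from the post), here is what such a PAM configuration looks like for a Linux-PAM style /etc/pam.d/login: the domain module is tried first and local accounts remain usable as a fallback. It assumes pam_winbind.so (the PAM module that ships with Samba's winbind, which authenticates against an NT4-style or mixed-mode domain controller) and pam_unix.so; the older pam_smb project's pam_smb_auth.so fits the same slot. Solaris keeps the same stanzas in /etc/pam.conf with a leading service-name column.

```text
# /etc/pam.d/login  (added example; module names assumed as described above)
#
# auth: ask the domain controller first. "sufficient" means a domain success
# ends the stack, and a domain failure (or an unreachable DC) falls through
# to the local shadow file, so root and local service accounts still work
# when the DC is down. Using "required" for the domain module instead would
# lock out every local account during a DC outage.
auth     sufficient  pam_winbind.so
auth     required    pam_unix.so   try_first_pass

# account: the domain decides whether a domain user may log in; local users
# are still subject to the local checks (expiry, locked account).
account  sufficient  pam_winbind.so
account  required    pam_unix.so

# session: home directory, limits etc. are handled locally either way.
session  required    pam_unix.so
```

    Two things to check before relying on this: domain users also need a uid and gid, which means passwd and group in nsswitch.conf must list winbind (or an equivalent NSS source) after files, and because the domain stanza is "sufficient", local password policy in pam_unix never applies to domain users, so password quality and lockout for them are whatever the domain controller enforces.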

  88. Sun has SEAM (UNIX Active Directory) by AIXadmin · · Score: 1

    Sun Micro has a modified Kerberos server that can interoperate with AD. The product is called SEAM. Look it up on their web site. I believe it is a bundled free product with Solaris.
    Cheers,
    WFE
    ===========
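
    As an added example (not from the post, and not taken from Sun's SEAM documentation) of the Unix side of that interoperation: a krb5.conf that points a SEAM or MIT-style client at a Windows 2000 domain controller as its KDC. EXAMPLE.GOV and dc1.example.gov are placeholders for the AD domain and a domain controller.

```ini
# /etc/krb5/krb5.conf on Solaris (SEAM); MIT Kerberos reads /etc/krb5.conf.
# Placeholders: EXAMPLE.GOV is the AD domain's DNS name in upper case,
# dc1.example.gov is a Windows 2000 domain controller.
[libdefaults]
    default_realm = EXAMPLE.GOV
    # A Windows 2000 KDC shares only DES keys with non-Windows principals
    # (its other enctype, RC4-HMAC, is not implemented by MIT/SEAM clients
    # of this era), so restrict the client to DES. DES is weak; treat this
    # as an interop concession for the AD realm, not a site-wide default.
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.GOV = {
        kdc = dc1.example.gov:88
        # No admin_server: AD has no kadmin. Host and service keys are
        # generated on the DC with ktpass against an account that has
        # "Use DES encryption types for this account" set, and the keytab
        # is copied to /etc/krb5/krb5.keytab on the Unix host.
    }

[domain_realm]
    .example.gov = EXAMPLE.GOV
    example.gov = EXAMPLE.GOV
```

    This variant hands the Unix boxes over to the AD KDC entirely, which is the opposite of what the original poster wants. The alternative that keeps Unix principals under Unix control is to run a separately administered Kerberos realm (SEAM or MIT) and establish a cross-realm trust with the AD domain, so that AD users get service tickets for Unix services without the Unix realm's key database living on a domain controller; the realm and KDC entries above then describe the Unix realm and the AD realm is added as a second [realms] entry.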

  89. Re:bloody macroshaft - probably OT by Robert+S+Gormley · · Score: 2

    Aureal filed for bankruptcy, leaving me with a VideoLogic card with shoddy beta drivers which didn't work a whole lot, and "are not going to be updated". Fuck that. :-|

    --

    Open Source. Closed Minds. We are Slashdot.

  90. Re:Linux threatened by progress, read all about it by Malcontent · · Score: 2
    "What ever happened to meritocracy?"

    It died when MS gained a monopoly. Now inferior products are forced on unsuspecting people by stupid PHBs who read too many MS whitepapers.

    A Dick and a Bush .. You know somebody's gonna get screwed.

    --

    War is necrophilia.

  91. Windows 2000 Directory Support While Keeping Unix? by Anonymous Coward · · Score: 1
    Samba provides full interoperability with NT5-as-a-PDC-in-NT4-backwards-compatible-mode. The following things, however, should and/or should _not_ be enabled/disabled, at the moment:
    • 1) RestrictAnonymous=0x2. If you do this, anonymous browsing will fail.
    • 2) Q147706 LMCompatibilityLevel=anythingotherthan0x0. If you set this to anything other than 0x0, you will find that SMB file access will fail.
    • 3) Q183859 - if you mandate the requirement for sign/seal, then both NT5 workstations being joined to a Samba Domain will fail _and_ Samba with security = domain being joined to an NT5-in-nt4-domain-mode will fail.

    These things, obviously, will be fixed as information is obtained. Samba TNG can deal with some of these things, already, for example.

    So, if it is sufficient [and a requirement] that NT5 be in "backwards compatible mode" for a controlled, stable roll-out of NT5, then Samba is perfectly capable of acting in backwards-compatible mode, both during and after that deployment.

    The crucial rule is, though that if there is no incentive for Samba's development to include the extra features of NT5, namely that there is not one request per day on the Samba mailing lists for these features, then please could someone explain to me what the justification is for spending significant amounts of effort on obtaining the info necessary to be compatible with NT5-only-mode?

    Thanks,

    Luke Kenneth Casson Leighton , Samba Team
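
    Added example, not code from the Samba Team or from the post: a small checker that reads a regedit export from a Windows 2000 machine and reports which of the three settings listed above are in the state the post says breaks Samba interop. The registry locations are the documented ones for these values (Control\Lsa for RestrictAnonymous and LMCompatibilityLevel, Services\Netlogon\Parameters for the Q183859 sign/seal values); the sample export inside the block is constructed. Worth keeping in mind: the three "interop-friendly" values are exactly the ones hardening guides tell you to change, since LMCompatibilityLevel=0 lets the client send LM and NTLMv1 responses, RestrictAnonymous below 2 permits anonymous enumeration, and an unsigned secure channel can be tampered with, so a host that passes this check cleanly is a host that has been left in its weaker configuration.

```python
"""Flag the three Windows-side settings that the post above says break
NT4-style interop with Samba, by reading a regedit export of the host.
Added example, not Samba Team code. Registry paths are the documented
locations for these values; SAMPLE_REG is a constructed export."""
import re

# Key paths are compared case-insensitively (regedit preserves on-disk case).
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
NETLOGON = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"

# Constructed export of a host where two of the three interop-breaking
# settings are on (RestrictAnonymous=2 and RequireSignOrSeal=1) while
# LMCompatibilityLevel is still at 0.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000002
"LMCompatibilityLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters]
"RequireSignOrSeal"=dword:00000001
"SignSecureChannel"=dword:00000001
"SealSecureChannel"=dword:00000001
"""


def load_reg(path):
    """Read a .reg file. Version 5.00 exports are UTF-16 with a BOM;
    older REGEDIT4 exports are 8-bit text."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: int}} for the DWORD values
    in a regedit export. Other value types are ignored."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def interop_problems(text):
    """List (value_name, value, consequence) for each setting that the post
    says must stay at its NT4-compatible value. A value absent from the
    export is treated as 0 (unset), the interop-friendly and weaker state."""
    keys = parse_reg(text)
    lsa = keys.get(LSA, {})
    netlogon = keys.get(NETLOGON, {})
    problems = []
    ra = lsa.get("RestrictAnonymous", 0)
    if ra == 2:
        problems.append(("RestrictAnonymous", ra,
                         "anonymous browsing against Samba fails"))
    lm = lsa.get("LMCompatibilityLevel", 0)
    if lm != 0:
        problems.append(("LMCompatibilityLevel", lm,
                         "SMB file access to Samba fails"))
    rss = netlogon.get("RequireSignOrSeal", 0)
    if rss == 1:
        problems.append(("RequireSignOrSeal", rss,
                         "secure channel / domain join with Samba fails"))
    return problems


if __name__ == "__main__":
    import sys
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    found = interop_problems(text)
    for name, value, why in found:
        print(f"{name}={value}: {why}")
    if not found:
        print("no interop-breaking settings found: host still accepts LM/NTLMv1, "
              "anonymous sessions and an unsigned secure channel")
```

    Run it as `python check_reg.py export.reg` on a file produced by `regedit /e` on the workstation or domain controller; with no argument it evaluates the constructed sample and reports RestrictAnonymous and RequireSignOrSeal.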

  92. Why work for stupid people? by c728 · · Score: 1

    Time to consider a change.

  93. Losing battle, sorry to say by gsfprez · · Score: 2

    I also work for a govt. agency.. and the absolutely, completely, boneheaded, nonthinking, Borg-perfect actions of the US govt. to use MS only solutions at the expense of any and all other computing solutions has been set in stone for some time now.

    In the Air Force, they call it Joint Technical Architecture - and while it includes unix today, it won't tomorrow.

    In the Navy, they call it IT2000... it just as well should be called Windows2000.

    DISA - Defense Information Service Agency - has a brilliant idea... make everyone fall under a single defense information infrastructure common operating environment - DII-COE - put all of our fscking eggs in one basket - which is held by Redmond.

    http://diicoe.disa.mil/coe/

    In short - i have seen all Mac communities, all NeXT communities, all SGI communities, and all Sun communities get their perfectly good computers tossed out, sent to DRMO (where you can get insane deals on hardware... buckets of Sun UltraSparcs for $50 a bushel, etc.).. all of them... packed up and shipped out for shitty fscking Compaq and Dell servers that give us nothing but the shits.

    What people fail to realize is that in a lot of these kinds of communities, the people coming up now EXPECT computers to crash, to hang up, to fsck you over at any old time.. its old hat, and it doesn't bother them.

    And - i promise i'm NOT going Mulder on you - but i am convinced, beyond a shadow of a doubt that there is a good reason for it.

    Someone is living in redmond, and they don't work for Bill.. and the only way to assure that there are backdoors, ways in, and holes in security are to use this software, shit or not. I have seen grown up adults literally piss and moan that I couldn't demand a certain kind of projector, computer, or other piece of hardware because i didn't have a reason.. because we cannot "sole-source" our purchases.

    5 seconds later, the only option we have which is directed by the same officers and contractors full of MCSE pukes is that we throw out PERFECTLY GOOD hardware and software - and bring in shitty Windows boxen.

    I had a DNS server at a base that i had been told has been up for 4 years before i got there.. and in 3 years there, never crashed once. It was a Sparc classic. The Win-based Compaq POS that replaced the Sparc went down once a week.. and had to be restarted every night.. it was a checklist item to restart the Exchange and DNS servers.

    In any case... i would say that it would behoove you to not fuck around with UNIX any more.. i promise that your ass is NOT going to win.. you ARE going to get overruled, and you ARE going to get fired for not going with the program if you continue to bitch and moan.

    It WILL NOT matter that real work falls on the floor.. it WILL NOT matter that you have to keep fucking with the new machines every day.. and it will NOT BOTHER your higher ups or the workerbees.. so long as they finally get Outlook 2000 and MS Word... which is all they really want.

    I pity you.. and i will pray for you. I pray for all of our souls.. i'm just glad i'm not going to be CIO of my location in 2 weeks... and that i'm off to other things.

    oh well.

    damn.. that's fucking depressing.

    --
    guns kill people like spoons make Rosie O'Donnell fat.
  94. Unix services for NT by RobHood · · Score: 1

    Yes, Microsoft has now set their sights on Unix and is hoping to do to Unix what they did to Novell with the same idea.

    Some of the things included are NFS share support and NIS+ integrated into Active Directory.

    For just the cost of the NT resource kit, you may be able to retain some control without riling management too badly.

    Just my $0.02

    --
    -RobHood
    I'm not an anti-{insert OS} zealot. I just like blowing people's little minds.
  95. The start of an uphill battle by anticypher · · Score: 2

    Surprisingly, you might find that cisco has made some advances in AD on unix. You might poke around their website and see if you can turn up anything useful.

    To answer your questions,

    1. this is true, when win2k workstations are using AD, they lose the ability to access old NT4 and other SMB shares. Even with

    3. if at all possible, try to get your own OU and child domain, and you can isolate yourself from many stupid AD administration decisions. Make it clear that a move to AD means that all groups will have to maintain their own servers, rather than just one big central server where a screwup will take everyone down. This will allow for some degree of survivability during AD outages, which will be numerous during the first few years of rollout. Then you can propose a unix based AD/LDAP server for your group.

    4. make your requirements that the win2k group accept working with lesser functionality for now, i.e. mixed mode AD, until such time as M$ opens their AD implementation so that every system can profit from those features. Propose running the AD servers on unix (does anyone have any good references?), which will guarantee a level playing field for everyone for now. The "benefits" of moving to win2k are not all that great if it locks everyone into win2k, with the expected increase in licensing fees that M$ does once a company or group makes the fatal switch. It has been well documented before, go find some horror stories in the press or on the web.

    5. Only for large amounts of money. I'm not really an AD expert, I'm just supporting some guys who are learning it. In my spare time, I'm studying the security implications of putting all your eggs in one basket, especially when that basket runs on windoze. When AD becomes more widespread, and more critical data and functions are protected by AD, then the hackers will discover many exploits. Can you imagine what would happen to your group if your sole security server were cracked? Every machine would be instantly compromised and the infocriminals would have free rein on all systems without so much as another password prompt to keep them out.

    Your best bet is to find some AD server which runs on unix, certainly cisco has one that runs on solaris (as part of another product), and propose it to be the main server. And dig up a bunch of horror stories from the URLs already posted here and do your own web search. Trust me, the time you spend now helping steer this disaster in a slightly better direction will help you in the long run.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on