Slashdot Mirror


Is There a Better Way to do UNIX Workgroups?

Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the DMZ, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machines. Therefore, I am free to use the best-of-breed tools available today. So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"

3 of 40 comments

  1. Funny by Anonymous Coward · · Score: 1, Interesting

    I asked a very similar question about a week ago but got rejected. My question wasn't "what to use?" but "What does everyone use?" My downfall was that I asked for real world environments with multiple platforms. So, I'll ask again in the comments.

    What is everyone using for user account management in shops that support *nix as well as Windows 2000 or others like Netware?

    Surely everyone is not using NIS with its limitations. OpenLDAP seems like a logical choice, but how does one authenticate Windows 2000/XP to OpenLDAP, despite Microsoft's claims that Active Directory is LDAP compliant? Microsoft's Active Directory might be LDAP and Kerberos compliant in the loosest sense, but interoperability with Unix systems seems very elusive. So, what is everyone else doing to centralize network management?

  2. Re:LDAP by sjehay · · Score: 2, Interesting

    I've helped set up an experimental lab full of machines of all sorts (mainly Linux on various types of hardware, some Windows 9x/NT and a few others such as Solaris, IRIX and HP-UX) - but only about 25 machines in all. This is on a shoestring - most of the hardware is fairly old and slow, and we're certainly not about to go out and spend any of our small budget on software if we can avoid it. Anyway, our solution for authentication was to use OpenLDAP on the server (this was relatively easy once we figured out how - there are plenty of HOWTOs drifting around, but reply if you can't find them and I'll dig them out for you) - on the Linux clients we could use the PAM module, on Windows, the latest Samba can pretend to be a domain server and take its information out of LDAP, and there were various bits of code we found for the other Unix boxes. In the event, we just used our own little Perl scripts to do user admin, but there are plenty of web/pretty-clicky interfaces to it available. I disagree with the poster who said this was overkill for less than a hundred machines - as I say, it was easy to set up and works well for our couple of dozen slow machines (primary server is an old HP NetServer at 100 MHz). I'm afraid we're still using NFS for home directories, though, and I'm not particularly happy about that - we'll move to something better at some point, but I'm watching this thread with interest to see what suggestions the rest of the (Ask)Slashdot community might have!
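
A sketch of the kind of home-grown user-admin script the comment above mentions, added here as an example (in Python rather than the poster's Perl, and not their code): it builds the LDIF for one login account in an OpenLDAP directory, rejecting unsafe usernames and base64-encoding values that could otherwise smuggle extra attribute lines into the entry. The base DN, UID floor, choice of object classes and all function names are assumptions.

```python
import base64
import re

# Assumed layout and policy for this sketch, not taken from the thread.
BASE_DN = "ou=People,dc=example,dc=org"
MIN_UID = 1000  # keep generated accounts out of the system/root range
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# RFC 2849 SAFE-STRING: no NUL/CR/LF/non-ASCII; no leading space, ':' or '<'.
SAFE_RE = re.compile(
    r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*"
)


def ldif_line(attr, value):
    """Return one LDIF line, base64-encoding any value that is not SAFE-STRING."""
    if SAFE_RE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def posix_account_ldif(username, full_name, uid_number, gid_number, used_uids):
    """Build the LDIF for one login account; raise ValueError on unsafe input."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"unsafe username: {username!r}")
    if not full_name.strip():
        raise ValueError("full name is empty")
    if uid_number < MIN_UID or uid_number in used_uids:
        raise ValueError(f"uidNumber {uid_number} is reserved or already in use")
    attrs = [
        ("dn", f"uid={username},{BASE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("uid", username),
        ("cn", full_name),
        ("sn", full_name.split()[-1]),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{username}"),
        ("loginShell", "/bin/sh"),
    ]
    # No userPassword here: set it afterwards (for example with ldappasswd)
    # rather than writing a secret into the LDIF file.
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"
```

The output is meant to be fed to a tool such as `ldapadd`; a full name containing a newline ends up as a single base64 `cn::` value instead of a second attribute line.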

  3. Re:What I use by Anonymous Coward · · Score: 1, Interesting

    Check out the Ganymede system - it is like a meta directory, without the directory.

    http://www.arlut.utexas.edu/gash2/