What about wanting to go back to landline service? I'm tired of my cell service and just want to put my wireless number on a landline. Or better yet, put my wireless number on a vonage line.
I tried forever with kerberos and ldap and it was getting me nowhere.
The big problem in getting password unification is
Windows have it's one-way password hash and unix has a different one-way password hash. The goal is to generate both hash's at the time the user changes his password. There are a number of solutions but here is the easiest I've found.
You say you don't want to use SFU 2.0 but I think you're missing out. SFU NIS adds a the unix crypt password hash for the user into the Active Directory. The crypt has gets updated with the Windows hash every time the user changes his password. And with the NIS server running on windows we have and easy way to retrieve the user list and crypt passwords. We tried using SFU NIS services as the master YP server but that was a mess.
Here is what I've do:
Setup SFU NIS on your domain controllers and use a bogus YP Domain. Then setup a real UNIX YP master with the real YP domain that all the unix machines will use. Set the Unix YP master to also bind to the bogus SFU NIS domain. then write a script that will 'ypcat -d bogus-domain passwd' and look for changes. When the script sees changes it should add them to the real domain's master yp files and do a make in/var/yp. put that script in cron to run every five minutes.
Now the windows domain becomes the master auth info repository but you can unmarry yourself from windows at any time.
When you add a user to the windows domain the script will see the change in the bogus_domain's yp map and it will just add the line to you master yp's passwd file. When a user changes their windows password the unix crypt password shows up in the bogus domain and the script just replaces the old line for that user with the new one in the master yp map.
All user addition and password changes must be done from the windows side but you only have to do it once in one place.
Granted SFU NIS makes you enter in additional information like UID, GID etc... and groups are a bit tricky. But don't you want that? Having Windows make up necessary Unix attributes is a recipie for disaster. This works well and since you are filtering all the entries through your update script you get much more fine grain control of the unix side.
My goals were to have a single place for account creation and modification and make it so that users only have to change there password in one place. This does that. It's not pretty but it works.
If anyone is interested I can email them the scripts I've writted to generate and update a master yp maps from the windows NIS maps.
Slashdot Mirror
What about wanting to go back to landline service?
I'm tired of my cell service and just want to put my wireless number on a landline. Or better yet, put my wireless number on a vonage line.
I tried forever with kerberos and ldap and it was getting me nowhere. The big problem in getting password unification is Windows have it's one-way password hash and unix has a different one-way password hash. The goal is to generate both hash's at the time the user changes his password. There are a number of solutions but here is the easiest I've found. You say you don't want to use SFU 2.0 but I think you're missing out. SFU NIS adds a the unix crypt password hash for the user into the Active Directory. The crypt has gets updated with the Windows hash every time the user changes his password. And with the NIS server running on windows we have and easy way to retrieve the user list and crypt passwords. We tried using SFU NIS services as the master YP server but that was a mess. Here is what I've do: Setup SFU NIS on your domain controllers and use a bogus YP Domain. Then setup a real UNIX YP master with the real YP domain that all the unix machines will use. Set the Unix YP master to also bind to the bogus SFU NIS domain. then write a script that will 'ypcat -d bogus-domain passwd' and look for changes. When the script sees changes it should add them to the real domain's master yp files and do a make in /var/yp. put that script in cron to run every five minutes.
Now the windows domain becomes the master auth info repository but you can unmarry yourself from windows at any time.
When you add a user to the windows domain the script will see the change in the bogus_domain's yp map and it will just add the line to you master yp's passwd file. When a user changes their windows password the unix crypt password shows up in the bogus domain and the script just replaces the old line for that user with the new one in the master yp map.
All user addition and password changes must be done from the windows side but you only have to do it once in one place.
Granted SFU NIS makes you enter in additional information like UID, GID etc... and groups are a bit tricky. But don't you want that? Having Windows make up necessary Unix attributes is a recipie for disaster. This works well and since you are filtering all the entries through your update script you get much more fine grain control of the unix side.
My goals were to have a single place for account creation and modification and make it so that users only have to change there password in one place. This does that. It's not pretty but it works.
If anyone is interested I can email them the scripts I've writted to generate and update a master yp maps from the windows NIS maps.