Thanks to the following for replying: (Appended at the end is each
person's reply)
Erwin Fritz
Dylan Carlson
Iain Rae
Lee Trujillo
Ken Wallace
Florentin Albu
John Chrisoulakis
Dan Penrod
I am trying the option of using MS-NT Services for UNIX. It seems simple
enough and cheap enough.
Once I put it in place and test it I will follow up with another summary
for how it worked.
Thanks again everyone!
Individual replies:
*****************************************************************************
Erwin Fritz
I'm in a similar situation. I've done some digging into _affordable_
password
sync software. I've come up with two possibilities:
- Samba (which we use here already) claims to offer syncing, but password
changing can only be done on the Samba server. So your NT users would have
to
telnet to a UNIX box to change their domain passwords. I know my users here
wouldn't appreciate that inconvenience, so I discarded it.
- Microsoft has a CD you can buy called Microsoft Services for UNIX. I
ordered
it, but have had only a brief look at it so far. It _appears_ to have a
replacement login daemon for UNIX, which talks to the NT domain controller.
I am
hesitant about letting Microsoft put any software on my UNIX servers, so I
will
explore this carefully and cautiously.
If you come up with a different way around this, let me know please.
*****************************************************************************
Dylan Carlson
Sun makes a product called Cascade that can function as a full NT PDC or
BDC. Maybe you can put Cascade on the Firewall-1 box as a BDC and that
will
solve your problem.
Having run FW1 myself for several internet domains, I would wonder if that
would be a security risk but hey, it's an idea.
There is a password synch program I am aware of called PSync, here's the
URL: http://www.m-tech.ab.ca/. I don't have any direct experience with
it.
Microsoft also makes a Unix Services package which is free, that I think
might include a sync utility but I would be really skeptical of how well it
works.
Best of luck
*****************************************************************************
Iain Rae
check out www.samba.org and look for pam_ntdom ( it should be in the
samba/ftp/pam_ntdom/ directory of your local mirror. This is a pam module
which allows authentication against an nt PDC. I don't think you can
change the NT password from the solaris box though.
*****************************************************************************
Lee Trujillo
We are doing this exact thing, without the Firewall part for a major
telecom customer. We are synching NT to LDAP which is also usable by
the Unix side. We are templating the solution for other customer that
need this same solution. Firewall-1 also can bind to LDAP for
authentication which we did for another major Fund Manager (Financial)
company. Everything is managed centrally from the LDAP side.
*****************************************************************************
Ken Wallace
I faced a similar problem -- wanting to give access to some Solaris
boxes
to NT users and not requiring users to maintain passwords on both
systems.
We opted for using PAM_SMB (version 1.1.5). The s/w is installed and
configured on the Solaris system. Authentication may or may not work
depending upon the application -- how the application verifies
passwords.
The installation and configuration is fairly simple and straight
forward.
I obtained the package from the Samba Web site -- search for PAM. You
could probably use "http://us1.samba.org/samba/ftp/pam_smb/".
The only tweak I made was ensuring that user id's less than 100 (e.g.
root)
did not authenticate against the NT domain (since I don't have control
over
that). Password authentication is on the order of
Verify password against local database, if that fails verify
password against
the NT system.
Hence, my tweak -- some one could create a "root" user name on the NT
system, set the password, and be able to login. This is not a terribly
good
idea. The user accounts on the Solaris system do NOT require passwords
-- as
a matter of fact, I make them no login accounts (shell is set to
/bin/false).
I had an application not work, because the app read the passwd/shadow
files
directly. It wasn't PAM enabled.
Hope this is of some benefit. Good luck.
*****************************************************************************
Florentin Albu
Hello!
There are two options.
First one:
The NT Services for Unix can synchronize passwords from NT to UNIX (and
only
this direction).
You install the software on the PDC and each BDC and each time the password
is
changed, it will be changed on the UNIX box as well.
Note you cannot synchronize users, only passwords.
I didn't use it yet, I plan to.
You can download from M$ web site the beta for Services for Unix v.2
(currently
availableis v.1)
Scroll down at the end of the message to find some more (from the help
file).
Second one:
I heard that there is a product from Sun called PC NetLink that can make a
Sun
box to act as a PDC (which I don't reccomend) or as a BDC.
I don't have too much info about this one, but I understand that it can be
obtained free with a hardware server purchase or upgrade.
But on long term you may have some problems with it because Sun licensed
the NT
authentication code from AT&T; however, in Windows 2000 M$ changed the
authentication scheme and AT&T doesn't have it (yet).
So if you plan to upgrade to W2K in October, take care... ;-)
Best regards,
*****************************************************************************
John Chrisoulakis
Steve
We are also looking to synch Solaris and NT passwords. Microsoft can sell
to you a product called: "Microsoft Windows NT Services for UNIX" which
includes a daemon that you can run on your solaris machine which updates
the passwords locally to match the NT password of the corresponding user.
You can find details about it on:
http://www.microsoft.com/unix/sfu
We are still investigating (which means I've just printed the documentation
from the above site) so I can't vouch for how well it works in real life.
Regards,
*****************************************************************************
Dan Penrod
I'd be curious about any responses you got to this.
I know of one way to do it... sort of the golden fleece for me, but I
haven't
implemented it myself yet.
Solaris 7 supports a new Solaris Names Services feature set which includes
an
LDAP server for account management. Supposedly you can add an entry in the
nsswitch.conf that looks something like this...
passwd: files ldap nis
...so now you don't have to maintain multiple accounts... you just maintain
the
LDAP directory server for user ids and password. Incidently the new Novell
NDS
can use it... the new MS NT 2000 Active Directory will use it... Netscape
mail
server and calendar server can use it... fax servers can use it... etc..
[Until Microsoft delivers Active Directory...] Netscape has a utility that
will
allow you to syncronize an LDAP server with a PDC. I've forgotten what
it's
called... seems like I downloaded it from Netscape for free though. I
think it
was bundled with the Netscape NT version of LDAP Directory Server, so look
for
it on Netscapes site under download -> servers -> directory server.
I think that's ultimately the way to go. I just haven't had time to
implement. Soon everything will be in the LDAP.
Good luck,
d a n
\\|//
(0~0)
------------------------oooO-(_)-Oooo-----------------------------
Steve Gauthier Domain Pharma Corporation
UNIX Systems Administrator 10 Maguire Road
PHONE: (781) 778 - 3953 Lexington, MA 02421
FAX: (781) 778 - 3800 E-mail: sgauthier@domainpharma.com
______________________________Oooo._______________________________
.oooO (___)
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:25 CDT