SUMMARY: NIS - Active Directory Integration

From: Fabrice Guerini (fabrice@isharp.com)
Date: Wed May 17 2000 - 14:16:53 CDT


As you might have imagined, this question did not have an easy answer.
Thanks to the following people for offering their advice.

At 06:45 PM 4/28/00 -0300, Marco Shaw said:
>--http://www.microsoft.com/WINDOWS2000/sfu/default.asp
>--'UNIX' Kerberos cannot talk to 'Win2k' Kerberos

Indeed, Microsoft's Services for UNIX 2.0, now released for Windows 2000
(announced earlier this month at Networld+Interop) is probably going to be
the answer to most of my integration questions. It provides NIS/AD
synchronization, in *both* directions (I'll believe it when I see it). It
also has an NFS server and client, and a bunch of utilities like Telnet
licensed from MKS.

It looks like we may have to turn our Windows 2000 server into our NIS
master, which hopefully will be okay, considering all the slaves will be
Solaris machines.

Bruce Zimmer, Gary Litwin, Raj Jangalwa and Misha Pavlov also suggested
Microsoft's Services for UNIX.

Misha Pavlov also pointed out that Sun Directory Services (Solaris 2.7 and
8) has an LDAP/NIS server and many migration utilities. This covers the LDAP
issue, which we will need as well, and this product could be used to
synchronize LDAP with NIS, which in turn will be synchronized with Win2k/AD.

At 09:19 PM 4/28/00 -0500, Dave McFerren uttered:
>Take a look at NISgina. I have not used it, but it may be what you are
>looking for.

The README file from NISgina says "It should be noted that NISGINA does not
communicate with domain controllers and is therefore only suitable for
sites that do not intend to use NT server."

At 02:57 AM 4/30/00 -0500, Miguel A. Guirao A. wrote:
>I don't know if Samba works with Windows 2000 Server Active Directory, but
>it does with Windows NT 4.

The problem with Samba is that it will authenticate using either NIS or the
NT domain, and even act as an NT domain controller, but it will not
synchronize the two domains, and also it probably does not support Windows
2000 AD, yet.

At 06:38 AM 5/1/00 -0500, Mark Hargrave wrote:
>DataLynx is in the process of coming out with a product that
>will do this. You can contact:
>
>F. David Callison Jr.
>
>Senior Account Executive
>(858)560-8112 Phone
>(858)560-8114 Fax
>dcallison@dli-security.com

I called DataLynx, but their product is more geared for tightened internal
security, and although it may do what I need with its Guardian NT AgeNT, it
is way overkill.

In conclusion: I have ordered Microsoft Services for UNIX v2.0 ($139.00)
and will test it out in our NIS environment (we don't have an NT domain
yet). To synchronize our LDAP server with NIS, I will test Sun's Directory
Services.

Thanks for the help.

My original message (28-Apr-00):
>
> My company is about to acquire a Windows 2000 Server, and the issue of
> Windows/UNIX integration is again rearing its ugly head. Now, I know that
> this is a very broad subject, but I have only one specific question:
>
> How can I synchronize the username/password entries in NIS and Windows 2000
> Active Directory? I am willing to have the passwords changed from one place
> only, and I lean toward allowing the users to change their passwords using
> the standard Windows dialog, but if necessary, I am willing to write a
> script that accepts the new passwords over, say, a web form, and
> distributes it to NIS and Windows simultaneously. I am also willing to use
> Kerberos on UNIX, if it helps the integration in any way (although I am not
> familiar with it at all).
>
> I see three possible schemes here (listed in order of preference):
>
> 1. Change password in the way the user is most comfortable with, i.e.
> either using passwd(1) when logged onto Solaris, or in the Windows
> password dialog.
>
> 2. Change password on the Windows side only, propagated to the NIS domain.
>
> 3. Change password on the UNIX side only, propagated to Windows.
>
> Has anyone done this, experimented with this, heard about this, or can
> anyone point me to a white paper/web page/software/book that thoroughly
> covers the subject?
>
> Thanks to anyone willing to take a stab at this!

--
Fabrice Guérini
(650) 413-5939


