Petri Rautanen wrote:
| I have 20 Solaris 2.6-servers with NIS+ in different cities and countries
| and a lot of NT4 servers in different domains and I use samba with nis+
| support on the Solaris-environment to let the NT-users access their
| unix-home-directories.
That's a decent, scalable approach.
| The NT-clients have to send their passwords in "clear-text" to access their
| directories. I would like them to send their password encrypted and
| validate them against their NT-account so that they don't have to type
| in their unix-password when they access the directory in Unix from NT.
I wouldn't consider doing that if you've already got
them interoperating: it's a long and winding path to NT
nirvana, and it removes the option of single sign-on...
If it isn't broken, don't fix it!
Plain-text passwords are (i) a security issue and (ii) a
nuisance issue. You deal with them the same way as you
deal with plaintext passwords in Unix.
i) make sure the link between your sites is encrypted or
private. Every packet you send is in plain text: encrypted
passwords encrypt **only** the passwords, not the data.
ii) Give each user (or site sysadmin) a "rescue" floppy
with the .reg files on it. Users will forget, but when
you remind them, they'll have the files handy.
Also, create a [help] share with public = yes,
and put a copy of the .reg files and a RUN_ME.BAT
file there.
Finally, give each user a startup file that sets the
registry flags: then all they have to do is connect to
[help] and they'll get the flags set automagically (;-))
| Is it security=domain I should use?
Not if nis+ works...
| And does it work with NIS+?
Not at all
| And must security=Domain (password server=<PDC>) check against the PDC only?
No, it checks against PDCs and BDCs, which you should have
locally, as the WAN traffic Would Be Bad, as a recent letter
pointed out.
--dave (who has a distinct Unix bias) c-b
--
[I haven't tested (ii)a and (ii)b together: your mileage may vary]
--
David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632
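As an added illustration (not the list author's own configuration), the two smb.conf fragments below correspond to the two choices the reply contrasts: keeping the Unix/NIS+ accounts with plain-text SMB passwords and a [help] share for the client .reg files, versus handing authentication to the NT domain with local PDC/BDCs. Domain, host and path names are placeholders.

```ini
# Fragment (A): keep the working setup.  Unix (NIS+) accounts, plain-text
# SMB passwords.  Only the passwords are in the clear beyond what the
# link already exposes, so the link itself is what needs protecting.
[global]
   workgroup = EXAMPLE-DOM          ; placeholder
   security = user
   encrypt passwords = no           ; NT clients must send plain text

[help]
   comment = Registry files and RUN_ME.BAT for NT plain-text passwords
   path = /export/samba/help        ; placeholder
   public = yes                     ; no password needed to fetch them
   read only = yes                  ; users can only read the files

[homes]
   comment = Unix home directories
   browseable = no
   read only = no

# Fragment (B): the alternative the poster asked about.  The NT domain
# does the authentication, so passwords cross the wire encrypted, but
# the NIS+ integration is lost and Unix accounts must still exist.
# List the nearest BDC/PDC first so authentication stays off the WAN,
# and join the domain before starting smbd.
[global]
   workgroup = EXAMPLE-DOM          ; placeholder
   security = domain
   password server = BDC-LOCAL PDC-HQ   ; placeholders, nearest first
   encrypt passwords = yes          ; required for security = domain
```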