L. Mark Stone
2005-May-16 14:33 UTC
[Samba] Solaris, Winbind and Active Directory Authentication
We have not worked with Solaris much, and our contract Solaris guy has very little experience with Winbind. So, we are like two blind people touching opposite ends of the elephant and trying to come to a solution. (No comments please on which end I drew...) :-)

The question involves authentication in a native mode Windows 2000 Active Directory domain.

Is there any reason Samba/Winbind running on Solaris could not be used for authenticating users who want to access resources on the Solaris box against the AD user/group accounts? We have done this with a SuSE box, but never with a Solaris box (yet!).

Currently, the Solaris system (9 now, upgrading to 10 later this year...) is manually populated with a set of *NIX user accounts that mirror the accounts in AD. This creates a lot of administrative overhead (there are some 300+ user accounts, and employee turnover is by nature fairly high), and will create even more help desk issues as the AD environment is about to implement a GPO forcing frequent password changes.

Any major "gotchas" we should watch out for?

Thanks,
Mark

--
_________________________________________________________
A Message From...
L. Mark Stone
Reliable Networks of Maine, LLC
"We manage your network so you can manage your business."
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
Gerald (Jerry) Carter
2005-May-20 18:39 UTC
[Samba] Solaris, Winbind and Active Directory Authentication
L. Mark Stone wrote:
> We have not worked with Solaris much, and our contract Solaris guy has
> very little experience with Winbind. So, we are like two blind people
> touching opposite ends of the elephant and trying to come to a
> solution. (No comments please on which end I drew...) :-)
>
> The question involves authentication in a native mode Windows 2000
> Active Directory domain.
>
> Is there any reason Samba/Winbind running on Solaris could not be used
> for authenticating users who want to access resources on the Solaris
> box against the AD user/group accounts? We have done this with a SuSE
> box, but never with a Solaris box (yet!).
>
> Currently, the Solaris system (9 now, upgrading to 10 later this
> year...) is manually populated with a set of *NIX user accounts that
> mirror the accounts in AD. This creates a lot of administrative
> overhead (there are some 300+ user accounts, and employee turnover is
> by nature fairly high), and will create even more help desk issues as
> the AD environment is about to implement a GPO forcing frequent
> password changes.
>
> Any major "gotchas" we should watch out for?

There is a bug in the current Samba code where we never change the machine trust account password when configured for 'security = ads'. If the AD administrators are disabling accounts based on the last password change time, this will be an issue for you. But then, we need to fix it anyways.

Other than that, you should be ok.

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
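As an added defensive check (this is not from the thread or from the Samba project), a small POSIX sh script that reads the computer object's pwdLastSet attribute via `net ads search` and reports how long ago the machine trust account password was last changed, so a host affected by the bug Jerry describes can be spotted before an AD-side stale-account cleanup disables it. The exact `net ads search` invocation, the 90-day threshold and the sample output are assumptions; on Solaris 9 run it under /usr/xpg4/bin/sh or ksh, since /bin/sh lacks `$(( ))` arithmetic.

```shell
#!/bin/sh
# Report the age of this host's machine trust account password in AD.
# Added example, not Samba project code. Assumes the box is already joined
# and that Samba's `net ads search` is on the PATH.

# Windows FILETIME (100-ns ticks since 1601-01-01) -> Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Pull the pwdLastSet value out of `net ads search` style output on stdin
# (a line of the form "pwdLastSet: <filetime>").
extract_pwdlastset() {
    awk '/^pwdLastSet:/ { print $2; exit }'
}

# Whole days between a FILETIME ($1) and a Unix timestamp ($2).
trust_pw_age_days() {
    echo $(( ($2 - $(filetime_to_epoch "$1")) / 86400 ))
}

# Exit 0 if the password is younger than the limit, 1 if it is stale.
# Args: filetime now_epoch max_days
check_trust_pw() {
    age=$(trust_pw_age_days "$1" "$2")
    if [ "$age" -gt "$3" ]; then
        echo "WARNING: machine trust password is $age days old (limit $3)"
        return 1
    fi
    echo "OK: machine trust password is $age days old (limit $3)"
    return 0
}

# Constructed sample of what the live query would print for the computer
# object; for a real run replace it with:
#   net ads search "(sAMAccountName=$(hostname | tr a-z A-Z)\$)" pwdLastSet
SAMPLE_OUTPUT='Got 1 replies

pwdLastSet: 127541088000000000'

# Demo on the constructed sample with a fixed "now" (2005-05-20 00:00 UTC)
# so the output is reproducible; a live run would pass "$(date +%s)".
# 90 days is an assumed cleanup threshold, not a Samba or AD default.
pwd_last_set=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_pwdlastset)
check_trust_pw "$pwd_last_set" 1116547200 90
```

If AD administrators prune computer accounts on a shorter interval, lower the threshold to match their policy and cron the check on the Samba host.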