MS2LINUX - Authentication basics

David Mandala plug-discuss@lists.plug.phoenix.az.us
09 Oct 2002 00:27:50 -0700


On Tue, 2002-10-08 at 22:39, Scott H wrote:
> > From: David Mandala <davidm@them.com>:
> > Actually there is another option for those that
> > liked the NT4 domains or
> > those that need /are required to maintain a
> > mixed Windows/Linux
> > environment. SAMBA will happily do NT4 domains
> > and shortly W2k domains
> > and Linux will quite easily authenticate
> > against it. Not that I'd go
> > that way but it is an option for those that
> > have a mixed environment.
> 
> Almost forgot about that one.  Yes, SAMBA.  From
> my limited vantage point, it seems the reasons
> against using SAMBA in this way would be:
> 
> 1) it's not "native" to *nix, meaning it might
> not perform as well as LDAP or NIS, and there
> might be less flexibility down the road. But is
> this true?

It performs very well; it is accessed via PAM and some changes in /etc.
Tridge and company have worked this out very well.

> 
> 2) it's a stop-gap.  If my goal is to rid myself
> of the bondage inherent in a MS Active
> Directory/Exchange network (although still
> willing to use individual MS systems when that
> makes sense), then might it not be better to go
> with what I would have chosen at the outset, if
> MS weren't in the picture?  That is, choose the
> best authentication system, not the one that
> makes migration easiest?
> 
> On the other hand, might not SAMBA make migration
> so much easier that this would outweigh the
> disadvantages?  That question, in turn, might
> depend for its answer on how tough it is to
> switch from SAMBA to something like LDAP, after
> the migration is complete.  Can anyone address
> that?  

It is fairly easy to switch to something else; the hardest part is setting
up what you want, then you switch PAM and make minor changes in some of the
/etc config files.

> 
> And finally, I have to wonder, why not SAMBA,
> period?  If I throw out all my prejudices for
> doing things the *nix way, I am left with: Why is
> SAMBA not a fine authentication system to use? 
> Just because it's a hack from a MS system?  Is it
> so bad as the backend for your network
> authentication?  Dave, why wouldn't you "go that
> way"?
> 

I'd use it if I had a mixed environment. It does take some work to set up
correctly and is not worth it unless I need the mixed mode
functionality. Right now I'm kind of stuck: NIS is a pain, LDAP even
more. What to do... OpenLDAP was fairly messed up 6-8 months ago; of
course it could be working much better now, and you need to use SSL or
SSH for security. NIS is hard to set up, and unless you use NIS+ for
security you are hosed. No gimmes in this area. Perhaps back to RADIUS?

> Thanks, 
> 
> Scott
-- 
David IS Mandala
gpg fingerprint 8932 E7EF CCF5 1B8C 1B5C  A92E C678 795E 45B2 D952
Phoenix, AZ (480) 460-7546 HP, (602) 321-8277 CP
http://www.them.com/~davidm/