The FreeBSD Corporate Networker's Guide

UNIX/Windows password interoperability


A reviewer requested that I add in a section on sharing passwords between Windows and UNIX systems.

This is another idea that sounded great and proved to be unfruitful. It's felt that in a network of mixed UNIX servers and Windows NT servers it is tedious to make dual entries of userIDs and passwords into both the network of UNIX servers and the network of Windows servers. So, some information on setting up a system to have adds, changes and deletions of users propagated between server networks would be helpful.

When I first wrote the Networker's Guide I searched for this kind of information, because I was under the impression that this would be a simple thing to do. I did discover several schemes for doing it, but after spending a lot of time on this idea I gave it up. Basically, automatic userID and password migration only works in very, very limited and narrow circumstances, and mostly the trouble to set it up is far greater than the time saved.

For example, if you have an NT Domain and a single UNIX mailserver, and all you need to do is replicate new users from the NT Domain Controller to the UNIX system, strictly so that they can obtain e-mail, then it's possible. You must use some custom NT programs, available in the NT Resource Kit and from Microsoft, along with RSH and some scripting, in conjunction with the adduser or pw commands on FreeBSD. But, beyond this, forget it. The differences between access control lists on the Windows side and UNIX user/group permissions on the FreeBSD side are just too great to easily map one to the other. The programs I've seen to do this are all hacks and make a bunch of assumptions which may or may not be right for your installation.

With the Windows 2K situation, things are going to get even more complicated, so spending a lot of time on an NT4-based solution didn't seem to be useful and would only be applicable to a very small minority of admins. Besides that, anyone doing this is most likely advanced enough to not need my book to tell them how to do it. :-)



© Copyright 2000-2003 Ted Mittelstaedt. All rights reserved.