Linux.com

Re:Just starting down this road too...

Posted by: njcajun on February 06, 2004 12:50 AM
Kerberos, by itself, is not a directory service. Its main purpose, from my understanding, is strong encryption for services and authentication. It also enables a 'single sign-on' environment for heterogeneous environments that have to use Windows and UNIX.

Kerberos can be used along with LDAP/AD, or Samba (or other tools) can be used with just LDAP to provide single sign-on (Novell I think makes a replacement for the windows login that supposedly works well). There are a million combinations you can utilize, it just depends on what the actual requirements are for your environment.

As for having 200+ machines with no synchronization of user attributes, that's a huge challenge, and I don't know of an easy way to handle that. If it were me, I'd try to find a machine that gets heavy use by a lot of users, and port that machine's user information to LDAP, and use that as the central authentication. If nothing else, at least users only need one username and password for all of the machines that are LDAP clients. In general, though, projects like this are non-trivial in nature, and for me to comment on how to do it without knowing anything about your environment would be just plain foolish, in all likelihood.

I do wish you luck in it, and I hope you return and read the rest of my articles :-)
brian.

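As an added illustration of the migration step brian suggests above (taking the user database of one heavily used machine and loading it into LDAP as the central authentication source), here is a script that turns /etc/passwd and /etc/shadow entries into LDIF posixAccount records. It is example code written for this page, not code from the original post, the article, or any project. The directory suffix dc=example,dc=com, the ou=People container, the UID cutoff of 1000 for "real" users, and the passwd/shadow lines are all assumptions constructed for the example; real hashes would come from the machine's own /etc/shadow.

```python
"""Convert local passwd/shadow entries to LDIF posixAccount records (example code).

Assumptions (not from the original page): suffix dc=example,dc=com, users live
under ou=People, UIDs below 1000 are system accounts that stay local, and the
sample passwd/shadow text below is constructed data, not a real machine's.
"""
import base64
from typing import Dict, List, Optional, Tuple

BASE_DN = "dc=example,dc=com"   # assumed directory suffix
MIN_HUMAN_UID = 1000            # assumed cutoff: lower UIDs are system accounts

# Constructed sample data standing in for a real /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
brian:x:1000:1000:Brian Jones,,,:/home/brian:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/zsh
svc_backup:x:1002:1002:Backup service:/var/backups:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$abc$FAKEROOTHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
brian:$6$saltsalt$FAKEHASHFORBRIAN:19390:0:99999:7:::
alice:!$6$saltsalt$FAKEHASHFORALICE:19390:0:99999:7:::
svc_backup:*:19390:0:99999:7:::
"""


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines: name:pw:uid:gid:gecos:home:shell."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_shadow(text: str) -> Dict[str, List[str]]:
    """Map username -> [hash, lastchange, min, max, warn, inactive, expire]."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields[1:8]
    return rows


def is_locked(hash_field: str) -> bool:
    """'*', '!', '!!' or a '!'-prefixed hash means password login is disabled."""
    return hash_field in ("*", "!", "!!") or hash_field.startswith("!")


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 ('attr:: ...') when RFC 2849 requires it:
    value starts with space, ':' or '<', ends with a space, or has non-printable
    or non-ASCII characters."""
    safe_init = bool(value) and value[0] not in (" ", ":", "<")
    safe_chars = all(" " <= c <= "~" for c in value)
    if safe_init and safe_chars and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def build_entry(user: dict, shadow: Optional[List[str]], base_dn: str) -> List[str]:
    """Build one account/posixAccount/shadowAccount entry as LDIF lines."""
    cn = user["gecos"].split(",")[0].strip() or user["name"]   # full name from GECOS
    lines = [
        ldif_line("dn", f"uid={user['name']},ou=People,{base_dn}"),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("uid", user["name"]),
        ldif_line("cn", cn),
        f"uidNumber: {user['uid']}",
        f"gidNumber: {user['gid']}",
        ldif_line("homeDirectory", user["home"]),
        ldif_line("loginShell", user["shell"]),
    ]
    if user["gecos"]:
        lines.append(ldif_line("gecos", user["gecos"]))
    if shadow is not None:
        pw = shadow[0]
        # Carry the existing crypt(3) hash across as {CRYPT} so users keep their
        # passwords. Locked or empty hashes get no userPassword at all: the user
        # cannot log in until an admin sets a password, rather than inheriting
        # an accidentally usable credential.
        if pw and not is_locked(pw):
            lines.append(f"userPassword: {{CRYPT}}{pw}")
        for attr, idx in (("shadowLastChange", 1), ("shadowMin", 2),
                          ("shadowMax", 3), ("shadowWarning", 4)):
            if idx < len(shadow) and shadow[idx]:
                lines.append(f"{attr}: {shadow[idx]}")
    return lines


def passwd_to_ldif(passwd_text: str, shadow_text: str, base_dn: str = BASE_DN,
                   min_uid: int = MIN_HUMAN_UID) -> Tuple[str, List[str], List[str]]:
    """Return (ldif_text, migrated_usernames, skipped_usernames)."""
    shadow = parse_shadow(shadow_text)
    entries, migrated, skipped = [], [], []
    for user in parse_passwd(passwd_text):
        if user["uid"] < min_uid:
            skipped.append(user["name"])   # system accounts stay in local files
            continue
        entries.append("\n".join(build_entry(user, shadow.get(user["name"]), base_dn)))
        migrated.append(user["name"])
    return "version: 1\n\n" + "\n\n".join(entries) + "\n", migrated, skipped


if __name__ == "__main__":
    ldif, done, left = passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(ldif)
    print(f"# migrated: {done}  kept local: {left}")
```

The output is plain LDIF that can be fed to ldapadd against a server whose schema includes nis.schema (for posixAccount and shadowAccount). Two points matter more than the formatting: the {CRYPT} scheme only works if the LDAP server was built with crypt support and the clients' nss/pam modules are pointed at it, and the locked-account rule above is deliberate, since a "!"-prefixed hash copied verbatim would turn a disabled local account into a live directory account.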

Return to Approaching LDAP Migration