[sparks-discuss] Active Directory name service module (nss_ad) [PSARC/2008/441 FastTrack timeout 07/18/2008]
Nicolas Williams
Nicolas.Williams@sun.com
Thu Jul 17 08:58:52 PDT 2008
On Thu, Jul 17, 2008 at 02:49:41PM +0200, Serge Dussud wrote:
> along the same lines, nsswitch.conf(4) states in NOTES section:
>
> .....
> The use of both nis and nisplus as sources for the same
> database is strongly discouraged since both the name ser-
> vices are expected to store similar information and the
> lookups on the database may yield different results depend-
> ing on which name service is operational at the time of the
> request. The same applies for using ldap along with nis or
> nisplus.
> ....
>
> These sentences probably need to mention ad repository somehow as well.
Only when nss_ldap is configured with schema mapping to use AD is there
any possibility for conflict with nss_ad (specifically, for getpwuid()
and getgrgid() calls).
We could add:
"When using ldap with schema mapping against an Active Directory
domain and the ad backend it is strongly recommended that ldap come
first, then ad."
> >
> > IMO, it is important to understand this and ensure that users
> > of nss_ad are correctly informed.
>
> Is there a need for a Solaris Admin guide update for this case?
We'll probably add a mention of nss_ad to the ID mapping guide and to
the name services guide.
> Also, I understand that Windows logons are out of scope. However:
>
> - I don't see it mentioned in the provided man pages and this shall be
> somewhere in the public documentation IMO (man pages and/or Admin guide)
IIRC that was my fault for not dropping those manpages in place.
> - it's said in the case that 'sp_pwdp will be "*NP*"'. Will this
> prevent Windows logons, or does our PAM stack/modules need to take this
> into account? E.g., what if one answers the login prompt with
> myuser@addomain, which presumably would get resolved by
> getpwnam/getspnam? What's the expected behavior?
That you cannot log in, since no password for myuser@addomain can be
validated (assuming you don't have /etc/passwd entries for
myuser@addomain...).
Nico
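An added check, written for this page and not taken from the thread or from the nss_ad project, for the source ordering recommended above: it parses nsswitch.conf database lines and counts those that list ad before ldap. The function names and the sample configuration are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when the "ad" source is listed before "ldap" on one
 * nsswitch.conf database line, 0 otherwise (including lines that do not
 * name both sources). Status/action clauses in [...] are skipped. */
int ad_before_ldap(const char *line)
{
    char buf[256];
    const char *colon = strchr(line, ':');
    int seen_ad = 0, in_bracket = 0;
    if (colon == NULL) return 0;
    snprintf(buf, sizeof buf, "%s", colon + 1);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (tok[0] == '[') in_bracket = 1;
        if (in_bracket) { in_bracket = strchr(tok, ']') == NULL; continue; }
        if (strcmp(tok, "ad") == 0) seen_ad = 1;
        else if (strcmp(tok, "ldap") == 0) return seen_ad;
    }
    return 0;
}

/* Walks a whole nsswitch.conf text and returns how many database lines
 * list ad ahead of ldap. Comment lines starting with '#' are ignored. */
int count_misordered(const char *conf)
{
    int n = 0;
    for (const char *p = conf; *p != '\0';) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        snprintf(line, sizeof line, "%.*s", (int)len, p);  /* one line, truncated if huge */
        if (line[0] != '#' && ad_before_ldap(line)) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample: passwd follows the recommended order, group does not. */
static const char SAMPLE_CONF[] =
    "# constructed sample, not a real system file\n"
    "passwd:  files ldap [NOTFOUND=return] ad\n"
    "group:   files ad ldap\n";

int main(void)
{
    printf("databases with ad before ldap: %d\n", count_misordered(SAMPLE_CONF));
    return 0;
}
```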