I have been messing with Services for Unix 3.5 for two days now and I am getting nowhere fast.
Let me explain our situation. We have several hundred Linux servers, hundreds of Windows desktops, a couple of dozen Server 2003/2008 servers and a few AS/400s. We have 900 employees and most of these are developers of some sort. Each department has its own group of servers and PCs that they buy and we in MIS support. Managing all the users that come and go, and trying to figure out which user names are on which servers, is becoming increasingly difficult. Heck, finding out which servers they had access to can be hard sometimes. But we want a way for all the users of both Windows and Linux to authenticate off of our AD, so that when we add a user and put him in the correct group, he can now log into computers belonging to that group. When they change their password, it changes across all systems, and when we take away their red stapler and they snap, we can instantly deny them access.
Before you post: yes, we plan on cleaning up our AD and setting user names to be as close to some sort of standard as possible. We are just in the testing phase now and just got new hires, so we can move from the put-out-fires phase to the best-practices phase.
Is SFU using NIS the best way to go about this? How would/have you implemented anything similar?
If you're just looking for authentication I'd get LDAP auth set up on the Linux and AS/400 machines. Using SFU's NIS does work, though it is a beast to get working in the first place.
Linux.com has a good starter article.
The Four Hundred Guru has an article on AD integration, though it's not quite as step-by-step as the previous one. Honestly, I'm not that familiar with AS/400s, so perhaps someone else will chime in with more info.
You don't need SFU or anything else but LDAP. The secret is you must add a dedicated AD user account with no lockout/PW expiration, and this user does nothing but run LDAP queries against AD. Then configure LDAP on all your Linux boxes. In ldap.conf you put this user and password in the binddn and bindpw directives. It worked perfectly for me.
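As an added example (not the poster's own file), here is what that /etc/ldap.conf looks like for nss_ldap and pam_ldap bound to AD with a dedicated read-only account. The domain (example.corp), the DC host names, the service account and OU names and the group name are made-up placeholders; the attribute mappings are the SFU 3.5 msSFU30* ones the thread's SFU setup would carry, with the Server 2003 R2+ RFC 2307 names noted in the comments.

```conf
# /etc/ldap.conf for nss_ldap + pam_ldap against Active Directory.
# Added example, not from the thread. example.corp, dc1/dc2, the OUs,
# svc-ldap-ro and linux-users are placeholders to replace.

uri ldap://dc1.example.corp ldap://dc2.example.corp
base dc=example,dc=corp
scope sub
ldap_version 3
# AD hands back referrals for other partitions; chasing them only stalls lookups.
referrals no
timelimit 10
bind_timelimit 5
bind_policy soft

# STARTTLS so the bind password (and users' passwords during pam_password ad)
# never cross the wire in clear. AD refuses password changes over plaintext anyway.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-corp-root-ca.pem

# Dedicated, unprivileged read-only account that does nothing but bind for lookups.
# nss_ldap is loaded into every process that resolves a name, so this file must be
# world-readable and bindpw with it: give the account directory-read rights only,
# and never reuse an admin credential here.
binddn cn=svc-ldap-ro,ou=Service Accounts,dc=example,dc=corp
bindpw CHANGEME-placeholder
# Root binds as this DN using the password in /etc/ldap.secret (mode 0600),
# so a more privileged credential never sits in the world-readable file.
rootbinddn cn=svc-ldap-admin,ou=Service Accounts,dc=example,dc=corp

# Keep the search bases narrow so lookups stay cheap.
nss_base_passwd ou=People,dc=example,dc=corp?sub
nss_base_shadow ou=People,dc=example,dc=corp?sub
nss_base_group  ou=Groups,dc=example,dc=corp?sub

# Map POSIX classes/attributes onto AD's schema. These are the SFU 3.5 (msSFU30*)
# names; on Windows Server 2003 R2 and later with the RFC 2307 attributes, use
# uidNumber, gidNumber, unixHomeDirectory and loginShell instead.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos cn
nss_map_attribute uniqueMember member

# pam_ldap: log in by sAMAccountName, match only real user objects, and use the
# AD password-change method so passwd(1) changes the AD password itself.
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute member
pam_password ad
# Deny login on this box unless the user is in the box's AD group
# (placeholder group name; one such group per department's servers).
pam_groupdn cn=linux-users,ou=Groups,dc=example,dc=corp
```

To check the bind and the mappings before touching PAM, run `ldapsearch -ZZ -H ldap://dc1.example.corp -D "cn=svc-ldap-ro,ou=Service Accounts,dc=example,dc=corp" -W -b dc=example,dc=corp "(sAMAccountName=someuser)"` and then `getent passwd someuser` and `id someuser`; only once those return the expected uid, gid and shell should pam_ldap go into the PAM stack, with a root shell kept open until login from a second session works.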
FYI, set up network time! I had a bad NTP config on one of my Linux servers. Linux->AD + Samba file sharing worked perfectly for months, then its clock drifted to over five minutes off of the AD domain controllers, and it broke.