Subject: Re: Authorization en masse
To: Louis Guillaume <>
From: Luke Mewburn <>
List: netbsd-users
Date: 11/08/2004 19:08:56
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Nov 06, 2004 at 03:18:01PM -0500, Louis Guillaume wrote:
  | I have a situation where there is a NetBSD file server running AFP
  | services via Netatalk, but all the users for whom this service must be
  | available are stored in an Open Directory (OD) database.
  | The questions are: On NetBSD...

Without knowing much of the specifics of OD, I'll try answering based
on my experience of integrating a NetBSD based file server running
Samba 3 into an Active Directory (ADS) environment.  ADS runs
over LDAP and Kerberos5.

OD appears to use LDAPv3, based on a quick perusal of:

  | 1. Must I create a local user account for each user (for authorization
  | purposes) if the authentication is to be done via Kerberos? (OD can be
  | KDC).

Generally, yes at this time.
If there's a way to get access to OD via a NIS(YP) emulation, then
you could use "nis" in nsswitch.conf(4).

Samba3+ADS uses either winbindd(8) via a dynamic nsswitch
module (which I've ported to NetBSD and will contribute back to Samba.)
I suppose it could use an, but PADL's hasn't been ported to
NetBSD yet.

  | 2. If the answer to "1" is "yes": is there software out there that will
  | automatically import the user accounts to the local user database? Or
  | will we have to do a script with "useradd"?

My gut feel is that for now you'll need to write a script.
Then you'll have to manage updates when users are added or removed
from OpenDirectory.

  | 3. Has anyone had any success with such a scheme (involving a NetBSD
  | fileserver) that would be willing to help out?
  | ... The idea is that the Netatalk/NetBSD server will share up the Mac OS
  | X users' home directories. As they log in at the login window they
  | retrieve a tgt and a service ticket for the afp service on NetBSD,
  | allowing them to mount their home directory.

No idea about the MacOS X client side requirements; I'm skivvy-challenged.
Various colleagues (who are fellow NetBSD developers) do use MacOS X
and may have more insight.

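The reply above suggests a "useradd" script for importing directory users into the local account database, plus ongoing maintenance as users are added or removed. The following is an added example (not code from this thread, from Netatalk or from NetBSD): a POSIX sh/awk script that compares a directory export against the file server's current passwd file and prints the useradd/userdel commands needed, rather than running them. The export format (passwd-style fields, assumed to have been flattened from an LDAP query), the "OD-managed" GECOS tag and the sample records are all constructed assumptions. The tag is the safety mechanism: removals only ever apply to accounts the script itself created, so local system and admin accounts can never be deleted by a change in the directory, and login names are validated before they are ever placed on a command line, since the plan is meant to be reviewed and then piped into sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: plan local-account changes on a NetBSD
# file server from a directory export, so that authorization is local while
# authentication stays with the KDC. The export format, the GECOS tag and all
# sample data below are assumptions.

# Tag written into the GECOS field of every account this script creates.
# Only accounts carrying the tag are ever candidates for removal.
TAG='OD-managed'

# Constructed sample: directory export flattened to login:uid:gid:gecos:home:shell.
# The third record has an invalid login name and must be refused, not imported.
sample_directory_export() {
    cat <<'EOF'
alice:10001:10000:Alice Example:/home/alice:/bin/sh
bob:10002:10000:Bob Example:/home/bob:/bin/sh
dave x:10004:10000:Dave Example:/home/dave:/bin/sh
EOF
}

# Constructed sample of the server's current /etc/passwd (7 fields):
# a system account, a tagged user no longer in the directory, and bob.
sample_local_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/sh
carol:*:10003:10000:Carol Example,OD-managed:/home/carol:/bin/sh
bob:*:10002:10000:Bob Example,OD-managed:/home/bob:/bin/sh
EOF
}

# plan_sync EXPORT PASSWD: print useradd lines for directory users missing
# locally and userdel lines for tagged local users missing from the directory.
# No -p is passed to useradd, so the account gets no usable local password.
plan_sync() {
    awk -F: -v tag="$TAG" '
        NR == FNR {
            # First file: the directory export. Refuse anything that could
            # not safely appear on a shell command line.
            if ($1 !~ /^[a-z_][a-z0-9_-]*$/ || $4 ~ /[^A-Za-z0-9 .,-]/) {
                print "skipping unsafe directory record: " $0 > "/dev/stderr"
                next
            }
            want[$1] = $0
            next
        }
        {
            # Second file: local passwd. Remember who exists and who is tagged.
            local[$1] = 1
            if (index($5, tag)) managed[$1] = 1
        }
        END {
            for (u in want) if (!(u in local)) {
                split(want[u], f, ":")
                printf "useradd -u %s -g %s -c \"%s,%s\" -d %s -s %s %s\n",
                    f[2], f[3], f[4], tag, f[5], f[6], u
            }
            for (u in managed) if (!(u in want))
                printf "userdel %s\n", u
        }
    ' "$1" "$2" | sort
}

# Stand-alone demo: ./sync-plan.sh demo
# Review the printed plan, then (and only then) pipe it into sh as root.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    sample_directory_export > "$d/export"
    sample_local_passwd > "$d/passwd"
    plan_sync "$d/export" "$d/passwd"
    rm -rf "$d"
fi
```

For the constructed samples the plan is one useradd for alice and one userdel for carol; bob is left alone and the malformed "dave x" record is reported on stderr and skipped. Replacing the sample functions with a real export (and the live /etc/passwd) is the only change needed to use it against a server.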