Victor Rossi wrote:
> After you have read this, could someone please answer a question
> that has been bothering me for a while. What are we going to get from
> deploying active directory that we don't already have available for free?

Free? Is that "free, as in beer"? There is no free lunch, folks.

This is kind of a big question for a footnote to a separate thread, but
I will take a ten-minute stab at it:

CIT's experiences with integration of different open and closed-source
solutions for integrated desktop services have been a mixed bag.

Samba, although fairly reliable and simple (no third-party software
required), lacks entirely any sort of ACL control on files. Management
of file permissions is fairly limited, and does not meet the needs of
many administrative departments. There has been some effort to
implement ACLs on various UNIX filesystems, but there is no standard,
and integration with Samba is sketchy.

NetWare provides very fine filesystem access controls. However, quality
of the NetWare client software has been sliding over the past few
years. Hardware and third-party software support for NetWare also has
become quite weak. Connectivity from Linux/UNIX systems is difficult to
accomplish as well.

Neither of these solutions helps us to manage the sticky problems of
software distribution, patch management, or security policy enforcement.

Active Directory and Windows-server based services offer a few key
advantages over previous solutions used by our department:
- Full desktop login integration with all currently supported Microsoft OSs
- Zero third-party software requirements
- Broad range of third-party hardware and software support
- Fairly simple integration of MS Active Directory with existing UVM
  authentication/authorization systems (DCE, MIT Kerberos, and OpenLDAP)
- Availability of abundant training and documentation resources
- Ability to perform rudimentary patch management and software
  distribution using Microsoft "Group Policy".

I am glad that the folks in EMBA have been able to leverage their NIS
infrastructure so well. However, CIT is unlikely to migrate to
NIS/NFS. Also, given the number of end-users we have to support, I have
deep reservations about the supportability, manageability, and lifecycle
of products like NISGina. We have seen products like that rise and fall
in the past. There used to be a DCE/DFS login integration product for
Windows... gone. There also used to be MIT Kerberos GINA extensions...

Again, I am not suggesting that NISGina is a "bad" solution, just that
it will not scale up to the whole campus very well. It would take more
staff working to maintain all of the customized desktop installations,
and staff salary cannot be called "free".

CIT Client Services