RE: Re: [Micronet] ADmitMac Educational Pricing / pam_ldap

From: Eric Chamberlain <eric_at_berkeley.edu>
Date: Wed Jun 02 2004 - 09:58:28 PDT

> -----Original Message-----
> From: Tom Holub [mailto:tom@LS.Berkeley.EDU]
> Sent: Tuesday, June 01, 2004 4:14 PM
> To: Eric Chamberlain, CISSP
> Cc: magnet-list@lists.berkeley.edu
> Subject: Re: [MAGNet] Re: [Micronet] ADmitMac Educational
> Pricing / pam_ldap
>
>
> I see no mention of either "Mac" or "SAMBA" under "FAQ", or
> "Documentation", or "Technical->Configuration files and
> templates", or "CalNetAD Scripts", or "Various CalNetAD
> Procedures and How To's", or "Configuration Files", or
> "Support and Tools".
>
> In the article "CalNetAD Security NTLMv2", there is no
> mention of the implications for anything except various
> versions of Windows.
>

Tom,

Try
http://www.google.com/u/berkeley?q=calnetad+mac&sitesearch=berkeley.edu&domains=berkeley.edu
for Mac information or
http://www.google.com/u/berkeley?hl=en&lr=&ie=ISO-8859-1&domains=berkeley.edu&q=calnetad+samba&sitesearch=berkeley.edu
for SAMBA references.

There isn't much mention of NTLMv1 or NTLMv2 and other platforms, because
our user community hasn't wanted it. The vulnerabilities of NTLMv1 are
platform independent. The protocol shouldn't be used unless the session is
in an IPSec tunnel. OS platforms that support IPSec also support Kerberos,
so the decision was made to not document something that was never supported
in the first place. CalNetAD is about CalNet integration. The only way to
integrate with CalNetIDs, without synchronizing passwords, is to use
Kerberos. With rare exception, our user community is joining machines that
support Kerberos. If the machines don't support Kerberos or LDAP, then
there isn't much gained by joining CalNetAD.

Until Panther was released, it was easier to have Macs use the Campus MIT
realm and LDAP; nothing was gained by integrating with Active Directory.

> Could you show me where the documentation about connecting
> SAMBA clients, and particularly MacOS clients, to CalNetAD exists?
>
> I suggest that, instead of blaming the users, that the
> CalNetAD team evaluate its own internal policies to determine
> why, after several years of warnings of the importance of
> alternative platforms on campus, CalNetAD still fails to show
> any interest in supporting non-Windows platforms.
>

Our documentation is driven by three factors: the number of times the same
question is asked by our users, areas of interest to our current users (less
weight is given to requests by units not using CalNetAD), and our 2.8 FTE
resources. We don't have much documentation for non-Windows platforms,
because the vendor documentation does not exist. In the case of Apple, they
have changed their Active Directory integration implementation a number of
times in the last two years. As I mentioned before, until Panther, not much
was gained by pointing Macs at CalNetAD. Apple's AD integration
documentation has been vague and difficult to follow and none of their
documentation discusses using Active Directory with an external Kerberos
Realm. We lack the resources to conduct the R&D necessary to properly
document what Apple has not. We don't have any Macs in our group and have
been waiting for someone in our user community that does have Macs to
provide instructions for other users.

In the end, it comes down to resource allocation. Here is our current
forest machine breakdown:

1750 Windows XP Professional
1376 Windows 2000 Professional
481 Undefined
190 Windows 2000 Server
88 Windows Server 2003
67 Windows NT
18 Mac OS X
1 Samba

Based on these numbers, it doesn't make much sense for us to allocate
resources documenting systems that are not being used by our user base. Our
intent is not to arbitrarily exclude non-Microsoft platforms. We also don't
have much documentation available for Server 2003, Windows NT, or Windows 98.
Currently, we receive many more questions about Server 2003 than Panther.
As more Panther machines join AD, we will provide documentation as our time
permits. But CalNetAD is a community effort; if our more technical users
have documentation, we welcome their submissions and will post the
documentation on our site.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
 
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
------------------------------------------------------------------------
Received on Wed Jun 2 10:00:11 2004