AD Authentication?

Thomas Charron twaffle at gmail.com
Tue Mar 4 09:50:26 EST 2008


On Tue, Mar 4, 2008 at 9:30 AM, Matt Brodeur <mbrodeur at nexttime.com> wrote:
> On Tue, Mar 04, 2008 at 08:38:25AM -0500, Kenny Lussier wrote:
>  If you absolutely can't touch the AD servers you'll have to look at
>  Samba's Winbind.  IIRC, you'll want a separate LDAP server to store
>  the SID-UID mappings, instead of letting each client make up their
>  own.

  This will only be a problem if you are doing something akin to NFS
mounting of drives and maintaining permissions.  This may also be
addressed, however, using an RID based IDMAP, instead of an LDAP based
IDMAP.  Much easier if you're only dealing with a single domain.

>  I don't know if the default AD schema has enough information to
>  authenticate Linux clients directly.  I think, at a minimum, you'll
>  need Services For Unix installed.  That'll add attributes which are
>  almost, but not entirely, unlike the normal posixAccount ones.  From
>  there you could use OpenLDAP meta mapping to translate MS LDAP to
>  something more sane.

  Nope, as long as the machine is in the domain, winbind can work on
its own in Active Directory.

>  Disclaimer:  I've probably done this exactly once, in a lab exercise
>  during a class.  FWIW, it's still what RH teaches as of 2006.

  Samba has, in the last few years, grown a great deal in its ability
to function in an AD environment.

-- 
-- Thomas
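As an added illustration of the RID-based IDMAP Thomas recommends for a single domain (this is example configuration, not something from the thread or from the Samba project's own documentation), here is a current-syntax smb.conf fragment for a domain-joined winbind client. The domain name EXAMPLE, the realm EXAMPLE.COM and the ID ranges are constructed placeholders.

```ini
# /etc/samba/smb.conf (example only; domain, realm and ranges are placeholders)
[global]
    # Join the machine to AD and authenticate with Kerberos against the DCs.
    # No schema changes (Services For Unix, posixAccount) are needed on AD:
    # winbind derives the POSIX identity from the SID alone.
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    # Default (catch-all) backend for the BUILTIN and well-known SIDs.
    # tdb allocates IDs first-come-first-served, so this range is per host
    # and must never overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # RID backend for the single domain: UID/GID = range_low + RID.
    # Because the mapping is arithmetic, every joined host computes the
    # same UID for the same account without a shared LDAP store, which is
    # what keeps ownership consistent on NFS exports. Size the range to
    # exceed the highest RID the domain will ever issue.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Present EXAMPLE\user as plain "user" to PAM/NSS and give each
    # account a home directory and shell (AD stores neither by default).
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/bash

    # Let winbind use the machine keytab for Kerberos authentication.
    kerberos method = secrets and keytab
```

After `net ads join -U Administrator` and a winbind restart, `wbinfo -u` and `getent passwd` will show domain accounts; an `id someuser` on two different hosts should return the identical UID, which is the check that the RID mapping is behaving as intended.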


More information about the gnhlug-discuss mailing list