AD Authentication?
Thomas Charron
twaffle at gmail.com
Tue Mar 4 09:50:26 EST 2008
On Tue, Mar 4, 2008 at 9:30 AM, Matt Brodeur <mbrodeur at nexttime.com> wrote:
> On Tue, Mar 04, 2008 at 08:38:25AM -0500, Kenny Lussier wrote:
> If you absolutely can't touch the AD servers you'll have to look at
> Samba's Winbind. IIRC, you'll want a separate LDAP server to store
> the SID-UID mappings, instead of letting each client make up their
> own.
This will only be a problem if you are doing something akin to NFS
mounting of drives and maintaining permissions. This may also be
addressed, however, using an RID-based IDMAP, instead of an LDAP-based
IDMAP. Much easier if you're only dealing with a single domain.
> I don't know if the default AD schema has enough information to
> authenticate Linux clients directly. I think, at a minimum, you'll
> need Services For Unix installed. That'll add attributes which are
> almost, but not entirely, unlike the normal posixAccount ones. From
> there you could use OpenLDAP meta mapping to translate MS LDAP to
> something more sane.
Nope, as long as the machine is in the domain, winbind can work on
its own in Active Directory.
> Disclaimer: I've probably done this exactly once, in a lab exercise
> during a class. FWIW, it's still what RH teaches as of 2006.
Samba has, in the last few years, grown a great deal in its ability
to function in an AD environment.
--
-- Thomas
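As an added illustration of the RID-based IDMAP mentioned above (not part of the original thread, and not from the Samba project itself), this is a minimal smb.conf fragment for a domain-joined client using the rid backend; the realm, workgroup name and ID ranges are placeholders, and the "idmap config DOMAIN : ..." syntax is the current Samba form rather than the one in use in 2008.

```ini
[global]
   ; join the machine to AD and let winbind use the domain directly
   security = ads
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   kerberos method = secrets and keytab

   ; winbind needs a default backend for the "*" catch-all
   ; (BUILTIN and any domain not listed below); tdb is local and
   ; per-client, so keep its range away from the domain range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; rid backend: uid/gid = range low value + the SID's RID, so every
   ; client computes the same UID for the same account without an
   ; LDAP store; this is what keeps NFS ownership consistent
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   ; use "user" instead of "EXAMPLE\user" on the Linux side
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind enum users = no
   winbind enum groups = no

   ; what to hand out for accounts without POSIX attributes
   template shell = /bin/bash
   template homedir = /home/%U
```

With this in place, "wbinfo -i someuser" and "getent passwd someuser" should return the same UID on every client that shares the same range, which is the property to check before relying on it for NFS permissions.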