AD Authentication?

Ben Scott dragonhawk at gmail.com
Tue Mar 4 12:34:37 EST 2008


On Tue, Mar 4, 2008 at 8:38 AM, Kenny Lussier <klussier at gmail.com> wrote:
>  Does anyone know of any recent, good docs on using a Windows Active
>  Directory server to authenticate Linux desktops?

  Winbind -- part of Samba -- can act as a NSS backend, making Windows
accounts appear as native Unix accounts.  Usernames become available
using getpwent(3), getent(1), etc.  Password logons are passed back
through winbind to Windows Domain Controllers for authentication.
There are a few config items in smb.conf to set things like the pattern
for home directories.

  The only tricky part is handling the mapping from Unix UIDs and
GIDs to Windows SIDs (Security Identifiers, which are kind of like a
union of UIDs and GIDs).  By default, Samba just picks sequence
numbers from the "idmap range" you specify.  It stores the mapping in
a database local to the Samba client.  If that database is lost, all
the Unix<->Windows ID mappings get lost, too.  Equivalent to losing
your /etc/passwd file.  So that needs to be backed up.  And if you
want to have mappings be consistent between machines, you have to use
a more sophisticated mechanism to generate and/or store the mappings.

  I used the Samba docs to learn about all this, and didn't really
need to go looking for more.

  Now, Samba's goal is to let Unix speak Windows to Windows.  With the
popularity of Linux, Microsoft has also revived their "Services For
Unix" package.  It claims to let Windows speak Unix to Unix.
Supposedly the newer versions are improved over old, and are "free"
for Windows 2003 and later.  In other words, SFU is part of Windows,
now.  That may or may not be a better alternative to Samba.  But I
don't have any experience with it.

> ... installing software on the Windows side to allow different schemas.

  Active Directory is LDAP based, and schema additions are not
uncommon.  They need to be managed, like any other configuration
change to a critical IT resource, but they're not deadly poison.
Microsoft's own "Services for Unix" includes schema extensions, and I
think they might even be included by default in the Windows Server
2008 default schema.

-- Ben
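As an added illustration (not code from the post above, nor Samba's own), a small Python model of the two ID-mapping strategies Ben describes: a per-host sequential allocator that remembers its choices in a local database, and a deterministic RID-offset mapping (assumed here to follow the arithmetic of Samba's idmap_rid backend, uid = RID - base_rid + range_low) that gives every machine the same answer without a shared database. All SIDs are constructed sample values.

```python
# Added example, not from the original post or from Samba.
# SequentialIdmap mimics the default behaviour: hand out the next free
# number in the idmap range and remember it in a local database, so two
# hosts that meet users in a different order disagree, and losing the
# database loses the map. map_rid mimics a deterministic scheme (the
# idmap_rid arithmetic, assumed: uid = RID - base_rid + range_low).
import re

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # domain SID + RID


def rid_of(sid: str) -> int:
    """Return the RID (last component) of a domain account SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


class SequentialIdmap:
    """Per-host allocator: first SID seen gets the first free ID in the range."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.table: dict = {}  # the local idmap database; lose it, lose the map

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            next_id = self.low + len(self.table)
            if next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = next_id
        return self.table[sid]


def map_rid(sid: str, low: int, high: int, base_rid: int = 0) -> int:
    """Deterministic mapping: the same SID yields the same ID on every host."""
    uid = rid_of(sid) - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"{sid} falls outside idmap range {low}-{high}")
    return uid


def sequential_ids_on_two_hosts(order_a, order_b, low=10000, high=20000):
    """Two hosts that first saw the same SIDs in different orders.
    Returns {sid: (uid_on_a, uid_on_b)}; pairs differ wherever order did."""
    host_a, host_b = SequentialIdmap(low, high), SequentialIdmap(low, high)
    for sid in order_a:
        host_a.lookup(sid)
    for sid in order_b:
        host_b.lookup(sid)
    return {sid: (host_a.lookup(sid), host_b.lookup(sid)) for sid in order_a}
```

The deterministic scheme only works within one domain: two domains with the same RID would collide, which is why Samba's more sophisticated backends key the range per domain.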


More information about the gnhlug-discuss mailing list