Authenticate Linux Clients with Active Directory (Technet)
Nov 20, 2008, 04:03 (0 Talkback[s])
The discussion on LWN contains a lot of useful
"I personally find several advantages for using Samba winbind over straight Kerberos + LDAP.

"1. Samba joins AD as a regular host. If you want to use plain Kerberos with PAM authentication, you'll have to make host/server@REALM users by hand in AD instead of machine accounts and export a /etc/krb5.keytab file using Microsoft's ktpass tool from the Windows support tools. ktpass has a lot of weird limitations and an uncertain future. I have done this, and it works, but the Samba way is easier.

"2. Winbind can use regular Microsoft groups. Most Unix -> LDAP solutions, regardless of what your LDAP server is (Microsoft? Sun? Novell? IBM? OpenLDAP), use rfc2307 attributes for uid, gid, home directory, shell, etc. There is a subtle but important difference between rfc2307 and rfc2307bis: group members in rfc2307 were LDAP IA5String types (lists of usernames, compare /etc/group). rfc2307bis also allows group members to be LDAP "distinguished names". Microsoft groups in AD use DNs in the "member" attribute. Winbind lets you tap into the regular groups, including nested group memberships. If you don't use winbind you may be spending a lot of time mucking around in tools like adsiedit and using different procedures to edit your Unix groups than your Windows groups. Microsoft has extensions to their "Active Directory Users and Computers" tool for "Unix attributes" tabs, but those don't include any decent editing support for group memberships. A plain LDAP implementation is going to have more trouble in /etc/nsswitch.conf with mapping groups."
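An added illustration of the rfc2307 versus rfc2307bis point raised in the comment above (this is not code from the LWN discussion or the Technet article): a small resolver over a constructed in-memory directory that flattens both group forms, bare usernames in memberUid and DNs in member, including nested AD groups, into the username list an /etc/group line needs. All DNs, account names and the GID are made up for the example.

```python
# Constructed sample directory standing in for LDAP search results: DN -> attributes.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["carol"]},
    # AD / rfc2307bis style: "member" holds DNs, one of which is another group (nesting).
    "CN=linux-admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=helpdesk,OU=Groups,DC=example,DC=com"],
    },
    "CN=helpdesk,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=bob,OU=Users,DC=example,DC=com",
                   "CN=linux-admins,OU=Groups,DC=example,DC=com"],  # deliberate cycle
    },
    # Plain rfc2307 style: "memberUid" holds bare usernames, like /etc/group.
    "cn=developers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["carol", "bob"],
    },
}


def flatten_members(group_dn, directory=DIRECTORY, _seen=None):
    """Return the set of usernames that are (transitively) members of group_dn.

    rfc2307 memberUid values are usernames and are taken as-is. rfc2307bis/AD
    member values are DNs: user DNs are mapped to sAMAccountName, group DNs are
    recursed into, so nested AD groups resolve the way winbind exposes them.
    """
    if _seen is None:
        _seen = set()
    if group_dn in _seen:  # guard against nested-group cycles
        return set()
    _seen.add(group_dn)
    entry = directory.get(group_dn, {})
    users = set(entry.get("memberUid", []))
    for dn in entry.get("member", []):
        target = directory.get(dn)
        if target is None:  # dangling DN reference: nothing to resolve
            continue
        if "group" in target.get("objectClass", []):
            users |= flatten_members(dn, directory, _seen)
        else:
            users.update(target.get("sAMAccountName", []))
    return users


def group_line(name, gid, group_dn, directory=DIRECTORY):
    """Render the flattened membership as an /etc/group-style line."""
    return f"{name}:x:{gid}:{','.join(sorted(flatten_members(group_dn, directory)))}"
```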