Linux Today: Linux News On Internet Time.

Authenticate Linux Clients with Active Directory (Technet)

Nov 20, 2008, 04:03

The discussion on LWN contains a lot of useful information--ed.
"I personally find several advantages for using Samba winbind over straight Kerberos + LDAP.

"1. Samba joins AD as a regular host. If you want to use plain Kerberos with PAM authentication, you'll have to make host/server@REALM users by hand in AD instead of machine accounts and export a /etc/krb5.keytab file using Microsoft's ktpass tool from the Windows Support Tools. ktpass has a lot of weird limitations and an uncertain future. I have done this, and it works, but the Samba way is easier.

"2. Winbind can use regular Microsoft groups. Most Unix -> LDAP solutions, regardless of what your LDAP server is (Microsoft? Sun? Novell? IBM? OpenLDAP), use rfc2307 attributes for uid, gid, home directory, shell, etc. There is a subtle but important difference between rfc2307 and rfc2307bis: group members in rfc2307 were LDAP IA5String types (lists of usernames, compare /etc/group). rfc2307bis also allows group members to be LDAP "distinguished names". Microsoft groups in AD use DNs in the "member" attribute. winbind lets you tap into the regular groups, including nested group memberships. If you don't use winbind you may be spending a lot of time mucking around in tools like adsiedit and using different procedures to edit your Unix groups than your Windows groups. Microsoft has extensions to their "Active Directory Users and Computers" tool for "Unix Attributes" tabs, but those don't include any decent editing support for group memberships. A plain LDAP implementation is going to have more trouble in /etc/nsswitch.conf with mapping groups."
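The second point above is easier to see with a worked example. The following Python script is an added illustration written for this page; it is not part of the LWN comment, of Samba, or of any winbind code, and the directory entries in it are constructed, not taken from a real domain. It takes AD-style groups whose "member" attribute holds DNs (the rfc2307bis shape) and flattens them, nested groups included, into the login-name lists that an rfc2307 "memberUid" attribute and a plain NSS/LDAP client expect. It also handles the cases a hand-rolled mapping has to deal with and that winbind takes care of for you: groups nested in a cycle, member DNs that no longer resolve, and users whose "Unix Attributes" tab was never filled in (no rfc2307 uid). The attribute layout (a dict of DN -> attribute -> list of values) mirrors what an LDAP search result looks like, but nothing here talks to a directory server.

```python
"""Flatten nested, DN-valued AD group membership into rfc2307-style
memberUid lists. Added example for illustration only; the directory
below is constructed and no live LDAP server is involved."""

from collections import deque

BASE = "DC=example,DC=com"          # assumed, constructed domain
U = f"CN=Users,{BASE}"

# Constructed sample directory: DN -> {attribute: [values]}.
# Users carry an rfc2307 "uid"; groups list members as DNs in "member".
DIRECTORY = {
    f"CN=alice,{U}": {"objectClass": ["user"], "uid": ["alice"], "uidNumber": ["10001"]},
    f"CN=bob,{U}":   {"objectClass": ["user"], "uid": ["bob"],   "uidNumber": ["10002"]},
    f"CN=carol,{U}": {"objectClass": ["user"], "uid": ["carol"], "uidNumber": ["10003"]},
    # dave exists in AD but has no rfc2307 attributes at all
    f"CN=dave,{U}":  {"objectClass": ["user"], "sAMAccountName": ["dave"]},
    f"CN=developers,{U}": {
        "objectClass": ["group"], "cn": ["developers"], "gidNumber": ["20001"],
        "member": [f"CN=alice,{U}", f"CN=bob,{U}"],
    },
    f"CN=ops,{U}": {
        "objectClass": ["group"], "cn": ["ops"], "gidNumber": ["20002"],
        # nested group, a user without Unix attributes, and a dangling DN
        "member": [f"CN=carol,{U}", f"CN=developers,{U}", f"CN=dave,{U}", f"CN=ghost,{U}"],
    },
    f"CN=all-staff,{U}": {
        "objectClass": ["group"], "cn": ["all-staff"], "gidNumber": ["20003"],
        # nests ops (which nests developers) and, pathologically, itself
        "member": [f"CN=ops,{U}", f"CN=developers,{U}", f"CN=all-staff,{U}"],
    },
}


def expand_members(group_dn, directory):
    """Recursively resolve a group's DN-valued members to login names.

    Returns (sorted list of uids, list of member DNs that could not be
    mapped to an rfc2307 uid: dangling references or users without Unix
    attributes). Breadth-first with a visited set, so nested cycles and
    groups reached by more than one path are expanded only once.
    """
    uids, unmapped = set(), []
    seen = {group_dn}
    queue = deque(directory[group_dn].get("member", []))
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue                      # cycle or duplicate nesting
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            unmapped.append(dn)           # member DN no longer exists
            continue
        if "group" in entry["objectClass"]:
            queue.extend(entry.get("member", []))   # descend into nested group
        elif "uid" in entry:
            uids.add(entry["uid"][0])     # rfc2307 login name
        else:
            unmapped.append(dn)           # user with no rfc2307 uid attribute
    return sorted(uids), unmapped


def to_rfc2307(group_dn, directory):
    """Rewrite one AD group as the attributes an rfc2307 posixGroup carries."""
    uids, _ = expand_members(group_dn, directory)
    g = directory[group_dn]
    return {"cn": g["cn"][0], "gidNumber": int(g["gidNumber"][0]), "memberUid": uids}


def group_line(group_dn, directory):
    """Render the group the way NSS would present it, i.e. as an /etc/group line."""
    r = to_rfc2307(group_dn, directory)
    return f"{r['cn']}:x:{r['gidNumber']}:{','.join(r['memberUid'])}"


if __name__ == "__main__":
    for dn in (f"CN=developers,{U}", f"CN=ops,{U}", f"CN=all-staff,{U}"):
        _, unmapped = expand_members(dn, DIRECTORY)
        print(group_line(dn, DIRECTORY), "   # unmapped:", unmapped)
```

The "unmapped" list is the part to watch in practice: a member that cannot be mapped silently disappears from the Unix view of the group, so any home-grown rfc2307 export should report those entries rather than drop them. Winbind sidesteps the whole problem by resolving the SIDs and nested memberships itself and synthesising Unix IDs, which is what the comment above is getting at.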
