[olug] local groups and Active Directory

Phil Brutsche phil at brutsche.us
Tue Feb 13 01:20:11 UTC 2007


Rob Townley wrote:
> This is one of those projects I have been considering, but didn't do it 
> because I thought it more secure to have two different sets of 
> passwords.  But now I want to do it.
> 
> Assuming the MS AD is not going anywhere, do you absolutely have to 
> use Microsoft's Services for Unix?  Really?

No, but it's a good idea:
 * SfU provides you with an NIS server
 * SfU provides a standard RFC2307 schema so that the LDAP server can be
queried directly
 * Doing it through Samba is the hard way and is only useful if you wish
to have your Linux file server authenticate Windows clients against a
Windows domain controller.

My snippet you quoted is part of the configuration for the winbindd
daemon from Samba to provide local users via the SMB protocol.

Installing SfU on your AD DCs provides you with an LDAP server that
pam_ldap and nss_ldap can talk to directly; it extends the AD schema to
provide the RFC2307 attributes Linux expects to see in the LDAP directory.

Note, however, that most UNIXes don't understand LDAP for local users
(Linux and Solaris are the only ones I know of that do) - which is why
the NIS server is a good idea.

> If a Linux based LDAP server syncs with MS AD, and the Linux 
> workstation authenticates with the Linux LDAP server, would you still
> have to have MS Services for Unix?

Yes, because a Linux LDAP server won't be syncing with an
Active Directory LDAP server anytime soon. Theoretically Samba4 could do
it, but they've been saying "it's a year away" for a couple of years now.

The best way to save yourself a lot of headache is to take the
"Linux based LDAP server" out of the equation and have your Linux
machines talk directly to AD.

-- 

Phil Brutsche
phil at brutsche.us
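As an added illustration of what nss_ldap does with the RFC2307 attributes described in the reply above (this is example code, not from the list post or from Samba/SfU): it turns directory entries into passwd(5) lines and drops the ones that must not map, such as Windows-only accounts with no Unix attributes or entries that would land on a local system UID. The sample entries are constructed; the attribute name unixHomeDirectory is assumed to be the AD name for the Unix home directory.

```python
"""Build passwd(5) lines from RFC2307-style LDAP entries, the way an
nss_ldap lookup against an SfU-extended AD would see them.

The entries below are constructed sample data, not output from a real
directory. Attribute names follow RFC 2307 (uidNumber, gidNumber,
loginShell, gecos); 'unixHomeDirectory' is assumed to be the name AD
uses for the Unix home directory."""

MIN_UID = 1000  # refuse to map directory accounts onto local system UIDs

SAMPLE_ENTRIES = [  # constructed sample data
    {"uid": ["alice"], "uidNumber": ["10001"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"],
     "gecos": ["Alice Example"]},
    {"uid": ["bob"], "uidNumber": ["10002"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/bob"]},        # no loginShell attribute
    {"uid": ["svc-backup"], "uidNumber": ["0"], "gidNumber": ["0"],
     "unixHomeDirectory": ["/root"], "loginShell": ["/bin/sh"]},  # would be root
    {"uid": ["carol"]},                          # Windows-only account
]

def passwd_line(entry, min_uid=MIN_UID, default_shell="/bin/sh"):
    """Return a passwd(5) line for one entry, or None if it must not map."""
    def first(attr):
        vals = entry.get(attr)
        return vals[0] if vals else None
    name, uid, gid = first("uid"), first("uidNumber"), first("gidNumber")
    if not (name and uid and gid):
        return None  # no RFC2307 attributes: account is invisible to Unix
    if not (uid.isdigit() and gid.isdigit()):
        return None  # malformed numeric attribute
    if int(uid) < min_uid:
        return None  # never let a directory entry shadow root or system users
    home = first("unixHomeDirectory") or f"/home/{name}"
    shell = first("loginShell") or default_shell
    gecos = first("gecos") or name
    if any(":" in f or "\n" in f for f in (name, home, shell, gecos)):
        return None  # a field separator in a value would corrupt the line
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

def passwd_lines(entries):
    """Map every entry that passes the checks; skip the rest silently."""
    return [ln for ln in (passwd_line(e) for e in entries) if ln]

if __name__ == "__main__":
    print("\n".join(passwd_lines(SAMPLE_ENTRIES)))
```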
