[olug] local groups and Active Directory

Sean Kelly smkelly at zombie.org
Tue Feb 13 05:12:21 UTC 2007


On Mon, Feb 12, 2007 at 07:20:11PM -0600, Phil Brutsche wrote:
...
> No, but it's a good idea:
>  * SfU provides you with an NIS server
>  * SfU provides standard RFC2307 schema so that the LDAP server can be
> queried directly
>  * Doing it through Samba is the hard way and is only useful if you wish
> to have your Linux file server authenticate Windows clients against a
> Windows domain controller.

I know very little about this, but supposedly a lot of this was supposed to
be rolled into Windows 2003 R2. Anybody have any specifics on what R2
provides in this area?

> My snippet you quoted is part of the configuration for the winbindd
> daemon from Samba to provide local users via the SMB protocol.

I'm not a big fan of winbindd. We have it on some systems at work, and the
thing seems to explode quite often, leaving the machine with only local
user awareness. Not entirely good for a web server with user pages on it
where the users come from AD... I would encourage the SFU route, with a
dash of Kerberos to do the actual password authentication part.

...
> Note, however, that most UNIXes don't understand LDAP for local users
> (Linux and Solaris are the only ones I know of that do) - which is why
> the NIS server is a good idea.

I don't really think this is the case anymore. LDAP/krb5 seem to be
catching on quite heavily in the Unix field. I know FreeBSD now has
nss_ldap/pam_ldap. I can login to one of my FreeBSD desktops at work
using my AD credentials because of pam_krb5 as well. I can only imagine
that NetBSD has this, and maybe OpenBSD too.

> > If a Linux based LDAP server syncs with MS AD.  Then the Linux 
> > workstation authenticates with the Linux LDAP server, would you still
> > have to have MS Services for Unix?
> 
> Yes, because a Linux LDAP server won't be syncing with an
> ActiveDirectory LDAP server anytime soon. Theoretically Samba4 could do
> it, but they've been saying "it's a year away" for a couple years now.
> 
> The best way to save yourself a lot of headache is to take the
> "Linux based LDAP server" out of the equation and have your Linux
> machines talk directly to AD.

Agreed. When I was at LISA '05, I attended a BoF where various universities
and companies presented how they do this sort of thing. The common trend
seems to actually be feeding AD from an OpenLDAP server if you really want
to have a Linux LDAP server involved.

-- 
Sean Kelly          | PGP KeyID: D2E5E296
smkelly at smkelly.org | http://www.smkelly.org
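The "SfU for the RFC2307 data, Kerberos for the password" split recommended above, written out as an added configuration example (not taken from this thread or from Samba/SfU documentation): nss_ldap resolves accounts from AD while pam_krb5 handles authentication, so no password ever travels over LDAP. The hostname, base DN, OUs, CA file and bind account are placeholders.

```conf
# /etc/nsswitch.conf  --  account lookups: local files first, then AD via nss_ldap.
# Listing "files" first keeps root and local admin accounts resolvable when the
# directory is unreachable (the same situation a dead winbindd leaves you in).
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/ldap.conf  --  nss_ldap pointed at a domain controller that exposes the
# RFC2307 attributes (uidNumber, gidNumber, loginShell, ...) SfU / R2 add.
# All names below are placeholders for this example.
uri ldap://dc1.example.com/
base dc=example,dc=com
# Protect the query channel even though it carries no passwords.
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem
# AD does not answer anonymous searches; use a dedicated read-only account.
binddn cn=nss-reader,ou=Service Accounts,dc=example,dc=com
bindpw PLACEHOLDER-READ-ONLY-PASSWORD
# Only return objects that actually carry a POSIX uid, so plain Windows
# accounts never show up as UNIX users with missing fields.
nss_base_passwd ou=People,dc=example,dc=com?sub?(uidNumber=*)
nss_base_group  ou=Groups,dc=example,dc=com?sub?(gidNumber=*)
# AD uses "user" rather than posixAccount and stores the login name
# in sAMAccountName rather than uid.
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName

# /etc/pam.d/sshd (or system-auth)  --  pam_krb5 authenticates against the
# KDC built into the domain controller; pam_unix remains for local accounts.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so try_first_pass
account   required    pam_unix.so broken_shadow
account   sufficient  pam_krb5.so
session   optional    pam_krb5.so
```

Because the bind password in ldap.conf is readable by every process doing name lookups, the nss-reader account should hold nothing beyond read access to the two OUs named above.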


