[Gllug] Integrating *nixen (mostly OSX) into MS Active Directory

Bruce Richardson itsbruce at workshy.org
Thu Oct 23 14:37:37 UTC 2008


On Thu, Oct 23, 2008 at 02:52:31PM +0100, Avi wrote:
> I want to argue that it is possible to achieve some AD integration with 
> *nix OSs (I presume I can get quite a bit with an LDAP client?), but I'm 
> having fun finding any real-world information on it.

Active Directory is a mixture of Kerberos, DNS, LDAP and SMB/CIFS.  *nix
machines can work quite well with this.  It's probably easier on OS X
than Linux, in some respects, because OS X comes with kerberos by
default and has many kerberised clients.

I'm working in a mixed environment at the moment, with AD and Microsoft
Exchange in the office.  I start my day, on my linux workstation, by
using kinit to get a ticket-granting ticket from the AD domain
controller, after which I can mount shares and query the AD directory
hierarchy without having to type in any more user credentials (or have
them hidden in files on disk).  The Linux servers have Samba, Winbind
and PAM configured so that AD users can log in and use services using
the same username/password they use everywhere else, with no need for
any user accounts to be created on the servers.  With just a little
extra work, I could be using kerberos to authenticate against the ssh
daemons.  If we had Exchange 2007, which finally supports Kerberos auth
for IMAP etc, I'd barely have to type in a password at all during a
working day.

Much of this should work the same for OS X and you shouldn't even need
to use kerberos tools to request a ticket - it should be handled by the
OS X login app once kerberos is enabled.

> 
> Have any of you got any experience of it, and how successful were you? 
> I'm currently more after an idea of what is possible than an explanation 
> of exactly how I do it (with a bit of luck I'll be back for that shortly).

http://www.apple.com/itpro/articles/adintegration/
http://www.linux-watch.com/news/NS9227285361.html
http://www.enterprisenetworkingplanet.com/netos/article.php/3502441
http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html

Essentially, you can have integrated user management (up to a point),
network share management and, with the right ingredients, mail access.
That said, *nix is not Windows, so you don't get unified application
management or server management (except in the most basic sense).


-- 
Bruce

What would Edward Woodward do?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
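An added illustration of the Samba/Winbind/PAM arrangement the post describes (this is example configuration, not anything from the original message or its author): a minimal Linux AD-member setup in which domain users log in with their AD password, get a Kerberos ticket cache from PAM at login, and need no local accounts. The realm EXAMPLE.LOCAL, the NetBIOS name EXAMPLE, the idmap ranges and the Debian-style PAM file names are assumptions.

```ini
# /etc/samba/smb.conf  (global section only; share definitions omitted)
# Join once with:  net ads join -U <domain admin>   then verify with  wbinfo -t
[global]
    workgroup = EXAMPLE                 ; NetBIOS domain name (assumed)
    realm = EXAMPLE.LOCAL               ; Kerberos realm = AD DNS domain (assumed)
    security = ads                      ; authenticate against AD, never a local passdb
    kerberos method = secrets and keytab
    ; Map AD SIDs to POSIX ids deterministically, so the same user gets the
    ; same uid on every member server without any local account creation.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = yes    ; log in as "alice", not "EXAMPLE\alice"
    winbind refresh tickets = yes       ; renew the user's TGT for the life of the session
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    client signing = mandatory          ; refuse unsigned SMB sessions to the DC
    client ldap sasl wrapping = seal    ; GSSAPI-encrypt winbind's LDAP traffic to the DC

# /etc/nsswitch.conf  (append winbind so getent and PAM can see domain users)
passwd: files winbind
group:  files winbind

# /etc/pam.d/common-auth  (Debian layout; Red Hat puts this in system-auth)
# krb5_auth makes winbind obtain a TGT at login and hand the credential cache
# to the session; that cache is what lets later CIFS mounts and LDAP queries
# proceed without typing the password again, as the post describes.
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
auth required   pam_unix.so try_first_pass

# /etc/pam.d/common-session
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_winbind.so
```

Check `getent passwd alice` and `wbinfo -a alice` from a root shell before touching the PAM files, so that an idmap or join mistake cannot lock you out of the host.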