[Wylug-discuss] Linux authentication against Windows active directory

Nigel Metheringham nigel.metheringham at dev.intechnology.co.uk
Mon Apr 21 12:02:31 BST 2008


Strangely enough this is one of the things I have never bothered to look
at previously despite running linux servers for too many years....

I've been looking at getting a batch of linux servers to authenticate
against a windows AD domain. As ever there are various sets of
information about this that can be found by google, and some of them are
even somewhat accurate....

So if I follow the steps in either of these:-
   http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
   http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2

I get a working set of authentication - although there are a couple of
gotchas in that to join to an AD domain you appear to have to be rather
careful about how the system's FQDN is set up (you must be in the AD
domain for DNS, hostname must return a single component name, hostname
--fqdn must return the FQDN - basically you have to make sure hosts is
set right)

However, I have found that doing the first sets of steps WITHOUT joining
the AD domain works fine for authentication etc, ie:-
   - Set Kerberos up to look at the AD servers
   - Set LDAP up to grab account data from the AD servers
   - Set PAM to auth against Kerberos, and get account info from LDAP

At this point, without installing samba, and without joining an AD
domain, I can now authenticate quite happily against the AD system.

So, and finally we get to the question:
   What reason/advantage is there for me to join the AD domain?

It should be noted that in this particular case, I have no need or
desire for the abilities to:-
   - Change the AD passwords from the linux boxes
   - Get additional information such as home directory mounts

	Nigel.

--
[ Nigel Metheringham             Nigel.Metheringham at InTechnology.com ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
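The three no-join steps in the post (Kerberos, LDAP account data, PAM), as an added example that is not part of the original message: a script that renders the corresponding config fragments for a hypothetical realm and checks the hostname layout the post says the AD join is picky about. The realm, KDC host, LDAP base and bind DN are placeholders, not values from the post, and the nss_ldap/pam_krb5 directives are the PADL and pam_krb5 option names (assumed to match the versions in use).

```shell
#!/bin/sh
# Added example, not from the original post. Writes the Kerberos, LDAP (nss_ldap)
# and PAM fragments for authenticating against AD without a domain join into DIR,
# so they can be reviewed before being copied under /etc. All realm/host/DN values
# passed in are placeholders chosen by the caller.

# check_hostname_layout SHORT FQDN
# Returns 0 when SHORT has no dot and FQDN is SHORT followed by a domain, i.e. the
# layout the post says `hostname` and `hostname --fqdn` must produce.
check_hostname_layout() {
  short=$1; fqdn=$2
  case $short in *.*) return 1;; esac
  case $fqdn in "$short".?*) return 0;; *) return 1;; esac
}

# render_configs DIR REALM KDC BASEDN BINDDN
# krb5.conf points at the AD KDC; ldap.conf maps AD's objectClass/attribute names
# onto the POSIX ones nss_ldap expects (AD has no anonymous bind, hence binddn;
# the bindpw line is left for the admin to add, keep that file root-only);
# pam-auth tries Kerberos first and falls back to local accounts.
render_configs() {
  dir=$1 realm=$2 kdc=$3 base=$4 binddn=$5
  mkdir -p "$dir"
  cat >"$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }
EOF
  cat >"$dir/ldap.conf" <<EOF
uri ldap://$kdc/
base $base
ldap_version 3
referrals no
binddn $binddn
nss_base_passwd $base?sub
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
EOF
  # Without a host keytab (which a domain join would create) pam_krb5 can only
  # check that the password yields a TGT; it cannot validate that TGT locally.
  cat >"$dir/pam-auth" <<EOF
auth  sufficient  pam_krb5.so
auth  required    pam_unix.so try_first_pass
EOF
}
```

Run `render_configs ./out EXAMPLE.COM dc1.example.com dc=example,dc=com "cn=ldapro,cn=Users,dc=example,dc=com"` and diff the output against the live files before installing it.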
