[Wylug-discuss] Linux authentication against Windows active directory
John Hodrien
johnh at comp.leeds.ac.uk
Mon Apr 21 12:14:34 BST 2008
On Mon, 21 Apr 2008, Nigel Metheringham wrote:
> However, I have found that doing the first sets of steps WITHOUT joining
> the AD domain works fine for authentication etc, ie:-
> - Set Kerberos up to look at the AD servers
> - Set LDAP up to grab account data from the AD servers
> - Set PAM to auth against Kerberos, and get account info from LDAP
Yes, that's what I've done. Does your AD allow anonymous querying, or are you
using a lookup account in the ldap.conf? Or something else?
> At this point, without installing samba, and without joining an AD
> domain, I can now authenticate quite happily against the AD system.
Yes. It's all down to the way kerberos works. Which is also why the fqdn
needs to be right if you join a domain. If your domain is big, and set up in a
less-than-ideal way, the performance of out-of-the-box nss_ldap vs winbind can
be quite poor, to the point of being problematic.
> So, and finally we get to the question:
> What reason/advantage is there for me to join the AD domain?
If you want to offer kerberised services on the machine, then you probably
want to join. If you want to offer non-kerberised Samba then you probably
want to join. Erm... Would you find it useful to know that I've currently
settled on a krb5/nss_ldap combo against AD?
> It should be noted that in this particular case, I have no need or
> desire for the abilities to:-
> - Change the AD passwords from the linux boxes
Doesn't that work already with your setup?
> - Get additional information such as home directory mounts
You can pull that out of AD anyway without a join.
jh
--
"I think it is well also for the man in the street to realise that there is no
power on earth that will protect him from being bombed. Whatever people may
tell him, the bomber will always get through. The only defence is in offence
which means you have to kill more women and children more quickly than the
enemy if you want to save yourselves." -- Stanley Baldwin
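The three quoted steps (Kerberos for authentication, LDAP for account data, PAM tying them together, no domain join) written out as a configuration set. This is an added example, not configuration posted by either participant. The realm EXAMPLE.LOCAL, the domain controller dc1.example.local, the base DN and the linux-lookup service account are constructed placeholders; the PAM fragments assume Debian-style /etc/pam.d/common-* files and the Debian pam-krb5 module (which accepts minimum_uid); the files are written under a scratch PREFIX rather than /etc so they can be reviewed first. It also answers the "anonymous querying vs lookup account" question the way a defender would: AD normally refuses anonymous reads of user attributes, so a lookup account is used, its password is kept in the root-only /etc/ldap.secret via rootbinddn instead of in the world-readable ldap.conf, and the LDAP session is TLS-wrapped with certificate checking. The check function catches the two mistakes that most often leak that credential.

```shell
#!/bin/sh
# Added example, not from the thread. Generates krb5/nss_ldap/PAM configs for
# authenticating Linux against AD without joining the domain. All names below
# (realm, DC, base DN, lookup account) are constructed placeholders.
set -eu

PREFIX="${PREFIX:-${TMPDIR:-/tmp}/ad-auth-demo}"   # scratch dir, not /etc
REALM="EXAMPLE.LOCAL"
DOMAIN="example.local"
DC="dc1.example.local"
BASE="dc=example,dc=local"
LOOKUP_DN="cn=linux-lookup,ou=Service Accounts,${BASE}"

write_configs() {
    mkdir -p "${PREFIX}/etc/pam.d"

    # 1. Kerberos: the AD domain controllers are the KDCs.
    cat > "${PREFIX}/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_kdc = true
    forwardable = true

[realms]
    ${REALM} = {
        kdc = ${DC}
        admin_server = ${DC}
    }

[domain_realm]
    .${DOMAIN} = ${REALM}
    ${DOMAIN} = ${REALM}
EOF

    # 2. nss_ldap: account data from AD over LDAPS with a lookup account.
    #    rootbinddn makes nss_ldap read the bind password from /etc/ldap.secret
    #    (root-only) instead of a bindpw line in this world-readable file.
    #    Attribute maps assume the RFC2307 (Services for UNIX) schema on AD.
    cat > "${PREFIX}/etc/ldap.conf" <<EOF
uri ldaps://${DC}/
base ${BASE}
ldap_version 3
rootbinddn ${LOOKUP_DN}
ssl on
tls_cacertfile /etc/ssl/certs/ad-ca.pem
tls_checkpeer yes
nss_base_passwd ou=Users,${BASE}?sub
nss_base_group ou=Groups,${BASE}?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember member
EOF
    printf '%s\n' 'LOOKUP-ACCOUNT-PASSWORD-PLACEHOLDER' > "${PREFIX}/etc/ldap.secret"
    chmod 0600 "${PREFIX}/etc/ldap.secret"

    # 3. NSS: local files first, then LDAP. shadow stays local: AD exposes no
    #    password hashes and authentication goes through Kerberos anyway.
    cat > "${PREFIX}/etc/nsswitch.conf" <<EOF
passwd: files ldap
group:  files ldap
shadow: files
EOF

    # 4. PAM (Debian-style): Kerberos first, local accounts as fallback.
    #    minimum_uid keeps root and system accounts on pam_unix only.
    cat > "${PREFIX}/etc/pam.d/common-auth" <<EOF
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so nullok_secure try_first_pass
EOF
    cat > "${PREFIX}/etc/pam.d/common-account" <<EOF
account sufficient  pam_krb5.so minimum_uid=1000
account required    pam_unix.so
EOF
}

# Pre-rollout checks on the LDAP side: the lookup credential must travel only
# over verified TLS and must not sit in a world-readable file. Returns 0 if ok.
check_configs() {
    dir="${1:-$PREFIX}"
    conf="${dir}/etc/ldap.conf"
    secret="${dir}/etc/ldap.secret"
    grep -q '^uri ldaps://' "$conf" || { echo "ldap.conf: uri is not ldaps://" >&2; return 1; }
    grep -q '^tls_checkpeer yes' "$conf" || { echo "ldap.conf: server cert not verified" >&2; return 1; }
    if grep -q '^bindpw' "$conf"; then echo "ldap.conf: bindpw in world-readable file" >&2; return 1; fi
    [ "$(ls -l "$secret" | cut -c1-10)" = "-rw-------" ] || { echo "ldap.secret: must be mode 0600" >&2; return 1; }
    return 0
}

write_configs && check_configs && echo "configs written under ${PREFIX}"
```

Review the generated files under PREFIX, then copy them into /etc on the client and run `kinit user@EXAMPLE.LOCAL` followed by `getent passwd user`: the first exercises only krb5.conf, the second only ldap.conf and nsswitch.conf, so a failure points at one of the three quoted steps rather than at the stack as a whole.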