[Wylug-discuss] Linux authentication against Windows active directory
Nigel Metheringham
nigel.metheringham at dev.intechnology.co.uk
Mon Apr 21 12:25:40 BST 2008
On 21 Apr 2008, at 12:14, John Hodrien wrote:
> On Mon, 21 Apr 2008, Nigel Metheringham wrote:
>
>> However, I have found that doing the first sets of steps WITHOUT
>> joining
>> the AD domain works fine for authentication etc, ie:-
>> - Set Kerberos up to look at the AD servers
>> - Set LDAP up to grab account data from the AD servers
>> - Set PAM to auth against Kerberos, and get account info from LDAP
> Yes, that's what I've done. Does your AD allow anonymous querying, or
> are you using a lookup account in the ldap.conf? Or something else?
I'm using a lookup account - an AD account defined as a Domain Guest.
For these experiments it should be stated that I'm using a brand new
pair of AD 2003 R2 servers working in an example.com subdomain, so it's a
very simple proof of concept test configuration with minimal data
within.
>> At this point, without installing samba, and without joining an AD
>> domain, I can now authenticate quite happily against the AD system.
>
> Yes. It's all down to the way kerberos works. Which is also why
> the fqdn
> needs to be right if you join a domain. If your domain is big, and
> setup in a
> less than ideal way, the performance of out of the box nss_ldap vs
> winbind can
> be quite poor, to the point of being problematic.
As in winbind would be giving better performance. Have you any pointers
as to where I could learn more about this?
[snip]
>> It should be noted that in this particular case, I have no need or
>> desire for the abilities to:-
>> - Change the AD passwords from the linux boxes
> Doesn't that work already with your setup?
It might - it's explicitly something we don't care about at present, so
I haven't tested :-)
Nigel.
--
[ Nigel Metheringham Nigel.Metheringham at InTechnology.com ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
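The three-step setup discussed above (Kerberos for authentication, nss_ldap with a lookup account for account data, PAM tying the two together, no domain join and no Samba) as an added, self-contained example; this is not configuration from the thread or from either poster. The realm EXAMPLE.COM, the controller name dc1.example.com, the lookup DN, the CA certificate path and the staging directory are all assumptions, and the AD side is assumed to carry the Services for UNIX / R2 POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell). The script only writes files into a staging directory for review; nothing touches /etc until you copy it there yourself.

```shell
#!/bin/sh
# Added example: generate krb5.conf, ldap.conf, nsswitch.conf and a PAM stack
# for authenticating a Linux host against AD without joining the domain.
# All host names, the realm and the lookup account below are assumptions.
set -eu
umask 077   # the generated ldap.conf carries the lookup password

REALM="${REALM:-EXAMPLE.COM}"                       # Kerberos realm = AD domain, upper case
DOMAIN="${DOMAIN:-example.com}"                     # DNS name of the AD domain
KDC="${KDC:-dc1.example.com}"                       # a domain controller (hypothetical)
BASE="${BASE:-dc=example,dc=com}"                   # LDAP search base
LOOKUP_DN="${LOOKUP_DN:-cn=ldaplookup,cn=Users,dc=example,dc=com}"  # Domain Guest lookup account
LOOKUP_PW="${LOOKUP_PW:-CHANGE-ME-lookup-password}" # placeholder, never a real password
OUT="${OUT:-./staging}"                             # review here, then copy into /etc

# Step 1: point Kerberos at the AD servers. DNS SRV lookup finds further DCs.
gen_krb5() {
  cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true
[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
    }
[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Step 2: nss_ldap / pam_ldap. AD refuses anonymous queries by default, so a
# low-privilege lookup account binds; TLS keeps its password off the wire.
gen_ldap() {
  cat <<EOF
uri ldap://$KDC/
base $BASE
ldap_version 3
binddn $LOOKUP_DN
bindpw $LOOKUP_PW
scope sub
bind_policy soft
# only expose accounts that actually carry POSIX attributes
nss_base_passwd $BASE?sub?(&(objectClass=user)(uidNumber=*))
nss_base_group  $BASE?sub?(&(objectClass=group)(gidNumber=*))
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=user
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-ca.pem   # hypothetical path to the AD CA cert
EOF
}

# Step 3: PAM authenticates via Kerberos; account data comes from NSS (LDAP).
gen_pam() {
  cat <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_krb5.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
account  required   pam_permit.so
session  required   pam_unix.so
session  optional   pam_krb5.so
session  optional   pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

gen_nsswitch() {
  printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n'
}

# Write everything into the staging directory and report the path.
write_all() {
  mkdir -p "$OUT"
  gen_krb5     > "$OUT/krb5.conf"
  gen_ldap     > "$OUT/ldap.conf"
  gen_pam      > "$OUT/system-auth"
  gen_nsswitch > "$OUT/nsswitch.conf"
  echo "$OUT"
}

# Smoke test once the files are in place: a ticket, then an NSS lookup.
check_auth() {
  user="$1"
  kinit "$user@$REALM" && getent passwd "$user" && id "$user"
}

if [ "${1:-}" = "write" ]; then write_all; fi
```

Two things worth checking after the copy into /etc: ldap.conf holds the lookup account's password, so keep that account a plain Domain Guest with no rights beyond reading the directory and keep the file mode restrictive; and pam_krb5 without a host keytab cannot verify that the KDC which answered is genuine, which is the one security property a domain join (or at least a host principal and keytab) adds on top of this setup.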