[TriLUG] ldap authentication from Active directory or NTDS
Magnus Hedemark
chrish at trilug.org
Thu Jan 15 08:10:15 EST 2004
On Wed, 14 Jan 2004, Turnpike Man wrote:
> Holy crap... interesting.
>
> So how much easier does this make it for *nix clients to authenticate to M$
> ADS, if any??
Extremely.
This gives you a snap-in to MMC that just adds another tab to your user
management window. So you can assign a UID to the user, home directory,
etc. just like any other *NIX system. Use KerberosV for password
authentication (which already works while making NO changes to your
Windows systems and simply running authconfig on a Red Hat Linux system).
You also can assign GIDs to AD groups.
Note that the MS KerberosV implementation is b0rked in that there is no
admin server, so you can't change your password from Linux without some
sort of extra provisions.
With MS SFU installed on your AD server you can use NIS for user metadata
(which has some security risks... a lot less than pure NIS since SFU isn't
publishing password hashes through NIS but it is still exposing a list of
user accounts and group memberships). You can connect to AD via LDAP for
better security but it's quite a bit more work.
SFU comes with an NFS server so you can share Windows home directories to
Linux users via NFS. I'm skipping this option and instead building an AFS
server for security reasons.
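The "just run authconfig" step above boils down to an MIT krb5.conf that points the Linux box at the AD domain controller as its KDC. The script below is an added example (not from the original post or from Red Hat's authconfig) that generates such a file from a DNS domain and a DC hostname and sanity-checks the result; the realm EXAMPLE.COM and the host dc1.example.com are assumed placeholder names. Since there is no MIT kadmind on a DC, the only password-change path it offers is the kpasswd protocol (RFC 3244, port 464), which is what the admin_server/kpasswd_server lines point at.

```shell
#!/bin/sh
# Added example: build an MIT krb5.conf for a Linux client of an AD realm.
# Assumed names: DNS domain example.com -> realm EXAMPLE.COM, DC dc1.example.com.

# gen_krb5_conf DNS_DOMAIN DC_HOST
#   Prints a krb5.conf on stdout. AD realms are the DNS domain in upper case.
gen_krb5_conf() {
    domain=$1
    dc=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # SRV records (_kerberos._tcp.$domain) let clients find other DCs too
    dns_lookup_kdc = true
    ticket_lifetime = 10h
    forwardable = true

[realms]
    $realm = {
        kdc = $dc
        # No MIT kadmind on a DC: only the RFC 3244 kpasswd service (port 464)
        admin_server = $dc
        kpasswd_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# check_krb5_conf FILE
#   Returns 0 if FILE carries the keys a client needs to authenticate
#   against AD, 1 (with a message on stderr) otherwise.
check_krb5_conf() {
    f=$1
    for key in default_realm kdc kpasswd_server; do
        grep -q "^[[:space:]]*$key[[:space:]]*=" "$f" || {
            echo "check_krb5_conf: missing '$key' in $f" >&2
            return 1
        }
    done
    grep -q '^\[domain_realm\]' "$f" || {
        echo "check_krb5_conf: missing [domain_realm] mapping in $f" >&2
        return 1
    }
    return 0
}

# Stand-alone use: ./krb5conf.sh example.com dc1.example.com > /etc/krb5.conf
if [ $# -eq 2 ]; then
    gen_krb5_conf "$1" "$2"
fi
```

After installing the file, `kinit someuser` followed by `klist` should show a krbtgt/EXAMPLE.COM ticket issued by the DC; PAM still has to be told to use pam_krb5, which is what a non-interactive authconfig run (flag names vary by version) does for you. This covers only the authentication half of the post; the NIS or LDAP lookup of UIDs, GIDs and home directories is a separate configuration.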