Other options for Active Directory integration (Full Version)






dpcmiller -> Other options for Active Directory integration (Jun. 30, '05, 11:47:45 AM)

Following up on the previous post, there are at least a couple of other options for using Active Directory authentication for HP-UX and other UNIX / Linux systems.
Centrify has a commercial solution that allows UNIX, Linux and Mac systems to use Active Directory as a central authentication, authorization and policy server. It does not require schema extensions in AD. It also provides authentication modules for Apache, Tomcat, JBoss, etc.
The other option of course is to do this with Open Source and use the latest Samba plus a recent build of Kerberos. The Samba-3 By Example guide has instructions. Also see the online Samba HowTO docs at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member.
This works very well, but you need to make sure Kerberos is set up just right, time is in sync, etc. This approach also does not require schema extensions and instead stores user information locally on each UNIX / Linux system (which means UIDs are not necessarily the same across each system joined to the domain).
I have created some scripts to automate the setup of Samba / Kerberos and the joining to an AD domain. If anyone is interested, drop me an email at .

Doug Miller
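The Samba + Kerberos route above depends on a correct krb5.conf, an smb.conf with security = ads, and clocks within Kerberos' skew tolerance. The script below is an added example of the kind of preflight-and-join automation the post mentions; it is not Doug Miller's script. The realm, workgroup and domain controller names are placeholders, the 300-second limit is the Kerberos default clockskew, and the time check assumes GNU date and Samba's net tool.

```shell
#!/bin/sh
# Added example (not from the thread): generate krb5.conf / smb.conf for an
# ADS domain member, check clock skew against the DC, then join.
# REALM, WORKGROUP and DC are placeholders; override via environment.

REALM="${REALM:-EXAMPLE.COM}"       # assumed Kerberos realm = AD DNS domain, upper case
WORKGROUP="${WORKGROUP:-EXAMPLE}"   # assumed NetBIOS domain name
DC="${DC:-dc1.example.com}"         # assumed domain controller / KDC
MAX_SKEW=300                        # Kerberos default clock skew tolerance (seconds)

# Print a krb5.conf pointing the realm at the DC; DNS SRV lookup finds other KDCs.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    clockskew = $MAX_SKEW

[realms]
    $REALM = {
        kdc = $DC
        admin_server = $DC
    }

[domain_realm]
    .$(printf '%s' "$REALM" | tr 'A-Z' 'a-z') = $REALM
EOF
}

# Print an smb.conf [global] for a Samba-3 ADS member using winbind idmap.
render_smb_conf() {
    cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ads
    encrypt passwords = yes
    password server = $DC
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
EOF
}

# Return 0 when an offset (seconds, may be negative) is within MAX_SKEW.
skew_ok() {
    off=$1
    [ "$off" -lt 0 ] && off=$(( 0 - off ))
    [ "$off" -le "$MAX_SKEW" ]
}

# Compare the local clock with the DC's ("net time -S" prints the DC's time).
check_time() {
    dc_epoch=$(date -d "$(net time -S "$DC")" +%s) 2>/dev/null || return 1
    local_epoch=$(date +%s)
    skew_ok $(( local_epoch - dc_epoch ))
}

# Write the configs and join. Run as root: sh ad-join.sh join
join_domain() {
    render_krb5_conf > /etc/krb5.conf
    render_smb_conf  > /etc/samba/smb.conf
    check_time || { echo "clock skew vs $DC exceeds ${MAX_SKEW}s; fix NTP first" >&2; return 1; }
    kinit "Administrator@$REALM" || return 1   # proves Kerberos works before the join
    net ads join -U Administrator
}

if [ "${1:-}" = "join" ]; then
    join_domain
fi
```

Refusing to join when the skew check fails is deliberate: a join or later ticket request that fails with a clock-skew error is far less obvious to diagnose than a message that names NTP as the problem.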




legerf -> RE: Other options for Active Directory integration (Dec. 13, '05, 12:49:12 AM)

Hi,

When you use a Linux/Unix server with NIS or another Unix directory, you benefit from centralized authentication and ID mapping. With Samba and winbind, which use Kerberos and Active Directory, you lose central ID mapping, because winbind stores a UID/GID <--> SID table in a local file (under /var/cache/samba) without central storage. So if you already have some Linux/Unix servers with consistent ID mapping, you need another solution than Samba and winbind.

Frederic Leger
IT manager




dpcmiller -> RE: Other options for Active Directory integration (Dec. 13, '05, 7:51:06 AM)

Actually it is possible to run Samba with SFU NIS and benefit from central storage of UIDs and GIDs in Active Directory.
Make sure NIS is set up on the UNIX/Linux machine and pointing to the SFU NIS server in AD. Make sure NIS is set up for passwd and group in /etc/nsswitch.conf. Populate the UNIX user attributes in AD. Then start Samba (nmbd/smbd) but do not start winbind. If winbind is not running then Samba will fall back to NSS for UID/GID resolution. This is a fairly easy way to get consistent central UID/GID mapping via AD.

Doug Miller
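Two things are worth verifying once a host is set up the way the reply above describes: that /etc/nsswitch.conf really resolves passwd and group through nis, and that the UID/GID a user gets is the same on every host. The script below is an added example, not from either poster; it checks an nsswitch.conf fed on stdin and compares two getent passwd dumps, one per host. The user names and ID values are constructed sample data that contrast winbind's per-host local idmap with IDs served from AD via NIS.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the
# "SFU NIS in AD, Samba without winbind" setup. All sample data is constructed.

# Read /etc/nsswitch.conf text on stdin; return 0 if both passwd and group
# include the nis source (comment lines are ignored).
nss_uses_nis() {
    grep -v '^#' | awk '
        $1 == "passwd:" { p = ($0 ~ /[ \t]nis([ \t]|$)/) }
        $1 == "group:"  { g = ($0 ~ /[ \t]nis([ \t]|$)/) }
        END { exit (p && g) ? 0 : 1 }'
}

# Compare two "getent passwd" dumps ($1 = host A, $2 = host B). Print every
# user whose UID or GID differs; exit 1 if any do, 0 if mapping is consistent.
compare_ids() {
    awk -F: '
        NR == FNR { id[$1] = $3 ":" $4; next }
        ($1 in id) && id[$1] != $3 ":" $4 {
            print $1 " hostA=" id[$1] " hostB=" $3 ":" $4; bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1" "$2"
}

# Constructed sample: winbind with a local idmap allocates UIDs in the order
# users are first seen, so the same AD users get different UIDs on two hosts.
winbind_hostA='jsmith:*:10000:10000:John Smith:/home/jsmith:/bin/sh
mjones:*:10001:10000:Mary Jones:/home/mjones:/bin/sh'
winbind_hostB='mjones:*:10000:10000:Mary Jones:/home/mjones:/bin/sh
jsmith:*:10001:10000:John Smith:/home/jsmith:/bin/sh'

# Constructed sample: with SFU NIS, uidNumber/gidNumber come from AD, so every
# host sees identical values.
nis_hostA='jsmith:*:5001:5000:John Smith:/home/jsmith:/bin/sh
mjones:*:5002:5000:Mary Jones:/home/mjones:/bin/sh'
nis_hostB="$nis_hostA"

# Run compare_ids on one of the constructed samples ($1 = winbind | nis);
# returns compare_ids' status.
check_sample() {
    t=$(mktemp -d)
    if [ "$1" = winbind ]; then
        printf '%s\n' "$winbind_hostA" > "$t/a"; printf '%s\n' "$winbind_hostB" > "$t/b"
    else
        printf '%s\n' "$nis_hostA" > "$t/a"; printf '%s\n' "$nis_hostB" > "$t/b"
    fi
    compare_ids "$t/a" "$t/b"; rc=$?
    rm -rf "$t"
    return $rc
}

# Show both outcomes when run directly.
if [ "${1:-}" = "demo" ]; then
    echo "winbind local idmap:"; check_sample winbind || echo "  -> inconsistent across hosts"
    echo "NIS served from AD:";  check_sample nis     && echo "  -> consistent across hosts"
    echo "this host's nsswitch.conf:"
    nss_uses_nis < /etc/nsswitch.conf && echo "  -> passwd and group use nis"
fi
```

On real hosts, feed compare_ids the output of getent passwd collected from each machine; any line it prints is a user whose files will show different ownership depending on which host created them, which is exactly the problem the previous reply raised.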







Forum Software © ASPPlayground.NET Advanced Edition 2.5 ANSI
