Other options for Active Directory integration
Other options for Active Directory integration - Jun. 30, '05, 11:47:45 AM
dpcmiller
Posts: 2
Joined: Jun. 28, '05,
Following up on the previous post, there are at least a couple of other options for using Active Directory authentication for HP-UX and other UNIX / Linux systems.
Centrify has a commercial solution that allows UNIX, Linux and Mac systems to use Active Directory as a central authentication, authorization and policy server. It does not require schema extensions in AD. It also provides authentication modules for Apache, Tomcat, JBoss, etc.
The other option, of course, is to do this with Open Source and use the latest Samba plus a recent build of Kerberos. The Samba-3 By Example guide has instructions. Also see the online Samba HOWTO docs at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member.
This works very well but you need to make sure Kerberos is set up just right, time is in sync etc. This approach also does not require schema extensions and instead stores user information locally on each UNIX / Linux system (which means UIDs are not necessarily the same across each system joined to the domain).
I have created some scripts to automate the setup of Samba / Kerberos and the joining to an AD domain. If anyone is interested, drop me an email at .
Doug Miller
_____________________________
Doug Miller
Milltech Consulting Inc.
Tel: 425-246-6499
Fax: 425-484-6218
RE: Other options for Active Directory integration - Dec. 13, '05, 12:49:12 AM
legerf
Posts: 1
Joined: Dec. 13, '05,
Hi,
When you use a Linux/Unix server with NIS or another Unix directory, you benefit from centralized authentication and ID mapping. With Samba and winbind, which use Kerberos and Active Directory, you lose central ID mapping, because winbind stores a UID/GID <--> SID table in a local file (under /var/cache/samba) without central storage. So if you already have some Linux/Unix servers with consistent ID mapping, you need a solution other than Samba and winbind.
Frederic Leger
IT manager
RE: Other options for Active Directory integration - Dec. 13, '05, 7:51:06 AM
dpcmiller
Posts: 2
Joined: Jun. 28, '05,
Actually it is possible to run Samba with SFU NIS and benefit from central storage of UIDs and GIDs in Active Directory.
Make sure NIS is set up on the UNIX/Linux machine and pointing to the SFU NIS server in AD. Make sure NIS is set up for passwd and group in /etc/nsswitch.conf. Populate the UNIX user attributes in AD. Then start Samba (nmbd/smbd) but do not start winbind. If winbind is not running then Samba will fall back to NSS for UID/GID resolution. This is a fairly easy way to get consistent central UID/GID mapping via AD.
Doug Miller
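
The following check is an added example, not code from this thread or from the Samba project: it compares `getent passwd` dumps collected from several domain members to find the UID/GID inconsistencies discussed above, and reads the passwd and group lines of /etc/nsswitch.conf. Host names, accounts and file contents are constructed sample data.

```python
import re
from collections import defaultdict

def parse_passwd(text):
    """Map username -> (uid, gid) from `getent passwd` style lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and NIS compat (+/-) entries without numeric IDs.
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def find_drift(dumps):
    """Users whose (uid, gid) differs between hosts: {user: {host: ids}}."""
    seen = defaultdict(dict)
    for host, text in dumps.items():
        for user, ids in parse_passwd(text).items():
            seen[user][host] = ids
    return {u: h for u, h in seen.items() if len(set(h.values())) > 1}

def find_uid_collisions(dumps):
    """UIDs that belong to different users on different hosts: {uid: names}."""
    owners = defaultdict(set)
    for text in dumps.values():
        for user, (uid, _gid) in parse_passwd(text).items():
            owners[uid].add(user)
    return {uid: sorted(n) for uid, n in owners.items() if len(n) > 1}

def nss_sources(conf_text, database):
    """Ordered lookup sources for one nsswitch.conf database, actions removed."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            rest = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return rest.split()
    return []

# Constructed sample input: two domain members that allocated IDs locally.
DUMPS = {
    "hostA": "alice:x:10000:10000::/home/alice:/bin/sh\nbob:x:10001:10000::/home/bob:/bin/sh\n",
    "hostB": "bob:x:10000:10000::/home/bob:/bin/sh\nalice:x:10001:10000::/home/alice:/bin/sh\n",
}
NSSWITCH = "passwd: files nis\ngroup:  files nis [NOTFOUND=return]\nhosts:  files dns\n"

if __name__ == "__main__":
    for user, hosts in sorted(find_drift(DUMPS).items()):
        print("DRIFT", user, hosts)
    for uid, names in sorted(find_uid_collisions(DUMPS).items()):
        print("COLLISION", uid, names)
    for db in ("passwd", "group"):
        print(db, nss_sources(NSSWITCH, db))
```

An empty result from `find_drift` and `find_uid_collisions` across all hosts is the state the central SFU NIS mapping is meant to produce.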