[wellylug] Active Directory authentication in Linux

David Anso david at anso.net.nz
Wed Nov 20 07:20:28 NZDT 2013


I have a large customer who uses winbind for their A/D integration. I've
seen winbind die and the need for a local account to login and restart it
(on a few occasions). That said you are likely to have this sort of problem
occasionally with any large install base.

Looks like the how to for winbind magic is here:
http://wiki.samba.org/index.php/Samba_%26_Active_Directory

In our office we use the centrify client (the free one) on Mac and Linux
against the latest A/D (built fresh on 2012 servers). It seems to work
quite well.

http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp

Previously we were running the pam-ldap packages against our two Mac
directory servers. This worked, but it felt like you had to really think
out what you wanted to end up with carefully so as to not have to revisit
every machine and reconfigure over and over again.

In fairness I haven't done much of the hands on work with any of the three
but I would be inclined to evaluate them in the order of Centrify, Winbind
and then native Pam-ldap if I did have to do something for myself.

The reason I leave Pam-ldap to last is because A/D is more than just LDAP.
You can potentially enforce more of you A/D policy if you integrate with it
in a way that seems more "Native" to it.


Cheers
David


On Tuesday, November 19, 2013, Neil Ramsay wrote:

> Hi guys,
>
> I am looking at how to integrate Active Directory authentication in Linux.
> Many years ago, I got Linux authenticating against Kerberos/LDAP with
> great success, but it was a very manual process.
>
> Has anyone done Active Directory authentication in Linux at work, and what
> approach did you take?
>
> Cheers,
> Neil
>
>
> --
> Wellington Linux Users Group Mailing List: wellylug at lists.wellylug.org.nz
> To Leave:  http://lists.wellylug.org.nz/mailman/listinfo/wellylug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wellylug.org.nz/pipermail/wellylug/attachments/20131120/e9a978e6/attachment.html>


More information about the wellylug mailing list