On 7 Aug 2008, at 23:04, Andrey Falko wrote:
> ...
> As far as I know, don't take my word for it, in order to use Active
> Directory on a GNU/Linux host, you need to setup LDAP and have it talk
> to AD. Unfortunately I don't know how to do this, perhaps this will
> help: http://www.linux.com/articles/40983 .
Hi there,
I understood Active Directory to be Microsoft's implementation of
LDAP + extensions. Or maybe it's Microsoft's entirely own way of
doing a directory service, with LDAP support bolted on afterwards.
Anyway, yes, Linux hosts should indeed be able to talk LDAP to an AD
server.
On a domain that I manage we authenticate over Samba instead. I can't
entirely recall why I chose this method instead of AD, but I'm pretty
sure there were good reasons for it at the time. Once Samba is
configured to do winbind - it obviously needs to know the name of
the domain server &c - one installs the PAM winbind module and
references it in /etc/pam.d/ for any Linux services one wishes to
authenticate off the Windows server. Samba then, presumably, acts as
a client to the domain server and says "user X, hash(password Y)
wants to log on, is this ok?"; PAM passes the response back to the
service the user is trying to use.
I think winbind alleviates some need to deal with Active Directory. I
really know nothing about AD - all I have to do is log on to the
Windows server (SBS 2003) and add a user to the domain in the Server
Management For Idiots program Microsoft so kindly provides. The user
is able to authenticate on the Linux box immediately after restarting
Samba (and the restart is probably only required because I've fouled
up the caching configuration, or something). I also use pam_mkhomedir
so that when the user logs on to IMAP for the first time ~ is
automagically created; I had to reject Courier-IMAP in favour of
Dovecot in order to be able to do this, as IIRC Courier doesn't use
the PAM type "session", and that's required to make pam_mkhomedir
work (Dovecot doesn't actually need to use this type, but adds an
option to open a PAM session specifically to enable mkhomedir to be
used. This is a requirement of pam_mkhomedir, NOT pam_winbind).
What I have enjoyed about winbind is that it has (so far!) made
adding additional services easy. I needed to run an ftp server (allow
only 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation
plugin could upload the users' vacation messages to their homedirs.
To get the ftp service (net-ftp/vsftpd) to authenticate off the same
credentials was as easy as copying the PAM settings for the already
working IMAP server to /etc/pam.d/ftp (although I see that each is
"sufficient" instead of "required" in this case). I was quite
surprised it worked so easily, quickly and smoothly. Anyway, any user
can sit at their Windows workstation, CTRL-ALT-DEL and change their
password and the IMAP server will now respect their new credentials,
which is the important thing (for me).
Stroller.
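The two PAM details Stroller touches on above (pam_mkhomedir only acting from the "session" stack, and a copied /etc/pam.d/ftp whose auth and account lines are all "sufficient") are the kind of thing worth checking mechanically before trusting a service file. The following is an added example, not code from the thread: a small linter for a PAM service file, run over a constructed sample modelled on the ftp file described in the message and over a tightened version of it. The module names are real Linux-PAM modules (pam_winbind, pam_unix, pam_mkhomedir, pam_deny); the two sample files and the linter's rules are this example's own assumptions about what a reasonable check looks like.

```python
"""Added example (not part of the original email): a minimal linter for
Linux-PAM service files, with two constructed sample files."""
import re

# Constructed sample modelled on the /etc/pam.d/ftp the message describes:
# pam_winbind for auth/account, pam_mkhomedir in the session stack, every
# auth/account line "sufficient".
SAMPLE_FTP = """\
# /etc/pam.d/ftp (constructed sample)
auth     sufficient pam_winbind.so
auth     sufficient pam_unix.so
account  sufficient pam_winbind.so
account  sufficient pam_unix.so
session  required   pam_mkhomedir.so
session  required   pam_winbind.so
"""

# Constructed tightened version: an explicit pam_deny.so closes each stack,
# and pam_mkhomedir gets a private umask for the new home directory.
HARDENED_FTP = """\
auth     sufficient pam_winbind.so
auth     sufficient pam_unix.so
auth     required   pam_deny.so
account  sufficient pam_winbind.so
account  sufficient pam_unix.so
account  required   pam_deny.so
session  required   pam_mkhomedir.so umask=0077
session  required   pam_winbind.so
"""

# type, control (simple keyword or bracketed [success=1 default=ignore] form),
# module path, optional module arguments.
LINE_RE = re.compile(
    r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append((typ, control, module, args.split()))
    return entries


def lint(entries):
    """Return a list of human-readable findings for a parsed service file."""
    findings = []
    by_type = {}
    for typ, control, module, args in entries:
        by_type.setdefault(typ, []).append((control, module, args))

    # 1. pam_mkhomedir does its work from the session stack only (the point
    #    that ruled out Courier-IMAP in the message).
    for typ, stack in by_type.items():
        for _control, module, _args in stack:
            if module == "pam_mkhomedir.so" and typ != "session":
                findings.append(f"{typ}: pam_mkhomedir.so only acts from the session stack")
    if not any(m == "pam_mkhomedir.so" for _c, m, _a in by_type.get("session", [])):
        findings.append("session: no pam_mkhomedir.so, home directories are not created on first login")

    # 2. A stack made only of "sufficient" lines leaves the failure path implicit;
    #    a final "required pam_deny.so" states the verdict explicitly.
    for typ in ("auth", "account"):
        stack = by_type.get(typ, [])
        if stack and all(c == "sufficient" for c, _m, _a in stack):
            findings.append(f"{typ}: every entry is 'sufficient'; end the stack with 'required pam_deny.so'")

    # 3. pam_mkhomedir's default umask is 0022; a mailbox home should be private.
    for _control, module, args in by_type.get("session", []):
        if module == "pam_mkhomedir.so" and not any(a.startswith("umask=") for a in args):
            findings.append("session: pam_mkhomedir.so without umask=, new home directories use the default 0022")
    return findings


if __name__ == "__main__":
    for name, text in (("sample ftp", SAMPLE_FTP), ("hardened ftp", HARDENED_FTP)):
        print(f"== {name} ==")
        for f in lint(parse_pam(text)) or ["no findings"]:
            print("  " + f)
```

Run as a script it prints three findings for the first sample and none for the second; to check a real file, replace the embedded text with the contents of a file under /etc/pam.d/. The linter deliberately stays at the level of the control keywords and module names, which is enough to catch the copy-and-paste drift the message mentions, and does not try to evaluate full bracketed control actions.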