On Tue, 2005-06-21 at 16:23 +0300, Ira Abramov wrote:

> I wondered once or twice if people united their Linux machine to
> authenticate against an existing Active Directory. Today I had the
> chance to do it for a client. First we tried the old-fashioned way:
> install SFU (Services for Unix) on the 2000/2003 machine, and bind to
> it with LDAP. This proved to be a trial-and-error process; sadly enough,
> most of the time we could not even see the logs indicate that PAM was
> logging into the LDAP.

For the sake of common sense, by any means try to avoid using SFU. It opens up some very nasty black holes in AD, sucking up any security you may have already implemented in AD. A much cleaner way is to use only the SFU schema extensions without having AD play NIS-wannabe.

BTW, for W2K3 you would probably need to enable simple binds on the DCs (disable the LDAP signing requirement on the DCs). Also, for pam_ldap to work without a proxy account, you need to enable anonymous LDAP queries on the W2K3 DCs (off by default):
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
and grant read permission to the sAMAccountName, userPrincipalName and distinguishedName AD attributes of user objects (needed for username<=>userDN resolution).

> We quickly ditched it for winbind, a daemon bundled with Samba. The Red
> Hat RHEL workstation (and apparently Fedoras since at least RH9) come
> with a script called authconfig that takes care of editing your
> smb.conf, your nsswitch.conf and PAM's system-auth files, and helps you
> join the domain almost automatically (needs Kerberos). It was a bit
> confusing to discover one can authenticate only some 50-60 seconds after
> winbindd fires up, but we did manage to get to the AD and authenticate
> users.

The threshold depends on the number of user/computer objects in the AD. Winbind is quite stupid and tries to enumerate ALL the computer/user objects in AD and generate a uid/gid for them. I have seen it segfault after 20-30 mins (!) in some large (>50K user account) environments. Definitely think twice and test, test, test if you are going to implement it in an environment that counts the user accounts by thousands (or has very low-end DCs).

> At last we could not log in with them though, since winbindd kept
> complaining about not being able to translate the users' SIDs to the
> local UIDs, but that too was solved with a reboot (Tomer Perry suggested
> it was a restart of nscd that released that final hurdle; I did not go
> back to figure it out for sure).

You should NOT run nscd on systems running winbind:
http://info.ccone.at/INFO/Samba/winbind.html#id2952021
Running nscd collides with winbind, which is already doing caching.
> I hope this helps people out there, enjoy :)
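As an added example (not part of the original mail or of Samba), here is a small Python check for the winbind/nscd collision described above. It parses the nsswitch.conf and nscd.conf formats, reports which NSS databases are both served by winbind and cached by a running nscd, and also flags passwd/group lines that authconfig would have been expected to point at winbind. Looking at per-database caching in nscd.conf is a generalisation of the mail's advice (which is simply "do not run nscd"); the sample configuration files are constructed for the example.

```python
"""Audit a Linux host's NSS setup for the winbind/nscd caching conflict.

Constructed sample files stand in for /etc/nsswitch.conf and /etc/nscd.conf.
"""

# Constructed sample: what authconfig-style winbind setup looks like in nsswitch.conf
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files winbind
shadow:     files
group:      files winbind   # winbind supplies domain groups
hosts:      files dns
"""

# Constructed sample: a stock nscd.conf that caches passwd and group
SAMPLE_NSCD = """\
# /etc/nscd.conf (constructed sample)
    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    enable-cache            group           yes
    enable-cache            hosts           yes
"""


def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf content."""
    databases = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def parse_nscd_caches(text):
    """Return the set of databases nscd caches ('enable-cache <db> yes')."""
    enabled = set()
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) == 3 and parts[0] == "enable-cache" and parts[2].lower() == "yes":
            enabled.add(parts[1])
    return enabled


def winbind_nscd_conflicts(nsswitch_text, nscd_text, nscd_running=True):
    """Databases served by winbind that nscd would cache on top of winbind's own cache.

    Returns a sorted list; empty when nscd is not running at all.
    """
    if not nscd_running:
        return []
    databases = parse_nsswitch(nsswitch_text)
    cached = parse_nscd_caches(nscd_text)
    return sorted(db for db, sources in databases.items()
                  if "winbind" in sources and db in cached)


def missing_winbind_sources(nsswitch_text):
    """passwd/group databases that do not list winbind (domain users would not resolve)."""
    databases = parse_nsswitch(nsswitch_text)
    return sorted(db for db in ("passwd", "group")
                  if "winbind" not in databases.get(db, []))


if __name__ == "__main__":
    for db in winbind_nscd_conflicts(SAMPLE_NSSWITCH, SAMPLE_NSCD):
        print(f"WARNING: nscd caches '{db}', which winbind already caches; stop nscd")
    for db in missing_winbind_sources(SAMPLE_NSSWITCH):
        print(f"WARNING: '{db}' does not use winbind; domain accounts will not resolve")
```

On a real host you would feed the functions the contents of the two files and the result of checking whether nscd is running; with the constructed samples the script warns about both passwd and group being double-cached.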