Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 16, 2008 0:48 UTC (Sun) by jgg (guest, #55211)
Parent article: Authenticate Linux Clients with Active Directory (Technet)

Having actually gone through this recently to set up Linux clients against an Active Directory server and tried all the options, I can say the article is basically right that winbind is the best answer - that said, I don't use it yet at my shop because it has been too buggy in the 3.2 series. Winbind has at least 4 key improvements against ldap or ldap+kerb:
1) It is caching and uses AD caching hints to speed it up. 3.2 can even do off-line caching like windows for roaming users (!!!)
2) It mutually authenticates and encrypts all LDAP communication with kerberos without extra setup (MS's choices make it so that if you don't do this there is a raft of annoying configuration you have to do on the AD server)
3) It can detect and fail over (and back) to multiple AD servers
4) Password expiry, and forced change prior to logon works

Using Linux with an AD server is dead easy once you figure it out and provides real benefits to the Linux environment. If you have AD servers and are not using them as Kerberos servers with Linux you're really missing out...

The main sore point on the Linux side is that if you have Windows machines there is no free replacement for AD that is compatible with Windows clients and you pretty much have to have Windows Server to get the Windows clients working sanely. Samba 4 is the hope to fix this, but it seems far away still.

Unfortunately the Samba documentation is way out of date on how to do all this. Even if you don't want to use winbind, using the 'net ads join|keytab' commands to manage the Kerberos keys from ADS makes the client-side pure Kerberos setup dead easy. Modern MIT Kerberos even automatically uses SRV records and the like, so configuration boils down to just setting the default realm.

Even the old problems with MS's Kerberos extensions seem completely put to rest these days. The Kerberos libraries are now completely compatible by default and the Samba team has cracked the PAC and so on.

In the end the actual steps are pretty simple to get Kerberized ssh, apache, exim, dovecot and samba that fully interoperate for single sign-on with Windows clients and Linux clients. But it was a total bitch to figure out due to the lack of up-to-date docs :( Particularly on the multi-homed SPN side...


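As an added example (not from the thread and not Samba's own code), here are the client-side pieces jgg describes: the minimal MIT Kerberos config that leaves KDC discovery to AD's SRV records, the Samba stanza that `net ads join` and `net ads keytab` need, and a check that the resulting keytab carries every SPN a multi-homed host answers to. The realm, host names and `klist -k` listing are constructed.

```shell
#!/bin/sh
# Added example, not from the LWN thread or Samba. Realm, hosts and
# the keytab listing below are constructed values.
REALM="EXAMPLE.COM"      # constructed AD realm, upper case
WORKGROUP="EXAMPLE"      # constructed NetBIOS domain name

# Minimal krb5.conf: with dns_lookup_kdc the library locates KDCs via the
# _kerberos._tcp.<realm> SRV records AD publishes, so only the realm is stated.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
EOF
}

# smb.conf settings needed before 'net ads join -U <admin>' and
# 'net ads keytab create', which populate /etc/krb5.keytab for winbind,
# sshd, Apache and the other Kerberized services to share.
write_smb_conf() {
    cat > "$1" <<EOF
[global]
    security = ads
    realm = $REALM
    workgroup = $WORKGROUP
    winbind use default domain = yes
EOF
}

# Print the required SPNs absent from a 'klist -k' listing ($1 = file with
# that output; remaining args = SPNs without the realm). A missing SPN is
# the multi-homed trap jgg mentions: tickets for that service name fail.
missing_spns() {
    listing="$1"; shift
    for spn in "$@"; do
        awk -v p="$spn@$REALM" '$2 == p { f = 1 } END { exit !f }' "$listing" \
            || echo "$spn"
    done
}

# Constructed 'klist -k' output for fs1, which also serves mail.example.com
LISTING=$(mktemp)
cat > "$LISTING" <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   3 host/fs1.example.com@EXAMPLE.COM
   3 HTTP/fs1.example.com@EXAMPLE.COM
EOF
missing_spns "$LISTING" host/fs1.example.com imap/mail.example.com
```

Run the check after `net ads keytab create` and again after adding a DNS alias; every name a service is reached by needs its own principal in the keytab.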

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 17, 2008 17:11 UTC (Mon) by jeleinweber (subscriber, #8326)

The caching point is important; straight LDAP is too heavyweight for the volume of getgrent() and friends calls typical Unix applications make. The classic caching solution for the non-winbind folks using straight LDAP is to run "nscd".

Authenticate Linux Clients with Active Directory (Technet)

Posted Nov 20, 2008 4:42 UTC (Thu) by jra@samba.org (guest, #35394)

Sorry you've found the 3.2.x series buggy, we are aware of a couple of issues that we've fixed in the next 3.2.x release (due out very soon). Please give it a try and give us any feedback on any bugs you find. There are many improvements in winbindd in the 3.2.x series, so long as you find it stable enough for you.

Jeremy.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds