| 1 |
On 7 Aug 2008, at 23:04, Andrey Falko wrote: |
| 2 |
> ... |
| 3 |
> As far as I know, don't take my word for it, in order to use Active |
| 4 |
> Directory on a GNU/Linux host, you need to setup LDAP and have it talk |
| 5 |
> to AD. Unfortunately I don't know how to do this, perhaps this will |
| 6 |
> help: http://www.linux.com/articles/40983 . |
| 7 |
|
| 8 |
Hi there, |
| 9 |
|
| 10 |
I understood Active Directory to be Microsoft's implementation of |
| 11 |
LDAP + extensions. Or maybe it's a Microsoft's entirely own way of |
| 12 |
doing a directory service, with LDAP support bolted on afterwards. |
| 13 |
Anyway, yes, Linux hosts should indeed be able to talk LDAP to an AD |
| 14 |
server. |
| 15 |
|
| 16 |
On a domain that I manage we authenticate over Samba instead. I can't |
| 17 |
entirely recall why I chose this method instead of AD, but I'm pretty |
| 18 |
sure there were good reasons for it at the time. Once Samba is |
| 19 |
configured to to do winbind - it obviously needs to know the name of |
| 20 |
the domain server &c - one installs the PAM winbind module and |
| 21 |
references it in /etc/pam.d/ for any Linux services one wishes to |
| 22 |
authenticate off the Windows server. Samba then, presumably, acts as |
| 23 |
a client to the domain server and says "user X, hash(password Y) |
| 24 |
wants to log on, is this ok?"; PAM passes the response back to the |
| 25 |
service the user is trying to use. |
| 26 |
|
| 27 |
I think winbind alleviates some need to deal with Active Directory. I |
| 28 |
really know nothing about AD - all I have to do is log on to the |
| 29 |
Windows server (SBS 2003) and add a user to the domain in the Server |
| 30 |
Management For Idiots program Microsoft so kindly provides. The user |
| 31 |
is able to authenticate on the Linux box immediately after restarting |
| 32 |
Samba (and the restart is probably only required because I've fouled- |
| 33 |
up the caching configuration, or something). I also use pam_mkhomedir |
| 34 |
so that when the user logs on to IMAP for the first time ~ is |
| 35 |
automagically created; I had to reject Courier-IMAP in favour of |
| 36 |
Dovecot in order to be able to do this, as IIRC Courier doesn't use |
| 37 |
the PAM type "session", and that's required to make pam_mkhomedir |
| 38 |
work (Dovecot doesn't actually need to use this type, but adds an |
| 39 |
option to open a PAM session specifically to enable mkhomedir to be |
| 40 |
used. This is a requirement of pam_mkhomedir, NOT pam_winbind). |
| 41 |
|
| 42 |
What I have enjoyed about winbind is that it has (so far!) made |
| 43 |
adding additional services easy. I needed to run an ftp server (allow |
| 44 |
only 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation |
| 45 |
plugin could upload the users' vacation messages to their homedirs. |
| 46 |
To get the ftp service (net-ftp/vsftpd) to authenticate off the same |
| 47 |
credentials was as easy as copying the PAM settings for the already- |
| 48 |
working IMAP server to /etc/pam.d/ftp (although I see that each is |
| 49 |
"sufficient" instead of "required" in this case). I was quite |
| 50 |
surprised it worked so easily, quickly and smoothly. Anyway, any user |
| 51 |
can sit at their Windows workstation, CTRL-ALT-DEL and change their |
| 52 |
password and the IMAP server will now respect their new credentials, |
| 53 |
which is the important thing (for me). |
| 54 |
|
| 55 |
Stroller. |
Archives