We use the sssd daemon to negotiate LDAP and Kerberos with Active Directory. This is nice because it plugs into PAM very easily and also caches group membership and user attributes as with nscd.
We also have Samba with ADS security so the FreeBSD and Linux file servers can publish shares to MS Windows clients. The servers themselves do not mount CIFS shares; everything they need is available via an NFS mount. (Which also uses AD users.)

The biggest caveat is the way Active Directory deals with Unix account information. In our case the AD service has been upgraded through at least three different versions of Unix attribute mapping. The latest, in Win2k8, is the most sensible and I think I've finally converted everything to use those attributes. The AD tools still do not manage those attributes correctly so we create all the users with a Perl script on one of the Linux hosts.

On Mon, Nov 25, 2013 at 4:19 PM, Peter Loron <[email protected]> wrote:
> Hola. At $WORK we have an Active Directory domain that we would like to use
> for authentication and authorization for some Linux boxes (primarily CentOS
> 6.4). We don't need anything fancy as far as pushing out group policy, etc.
> Just logins and groups.
>
> I've done a bit with using LDAP + Kerberos, but am wondering about going
> further and using winbind to actually join the machines to the domain. Also,
> there are some commercial products (some have free versions) which play in
> this space.
>
> My experience with winbind from several years ago was that it was flaky and
> temperamental...possibly changed now?
>
> Does anybody have experiences to share here?
>
> Thanks!
>
> -Pete
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
