On Sun, Mar 19, 2006 at 10:42:53AM +0400, Bruno Carnazzi wrote:
> Hi misc,
>
> At work, we are running a Microsoft Active Directory for our Windows
> Domain, which mainly provides Windows Desktops for our customers and
> centralized authentication. We also have several OpenBSD & Linux boxes
> for some DNS, SFTP, Squid, CVS and also several Web-apps. We'd like to
> centralize this Unix authentication... Is there a way to authenticate
> directly over a MS Domain Controller? How can this be achieved
> (Kerberos, LDAP..?)? Also, is it a good idea? :) What are the
> alternatives (building an OpenLDAP server, Kerberos, (we don't want
> NIS!))?
MS AD provides MIT-ish KDC support, or so I hear. I've never used it from the UNIX side, but I do know that Windows clients will willingly talk to a UNIX KDC, and I'm told the reverse is true. Authenticating Windows clients from OpenBSD Heimdal works just lovely.

Microsoft does provide a Services for UNIX package, but it used NIS the last time I looked at it.

Your problems will most likely occur when mapping possibly long principal names on Windows to the UNIX side, or getting the data from LDAP and populating (either using scripts or an nss_ldap module) the user accounts on the client side. If you have simple account names on Windows, it's fairly straightforward to use PAM or login to authenticate the password. Google will find you many resources on setting this up.

-- adam
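The client-side Kerberos configuration for the setup adam describes (an OpenBSD Heimdal client using the AD domain controllers as its KDCs), as an added example that is not from the original thread; the realm EXAMPLE.COM and the dc1/dc2 host names are placeholders, and the file path is the one OpenBSD's Heimdal read at the time:

```ini
# /etc/kerberosV/krb5.conf on the OpenBSD box (Heimdal client).
# Added example; realm and host names are constructed placeholders.
[libdefaults]
    # Principals without an explicit realm are looked up in the AD realm.
    default_realm = EXAMPLE.COM
    # AD rejects tickets whose timestamps drift too far; keep the box NTP-synced.
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        # The Windows domain controllers are the KDCs.
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    # Map DNS domain and hosts to the realm (Kerberos realm names are upper-case).
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this in place, OpenBSD's login(1) can be pointed at the KDC by setting the `auth-defaults` class in /etc/login.conf to `auth=krb5-or-pwd,passwd,skey`, which tries the AD password first and falls back to the local one; the local account (uid, home, shell) must still exist on the box, which is the LDAP-population step adam mentions.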

