I have some experience with this stuff, so I'll throw in my comments:

a) Samba+WINBIND: Definitely works.  HOWEVER, for transparent
authentication the application must support NTLM. If the application
doesn't support NTLM you'll get authentication requests.

b) LDAP: Linux can most definitely authenticate with ActiveDirectory
using standard LDAP queries. Just keep in mind there are (seemingly)
10,000,000 different ways of authenticating with LDAP. Some of the
variations I've seen:
 * read the user's plain-text password directly from LDAP
 * read the user's MD5 or SHA1 hashed password directly from LDAP and
compare that with an MD5/SHA1 hash generated from the password the user
entered
 * Authenticate to the LDAP server using some pre-defined credentials,
search the directory to ensure the user exists, grab the DN, then
re-authenticate using the previously-found DN and the provided password
 * Assume the user's DN matches a certain template (i.e.
cn=$username,cn=users,dc=domain,dc=local) and use the provided password;
if authentication succeeds then the user provided good credentials

For the first 2 I have to say "what the h-e-double-hockey sticks were
they thinking when they came up with that".

The last 2 are the ones that will work with AD.

The only Microsoft-specific extensions I've run into are for changing
the user's password.

c) Kerberos: Linux can most definitely authenticate with AD via
Kerberos. To my knowledge no special setup is required; IME it is truly
and honestly no different than authenticating against any other vendor's
KDC.

d) NIS/YP: Most definitely works. I've done it with SFU on Windows 2000
DCs. SFU has been integrated into Windows Server 2003 R2 and Windows
Server 2008; you just need to make sure you add the appropriate components.

Ben Scott wrote:
>   This is definitely possible, in the general case.
> 
>   There are two approaches to this kind of thing, get Linux to speak
> Microsoft protocol to the Windows box, or get the Windows box to speak
> Unix protocol to the Linux box.  Either one can work.
> 
>   Linux can act as an Active Directory domain member using Samba and
> "winbind".  This can give you full user account information, including
> groups, password authentication, etc.  I've done this; it works pretty
> good.  Advantages: No need to learn about Unix protocols.
> Disadvantages: Integration may not be as "smooth", as the Windows
> network protocols aren't designed to support Unix concepts.
> 
>   Linux can speak Kerberos and LDAP, two protocols which Active
> Directory is built on.  I've successfully queried AD using LDAP from
> Linux to get information like names, email addresses, and groups.
> I've never tried to do password authentication with this.  Advantages:
> LDAP can store just about anything you want, including Unix account
> info.  Disadvantages: I remember reading that Microsoft used some
> proprietary extensions to Kerb/LDAP to implement password
> authentication, which the standard stuff on Linux might not support.
> 
>   Windows can supposedly speak Unix protocols (like NFS and NIS/YP) to
> Linux.  Never tried this.  Advantages: Unix software thinks it's
> talking to a Windows box, which might yield smoother integration.
> Disadvantages: You have to figure out all that stuff.
> 
>   Some of this stuff might need Windows Services For Unix (SFU), or
> whatever they're calling it now, but that's supposed to be a "free"
> add-on.
> 
> -- Ben
> 
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~


-- 

Phil Brutsche
[EMAIL PROTECTED]
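The third LDAP variant from Phil's list (bind as a service account, search for the user's DN, rebind as the user) together with the DN template from the fourth, written out as an added example that is not code from either poster. The username is escaped before it goes into a filter (RFC 4515) or a DN (RFC 4514), and an empty password is rejected up front because a simple bind with a DN and empty password is an anonymous bind that the server reports as successful. InMemoryDirectory, the DN/base values and the account data are constructed stand-ins so the code runs offline; against a real server the same two calls map onto the client library's bind and search operations.

```python
import re
from typing import Optional

def escape_filter(value: str) -> str:
    """RFC 4515: escape characters that would alter a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value placed inside a DN."""
    out = []
    for i, c in enumerate(value):
        lead = i == 0 and c in " #"                 # leading space or '#'
        trail = i == len(value) - 1 and c == " "    # trailing space
        out.append("\\" + c if c in ',+"\\<>;' or lead or trail else c)
    return "".join(out)

def template_dn(username: str) -> str:
    """Variant 4: assume the user's DN follows a fixed template."""
    return "cn=%s,cn=users,dc=domain,dc=local" % escape_dn_value(username)

def authenticate(d, svc_dn: str, svc_pw: str, base: str,
                 username: str, password: str) -> Optional[str]:
    """Variant 3: service bind, search for the user's DN, rebind as the user.
    d is any object exposing bind(dn, pw) -> bool and search(base, filt) -> [dn]."""
    if not password:  # DN + empty password = anonymous bind, which "succeeds"
        return None
    if not d.bind(svc_dn, svc_pw):
        raise RuntimeError("service account bind failed")
    hits = d.search(base, "(sAMAccountName=%s)" % escape_filter(username))
    if len(hits) != 1:  # no match or an ambiguous match are both failures
        return None
    return hits[0] if d.bind(hits[0], password) else None

class InMemoryDirectory:
    """Constructed stand-in for an LDAP server; supports only (attr=value) filters."""
    def __init__(self, entries: dict):
        self.entries = entries  # dn -> {"sAMAccountName": ..., "password": ...}

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn)
        return e is not None and e["password"] == password

    def search(self, base: str, filt: str) -> list:
        attr, _, raw = filt.strip("()").partition("=")
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and e.get(attr) == value]
```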
