Phil,
On 5/18/06, phil walker <[EMAIL PROTECTED]> wrote:
Has anyone configured their RHEL 4.0 system to authenticate against their Active Directory, to hopefully overcome the administration cost of maintaining both Linux and Windows security?
Similar response to John. We are currently on RHEL2.1 and still use the pam smb module to validate against the AD server. This works well for simple stuff but pamsmb is now deprecated in favour of winbind.
a) telnet or ssh connectivity
It just works. Users that don't exist on the AD controller still need a local password in /etc/shadow.
b) samba connectivity
No problems - this has it built-in anyway which is where the original pamsmb came from.
c) UniObjects connectivity
Unless you can do as John suggested and get winbind working without PAM, you will need to maintain these users locally (assuming this works at all).
One idea I had but never followed up was using the password chat function in Samba. As part of the user's Windows login script, their PC would map a Samba drive. Samba on the Linux server would use the Samba password chat function to set their Linux password to the password sent through to Samba when the drive was mapped. The login script would then unmap the drive. This means their Linux password would be synched to the Windows one whenever they logged into the PC. Nice idea in theory but I've not tried to make it work.
Personally I think IBM claiming that UD is ported to RHEL or Linux generally and not supporting PAM is a bit suspect.
d) NFS or anything else...
The only other issue I can think of is handling different Windows domains. If a user that belongs to a different Windows domain wants to log into your Linux server, the authentication service has to know about the other domain. Pamsmb doesn't do this AFAIK, no idea about winbind.
I am currently planning our RHEL4 upgrade and have yet to decide the final way we would do it. I was pretty much thinking winbind would be the answer but our Linux support people (Datacom Auckland) are suggesting an openLDAP based approach.
HTH
Adrian
Auckland, NZ
