SCIENTIFIC-LINUX-USERS Archives

July 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Wed, 18 Jul 2007 14:52:15 -0500

My Linux machines authenticate against our AD.  So, it is definitely 
possible.  There's nothing special.  You just need to set up your 
krb5.conf file with the relevant bits of info that are unique to your AD.

However, Kerberos handles only authentication -- the username/password 
pair.  The second half of a login loads what is conventionally called 
authorization.  In Unix terms, this refers to the uid/gid pair, the home 
directory, the shell, group memberships, etc.  Unfortunately, the guys 
who run our Windows AD are not willing to provide support for this. In 
short, they are unwilling to install Microsoft's Services for Unix 
package into the AD; basically, the necessary LDAP schema on their 
domain controllers.  In this case, you will need to use either the /etc/ 
files, NIS, or your own LDAP server to provide the authorization 
information.  Bottom line is that you need to check with your AD folks 
if they will carry this information for you.



Michael H. Semcheski wrote:
> Hello,
> 
> My University uses Active Directory.  I use Linux.
> 
> I would like my SL server to use the active directory to determine
> which usernames are valid for things like logins.
> 
> I'm already using the University's Kerberos infrastructure to verify
> passwords, but I have to make sure the user names are in /etc/passwd.
> I'd like to not have to add the users to /etc/passwd.
> 
> It would be even better if I could get group information from Active
> Directory, but I can probably live without it.
> 
> Anyone know if this is possible?  Know what needs to go into the
> setup, or know of a good howto?
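
The split described in the reply above (krb5.conf covers authentication, while the uid/gid, home directory and groups come from whatever nsswitch.conf points at), as an added example that is not part of the original thread. The function names, the EXAMPLE.EDU realm, the dc1.example.edu host and the sample file contents are constructed placeholders; an `ldap` source additionally assumes an NSS LDAP module is installed.

```shell
#!/bin/sh
# Added example. Realm, host and file contents are constructed placeholders.

# Sources configured for one NSS database (passwd, group, ...), with comments
# and [STATUS=action] items removed. This is the authorization/identity half.
nss_sources() {
    awk -v key="$1:" '
        { sub(/#.*/, "") }
        $1 == key {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out; exit
        }' "${2:-/etc/nsswitch.conf}"
}

# default_realm from [libdefaults] in krb5.conf. This is the authentication half.
krb5_default_realm() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "${1:-/etc/krb5.conf}"
}

# True when passwd resolves from local files only, i.e. every user who can
# authenticate via Kerberos must still have an /etc/passwd entry.
needs_local_passwd() {
    [ "$(nss_sources passwd "$1")" = "files" ]
}

# Constructed sample files so the script runs offline.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.EDU' \
    '[realms]' ' EXAMPLE.EDU = {' '  kdc = dc1.example.edu' ' }' > "$tmp/krb5.conf"
printf '%s\n' '# local accounts only' 'passwd: files' 'group:  files' > "$tmp/nss_files"
printf '%s\n' 'passwd: files ldap  # own LDAP server' \
    'group:  files [NOTFOUND=continue] ldap' > "$tmp/nss_ldap"

for f in "$tmp/nss_files" "$tmp/nss_ldap"; do
    printf 'realm=%s passwd=[%s] group=[%s] ' "$(krb5_default_realm "$tmp/krb5.conf")" \
        "$(nss_sources passwd "$f")" "$(nss_sources group "$f")"
    if needs_local_passwd "$f"; then echo '-> add users to /etc/passwd'
    else echo '-> identities come from a directory'; fi
done
```

Called without a file argument, `nss_sources passwd` and `krb5_default_realm` read the live /etc/nsswitch.conf and /etc/krb5.conf.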
