My Linux machines authenticate against our AD. So, it is definitely
possible. There's nothing special. You just need to set up your
krb5.conf file with the relevant bits of info that are unique to your AD.
However, Kerberos handles only authentication -- the username/password
pair. The second half of a login loads what is conventionally called
authorization. In Unix terms, this refers to the uid/gid pair, the home
directory, the shell, group memberships, etc. Unfortunately, the guys
who run our Windows AD are not willing to provide support for this. In
short, they are unwilling to install Microsoft's Services for Unix
package into the AD; basically, the necessary LDAP schema on their
domain controllers. In this case, you will need to use either the /etc/
files, NIS, or your own LDAP server to provide the authorization
information. Bottom line is that you need to check with your AD folks
if they will carry this information for you.

Michael H. Semcheski wrote:
> Hello,
>
> My University uses Active Directory. I use Linux.
>
> I would like my SL server to use the active directory to determine
> which usernames are valid for things like logins.
>
> I'm already using the University's Kerberos infrastructure to verify
> passwords, but I have to make sure the user names are in /etc/passwd.
> I'd like to not have to add the users to /etc/passwd.
>
> It would be even better if I could get group information from Active
> Directory, but I can probably live without it.
>
> Anyone know if this is possible? Know what needs to go into the
> setup, or know of a good howto?
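
The split described in the reply above (Kerberos answers "is the password right?", NSS answers "what uid/gid, home, shell and groups does this name have?") can be checked from a shell. This is an added example, not part of the original messages; the function names, the sample nsswitch.conf line and the user jdoe are constructed for illustration.

```shell
#!/bin/sh
# nss_sources FILE DB: print the lookup sources configured for DB
# (e.g. "passwd") in an nsswitch.conf-format FILE, without comments
# or [STATUS=action] items.
nss_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, "") }
        $1 == db {
            for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i
            print ""
            exit
        }' "$1"
}

# describe_account: read one passwd-format entry on stdin and print the
# account data a login needs; exit 1 if the entry is missing or malformed.
describe_account() {
    awk -F: '
        BEGIN { rc = 1 }
        NR == 1 && NF >= 7 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $6 != "" {
            printf "user=%s uid=%s gid=%s home=%s shell=%s\n", $1, $3, $4, $6, $7
            rc = 0
        }
        END { exit rc }'
}

# login_ready USER: ask NSS (files, NIS, LDAP, ... whatever is configured)
# for USER. A failure here means Kerberos could verify the password but
# the login would still have no uid/gid, home directory or shell.
login_ready() {
    if getent passwd "$1" | describe_account; then
        echo "groups: $(id -Gn "$1" 2>/dev/null)"
    else
        echo "no account entry for $1 in any NSS source" >&2
        return 1
    fi
}

# Demo on constructed input (not taken from the thread).
sample=$(mktemp)
printf '%s\n' 'passwd: files [NOTFOUND=continue] ldap  # constructed' > "$sample"
echo "passwd sources: $(nss_sources "$sample" passwd)"
echo 'jdoe:x:12345:500:J Doe:/home/jdoe:/bin/bash' | describe_account
rm -f "$sample"
```

On a real host, `nss_sources /etc/nsswitch.conf passwd` shows which back ends supply account data, and `login_ready USER` shows whether a user who can authenticate also resolves to an account.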