[ale] Authentication solution for Linux/Windoze environment

James P. Kinney III jkinney at localnetsolutions.com
Wed Jan 3 23:42:44 EST 2007


On Wed, 2007-01-03 at 13:50 -0500, Greg Freemyer wrote:

> James,
> 
> I'm not real current on my Samba knowledge but from what I've read:
> 
> Samba 3 can act as a NT4 PDC, but it has not implemented Win2K/Win2003
> AD Server functionality.  IIRC Samba 4 will do that eventually.  I
> have not worked with AD so I don't know if that is a big loss or not,
> but it certainly seems worth mentioning.

Keep in mind that for the most part AD is just NT4 PDC with a M$ mutated
ldap for mangling logins with. What Samba v.3.x can't do is DC
replication. I saw something about M$ using an unlabeled part of
Kerberos protocols that was holding up figuring out how it is used.
> 
> OTOH, both PAM and Samba 3 can use a Win2K/Win2003 AD server to
> authenticate against via winbind.
> 
> A quick google found this article about doing that:
> http://www.enterprisenetworkingplanet.com/netos/article.php/3502441
> 
> So they can also use Windows AD as the main authentication source and
> PAM/Winbind to authenticate the Linux users based on the AD setup.
> 
> And if they are using Samba to share Linux drives to the windows
> boxes, they can configure it to use Winbind for authentication as
> well.
> 
> As to Pros and Cons of the two approaches, I don't know.

Any working solution that lowers the M$ box count is good :)

It works quite well to use the Linux system as the main monster machine.
Use Samba for windows systems to have file and printer sharing, use an
LDAP directory that samba authenticates against and the Linux can use it
as well. Roaming profiles in samba work just fine along with
auto-exported home directories. In fact, this makes having a mess of
windows machines far easier to support. The files on the Linux server
can be used for automatic infection and they are easily cleaned using a
Linux-based AV tool (I like F-Prot and ClamAV). Add IMAP email and a bit
of user training and the office can now upgrade a machine with no data
loss in about 30 minutes by just adding it to the domain and having the
user login. 

For the past several years the biggest "improvements" in AD have been to
make it even harder to abandon for anything else (i.e. vendor lock-in on
authentication).
> 
> Greg
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions, LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
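As an added illustration (not from either poster), here is a Samba 3 smb.conf sketch of the setup James describes: the Linux box acting as the NT4-style PDC with an ldapsam backend, roaming profiles and auto-exported home directories. The domain name, LDAP host, DNs, paths and the use of smbldap-tools are all assumptions.

```ini
[global]
   workgroup = EXAMPLE
   netbios name = MONSTER
   security = user
   # Act as the NT4-style domain controller for the Windows boxes
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   # Authenticate against the LDAP directory (hostname and DNs are assumed)
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,dc=example,dc=com
   # The bind password is not kept in this file: set it with `smbpasswd -w`
   # Protect binds on the wire and keep the POSIX and NT password hashes in step
   ldap ssl = start tls
   ldap passwd sync = yes
   # Create machine accounts on domain join (smbldap-tools assumed to be installed)
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

   # Roaming profiles and an auto-mapped home drive for every user
   logon path = \\%L\profiles\%U
   logon home = \\%L\%U
   logon drive = H:

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   # Only the share's owner may open it; new files are created private
   valid users = %S
   create mask = 0600
   directory mask = 0700

[profiles]
   path = /var/lib/samba/profiles
   browseable = no
   writable = yes
   create mask = 0600
   directory mask = 0700

[netlogon]
   path = /var/lib/samba/netlogon
   # Logon scripts run on every client at login, so users must not be able to write them
   read only = yes
   browseable = no
```

Check the result with `testparm` before restarting smbd; the same LDAP tree can then be pointed at by nss_ldap/pam_ldap so Linux logins use the one directory.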