Sources:
- http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx
- http://www.linux.com/archive/articles/40983
- http://www.securityfocus.com/infocus/1563
Given the availability of LDAP, Kerberos, and Winbind on Linux machines, there are three different implementation strategies we can employ to allow our Linux machine to use Active Directory for authentication.
- configure PAM to use LDAP authentication
LDAP authentication (an LDAP simple bind) sends the user name and password over the network in clear text. This is insecure and unacceptable for most purposes.
- configure PAM and NSS to make calls to the Winbind daemon. Winbind will translate the different PAM and NSS requests into the corresponding Active Directory calls, using either LDAP, Kerberos, or RPC, depending on which is most appropriate.
Getting RHEL5 to authenticate to Active Directory requires five separate steps, in this order:
- Locate and download the appropriate Samba and other dependent components.
- Build Samba.
- Install and configure Samba.
- Configure Linux, specifically PAM and NSS.
- Configure Active Directory.
Although Linux itself is a small kernel, RHEL ships with many packages preinstalled.
Normally this makes life easier, but the preinstalled packages sometimes conflict with software installed later.
- Ensure that the DNS resolver on the Linux machine uses the same DNS name server that your DCs use (usually the DC itself is the DNS server).
- Edit the /etc/hosts file directly and add an entry below the localhost.localdomain entry that has the form
- The Kerberos protocol depends on the authenticating systems having clocks that are synchronized to within a relatively small tolerance.
- Configure your Linux systems to use the Network Time Protocol (NTP) service of a DC.
PAM and NSS provide the glue between a Linux application, such as the desktop, and Winbind.
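The prerequisites above (resolver pointing at the DC, a hosts entry for the machine's FQDN, clock skew small enough for Kerberos) and the PAM/NSS/Winbind wiring are the things that most often break an AD join, so a pre-flight check is worth having before running the join. The script below is an added example, not code from the original notes or from the TechNet article; the sample resolv.conf, hosts, nsswitch.conf and smb.conf files it writes are constructed here so it runs offline, and the host name, realm and IP addresses in them are placeholders. The 300-second tolerance is libkrb5's default clockskew.

```shell
#!/bin/sh
# Pre-flight checks for joining a Linux host to Active Directory with Winbind.
# Added example (not from the page). Point the functions at the real
# /etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf and smb.conf on a live host.

KRB5_MAX_SKEW=300   # libkrb5 default clockskew in seconds; the DC rejects beyond this

# 0 when |host clock - DC clock| is within the Kerberos tolerance.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$KRB5_MAX_SKEW" ]
}

# 0 when the first nameserver in the given resolv.conf is the DC's address.
resolver_uses_dc() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# 0 when the hosts file maps the given IP to the given FQDN.
hosts_has_fqdn() {
    awk -v ip="$2" -v fqdn="$3" \
        '$1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 } END { exit !found }' "$1"
}

# 0 when nsswitch.conf consults winbind for both the passwd and group databases.
nsswitch_has_winbind() {
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# 0 when smb.conf selects Active Directory mode (security = ads).
smbconf_is_ads() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"
}

# Writes constructed sample files into the given directory (placeholder values).
write_samples() {
    cat > "$1/resolv.conf" <<'EOF'
search corp.example.test
nameserver 192.0.2.10
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1   localhost.localdomain localhost
192.0.2.50  rhel5box.corp.example.test rhel5box
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = CORP
   realm = CORP.EXAMPLE.TEST
   security = ads
   winbind use default domain = yes
EOF
}

# Stand-alone run: write the samples and report each check.
if [ "${PREFLIGHT_DEMO:-1}" = 1 ] && [ -z "$PREFLIGHT_NO_MAIN" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    resolver_uses_dc "$d/resolv.conf" 192.0.2.10 && echo "resolver: ok" || echo "resolver: FAIL"
    hosts_has_fqdn "$d/hosts" 192.0.2.50 rhel5box.corp.example.test && echo "hosts: ok" || echo "hosts: FAIL"
    clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "clock: ok" || echo "clock: FAIL"
    nsswitch_has_winbind "$d/nsswitch.conf" && echo "nsswitch: ok" || echo "nsswitch: FAIL"
    smbconf_is_ads "$d/smb.conf" && echo "smb.conf: ok" || echo "smb.conf: FAIL"
    rm -rf "$d"
fi
```

On a real host, replace the constructed paths with the system files and the DC address, and compare the clock against the DC with the time reported by the DC's NTP service rather than two local `date` calls.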