How practical is it to authenticate a Linux server against AD?

It's not hard and it's perfectly practical.

We have a few hundred dual-boot desktop machines that use AD auth, as well as a number of servers which use AD auth to enable Windows clients to use their Samba shares without explicit auth by the users.

There was another article on SF about what you need to do.

Basically you need to configure Kerberos, winbind, NSS and PAM.

Then you do a kinit and a net ads join and you're up.

You can configure pam to use multiple methods for auth if you want, so if one does not work it will fall back to the next.

We usually use files, winbindd and LDAP for servers serving file shares to Windows servers.

If possible I'd use LDAP for account info and winbind strictly for auth, but I believe you can map attributes in /etc/ldap.conf, I think, if you need to. If you do end up using winbindd for account info it is possible to use the RID (hashing method) to generate uids/gids, but it is also possible to use other methods. We used RIDs on one large fileserver and it has been a real pain, so I'd try and explore one of the other options if possible. In our case all AD users and groups are reflected in LDAP by an upstream IDM system, so we use LDAP for account info on newer servers and use winbind purely for auth.
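The join procedure the answer above sketches (Kerberos, winbind, NSS, PAM, then kinit and net ads join), with the RID-based and the AD-attribute-based uid/gid mapping it contrasts, as an added example that is not code from any answer on this page. The realm EXAMPLE.COM, short domain EXAMPLE, controller dc1.example.com and the ID ranges are placeholders; the join function needs a real domain, so only the config rendering runs offline.

```shell
#!/bin/sh
# Added example, not code from any of the answers above.
# Renders the two config files a winbind-based AD join needs, with either a
# RID-derived or an AD-stored (RFC2307) uid/gid mapping, and wraps the join
# and verification commands the first answer lists.
# EXAMPLE.COM / EXAMPLE / dc1.example.com and the ID ranges are placeholders.

# $1 = Kerberos realm (upper case), $2 = KDC / domain controller hostname
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }
EOF
}

# $1 = realm, $2 = short (NetBIOS) domain name, $3 = idmap backend: rid | ad
render_smb_conf() {
    cat <<EOF
[global]
    security = ads
    realm = $1
    workgroup = $2
    kerberos method = secrets and keytab
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
EOF
    case "$3" in
        rid)
            # IDs computed from the SID's RID: deterministic per domain, but only
            # shared with other hosts that use the same range, not with LDAP.
            cat <<EOF
    idmap config $2 : backend = rid
    idmap config $2 : range = 10000-999999
EOF
            ;;
        ad)
            # IDs read from uidNumber/gidNumber stored in AD, so every host and
            # the LDAP side agree on them (the option the first answer prefers).
            cat <<EOF
    idmap config $2 : backend = ad
    idmap config $2 : schema_mode = rfc2307
    idmap config $2 : range = 10000-999999
    winbind nss info = rfc2307
EOF
            ;;
        *)
            echo "unknown idmap backend: $3" >&2
            return 1
            ;;
    esac
}

# Performs the join on a real host; $1 = account allowed to join machines,
# $2 = an AD user name to resolve afterwards. Needs the domain on the network.
join_and_verify() {
    kinit "$1" || return 1              # get a TGT for the joining account
    net ads join -k || return 1         # join using that Kerberos ticket
    net ads testjoin || return 1        # machine account trust is valid
    wbinfo -t || return 1               # winbind can use the trust secret
    getent passwd "$2"                  # NSS resolves an AD user via winbind
}

# Usage: sh join.sh render REALM WORKGROUP DC rid|ad   (prints both files)
#        sh join.sh join ADMIN USER                     (does the real join)
case "${1:-}" in
    render) render_krb5_conf "$2" "$4"; echo; render_smb_conf "$2" "$3" "$5" ;;
    join)   join_and_verify "$2" "$3" ;;
esac
```

The `*` idmap range and the domain range must not overlap, otherwise winbind refuses to allocate IDs; the `ad` backend only works when the AD accounts actually carry uidNumber/gidNumber (the SFU/RFC2307 attributes the third answer maps), which is also what makes the IDs consistent with an LDAP-based NSS setup.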


Authenticating is absolutely simple using Likewise Open. http://www.likewise.com/products/likewise_open/index.php

Nearly my entire Linux infrastructure has centralized authentication and user management thanks to Likewise Open. It's stunningly simple to install and implement. I cannot possibly say enough good about it.

As a note, UIDs and GIDs are assigned according to a hash function, so they are identical across the entire infrastructure, so NFS mounts work perfectly.


I installed Windows Services for Unix and added a user in AD called "Unix Authenticator", then made the following config file changes on the Linux machines:

/etc/ldap.conf:
host ldap.<foo>.com
base cn=Users,dc=<foo>,dc=com
binddn cn=Unix Authenticator,cn=Users,dc=<foo>,dc=com
bindpw <password>
nss_base_passwd cn=Users,dc=<foo>,dc=com?sub
nss_base_shadow cn=Users,dc=<foo>,dc=com?sub
nss_base_group cn=Users,dc=<foo>,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute uid msSFUName
nss_map_attribute gid gidNumber
nss_map_attribute gecos sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember Member
pam_login_attribute msSFUName
pam_filter objectclass=user
pam_password ad

/etc/ldap.secret:
<password>

/etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap

/etc/nsswitch.ldap:
host files dns

/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

Hope this helps.
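A check worth running against the setup in the answer above, as an added example that is not code from that answer: the "Unix Authenticator" bind password ends up in two files, and nss_ldap expects the password for a privileged bind to live in /etc/ldap.secret (read via rootbinddn) precisely because /etc/ldap.conf is normally world-readable. The script below audits copies of both files; the file paths are parameters and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not code from the answer above. Audits the two files that
# answer's nss_ldap setup depends on: a bindpw line in ldap.conf is only safe
# if the file is not world-readable, and ldap.secret must be root-only.
# Paths are parameters so the checks can run against copies; assumes GNU stat.

# Succeeds (returns 0) when the file contains a bindpw line AND is world-readable.
bindpw_exposed() {  # $1 = path to ldap.conf
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}          # last octal digit = "other" permissions
    [ $((other & 4)) -ne 0 ]           # bit 4 = readable by everyone
}

# Succeeds when the secret file exists and is mode 0600 or 0400.
secret_mode_ok() {  # $1 = path to ldap.secret
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Succeeds when the secret file is owned by uid 0.
secret_owner_ok() {  # $1 = path to ldap.secret
    [ "$(stat -c '%u' "$1" 2>/dev/null)" = "0" ]
}

# Prints one WARN line per finding; returns 1 if anything was found.
audit_ldap_files() {  # $1 = ldap.conf, $2 = ldap.secret
    rc=0
    if bindpw_exposed "$1"; then
        echo "WARN: $1 is world-readable but contains bindpw; use rootbinddn and keep the password only in $2"
        rc=1
    fi
    if ! secret_mode_ok "$2"; then
        echo "WARN: $2 is missing or not mode 0600/0400"
        rc=1
    fi
    if ! secret_owner_ok "$2"; then
        echo "WARN: $2 is not owned by root"
        rc=1
    fi
    return $rc
}

# Usage: sh audit-ldap.sh /etc/ldap.conf /etc/ldap.secret
if [ $# -gt 0 ]; then
    audit_ldap_files "$1" "${2:-/etc/ldap.secret}"
fi
```

The same bind account is also what limits the blast radius if the password does leak: it only needs read access to the Users container, so it should not be a member of any privileged AD group.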


Got Windows users auth'ing against AD, but most of our servers (public drive etc.) are Linux, and they're part of the domain. From a Windows PoV no-one notices. From my side, it feels a bit fruity ssh'ing with my Windows username, but that's about the size of it.

Just using plain old Samba.