Does anyone here authenticate against Active Directory?
Hi,
I'd like to know if anyone here authenticates their servers against Active Directory? I did this a couple of years ago, but never rolled it out to my servers for a few reasons.
Now I'm thinking of this again, but the main thing I'd really like to know is how stable and maintainable this is across lots of servers and through upgrades. I've noticed that when there are upgrades, occasionally PAM files are changed/upgraded. Since this generally relies on you fiddling with the PAM stacks, I figure that sooner or later this brittle solution will snap in an upgrade, locking people out of the server.
I suspect that the main problem is that most people do not change PAM and therefore there is no included user-defined stack that is kept referenced through rolling upgrades...
Does anyone have any experience with how stable it is to authenticate lots of servers against AD for single sign-on?
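An added example (not from this thread) of the kind of post-upgrade check the worry above calls for: it parses PAM stack files in the standard `type control module [args]` form, follows Debian-style `@include` lines, and reports whether an AD module (pam_winbind or pam_krb5, the modules assumed here) is still in the auth stack and whether a local pam_unix fallback remains so admins are not locked out. The sample stack files are constructed inline.

```python
import re

# Modules assumed here to provide AD authentication (adjust to your setup).
AD_MODULES = {"pam_winbind.so", "pam_krb5.so"}


def parse_pam(files, name, depth=0):
    """Flatten files[name] into (type, control, module) tuples, following @include."""
    entries = []
    for raw in files.get(name, "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            included = line.split(None, 1)[1].strip()
            if depth < 8:  # guard against include loops
                entries.extend(parse_pam(files, included, depth + 1))
            continue
        # The control field may be bracketed, e.g. [success=1 default=ignore].
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def audit_auth_stack(files, service="common-auth"):
    """Report whether the auth stack still has an AD module and a local fallback."""
    auth = [e for e in parse_pam(files, service) if e[0] == "auth"]
    modules = [e[2].rsplit("/", 1)[-1] for e in auth]  # strip any module path
    return {
        "ad_module": any(m in AD_MODULES for m in modules),
        "local_fallback": "pam_unix.so" in modules,
        "modules": modules,
    }


# Constructed sample: an AD-enabled stack, and the same service file after a
# hypothetical package upgrade regenerated it with the distribution default.
BEFORE = {
    "common-auth": "auth sufficient pam_winbind.so krb5_auth\n@include common-auth-local\n",
    "common-auth-local": "auth required pam_unix.so nullok_secure try_first_pass\n",
}
AFTER = {
    "common-auth": "# regenerated by package upgrade\nauth required pam_unix.so nullok_secure\n",
    "common-auth-local": BEFORE["common-auth-local"],
}
```

Pointing `files` at the real contents of /etc/pam.d after each upgrade and alerting when `ad_module` flips to False catches the drift before users notice.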
You can configure multiple systems to look to the LDAP servers for authentication and not have to worry about using a Windows server that is an AD domain controller.
Yes, of course you can authenticate to OpenLDAP, but the question was regarding Active Directory specifically, because this gives you single sign-on between Windows and Linux. There's no point in having 2 different systems to maintain the same user accounts on each; it just doubles the workload...
Personally, I think LDAP is a bit friendlier to administer, and has a greater set of tools. It's also supported by a lot of different things, so you're not tied in to one platform, but I know sometimes you just get forced down another path.
The thing is that there are a lot of us out here that have massive MS installs. And we'd like to bring Linux into the picture, but we can't start out by replacing everything. It just isn't practical.
Right now I'm working on deploying our first production Linux server and I need to be able to evaluate print permissions based on AD group membership. That's my current dilemma and it is keeping Linux out of our business. This is the pervasive problem that is keeping Linux out of a lot of businesses.
If it's an all or nothing situation, it will almost always end up being nothing.
I'm making progress on my project, but it has definitely been an uphill battle. I know it can work, and I will make it work. But please don't ask people to completely dump the infrastructure that they have so that they can use Linux, because from a VP or Manager standpoint the answer will probably be "I guess we don't need Linux after all."
(Sorry if I got preachy there, but I've heard this stuff from managers and VPs for about 5 years now.)
It can be done, it's just very inconvenient and may be more trouble than it's worth unless you're very skilled and experienced in Linux. Getting it to work is the easy part; keeping it working through upgrades is harder (depending on distro), which is why I ask...
I got this working more than 2 years ago, but it felt brittle so I didn't roll it out to all my Linux servers.
Windows Services for UNIX (SFU) 3.5 might be able to help with the AD integration.
Also, AD supports LDAP queries, so you could just set up the system to auth to LDAP and use AD. As far as single sign-on goes, if you are talking about just using one account on both Windows and Unix then that's fine. But the "Microsoft single sign-on" won't work, because it uses NTLMSSP (NT LAN Manager Security Support Provider) and that works for all mapped drives, proxy, etc.