On Sun, Oct 30, 2011 at 1:55 PM, Brian Kroth <bpkr...@gmail.com> wrote:

> gregorcy <grego...@eng.utah.edu> 2011-10-29 10:52:
>
>>    What's missing: OpenLDAP replication from AD? Is this possible? Is this
>>    needed? Since I want other machines (running Linux) to authenticate, it
>>    will be a good idea that only ONE machine gets information from AD and
>>    everyone else authenticates natively on this Gentoo machine.
>>
>>  No this is not needed.  If you are in a mixed environment (I think) it
>>  is much easier to just use AD as the one directory service and join all
>>  your linux boxes to it.  As long as your idmap ranges match your users
>>  will have the same uid on all boxes.
>>
>
> I agree with this except for the need to "join all your linux boxes".  AD
> is really just ldap+kerberos.  Most of the time you don't need the headache
> of kerberos and can just use the ldap component.  Modern AD schemas include
> all of the necessary attribute support for having Linux clients talk to it
> directly for uid/gid mapping, which is much nicer since it avoids the
> complexity of any samba requirements when you don't need them (eg: mail,
> web, etc.).

So if he is using samba + winbind I don't see how you can not join all your
machines to the AD.  Actually I would be really interested in how you
configure your machines just using the ldap component.  I have been using
winbind for the last couple of years but if there is a better way I would
be interested in learning how it works.
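The point above that "as long as your idmap ranges match your users will have the same uid on all boxes" is easy to check mechanically. The following Python script is an added example, not part of the thread: it parses the `idmap config` lines from two constructed smb.conf fragments (hostnames, realm and ranges are made up) and applies the idmap_rid mapping rule, uid = low end of the domain's range + the account's RID, to show that a single differing range silently gives the same AD user two different uids.

```python
import re

# Constructed smb.conf fragments for two winbind-joined hosts. Host B has
# a different idmap range for the domain backend, which is the mismatch
# the thread warns about.
HOST_A_SMB_CONF = """
[global]
    security = ads
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

HOST_B_SMB_CONF = """
[global]
    security = ads
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 20000-999999
"""

# Matches lines such as "idmap config EXAMPLE : range = 10000-999999".
IDMAP_RE = re.compile(
    r'^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)',
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom.upper(), {})
        if key.lower() == 'range':
            low, high = val.split('-')
            entry['range'] = (int(low), int(high))
        else:
            entry['backend'] = val.lower()
    return domains


def rid_to_uid(domains, domain, rid):
    """Apply the idmap_rid rule: uid = range low + RID (base rid 0 assumed)."""
    entry = domains[domain.upper()]
    if entry.get('backend') != 'rid':
        raise ValueError('%s does not use the rid backend' % domain)
    low, high = entry['range']
    uid = low + rid
    if uid > high:
        raise ValueError('RID %d maps outside range %d-%d' % (rid, low, high))
    return uid


def ranges_match(conf_a, conf_b, domain):
    """True when both hosts map the given domain with an identical range."""
    a = parse_idmap(conf_a)[domain.upper()]
    b = parse_idmap(conf_b)[domain.upper()]
    return a.get('backend') == b.get('backend') and a['range'] == b['range']


if __name__ == '__main__':
    # Constructed RID for an imaginary AD user.
    rid = 1105
    for name, conf in (('host-a', HOST_A_SMB_CONF), ('host-b', HOST_B_SMB_CONF)):
        uid = rid_to_uid(parse_idmap(conf), 'EXAMPLE', rid)
        print('%s: RID %d -> uid %d' % (name, rid, uid))
    print('ranges match:', ranges_match(HOST_A_SMB_CONF, HOST_B_SMB_CONF, 'EXAMPLE'))
```

Running the script shows RID 1105 becoming uid 11105 on host-a and 21105 on host-b, so files owned by that user on an NFS export would appear to belong to someone else on the other host; comparing the parsed ranges across every joined machine before deployment catches this.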
