As I understand it, we need Kerberos 5 for authentication and LDAP acting only as a directory service with UID, GID, home dir, etc.
[]'s

On Nov 1, 2011, at 5:11 PM, gregorcy wrote:

> On Sun, Oct 30, 2011 at 1:55 PM, Brian Kroth <bpkr...@gmail.com> wrote:
>
> > gregorcy <grego...@eng.utah.edu> 2011-10-29 10:52:
> >
> > > > What's missing: OpenLDAP replication from AD? Is this possible? Is this
> > > > needed? Since I want other machines (running Linux) to authenticate, it
> > > > will be a good idea if only ONE machine gets information from AD and
> > > > everyone else authenticates natively on this Gentoo machine.
> > >
> > > No, this is not needed. If you are in a mixed environment (I think) it
> > > is much easier to just use AD as the one directory service and join all
> > > your linux boxes to it. As long as your idmap ranges match, your users
> > > will have the same uid on all boxes.
> >
> > I agree with this except for the need to "join all your linux boxes". AD is
> > really just ldap+kerberos. Most of the time you don't need the headache of
> > kerberos and can just use the ldap component. Modern AD schemas include all
> > of the necessary attribute support for having Linux clients talk to it
> > directly for uid/gid mapping, which is much nicer since it avoids the
> > complexity of any samba requirements when you don't need them (eg: mail, web,
> > etc.).
>
> So if he is using samba + winbind I don't see how you can not join all your
> machines to the AD. Actually I would be really interested in how you
> configure your machines just using the ldap component. I have been using
> winbind for the last couple of years, but if there is a better way I would be
> interested in learning how it works.
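As an added illustration of the split described in this thread (LDAP for uid/gid/home lookups, Kerberos 5 for authentication, no Samba/winbind domain join), here is an sssd.conf that points the identity provider at AD's LDAP and the auth provider at AD's KDC. This is example configuration written for this page, not something posted in the thread; the realm EXAMPLE.COM, the host dc1.example.com, the search base and the bind account are placeholders, and the exact option set assumes sssd with its "ldap" and "krb5" providers.

```ini
# /etc/sssd/sssd.conf  (example; all names are placeholders, not from the thread)
# Must be owned by root and mode 0600: it carries the bind password.
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
# Identity (uid, gid, home directory, shell) comes from AD over LDAPS, read
# from the RFC 2307 attributes AD stores on user and group objects.
id_provider = ldap
ldap_uri = ldaps://dc1.example.com
ldap_tls_cacert = /etc/ssl/certs/ad-ca.pem
ldap_search_base = dc=example,dc=com
# AD uses "member" on groups, so the rfc2307bis schema fits; the object
# classes and name attribute are AD's, so they are overridden explicitly.
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
# Read-only service account for directory lookups; this is a simple bind,
# so it must only ever travel over LDAPS.
ldap_default_bind_dn = cn=linux-lookup,ou=Service Accounts,dc=example,dc=com
ldap_default_authtok = change-me

# Authentication stays with Kerberos against the AD KDC; no winbind involved.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
cache_credentials = true
enumerate = false
```

Two checks before relying on this: a user whose AD object has no uidNumber/gidNumber will simply not resolve through NSS, so confirm with `getent passwd <user>` that the attributes are actually populated for everyone who needs a Linux login; and because every client reads the same uidNumber values from the directory, uids are consistent across machines without any idmap range to keep in step. If a password in the config file is unacceptable, the same lookups can be done with a GSSAPI bind from a host keytab, but that requires a computer account in AD, which brings back part of the "join" this thread is trying to avoid.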