
Re: Win2000 PDC Authentication and Authorization

On Tue, Jan 28, 2003 at 09:55:02AM -0500, Whitmore Matthew E NPRI wrote:

> I'd like to authenticate/authorize against Win2000 Server PDC so
> there is one login/password instead of the users currently having
> separate login/passwords: one for Windows, and one for Linux.  I
> assume the users use the same password for both the Windows and
> Linux, but I'd like to have accounts for Windows and Linux centrally
> managed, using the PDC.

We do that (PDC serving Windows, Solaris, and Linux clients) with
pam_smb. Winbind isn't particularly required, and has several
disadvantages in our situation:

* We don't want *everyone* on the domain to be able to log into the
  Unix machines. We could use pam_listfile to fix that, however.

* Winbind has no means of synchronizing UIDs across systems. So if you
  have a central NFS server like we do, ownership gets completely
  screwy. This killed winbind for us.

Disadvantages of pam_smb:

* Have to create dummy accounts for authorized users on each system. I
  think there's a way around that, too, but like I said before, we don't
  want every domain user to have Unix access.

* Tied into the previous disadvantage, dual-boot systems are
  difficult. If we add a user onto each system to use pam_smb, that
  system has to be in Unix 100% of the time. Winbind avoids this.

Personally, I've got some sort of Active Directory/LDAP idea on the
horizon, since our central IT bunch is rolling out their first AD
tree. Hopefully it's close enough to regular LDAP to make the Unix
boxes happy.

Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
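
An added example, not part of the original post: a check for the UID drift described above, where accounts created separately on each machine (winbind's per-host mappings or hand-made pam_smb dummy accounts) end up with different numeric UIDs and a shared NFS export then shows the wrong owners. The host names and passwd contents are constructed sample data; in practice you would feed it each machine's real passwd file.

```python
from collections import defaultdict

# Constructed sample passwd contents for three hypothetical hosts.
SAMPLE = {
    "nfs1": "root:x:0:0:root:/root:/bin/sh\n"
            "alice:x:1001:100::/home/alice:/bin/sh\n"
            "bob:x:1002:100::/home/bob:/bin/sh\n",
    "linux1": "root:x:0:0:root:/root:/bin/sh\n"
              "alice:x:1001:100::/home/alice:/bin/sh\n"
              "bob:x:1003:100::/home/bob:/bin/sh\n",
    "sun1": "root:x:0:0:root:/:/sbin/sh\n"
            "+::::::\n"
            "alice:x:1001:100::/home/alice:/bin/sh\n"
            "carol:x:1002:100::/home/carol:/bin/sh\n",
}

def parse_passwd(text):
    """Return {username: uid}; skips comments, NIS '+' entries and short lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit(passwd_by_host):
    """Find names with differing UIDs, and UIDs owned by differing names."""
    by_name = defaultdict(dict)  # name -> {host: uid}
    by_uid = defaultdict(dict)   # uid  -> {host: name}
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text).items():
            by_name[name][host] = uid
            by_uid[uid][host] = name
    name_drift = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    uid_clash = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return name_drift, uid_clash

if __name__ == "__main__":
    name_drift, uid_clash = audit(SAMPLE)
    for name, hosts in sorted(name_drift.items()):
        print(f"user {name} has different UIDs: {hosts}")
    # A clash means one user's files on NFS appear owned by someone else.
    for uid, hosts in sorted(uid_clash.items()):
        print(f"UID {uid} maps to different users: {hosts}")
```

In the sample, UID 1002 is bob on the NFS server but carol on sun1, so carol would own bob's files when they are mounted there.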
