
Re: Win2000 PDC Authentication and Authorization



On Tue, Jan 28, 2003 at 09:55:02AM -0500, Whitmore Matthew E NPRI wrote:

> I'd like to authenticate/authorize against Win2000 Server PDC so
> there is one login/password instead of the users currently having
> separate login/passwords: one for Windows, and one for Linux.  I
> assume the users use the same password for both the Windows and
> Linux, but I'd like to have accounts for Windows and Linux centrally
> managed, using the PDC.

We do that (PDC serving Windows, Solaris, and Linux clients) with
pam_smb. Winbind isn't particularly required, and has several
disadvantages in our situation:

* We don't want *everyone* on the domain to be able to log into the
  Unix machines. We could use pam_listfile to fix that, however.

* Winbind has no means of synchronizing UIDs across systems. So if you
  have a central NFS server like we do, ownership gets completely
  screwy. This killed winbind for us.

Disadvantages of pam_smb:

* Have to create dummy accounts for authorized users on each system. I
  think there's a way around that, too, but like I said before, we don't
  want every domain user to have Unix access.

* Tied into the previous disadvantage, dual-boot systems are
  difficult. If we add a user onto each system to use pam_smb, that
  system has to be in Unix 100% of the time. Winbind avoids this
  problem.

Personally, I've got some sort of Active Directory/LDAP idea on the
horizon, since our central IT bunch is rolling out their first AD
tree. Hopefully it's close enough to regular LDAP to make the Unix
boxes happy.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
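
The UID-synchronization problem described in the message above, as an added example that is not part of the original post: a small audit that compares passwd-format listings (e.g. `getent passwd` output) from hosts sharing an NFS export and flags users whose UID differs between hosts, plus UIDs that belong to different users on different hosts. The host names, user names and UIDs are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: passwd(5)-format lines as `getent passwd` might
# print them on two hypothetical NFS clients. Hosts, users and UIDs are invented.
SAMPLE = {
    "linux1": """\
root:x:0:0:root:/root:/bin/bash
alice:x:10000:10000:Alice:/home/alice:/bin/bash
bob:x:10001:10000:Bob:/home/bob:/bin/bash
""",
    "solaris1": """\
root:x:0:0:Super-User:/:/sbin/sh
bob:x:10000:10000:Bob:/home/bob:/bin/sh
alice:x:10001:10000:Alice:/home/alice:/bin/sh
carol:x:10002:10000:Carol:/home/carol:/bin/sh
""",
}

def parse_passwd(text):
    """Return {username: uid} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or line.startswith("#") or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit(hosts):
    """Return (mismatched, collisions) for {host: passwd_text}."""
    by_user, by_uid = defaultdict(dict), defaultdict(dict)
    for host, text in hosts.items():
        for user, uid in parse_passwd(text).items():
            by_user[user][host] = uid
            by_uid[uid][host] = user
    # Same user, different UID: files on the NFS server look unowned or foreign.
    mismatched = {u: m for u, m in by_user.items() if len(set(m.values())) > 1}
    # Same UID, different user: one account can read or write another's files.
    collisions = {i: m for i, m in by_uid.items() if len(set(m.values())) > 1}
    return mismatched, collisions

if __name__ == "__main__":
    mismatched, collisions = audit(SAMPLE)
    for user, uids in sorted(mismatched.items()):
        print(f"UID mismatch for {user}: {uids}")
    for uid, owners in sorted(collisions.items()):
        print(f"UID {uid} maps to different users: {owners}")
```

The collision report is the one that matters for access control, since NFS with plain UID-based ownership trusts the numeric UID the client presents.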




