Does anyone here authenticate against Active Directory?

  • humbletech99
  • Proficient
  • Posts: 300


I'd like to know if anyone here authenticates their servers against Active Directory? I did this a couple of years ago, but never rolled it out to my servers for a few reasons.

Now I'm thinking of this again, but the main thing I'd really like to know is how stable and maintainable this is across lots of servers and through upgrades. I've noticed that when there are upgrades, occasionally pam files are changed/upgraded. Since this generally relies on you fiddling the pam stacks I figure that sooner or later this brittle solution will snap in an upgrade, locking people out of the server.

I suspect that the main problem is that most people do not change PAMs and therefore there is no included user-defined stack that is kept referenced through rolling upgrades...

Does anyone have any experience with how stable it is to authenticate lots of servers against AD for single sign-on?
  • kc0tma
  • o|||||||o
  • Web Master
  • Posts: 3314
  • Loc: Trout Creek, MT


The first link is an article about the product featured in the second link (they are the same product). Basically, it adds a tab into the properties for users in AD Users & Computers to configure stuff for users like home path on the Linux server, default shell, and that kind of stuff. Of course the server has to be a member of the domain for that to work. You can even manage the groups a user belongs to on the Linux server from that AD thing. This is something you would have to buy, but I think it is what you might be looking for. We've been toying with the idea of this for our couple of Red Hat application servers lately.
  • this213
  • Guru
  • Posts: 1258
  • Loc: ./


Instability comes from the Windows side of things, not the Linux side of things, though a lot can be dependent upon which distro you're using. In any case, updates *shouldn't* be overwriting *changed* PAM files. Rather, depending on your distro, you should get the new PAM file with an extension like .new or .rpmnew. This allows updates to occur without breaking anything.

In any case, the {much} better (more stable, license free, more resource-friendly) option is to use Samba with Kerberos and LDAP.

For the record, I use Gentoo and RedHat family distros (RHEL, Fedora, CentOS) for anything production.
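The two failure modes raised in this thread (a package upgrade leaving an un-merged replacement next to a locally edited PAM file, and a locally edited stack referencing a module that is no longer installed, which is what actually locks people out) can both be checked for after each upgrade. The script below is an added example, not code from any poster or from the products mentioned; it generalises the `.new`/`.rpmnew` point above to the suffixes the common package managers use (`.rpmnew`/`.rpmsave` on RPM distros, `.dpkg-dist`/`.dpkg-new` on Debian and Ubuntu, `.pacnew` on Arch, and the `._cfg0000_` prefix Gentoo's etc-update uses). The default paths `/etc/pam.d` and `/lib64/security` are assumptions; both functions take the directories as arguments so they can be pointed elsewhere.

```shell
#!/bin/sh
# Added example: post-upgrade health check for locally modified PAM stacks.
# Both functions print one "<service> <detail>" line per finding and nothing
# when the stack is clean, so they can be dropped into a cron job or a
# configuration-management "verify" step.

# Report PAM service files for which a package manager has left a replacement
# beside the locally edited file instead of overwriting it.
pam_pending_updates() {
    dir="${1:-/etc/pam.d}"          # assumed default location of PAM service files
    for f in "$dir"/*.rpmnew "$dir"/*.rpmsave "$dir"/*.dpkg-dist \
             "$dir"/*.dpkg-new "$dir"/*.pacnew "$dir"/._cfg*_*; do
        [ -e "$f" ] || continue     # an unmatched glob stays literal; skip it
        base=$(basename "$f")
        case "$base" in
            ._cfg*_*) svc=${base#._cfg*_} ;;   # Gentoo: ._cfg0000_login -> login
            *)        svc=${base%.*} ;;        # strip the package-manager suffix
        esac
        printf '%s %s\n' "$svc" "$f"
    done
}

# Report modules referenced from PAM service files that are not present on
# disk. A stack that references a missing module (e.g. pam_winbind.so after
# the Samba client package was removed) fails closed and locks users out.
pam_missing_modules() {
    dir="${1:-/etc/pam.d}"
    libdir="${2:-/lib64/security}"  # assumed default module directory
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in                # leftovers are handled by pam_pending_updates
            *.rpmnew|*.rpmsave|*.dpkg-dist|*.dpkg-new|*.pacnew|*/._cfg*) continue ;;
        esac
        svc=$(basename "$f")
        # Strip comments, join backslash-continued lines, collapse bracketed
        # control fields such as [success=1 default=ignore] into one token,
        # then emit the third field (the module) of each rule. Lines whose
        # control is "include" or "substack" name another service file, not a
        # module, and are skipped.
        sed 's/#.*//' "$f" | awk '
            /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
            {
                line = buf $0; buf = ""
                gsub(/\[[^]]*]/, "ctl", line)
                sub(/^[ \t]+/, "", line)
                if (line ~ /^[ \t]*$/) next
                n = split(line, fld, /[ \t]+/)
                if (n < 3) next
                if (fld[2] == "include" || fld[2] == "substack") next
                print fld[3]
            }' | while read -r mod; do
            case "$mod" in
                /*) path="$mod" ;;             # absolute module path
                *)  path="$libdir/$mod" ;;     # bare name, resolved in libdir
            esac
            [ -e "$path" ] || printf '%s %s\n' "$svc" "$mod"
        done
    done
}

# Run both checks against the live system when invoked as: sh pam_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    pam_pending_updates
    pam_missing_modules
fi
```

Run it after every package update (and before rebooting) on each domain-joined host; any output is a stack that needs a manual merge or a missing package before the next login attempt, which is far cheaper than discovering it from a locked-out console.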


© 1998-2017. Ozzu® is a registered trademark of Unmelted, LLC.