We have around 70% linux users, all of which are configured to authenticate against Active Directory through LDAP. In order for this to work, we used the "Windows Services for Unix" under Windows Server 2003, and it all works fine.
We are now at a point where the server running this contraption is getting a bit tired and will be replaced with a newer machine, running Windows Server 2008 (where the relevant services such as user name mapping and password changes, etc., are integrated with the OS).
And here's the rub: If a new user is configured through the Win2k3 server, then it all works fine. If the same thing is done through the Win2k8 server, then:
- The ADS plugin on the 2k3 server does not recognize it and behaves as if the UNIX attributes were never set.
- The user cannot authenticate against ADS using LDAP.
Has anybody encountered this problem? If so, how did you overcome this?
If you need any additional information to provide further help, just ask and I shall provide it.
The LDAP name mapping has changed between Win2K3 and 2K8. The new mapping (to apply in /etc/ldap.conf) is:
Please let me know if that helps. You may have to migrate the old users as well. I'd use ldapsearch and compare new and old users (but I think they will just have both attributes, if I recall).
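As an added example (not code from either answer), here is a small POSIX shell check in the spirit of the ldapsearch comparison suggested above: it reads an exported user entry and reports which set of UNIX attributes it carries, which is what decides whether an old user still needs migrating. The attribute names are assumed here (the SFU 3.5 msSFU30UidNumber/msSFU30GidNumber pair for Win2K3 versus the RFC 2307 uidNumber/gidNumber pair for 2K8), and the sample entries and the example.com names are constructed.

```shell
#!/bin/sh
# Added example, not from the question or answers: classify a user entry
# exported with `ldapsearch -LLL` by which UNIX attribute set it carries.
# Assumed attribute names: SFU 3.5 on Win2K3 stores msSFU30UidNumber /
# msSFU30GidNumber; the RFC 2307 schema used on 2K8 stores uidNumber /
# gidNumber. A user set up on the old server and then edited on the new
# one may carry both.

# Reads LDIF on stdin, prints one of: sfu35 rfc2307 both none
unix_schema() {
    sfu=0
    rfc=0
    while IFS= read -r line; do
        case "$line" in
            msSFU30UidNumber:*|msSFU30GidNumber:*) sfu=1 ;;
            uidNumber:*|gidNumber:*) rfc=1 ;;
        esac
    done
    if [ "$sfu" -eq 1 ] && [ "$rfc" -eq 1 ]; then echo both
    elif [ "$sfu" -eq 1 ]; then echo sfu35
    elif [ "$rfc" -eq 1 ]; then echo rfc2307
    else echo none
    fi
}

# Constructed sample entries standing in for the output of something like:
#   ldapsearch -LLL -x -H ldap://dc.example.com -D 'bind@example.com' -W \
#     -b 'dc=example,dc=com' '(sAMAccountName=jdoe)' \
#     uidNumber gidNumber msSFU30UidNumber msSFU30GidNumber
OLD_USER='dn: CN=jdoe,OU=Users,DC=example,DC=com
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000'

NEW_USER='dn: CN=asmith,OU=Users,DC=example,DC=com
uidNumber: 10002
gidNumber: 10000'

# Run with --demo to print the classification of both constructed entries.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$OLD_USER" | unix_schema    # sfu35
    printf '%s\n' "$NEW_USER" | unix_schema    # rfc2307
fi
```

Pipe the real ldapsearch output for each account through unix_schema; every account that reports sfu35 still lacks the attributes the 2K8 mapping reads.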
I've decided to post another answer here, since this is usually the place where people find the information they are looking for.
Whilst the above is all still very valid and true, I have now found a much, much easier way to connect my clients via AD. Debian squeeze (the latest stable release) contains sssd (a package that originates in the redhat/fedora environment), which makes all of this a complete breeze. Upon installation it finds and suggests domain controllers, and I only needed to change very few things in the config file to make it work for me. It works perfectly fine with Windows Server 2008, and it can also cache passwords (important for laptop users).