Has anyone got their Linux systems authenticating against Active Directory without using Likewise Open?
We are close to implementing Likewise Open, but first we need to rename roughly 70 of 110 Linux servers so that their hostnames are not longer than 15 characters. This is required because Likewise Open actually joins the Linux computer to the domain, and it fails to do so if the hostname is too long due to some legacy NetBIOS naming limitation.
- Is there a way to authenticate via AD, using only LDAP perhaps?
- What are the advantages/disadvantages over doing it like that vs just using Likewise?
Yes.
Sure. This is a pretty common configuration. You can use AD as a Kerberos server for authentication, and as an LDAP server for user/group enumeration and other authorizations tasks. The configuration is basically the same as with any other Kerberos/LDAP server, and there are lots of documents out there that cover the details.
If you're using AD for more than just authentication (that is, if you want to replace your local /etc/passwd, NIS, etc.), your AD will need the necessary Unix attributes (to identify user home directory, shell, etc.). As @Tom said in his comment, Likewise gets you much tighter integration with AD policy controls. If all you want is authn/authz, you don't really need it.
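As an added example of the LDAP half of that setup (not code from this thread, nor from Likewise, Centrify or any NSS module): the user lookup an NSS/PAM module performs against AD, written out in Python over a constructed entry. The attribute names are the RFC 2307 ones AD carries from the Windows Server 2003 R2 schema onward (uidNumber, gidNumber, unixHomeDirectory, loginShell); the sample user "jdoe", its values, the helper names and the 1000 minimum uid are assumptions for illustration.

```python
"""Added example: the LDAP side of Kerberos+LDAP against AD (not from the thread).

Two things an NSS/PAM module does with AD that the answer above glosses over:
build a safe filter for the user, and map the RFC 2307 Unix attributes that
AD carries (uidNumber, gidNumber, unixHomeDirectory, loginShell) onto a
passwd entry. The sample entries below are constructed, not captured.
"""

# RFC 4515 escaping for filter assertion values. A login name comes from an
# untrusted user; without this, "*)(objectClass=*" in the name rewrites
# the filter instead of being matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str) -> str:
    """Filter for one AD user that has Unix attributes populated.

    The (uidNumber=*) term keeps accounts without RFC 2307 data out of the
    result, so they never turn into half-formed passwd entries.
    """
    return "(&(objectClass=user)(sAMAccountName=%s)(uidNumber=*))" % ldap_escape(login)


# Attributes a passwd entry needs; all are RFC 2307 names as AD stores them.
REQUIRED_UNIX_ATTRS = ("sAMAccountName", "uidNumber", "gidNumber",
                       "unixHomeDirectory", "loginShell")


class MissingUnixAttributes(ValueError):
    """The AD account exists but has no usable Unix identity."""


def entry_to_passwd(entry: dict, min_uid: int = 1000) -> str:
    """Render an LDAP entry (attribute name -> list of str) as one passwd line.

    Raises MissingUnixAttributes when the account lacks Unix attributes: such
    a user can still get a Kerberos ticket, but NSS has no uid/gid/home/shell
    for it, so it cannot log in. Rejects ids below min_uid (an assumed floor)
    because a directory-supplied uidNumber of 0 would make that account root
    on every host that trusts the directory.
    """
    missing = [a for a in REQUIRED_UNIX_ATTRS if not entry.get(a)]
    if missing:
        raise MissingUnixAttributes("missing %s" % ", ".join(missing))
    name = entry["sAMAccountName"][0]
    uid = int(entry["uidNumber"][0])
    gid = int(entry["gidNumber"][0])
    if uid < min_uid or gid < min_uid:
        raise ValueError("refusing uid/gid below %d for %s" % (min_uid, name))
    gecos = entry.get("displayName", [name])[0]
    home = entry["unixHomeDirectory"][0]
    shell = entry["loginShell"][0]
    # The password field is "*": authentication happens against Kerberos via
    # PAM, never by comparing a hash stored in the directory.
    return ":".join([name, "*", str(uid), str(gid), gecos, home, shell])


# Constructed sample entries (hypothetical user "jdoe"; not real directory data).
SAMPLE_USER = {
    "sAMAccountName": ["jdoe"],
    "displayName": ["Jane Doe"],
    "uidNumber": ["10001"],
    "gidNumber": ["10000"],
    "unixHomeDirectory": ["/home/jdoe"],
    "loginShell": ["/bin/bash"],
}

# The same account before anyone populated its Unix attributes.
SAMPLE_USER_NO_UNIX = {
    "sAMAccountName": ["jdoe"],
    "displayName": ["Jane Doe"],
}


if __name__ == "__main__":
    print(user_filter("jdoe"))
    print(user_filter("*)(objectClass=*"))   # escaped, not a wildcard
    print(entry_to_passwd(SAMPLE_USER))
    try:
        entry_to_passwd(SAMPLE_USER_NO_UNIX)
    except MissingUnixAttributes as err:
        print("rejected:", err)
```

The two failure paths are the ones that bite in practice: an account with no Unix attributes is the "AD needs the necessary Unix attributes" caveat from the answer, and the uid floor is there because whoever can edit uidNumber in the directory otherwise decides which Unix user a login maps to on every joined host.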
Graeme,
Likewise Open 6.0 and newer join to domains just fine with a hostname longer than 15 characters. I am curious as to the problem you are getting, as this hasn't come up.
I am an SE with Likewise Software and you can contact me ([email protected]) and our field directly at [email protected]. We will do what we can to get you working.
Regards,
Yvo van Doorn
Here's a blog post I found helpful installing Centrify from the Canonical partner repository. http://ninjix.blogspot.com/2011/01/puppet-manifest-for-centrify-express-on.html
I'd rather not install Centrify since they replace my open source SSH daemon with some closed source proprietary daemon. Who knows what's going on in there.