Active Directory Solutions for Linux
- Samba winbind
- Microsoft SFU 3.5 and Vintela VAS
- Centrify DirectControl
Historically, the path to Linux and Windows 2000 integration at the network level can be like the search for the holy grail: elusive, and wrought with difficulty and self-sacrifice. Rather than attempting to achieve this lofty goal in your average enterprise, more often than not, Linux systems are treated as a separate island onto themselves, with their own identity management systems, administrators, accounts, and applications.
But it doesn't have to be that way. There are now a number of solutions you can use to link Linux systems with Active Directory, all with their own advantages and disadvantages.
winbind is a service that comes with the Open Source Samba client/server Windows networking/CIFS compatibility suite, which comes for free and is pre-installed with just about every Linux distribution. As of version 3.0.x of Samba, winbind not only supports Windows NT 3.x/4.x-style domains, but it also supports authentication to Active Directory.
While free, winbind is not perfect. Configuration requires fairly intensive tweaking of the /etc/smb.conf file and adjusting the /etc/nsswitch.conf to use winbind authentication. A special PAM (Pluggable Authentication Module), mkhomedir.so, also needs to be configured in /etc/pam.d/login and /etc/pam.d/gdm (on a Redhat system) to automatically create home directories for Active Directory users upon first log-on, and /etc/pam.d/system-auth needs to be changed so that the various authentication schemes used on your Linux system come up in the right order.
winbind is also not a particularly fast form of authentication, as it needs to cache the user list when it starts up. On a large Active Directory of thousands of users, this can take a while, every time a user wants to log in.
Another problem with winbind is that it does not do automatic UID/GID mapping for discrete Active Directory user accounts and groups. The "idmap" entries in the /etc/smb.conf file essentially hacks a UID and GID number range to correspond with equivalent AD user IDs and groups. There isn't a lot of granularity when using this method, however. The idmap functions can also be redirected to an LDAP server that is hosting the UNIX or Linux accounts, but this complicates matters significantly.
Alternatively, you can also manually configure winbind to map to existing Linux/UNIX accounts, but it has to be done for every single user you want to allow to log into the system.
Kerberos also needs to be configured to make winbind work, as Windows 2000/2003 uses it as its authentication mechanism. While the default Kerberos configuration may work on some systems, it's not going to work for every AD network; a bit of trial and error may be required. Kerberos is also very sensitive to time synchronization issues, so having a properly configured NTP server on your machine or your network is key to getting Kerberos with winbind to work correctly.
As with all Open Source projects, the GUI/console tools that you get with each distribution for automating the winbind configuration differ significantly, and they only go so far. More often than not, you will spend a lot of time tweaking the configuration files manually; there's no seamless integration with Microsoft Windows administration tools, per sé.
For more on configuring winbind, please refer to the following resources: