4.2.2  Authenticating with a Windows domain
In this section we look at all technical issues that need to be considered when 
planning for authentication of Linux clients within an existing Windows domain. 
Reasons for authenticating a Linux client in an existing Windows domain include:
- Network services that require domain authentication need to be accessed from the Linux client (network file servers, printers, etc.)
- Users will have only a single user name/password combination (network services single sign on).
- Administrators will only need to administer a single user collection.
After deciding to authenticate with a domain, the following technically driven 
decisions have to be made:
- Are domain users created on all clients, or can we use winbind to enforce a unified login environment? (Using winbind you can force a Linux client login event to authenticate with a Windows domain. The end result of this is that the Linux client system becomes a full member of the Windows domain.)
- Using winbind means carefully choosing some parameters, specifically the winbind separator.
- Do we authenticate with an NT4 domain or natively with an Active Directory domain? In the latter case we also need Kerberos.
Choosing to create users locally on the client means extra administrative 
overhead. In this case, when a user is added to the domain, the user ID also 
has to be added to every Linux client that the user will use to connect 
with that domain. Even though this process could be automated, it is really not 
necessary when using winbind.
Using winbind requires choosing a winbind separator. 
This is the character that separates the domain name from the user name in 
the Linux user name. For example, AD6380+Administrator is the Linux user 
name of the user Administrator in domain AD6380 when the winbind separator is 
a plus sign (+). The impact of the chosen character has to be studied in all 
applications and network services being used. Using the plus (+) character for 
separation generally is the best choice for most Linux shells and applications. 
Planning tip: Plan and test winbind and the winbind separator extensively to 
validate the setting prior to migrating clients.
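The separator testing that the planning tip calls for can start with a script like the following. It is an added example, not part of the original text: the three checks and the candidate list are assumptions chosen for illustration, and the domain and user name are the sample values used above.

```shell
#!/bin/sh
# Added example: test candidate winbind separators against three places a
# DOMAIN<sep>user name ends up on a Linux client. Sample names from the text.
DOMAIN=AD6380
USER_NAME=Administrator

# 0 if the name, typed unquoted on a command line, reaches the program unchanged.
survives_shell() {
    parsed=$(eval "printf '%s' $1" 2>/dev/null) || return 1
    [ "$parsed" = "$1" ]
}

# 0 if the name fits in one field of a colon-delimited passwd-style record.
fits_passwd_field() {
    case "$1" in *:*) return 1 ;; esac
    return 0
}

# 0 if the name can be a single path component, such as a home directory name.
fits_path_component() {
    case "$1" in */*) return 1 ;; esac
    return 0
}

# Prints a verdict for separator $1; returns 0 only if every check passes.
check_separator() {
    name="$DOMAIN$1$USER_NAME"
    survives_shell "$name"      || { echo "altered by the shell"; return 1; }
    fits_passwd_field "$name"   || { echo "clashes with passwd field delimiter"; return 1; }
    fits_path_component "$name" || { echo "clashes with path separator"; return 1; }
    echo "ok"
}

# Constructed candidate list; the backslash is Samba's default separator.
for sep in '\' '+' ':' '/'; do
    printf '%s%s%s: %s\n' "$DOMAIN" "$sep" "$USER_NAME" "$(check_separator "$sep")"
done
```

A name that the shell silently rewrites can end up in scripts, ownership changes, or access lists as a different string than the one winbind resolves, so any separator that fails a check here needs quoting rules agreed on before clients are migrated.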
In the case of authenticating natively with an Active Directory domain, Kerberos 
has to be configured as well as Samba.
 Chapter 4. Technical planning 