[Beowulf] Re: Active directory with Linux
d.love at liverpool.ac.uk
Fri Oct 24 05:48:11 PDT 2008
Chris Samuel <csamuel at vpac.org> writes:
> We were trying to do that for one of our members, but
> were told by the AD admins that we could only use the
> user's credentials to bind to the AD server for queries
> as they were using lockouts on failed password attempts
> and so would not provide a "system" style account for
> queries as locking that out would stop all users from
> accessing the cluster.
I don't understand that. If you need LDAP data, as opposed to just
Kerberos authentication, and you're not allowed anonymous access to it,
you either use a `well-known' password on a special account (which
you're probably also not allowed...) or the `machine' account. The
latter is what you get from `joining the domain' (e.g. with Samba) and,
as far as I remember, is just the system's Kerberos host principal,
whose key you stash in a keytab.
Obviously avoid AD if you can, though.
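
Added example, not part of the original post: a minimal reader for the keytab mentioned above, listing which principals (and key versions) a keytab holds without ever returning the key bytes. It assumes the MIT keytab file format version 2 (magic bytes 0x05 0x02); the host name, realm and keys in SAMPLE are constructed.

```python
import struct

def _cstr(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, kvno, enctype, key):
    """Encode one keytab v2 entry (used only to construct sample data)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    # name type, timestamp, 8-bit kvno, enctype, then the length-prefixed key
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cstr(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen               # step over the key without reading it
        if end - p >= 4:               # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def host_principals(entries):
    """Principals of the form host/<fqdn>@REALM, i.e. the machine's identity."""
    return sorted({p for p, _, _ in entries if p.startswith("host/")})

# Constructed sample keytab: hypothetical host and realm, dummy all-zero keys.
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.ORG", ["host", "node01.example.org"], 3, 23, b"\x00" * 16)
          + build_entry("EXAMPLE.ORG", ["nfs", "node01.example.org"], 2, 18, b"\x00" * 32))
```

On a real system the same function can be fed the bytes of the system keytab (commonly /etc/krb5.keytab, readable only by root) to confirm the host principal is present before configuring LDAP binds with it.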