[Beowulf] Re: Active directory with Linux

Dave Love d.love at liverpool.ac.uk
Fri Oct 24 06:01:28 PDT 2008

Prentice Bisbal <prentice at ias.edu> writes:

> The truth is that if you already have an AD installation and the AD
> controllers have Microsoft Services for Unix (MSSFU, or just SFU) 3.5 or
> later, you have everything you need to use your AD servers as Kerberos
> and LDAP masters for your Linux clients.

You only need that stuff for the NSS databases (passwd, group), not for
Kerberos.  [I never managed to get the add-on SFE stuff to install --
even after recovering from the server being 0wned whilst it was getting
security-patched -- but I guess that's not a general problem.]

> If you want to go the other way around, have Linux serve as the AD
> controllers, you'll need to use Samba, and I haven't had much success
> with it.

Samba as an actual AD controller is a Samba 4 thing, which isn't ready
yet, as far as I know -- has that changed recently?  The canonical way
to DTRT is to have a master Kerberos server in the POSIX world, which AD
trusts, and populate the POSIX and AD worlds' LDAP separately from one
or more accounts databases.  Basically you want to keep AD in its own
world, and in a network subdomain with a sensible DNS arrangement, since
AD wants to control DNS.
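An added example, not from this thread or either poster, of what that split looks like on a Linux client: the Kerberos side talks to the AD domain controllers as plain KDCs and needs nothing from SFU, while the NSS side pulls uid/gid/home/shell from the msSFU30* attributes that the SFU 3.5 schema extension adds. EXAMPLE.COM, dc1.example.com, the nssproxy bind account and the file paths are placeholders I have assumed; the nss_ldap directives are those of the PADL nss_ldap /etc/ldap.conf.

```ini
# --- /etc/krb5.conf: authentication only; nothing from SFU is needed here ---
[libdefaults]
    default_realm = EXAMPLE.COM          # assumed: the AD domain name, upper-cased
    dns_lookup_kdc = true                # find DCs through AD's _kerberos._tcp SRV records
    dns_lookup_realm = false
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com            # assumed DC hostname; list several for failover
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# --- /etc/pam.d/system-auth (fragment): password checks go to Kerberos ---
# auth  sufficient  pam_krb5.so  try_first_pass
# Check this half on its own with: kinit alice@EXAMPLE.COM && klist
# It works before any of the LDAP/NSS setup below exists.

# --- /etc/nsswitch.conf: this is the half that needs the SFU 3.5 attributes ---
# passwd: files ldap
# group:  files ldap

# --- /etc/ldap.conf (PADL nss_ldap): map POSIX names onto the SFU 3.5 schema ---
uri ldap://dc1.example.com/
base dc=example,dc=com
ssl start_tls                            # never send the bind password in clear
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem   # assumed path to the AD CA certificate
scope sub
timelimit 30
bind_timelimit 10

# AD refuses anonymous reads by default, so a bind account is needed. This file is
# world-readable, so the account must be a low-privilege read-only user (assumed name).
binddn cn=nssproxy,cn=Users,dc=example,dc=com
bindpw CHANGEME
# Lookups made by root (and by nscd, which runs as root) use this instead, with the
# password kept in /etc/ldap.secret, mode 0600:
rootbinddn cn=nssproxy,cn=Users,dc=example,dc=com

nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_group  cn=Users,dc=example,dc=com?sub

# AD objectclasses and attribute names in place of the RFC 2307 ones nss_ldap expects.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayName
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
```

Test the two halves separately: `kinit alice@EXAMPLE.COM` followed by `klist` exercises only krb5.conf and the DC's KDC, and `getent passwd alice` exercises only nsswitch.conf and the LDAP mapping; if the second fails while the first works, the problem is the SFU attributes or the bind, not Kerberos. Two caveats: the bindpw line is readable by every local user, which is why the bind account must have no rights beyond reading the Users container (running lookups through nscd keeps the root-only secret in /etc/ldap.secret instead), and on a Windows 2003 R2 or later schema the native RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) can be mapped instead of the msSFU30* ones.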

