UBM Network Computing
Security Workshop
Modular Authentication for Linux

  March 4, 2002
  By Jeremy Impson


Windows 2000 Services for Unix

We've concentrated on the authentication task, without looking closely at how to keep account management synchronized between Linux and Microsoft Windows. Not surprisingly, this is a difficult task. One important feature of Active Directory that helps here is its LDAP interface.

In theory, Linux could use the LDAP interface to obtain account information. In practice, however, this is less than useful. PAM has a module called pam_ldap that can use an LDAP directory, but it expects certain attributes that aren't available by default in Active Directory's LDAP interface. The default Active Directory schema is not immediately useful for a Unix host, because it has no concept of Unix groups, user IDs, group IDs or even Unix password hashes.
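The schema gap described above can be checked directly. This added example, which is not part of the original article, parses an LDIF export and reports which entries lack the Unix account attributes a host would need. The attribute list (the mandatory attributes of RFC 2307's posixAccount class) and the sample entries are assumptions; the article does not name the attributes pam_ldap expects.

```python
import base64

# Assumption: mandatory posixAccount attributes from RFC 2307 (case-insensitive).
REQUIRED = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample export, not taken from a real directory.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
objectClass: user
cn: Alice Example
sAMAccountName: alice

dn: CN=Bob Example,CN=Users,DC=example,DC=com
objectClass: posixAccount
cn:: Qm9iIEV4YW1wbGU=
uid: bob
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/
 bob
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def audit(text):
    """Map each entry's DN to the RFC 2307 attributes it lacks."""
    return {e["dn"][0]: [a for a in REQUIRED if not any(e.get(a.lower(), []))]
            for e in parse_ldif(text)}


if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

An entry with an empty list carries everything a Unix host needs for an account lookup; the first sample entry, which has only default-style attributes, does not.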

To do this properly, we would install Microsoft's Windows 2000 Services for Unix (SFU) on the PDC, which is an add-on product and is usually purchased separately.

But we need to be concerned about the effect this will have on our PDC. SFU bolts onto an Active Directory domain by installing the domain on the PDC. Once installed, the domain modifies the directory schema to make it more Unix-friendly. (In theory, one could modify the directory by hand.)

SFU provides more than schema changes. It also would let us fall back to the standard mechanism for large-scale account management in Unix, known as NIS (Network Information Services).

Besides the schema enhancements and an NIS service, SFU provides other services, such as client, server and gateway for NFS; user-name mapping; server for NFS authentication; password synchronization; ActiveState ActivePerl; and some Unix utilities.

Also note that if this article were being written six months from now, a major part of it probably would cover something called winbind. It comes from the Samba project, and its goal is to let Linux and other Unix platforms be first-class citizens in a Windows domain. By first-class citizen, we mean it will allow users with valid user IDs in the domain to log into the Unix platform, with that platform never previously knowing anything about that user. The Unix box queries all relevant information from the domain, creates a local user and lets the user in. When user accounts are deleted from the domain, they get deleted from the Unix platform. Winbind exists and works, but it isn't yet ready for production use. See http://www.samba.org for more information.

