When using Windows AD to authenticate users on Linux servers is there an advantage to using Winbind and "Joining the Domain" over just authenticating via Kerberos and looking up UID,GID, home dir, etc in LDAP?

fred

3 Answers

Yes, Winbind automates setting up the object in Active Directory. I've tried setting up Kerberos to authenticate against AD manually, and it's awful. Lots of obscure commands on the Windows command line, and AD Unix extensions are needed. I never did get it to work, and the AD Unix extensions are deprecated for AD after Windows 2012.

More recently, realmd will integrate Linux servers into AD much more easily. It sets up SSSD and Kerberos locally, and it creates all of the necessary objects in AD. I've used it to integrate Ubuntu, CentOS, and Fedora in an AD domain, and it works really well. CentOS and Fedora were seamless, and Ubuntu works well after all of the necessary configuration steps were ironed out.

realmd: https://freedesktop.org/software/realmd/

quinnr

You'd still need to be querying your AD for the appropriate unix attributes with or without Kerberos. Kerberos will give you SSO (if you use the same credentials to log onto your Linux servers as you do to log into your Windows workstation.)

And at least on Windows workstations, if you compare it with SSH agents available on Windows, you would find that SSH agents on that platform don't do particularly secure things with private keys (e.g. removing them after a period of idle time, or when the screen locks, etc.)

Cameron Kerr

Active Directory does not allow anonymous LDAP bind by default. Joining a host to the domain makes the host "trusted", so it can access domain resources (such as LDAP) with its own credentials.

This doesn't translate to a lot if you allow anonymous bind in AD.

Andy
  • Does using `pam_krb5` to authenticate users with Kerberos rely on anonymous bind? It does not require the host to be joined to the domain. – reinierpost Jun 01 '22 at 09:52
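The two answers above describe the same trade-off from different angles: a joined host (realmd/SSSD with the AD provider, or a plain LDAP provider bound with the host keytab via GSSAPI) can query AD's LDAP with its own machine credentials, while an unjoined Kerberos-plus-LDAP setup has to bind either anonymously (which AD disables by default) or with a service account whose password sits in the config file. The script below is an added example written for this page, not code from the thread or from the realmd/SSSD projects; it classifies how a given `sssd.conf` domain section binds to LDAP for identity lookups and flags a cleartext service-account secret. The four sample configurations are constructed (the joined one mirrors the options realmd writes after `realm join`, the domain `example.internal` and every account name are made up), and the classification rule is an assumption of this example, not an SSSD feature.

```shell
#!/bin/sh
# classify_ldap_bind: read an sssd.conf on stdin and print how the [domain/...]
# section authenticates to the directory for UID/GID/home lookups.
# Output is one of: host-keytab | service-account | service-account-cleartext-secret | anonymous
# (Hypothetical helper written for this example; the rule is our assumption.)
classify_ldap_bind() {
    awk '
        # Section headers: only keys inside a [domain/...] section count.
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        !in_domain || /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
        {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = val
        }
        END {
            idp  = tolower(cfg["id_provider"])
            mech = toupper(cfg["ldap_sasl_mech"])
            # The AD provider binds with the machine keytab; a plain LDAP provider
            # does the same only when SASL/GSSAPI is configured explicitly.
            if (idp == "ad" || (idp == "ldap" && mech == "GSSAPI"))
                print "host-keytab"
            else if (cfg["ldap_default_bind_dn"] != "") {
                if (cfg["ldap_default_authtok"] != "" &&
                    tolower(cfg["ldap_default_authtok_type"]) != "obfuscated_password")
                    print "service-account-cleartext-secret"
                else
                    print "service-account"
            } else
                print "anonymous"   # only works if AD allows anonymous bind
        }
    '
}

# Constructed sample 1: what realmd writes for a joined host (AD provider).
JOINED_CONF=$(cat <<'EOF'
[sssd]
domains = example.internal
config_file_version = 2
services = nss, pam

[domain/example.internal]
ad_domain = example.internal
krb5_realm = EXAMPLE.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
)

# Constructed sample 2: Kerberos auth + LDAP lookups, host keytab used for the bind.
GSSAPI_CONF=$(cat <<'EOF'
[domain/example.internal]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.INTERNAL
ldap_uri = ldap://dc1.example.internal
ldap_search_base = dc=example,dc=internal
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.example.internal@EXAMPLE.INTERNAL
ldap_krb5_keytab = /etc/krb5.keytab
EOF
)

# Constructed sample 3: unjoined host using a read-only service account (password in cleartext).
SVC_CONF=$(cat <<'EOF'
[domain/example.internal]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.INTERNAL
ldap_uri = ldap://dc1.example.internal
ldap_search_base = dc=example,dc=internal
ldap_default_bind_dn = cn=sssd-ro,ou=Service Accounts,dc=example,dc=internal
ldap_default_authtok = ExamplePassw0rd
EOF
)

# Constructed sample 4: unjoined host relying on anonymous bind.
ANON_CONF=$(cat <<'EOF'
[domain/example.internal]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.INTERNAL
ldap_uri = ldap://dc1.example.internal
ldap_search_base = dc=example,dc=internal
EOF
)

for name in JOINED_CONF GSSAPI_CONF SVC_CONF ANON_CONF; do
    eval "conf=\$$name"
    printf '%-12s -> %s\n' "$name" "$(printf '%s\n' "$conf" | classify_ldap_bind)"
done
```

Run it against a real file with `classify_ldap_bind < /etc/sssd/sssd.conf`. The `anonymous` result is the case Andy's answer warns about: lookups will fail unless anonymous bind has been enabled on the domain controllers, and `service-account-cleartext-secret` shows the price of staying unjoined, a directory password readable by anyone who can read the config file.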