Hi stroller, that was actually interesting, but it didn't help me much... I do not manage the network, nor do I have any knowledge of its workings. I asked the help desk guys to help out, but all they managed was to get me someone who knew how, after 2 hours' work, to mount the directories I needed manually. If I were to ask them I would have to be sure I knew the area quite well, so that I could correctly describe to the Microsoft-trained network administrators what I want. If you could point me to an article of any kind (or to the relevant part of Samba's huge documentation) I would be very grateful. Thanks.

On Fri, Aug 8, 2008 at 2:42 PM, Stroller wrote:
>
> On 7 Aug 2008, at 23:04, Andrey Falko wrote:
>
>> ...
>> As far as I know, don't take my word for it, in order to use Active
>> Directory on a GNU/Linux host, you need to set up LDAP and have it talk
>> to AD. Unfortunately I don't know how to do this, perhaps this will
>> help: http://www.linux.com/articles/40983 .
>>
>
> Hi there,
>
> I understood Active Directory to be Microsoft's implementation of LDAP +
> extensions. Or maybe it's Microsoft's entirely own way of doing a
> directory service, with LDAP support bolted on afterwards. Anyway, yes,
> Linux hosts should indeed be able to talk LDAP to an AD server.
>
> On a domain that I manage we authenticate over Samba instead. I can't
> entirely recall why I chose this method instead of AD, but I'm pretty sure
> there were good reasons for it at the time. Once Samba is configured to
> do winbind - it obviously needs to know the name of the domain server &c -
> one installs the PAM winbind module and references it in /etc/pam.d/ for any
> Linux services one wishes to authenticate off the Windows server. Samba
> then, presumably, acts as a client to the domain server and says "user X,
> hash(password Y) wants to log on, is this ok?"; PAM passes the response back
> to the service the user is trying to use.
>
> I think winbind alleviates some need to deal with Active Directory. I
> really know nothing about AD - all I have to do is log on to the Windows
> server (SBS 2003) and add a user to the domain in the Server Management For
> Idiots program Microsoft so kindly provides. The user is able to
> authenticate on the Linux box immediately after restarting Samba (and the
> restart is probably only required because I've fouled up the caching
> configuration, or something). I also use pam_mkhomedir so that when the user
> logs on to IMAP for the first time ~ is automagically created; I had to
> reject Courier-IMAP in favour of Dovecot in order to be able to do this, as
> IIRC Courier doesn't use the PAM type "session", and that's required to make
> pam_mkhomedir work (Dovecot doesn't actually need to use this type, but adds
> an option to open a PAM session specifically to enable mkhomedir to be used.
> This is a requirement of pam_mkhomedir, NOT pam_winbind).
>
> What I have enjoyed about winbind is that it has (so far!) made adding
> additional services easy. I needed to run an ftp server (allow only
> 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation plugin
> could upload the users' vacation messages to their homedirs. To get the ftp
> service (net-ftp/vsftpd) to authenticate off the same credentials was as
> easy as copying the PAM settings for the already-working IMAP server to
> /etc/pam.d/ftp (although I see that each is "sufficient" instead of
> "required" in this case). I was quite surprised it worked so easily, quickly
> and smoothly. Anyway, any user can sit at their Windows workstation,
> CTRL-ALT-DEL and change their password and the IMAP server will now respect
> their new credentials, which is the important thing (for me).
>
> Stroller.
>
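The winbind + PAM setup Stroller describes, written out as an added example (this is not Stroller's configuration and not from the original thread): a minimal smb.conf for an AD member server, the PAM stack that a service such as imap or ftp would get under /etc/pam.d/, the nsswitch lines that let the box see domain users, and a small check that the PAM stack has the pieces the thread says matter (a pam_winbind auth line and a pam_mkhomedir session line). The domain name EXAMPLE / EXAMPLE.LOCAL, the idmap range, the paths and the service name "domain-service" are assumptions; the script writes under a directory you pass it so it can be run without touching /etc.

```shell
#!/bin/sh
# Added example (not from the original thread): Samba/winbind + PAM layout for
# letting Linux services authenticate against an AD domain, plus a sanity check
# of the resulting PAM stack. Domain, idmap range and paths are assumptions.
set -eu

# Write the config fragments under $1 (use "/" on a real host; pass a scratch
# directory to preview them).
write_winbind_configs() {
    root="$1"
    mkdir -p "$root/etc/samba" "$root/etc/pam.d"

    # smb.conf: join as an AD member (security = ads uses Kerberos; the older
    # NT-style alternative is security = domain with "net rpc join").
    cat > "$root/etc/samba/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    # Map domain SIDs to local uids/gids from a fixed range that cannot
    # collide with accounts in /etc/passwd.
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    template shell = /bin/sh
    template homedir = /home/%U
EOF

    # PAM stack shared by every service that should accept domain credentials;
    # copy it to /etc/pam.d/<service> (imap, ftp, ...) as the thread does.
    cat > "$root/etc/pam.d/domain-service" <<'EOF'
# Try the domain first; a local /etc/passwd account still works as fallback.
auth     sufficient pam_winbind.so
auth     required   pam_unix.so try_first_pass
account  sufficient pam_winbind.so
account  required   pam_unix.so
# pam_mkhomedir only runs if the service opens a PAM *session* (see thread);
# umask=0077 keeps freshly created home directories private to the user.
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_unix.so
EOF

    # nsswitch: let getent/uid lookups see domain users, which pam_mkhomedir
    # needs in order to know whose ~ to create.
    cat > "$root/etc/nsswitch.conf" <<'EOF'
passwd: files winbind
group:  files winbind
shadow: files
EOF
}

# Return 0 if the PAM file at $1 has a winbind auth line and a required
# pam_mkhomedir session line; otherwise ~ is never created on first login.
check_pam_stack() {
    f="$1"
    grep -Eq '^auth[[:space:]]+(sufficient|required)[[:space:]]+pam_winbind\.so' "$f" || return 1
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$f" || return 1
    return 0
}

# On the real host, after installing the files into /etc:
#   net ads join -U Administrator      # join the domain (needs working DNS + Kerberos)
#   /etc/init.d/winbind restart        # or: systemctl restart winbind
#   wbinfo -t                          # machine trust account secret OK?
#   wbinfo -u                          # domain users enumerated?
#   getent passwd someuser             # NSS resolves the domain user?
#   wbinfo -a 'someuser%password'      # plaintext + NTLM auth via winbindd
```

Usage: `write_winbind_configs /tmp/preview && check_pam_stack /tmp/preview/etc/pam.d/domain-service`. Two caveats a practitioner would want: `winbind enum users/groups = yes` makes `getent passwd` list every domain account and gets slow on large domains, so turn it off once things work; and because the service's PAM file decides who may log in, any service given this stack (the ftp server in the thread, for instance) accepts every domain account, so keep such services bound to 127.0.0.1 or add an `account required pam_listfile.so` / group restriction if only some users should reach them.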