[olug] local groups and Active Directory

Phil Brutsche phil at brutsche.us
Tue Feb 13 09:15:04 UTC 2007

Sean Kelly wrote:
> I know very little about this, but supposedly a lot of this was 
> supposed to be rolled into Windows 2003 R2. Anybody have any 
> specifics on what R2 provides in this area?

SFU is bundled with R2 as an add on.

Windows Server 2003 R2 is 2 disks:

Disk 1 = Server 2003 SP1
Disk 2 = the add-ons (the enhanced R2 DFS, SFU, etc)

> I'm not a big fan of winbindd. We have it on some systems at work, 
> and the thing seems to explode quite often, leaving the machine with 
> only local user awareness.

Similar to my experience. Reportedly the latest revisions behave better.

Either way, winbindd is an added level of complexity that isn't necessary.

> Not entirely good for a web server with user pages on it where the 
> users come from AD... I would encourage the SFU route, with a dash of
> Kerberos to do the actual password authentication part.

You could argue that kerberizing your web server doesn't gain you much
unless your web browser has a ticket from one of the KDCs in your realm.

> I know FreeBSD now has nss_ldap/pam_ldap. I can login to one of my
> FreeBSD desktops at work using my AD credentials becuase of pam_krb5
> as well.

Last I looked (FreeBSD 6.0) nsswitch was statically linked with libc
(aka no possibility of a dynamically loaded nss_ldap) and your choices
were the traditional /etc/passwd and NIS; NetBSD and OpenBSD were even
farther behind (aka somewhere on the "it would be nice to have" list).


Phil Brutsche
phil at brutsche.us

More information about the OLUG mailing list