[olug] Experience with joining (without Likewise) to Win2000 / Win2003r1 Windows Active Directory.

Rob Townley rob.townley at gmail.com
Mon Aug 18 20:14:28 UTC 2008


First, this is on topic because joining Linux boxes to Active Directory is
often a requirement in order to get mass deployment of Linux at work. Mass
deployment is what we are after, right? Otherwise, there are too many
passwords to remember for a sysadmin, let alone novices. Feel free to
express any of your own views, such as that it is better to use different
passwords, but I don't see changing my mind because I am after mass
deployment. I would like to have a meeting solely for WinAD join and
authentication issues. Some talking points would be listed below.

Second, I have some doubts this will work a month from now. For about the
last 2 years, I have joined several CentOS and OpenSUSE machines to AD and
logged on using AD credentials. The list of steps had about 30 or 40
entries, so it took a long time. However, this would stop working after
reboot, stop working a few days later, and never work longer than a month.
However, after finding strange entries in AD's dnsHostName and
servicePrincipalName and then using ADExplorer.exe to fix them, I have much
more hope than in the past. I also know better now to never use two NICs
when joining and using ADS without extreme caution.

Third, does your /etc/hosts file contain
"127.0.0.1        localhost.localdomain localhost hostname"
where hostname is replaced with your real hostname? All of our Windows
machines, including our DNS servers, simply have "127.0.0.1 localhost".
Isn't it pretty much required for Linux DNS server machines? All of my
Linux DNS servers seem to need hostname first. When it gets joined to AD,
however, the servicePrincipalName and dNSHostName both contain
localhost.localdomain. DNS will have the correct information, but LDAP
doesn't.

Fourth, how many of you DNS server admins use MixedCaseDomainNames.COM, and
is it still a problem? I have had to add a bunch more entries to
/etc/krb5.conf because I set up Windows DNS using Hungarian-notation
mixed-case names. But this doesn't seem to be as bad as it used to be.

Fifth, authentication mechanism requirements, encryption level and so on.
LDAP sign and seal.
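The third and fourth talking points above (a short hostname that canonicalises to localhost.localdomain through /etc/hosts, and mixed-case DNS names that need extra [domain_realm] entries in /etc/krb5.conf) can both be checked before a join. The following pre-join checker is an added example written for this archive page; it is not code from the post or from Samba, and it emulates rather than calls the real resolver. It assumes that the join tool takes the host's canonical name from /etc/hosts the way glibc does (first matching line wins, first name on that line is the canonical name) and that the Kerberos library looks up [domain_realm] keys in lowercase; the hosts and krb5.conf samples, the host name `fileserv` and the domain `Corp.Example.COM` are constructed.

```python
"""Pre-join sanity checks for a Linux host headed for an AD domain.

Constructed example, not from the OLUG post. Two lookups are emulated:
  * /etc/hosts resolution of the short hostname: glibc returns the first
    matching line, and the first name on that line is the canonical name,
    which is what ends up in dNSHostName / servicePrincipalName (assumption);
  * the [domain_realm] section of /etc/krb5.conf, whose keys are assumed
    to be matched in lowercase against the (lowercased) host name.
"""
import re
from typing import Dict, List, Optional


def canonical_name(hosts_text: str, name: str) -> Optional[str]:
    """Return the canonical name /etc/hosts gives `name`, or None if absent."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        names = line.split()[1:]                   # field 0 is the address
        if any(n.lower() == name.lower() for n in names):
            return names[0]                        # first name on the line wins
    return None


def check_hosts(hosts_text: str, hostname: str, fqdn: str) -> List[str]:
    """Problems that would make the join register the wrong host name."""
    problems: List[str] = []
    canon = canonical_name(hosts_text, hostname)
    if canon is None:
        problems.append(f"{hostname} is not present in /etc/hosts")
    elif canon.lower() == "localhost.localdomain":
        problems.append(f"{hostname} canonicalises to localhost.localdomain; "
                        "dNSHostName/servicePrincipalName would be registered as that")
    elif canon.lower() != fqdn.lower():
        problems.append(f"{hostname} canonicalises to {canon}, expected {fqdn}")
    return problems


def domain_realm_map(krb5_text: str) -> Dict[str, str]:
    """Parse the [domain_realm] section of a krb5.conf into {domain: REALM}."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key] = value
    return mapping


def check_krb5(krb5_text: str, dns_domain: str, realm: str) -> List[str]:
    """Problems with the DNS-domain-to-realm mapping for `dns_domain`.

    Both the bare domain and the leading-dot wildcard form are required,
    as lowercase keys, and must map to the upper-case realm name."""
    problems: List[str] = []
    mapping = domain_realm_map(krb5_text)
    for key in (dns_domain.lower(), "." + dns_domain.lower()):
        got = mapping.get(key)
        if got is None:
            problems.append(f"[domain_realm] lacks a lowercase entry for {key}")
        elif got != realm.upper():
            problems.append(f"{key} maps to {got}, expected {realm.upper()}")
    return problems


# Constructed sample files (not taken from any real host).
HOSTS_BAD = "127.0.0.1        localhost.localdomain localhost fileserv\n"
HOSTS_GOOD = ("127.0.0.1 localhost.localdomain localhost\n"
              "192.0.2.10 fileserv.corp.example.com fileserv   # constructed\n")
KRB5_MIXED_ONLY = ("[libdefaults]\n    default_realm = CORP.EXAMPLE.COM\n"
                   "[domain_realm]\n    .Corp.Example.COM = CORP.EXAMPLE.COM\n")
KRB5_OK = KRB5_MIXED_ONLY + ("    .corp.example.com = CORP.EXAMPLE.COM\n"
                             "    corp.example.com = CORP.EXAMPLE.COM\n")

if __name__ == "__main__":
    for label, hosts in (("bad", HOSTS_BAD), ("good", HOSTS_GOOD)):
        print(label, check_hosts(hosts, "fileserv", "fileserv.corp.example.com"))
    for label, krb in (("mixed", KRB5_MIXED_ONLY), ("ok", KRB5_OK)):
        print(label, check_krb5(krb, "Corp.Example.COM", "corp.example.com"))
```

Run against the real files with `open("/etc/hosts").read()` and `open("/etc/krb5.conf").read()`; an empty list from both checks means the host name and realm mapping are at least self-consistent before `net ads join` is attempted, and a non-empty list names exactly which entry to fix rather than leaving it to be discovered in AD afterwards.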