One of the problems with running a network that contains both Linux and Windows systems is maintaining multiple account databases. One way to integrate these disparate systems is to use the Windows account database maintained on a Windows NT domain controller (or a Windows Active Directory controller or a Samba server) for both Windows and Linux systems. Unifying accounts is fairly easy for the Windows systems, but for Linux, you must make several configuration changes. However, the result can work reasonably well, and greatly simplifies cross-platform account maintenance.
Tuesday, February 1st, 2005
Before proceeding further, be aware that modifying how Linux deals with accounts can be dangerous. A mistake can make it impossible to log in, even as root! When changing Linux accounts, it’s best to leave a root login running at all times on a virtual terminal or from a remote system. Moreover, always save a copy of each system configuration file before making any changes. That way, you can undo any mistakes you might make.
What Does Winbind Do?
Linux authentication is multi-layered. Two components are particularly important:
* The Pluggable Authentication Modules (PAM) system is a way to modularize password verification, account setup, and similar features. Using PAM, programs that need to authenticate users (such as the login tool) call PAM rather than checking /etc/passwd themselves. With PAM acting as a layer of abstraction, you can reconfigure PAM to use a new authentication tool (such as an NT domain controller rather than /etc/passwd and /etc/shadow) without modifying any user programs.
* The Name Service Switch (NSS) system verifies the existence of an account (among other things). By telling NSS to use an NT domain controller, you won’t need to maintain non-password account information in /etc/passwd. If NSS doesn’t know about the NT domain controller, PAM could still use the domain controller for authentication, but you’d still need valid account data in /etc/passwd, even if you didn’t store passwords locally.
Winbind is a set of libraries that works with PAM…
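The precautions above (copy every configuration file first, and keep local accounts usable while NSS is pointed at a domain controller) can be scripted. This is an added example, not code from the article; the "winbind" NSS source name, the nsswitch.conf syntax, and the paths in the usage comment are assumptions based on standard glibc and Samba conventions, and the "local source first" rule is this example's own policy.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the standard glibc/Samba
# names: /etc/nsswitch.conf syntax and the "winbind" NSS source.

# backup_configs DEST FILE...
# Copy each existing FILE to DEST/<name>.orig, keeping mode and timestamps.
backup_configs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1    # keep the copies private
    for f in "$@"; do
        [ -f "$f" ] || continue      # skip files this system does not have
        cp -p "$f" "$dest/$(basename "$f").orig" || return 1
    done
    return 0
}

# check_nsswitch FILE
# Succeeds only if the passwd and group lines both name a local source
# ("files" or "compat") before "winbind", so local accounts such as root
# are answered from local files without waiting on the domain controller.
# A missing line is reported too, so the lookup order is always explicit.
check_nsswitch() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "passwd:" || $1 == "group:" {
            seen[$1] = 1; state = "missing"
            for (i = 2; i <= NF && state == "missing"; i++) {
                if ($i == "files" || $i == "compat") state = "ok"
                else if ($i == "winbind") state = "winbind_first"
            }
            if (state != "ok") {
                printf "%s no local source before winbind (%s)\n", $1, state > "/dev/stderr"
                bad = 1
            }
        }
        END {
            if (!("passwd:" in seen) || !("group:" in seen)) bad = 1
            exit (bad ? 1 : 0)
        }'
}

# Typical use, as root, before and after editing (paths are assumptions):
#   backup_configs /root/pre-winbind /etc/nsswitch.conf /etc/pam.d/*
#   ...edit...
#   check_nsswitch /etc/nsswitch.conf || echo "fix before logging out"
```

Run the check from the root session you kept open, so a failed result can be corrected from the saved copies before anyone logs out.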