A little history lesson:
- My goal was single sign-on for our Linux, OS X and Windows boxes
- It did not work very well
- So I turned it off and forgot about it. Or better: I left it in its sort-of-working state until I had to upgrade SASL for Cyrus Imapd, which in turn brought the OpenLDAP replica server into a state where it would consume 100% of CPU time and not respond to any requests. This is where I gave up. Talk about DLL hell ;-)
Then came the time of our Exchange trial, which turned out to work quite nicely.
And finally, yesterday, Jonas asked for a shell account on one of the Linux boxes. Samba access was already working (by using security = domain and password server = * in smb.conf). This is where I really wanted to rethink the whole single-sign-on thing, all the more because I really want to create users just once, so I don't forget to remove them in different places should I have to remove (or disable) one once in a while.
LDAP was not an alternative (as you can read here on gnegg.ch).
I hadn't tried out winbind back then; that is what I set up this morning.
And it's funny: it just worked. First I joined the Samba servers to the ADS domain following this guide. No problems (which I could not believe at first). Then I followed this guide and the manpage of smb.conf to get winbind to work, and as before: it runs flawlessly (after adding UsePAM yes to sshd.conf). Even more interesting: here on the Gentoo box where I tried this out first, it worked even without any PAM configuration at all.
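For reference, here is what the winbind setup described above looks like written out. This is an added example, not the configuration from this post or from the guides it links to; the realm EXAMPLE.LOCAL, the workgroup EXAMPLE, the domain group linux-shell-users and the UID/GID range are assumptions to be replaced with your own. Note that it uses security = ads (Kerberos against the AD domain controller) instead of the security = domain the post mentions, which only does the older NT4-style domain trust, and that it uses the idmap config syntax of current Samba releases.

```ini
# /etc/krb5.conf (assumed realm; the KDC is found via DNS SRV records)
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = true

# /etc/samba/smb.conf
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    # 'ads' joins with Kerberos; 'domain' (as in the post) is the
    # NT4-style NTLM trust and does not use Kerberos at all.
    security = ads
    # '*' locates the domain controller via DNS instead of a fixed name.
    password server = *
    # Map domain SIDs to a fixed UID/GID range (assumed range).
    # Keep it clear of local accounts in /etc/passwd so a domain
    # user can never alias a local one.
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    # Let users log in as 'jonas' rather than 'EXAMPLE\jonas'.
    winbind use default domain = yes
    # Enumeration is convenient but expensive in large domains;
    # getent passwd without it still resolves single names.
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

# /etc/nsswitch.conf - add winbind as a source for passwd and group lookups
passwd: files winbind
group:  files winbind

# /etc/security/pam_winbind.conf - restrict shell logins to one domain
# group, otherwise every domain account that can use Samba can also ssh in
[global]
    require_membership_of = EXAMPLE\linux-shell-users

# /etc/ssh/sshd_config - hand authentication to PAM, and so to pam_winbind
UsePAM yes
```

The procedure is then: `net ads join -U Administrator` (prompts for the domain admin password and creates the machine account), start winbindd, `wbinfo -t` to verify the machine trust secret, `wbinfo -u` to list domain users, and `getent passwd jonas` to confirm that NSS resolves a domain account to a UID in the configured range. pam_winbind has to be in the PAM stack of the sshd service for password logins to work (most distributions' PAM tooling adds it); without it, sshd will see the user via NSS but has no way to verify the domain password.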
Nice.
What do I have?
I can manage my users in a central place, this time on the Windows server with quite good-looking GUI tools. This is what I've always wanted to do. Nothing more, nothing less.
I'm a bit afraid of trying to configure our Mac OS X computer, but we'll see.
Very nice and satisfying.