FYI: As per Bryan J. Smith (btw thanks), he pointed me to a nice article, which prompts me to revise our 4-year-old winbind setup. I have yet to figure out if I can use multiple domains and subdomains, run this on older RHEL4u4 and 4u6, and have a complete scripted approach with no Windows intervention.

For those who have a less complex setup, please visit the link below:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html

Regards
ilya

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Musayev, Ilya
Sent: Wednesday, April 13, 2011 4:58 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] AD integration

We are using winbind. It's true that it's not stable, but we added "monit" daemon monitoring of the process with a bunch of queries, and if it finds problems with the winbind daemon, it will delete the cached files and restart winbind. Once this was set up and deployed, the winbind auth issues were gone, and I'm talking about a very large environment. In the past year+ I haven't had to fix a single winbind Linux auth issue.

The other reason why we did not use LDAP+Kerberos is that, from what I recall, it did not have a concept of domain trust. If you have multiple domains and you need your users to authenticate against multiple domains, it seems like winbind is the only free/open-source solution that supports it.

If your setup is simple with 1 domain, LDAP+Kerberos is your best bet. Otherwise, I'd consider winbind.

Good luck
-ilya

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Domenico Viggiani
Sent: Wednesday, April 13, 2011 5:32 AM
To: 'Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list'
Subject: Re: [rhelv5-list] AD integration

Troels Arvin wrote:
> > Winbind is not the most stable thing I've come across
> > ..
> > So winbind is not without pain, but I couldn't get the other built-in
> > method (using a combination of LDAP and Kerberos, but not winbind) to
> > work well. And a third party tool that we used (Centrify) is too much
> > of a hassle, being a ... well ... exactly a 3rd party tool (no
> > automatic updates, less well-known by search engines, no Red Hat
> > support, ...)

My experience with LDAP+Kerberos (without Winbind) was successful: no problem at all, "emergency" (no network, no auth servers available) login possible, etc.

--
DV

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
