[KLUG Members] LDAP and Active Directory

Adam Tauno Williams members@kalamazoolinux.org
Tue, 11 Dec 2001 16:38:31 -0500 (EST)


>I have on my practice network, a Windows 2000 Server and a Linux box 
>running roughly SuSE 7.1.  I would like the Linux box to act like an
>Active Directory Domain Controller and synchronize with the 2000 server. 
>Since Active Directory sits on top of LDAP and Kerberos, and both of the 
>above can run on Linux, I think this should be possible, but I have almost 

One would think it would be.  But one must distinguish between LDAP and M$-LDAP
as well as Kerberos (MIT) and M$-Kerberos.

1. Kerberos defined an empty field in the ticket for use in the future. 
M$-Kerberos uses this standard empty field (which isn't so bad) but it stuffs a
proprietary PAC in there.  And it refuses to document what this PAC means, and
it only means things to M$-WinY2k and higher anyway.  A Linux KDC (Kerberos
Server) obviously can't manage the PAC so, while it will work for a WinY2k to
join a "UNIX" Kerberos Domain, you will need to manually create local users on
each workstation and associate them with the principal.  Very ugly.  A Linux
box can join a WinY2k Kerberos domain, no problems there (oh, yipeee....)

2. Active Directory is only sort of an LDAP server.  It provides LDAP protocol
access to ***SOME*** of its data structures.  It handles replication via its
own proprietary protocol.  So while OpenLDAP will replicate and chat with
Novell NDS, Netscape server, IBM's LDAP server, etc...  you can't really do all
that much with Active Directory.  Client side PAM and NSS support AD, but you
need to tweak AD to get even that to work.

>no idea how to make it work.  Dynamic DNS is running on the Linux server,
>and appears to be taking updates from the Windows machine, but that's as far

Yes, bind and M$-DNS do work perfectly.  In fact, M$'s push on the use of SRV
records is a GREAT thing and a good idea.  Kudos to them, those frumpy UNIX
guys were just sitting there like dolts, happily twiddling millions of little
text files.

>as I've gotten.  Anybody else out there tried a stunt like this, or have 
>suggestions on how to make it happen?  

M$'s tech notes website has several interesting documents concerning this
topic, primarily concerning mixed Kerberos networks.  I'll send you the URLs if
you're still interested in chasing this down.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW
Grand Rapids, MI. 49505
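The message above praises Active Directory's use of SRV records: a domain-joined client finds its domain controllers and KDCs by querying names like `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._udp.<domain>` rather than by consulting hand-maintained host lists. The following is an added example, not code from the post or from any of the products it mentions; it parses a constructed, dig-style SRV answer section (the `example.test` domain and `dc1`..`dc3` hostnames are placeholders, and no network lookup is made) and orders the targets the way RFC 2782 prescribes, lower priority first and weighted random choice within a priority.

```python
"""Pick a domain controller from DNS SRV records, ordered per RFC 2782.

Added example, not part of the original mailing-list post.  The answer
section below is constructed to look like `dig SRV` output; the domain
and hosts are placeholders and nothing is resolved over the network.
"""
import random
from dataclasses import dataclass

# Constructed data: what a lookup of the AD locator names might return.
CONSTRUCTED_ANSWER = """\
; constructed answer section, not a real zone
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc2.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 10 0  389 dc3.example.test.
_kerberos._udp.example.test.       600 IN SRV 0 100 88  dc1.example.test.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(answer: str) -> list:
    """Parse dig-style lines; comments and non-SRV records are skipped."""
    records = []
    for line in answer.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Expected layout: name TTL class type priority weight port target
        if len(fields) != 8 or fields[3].upper() != "SRV":
            continue
        name, _ttl, _cls, _type, prio, weight, port, target = fields
        records.append(SrvRecord(name.rstrip("."), int(prio), int(weight),
                                 int(port), target.rstrip(".")))
    return records


def order_targets(records, rng) -> list:
    """Return (target, port) pairs in RFC 2782 order.

    Priorities are tried lowest first.  Within one priority, zero-weight
    entries are placed first, a number in [0, sum of weights] is drawn,
    and the first entry whose running weight sum reaches it is chosen;
    weight 0 therefore wins only when the draw is exactly 0.
    """
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)

    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            pool.sort(key=lambda r: r.weight == 0, reverse=True)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append((chosen.target, chosen.port))
            pool.remove(chosen)
    return ordered


def locate_service(answer: str, name: str, seed=None) -> list:
    """Ordered (host, port) list for one SRV owner name, e.g. the AD DC locator."""
    wanted = name.rstrip(".")
    matching = [r for r in parse_srv(answer) if r.name == wanted]
    return order_targets(matching, random.Random(seed))


if __name__ == "__main__":
    for host, port in locate_service(CONSTRUCTED_ANSWER,
                                     "_ldap._tcp.dc._msdcs.example.test"):
        print(f"try LDAP on {host}:{port}")
    for host, port in locate_service(CONSTRUCTED_ANSWER,
                                     "_kerberos._udp.example.test"):
        print(f"try KDC on {host}:{port}")
```

Run as a script it prints the two equal-weight controllers in a random order followed by the priority-10 fallback, then the single KDC. The point a defender should take from the ordering logic is that a client follows whatever the zone says: if dynamic updates to the `_msdcs` names are not restricted to the domain controllers themselves, anyone who can register an SRV record at a lower priority number becomes the first LDAP or Kerberos server clients contact, so the update ACLs on these locator names deserve the same scrutiny as the controllers they point at.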