[Samba] Authenticating Linux boxes against Active Directory, using Samba as a sort of AD Proxy

[Alex Davies]

Hi Everyone,

I'm trying to find a open source solution to authenticate a bunch of
Linux machines (and, ideally, network devices etc.) against Active
Directory, as unfortunately in our organization this is the primary
source of account data. The complication we have is that my
organization has more than one Active Directory Domain, each hosted on
its own collection of domain controllers. This breaks every technique
i've found for authenticating Linux machines directly against AD. In
Windows, users select the relevant domain when they login to a PC and
everyone is happy [there is a trust relationship between our domains].

The current setup is Fedora Directory Server, and passsync on all our
(very very many) domain controllers with multiple replication
agreements (one per AD domain). This seems to work - most of the time
- and we then used NIS netgroups to authenticate access to machines.

This is a giant mess; adding a machine or user takes a very long time
and requires changes in three places. We are unable to get a FDS
replica to actually work. A small but significant number of password
changes do not sync AD->LDAP. If a user is disabled in AD, this does
not appear in FDS. I could go on, but the summary is we really really
hate this setup and are looking to improve it!

I played with Samba many years ago but am aware that in recent years
it has come along significantly. I know that it can become a Domain
Controller (and, therefore, presumably get hold of users password
hashes) but can I trivially authenticate Linux machines against this
machine? Ideally without installing anything on a base RHEL machine,
but I can install something if required.

Any help/advice/comments would be greatly appreciated.

Many thanks,

Alex