
enterprise-ubuntu team mailing list archive

Re: Questions: Active Directory integration of linux clients

 

Hi Florian,

Yes this is a bit confusing.

You have a number of commercial alternatives for AD integration:
  VAS/QAS/DAS?  - http://www.quest.com/authentication-services/
  PBIS/Likewise Enterprise - http://www.beyondtrust.com/

These companies should be able to give you commercial support but I have
not used them myself.

There are also a number of free alternatives:
  Samba/winbind - http://www.samba.org/
  PBIS/Likewise Open - http://www.powerbrokeropen.org/
  sssd - https://fedorahosted.org/sssd/

I used winbind a few years ago and it worked fine most of the time but
was a bit slow and the cached credentials were sometimes invalid... this
might have changed by now.

We tested Likewise Open but they autogenerated/calculated the Unix UID from
some information in the AD so you can not set this yourself. This made it
impossible for us to use it.

Today we use sssd on our Ubuntu clients and it works almost perfectly.
The only problem we have is that the package is not in the main Ubuntu
repository so it is not officially supported by Canonical (?).

Most of these tools give you a Kerberos ticket so you should be able to use
this to log in to your internal web pages... if the servers and your browser
are configured correctly.

We have a database where we allocate unique Unix UIDs for all users.
If you do not have filesystems where users have already stored files with a
specific UID it may be easier to configure your AD integration software to
calculate the UID from the AD information (just like Likewise Open does).
The UID will still be unique but the UID number will probably be quite
large (above 65535) and this can cause problems on older Unix machines.

The license terms for the commercial alternatives have changed during the
last 2 years and also the owner of the Likewise product has changed.
What if they stop releasing new versions or updates?
It is not the first time a commercial company lost interest in their Linux
version and they only focus on the products where they make most money.

I hope this answered some of your questions.

Best regards
Ove



On Tue, Dec 4, 2012 at 4:05 PM, Florian Bieber <florian.bieber@xxxxxxxx> wrote:

>
> Hello,
>
> I am a little bit puzzled. There are solutions for AD integration of linux
> clients available, but it is hard for me to find out, what to use when.
>
> For what reason / use-cases the use of win-bind and the kerberos libs (e.g.
> described for openSUSE here
> http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.security.ad.html
> ) are enough and when/why e.g. PowerBrokerOpen/Likewise-open (
> http://www.powerbrokeropen.org/ ) should better be used?
>
> Likewise-open has a package in ubuntu and powerbroker has or will have one,
> so one advantage I see is that you receive updates for the packages, if
> maintained.
>
> But with which solution problems like
>         offline AD login
>         single sign on to browser/share resources
>         a pass-through-authentication
>         mapping of SID (so that you have one UID/GID on all Systems (local,
>         on a Share, on a Windows-System etc.)
>         get access rights to files (e.g. can I create a file on a NFS share
>         so that another user sees my username instead of SID in the access
>         field?)
>         how is the unix user ID generated
> is solved on the most sustainable way? What should you use when?
>
> What are the pros and cons for likewise/powerbroker or other solutions?
> What else is it good for?
>
> Sorry for so many questions, but what are your experiences? What would you
> suggest for which case?
>
> Thanks for help in advance!
>
> regards,
> Florian
>
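
Added example (not part of the original message, and not the algorithm of Likewise Open, sssd or winbind): a hypothetical scheme that calculates the UID from the AD SID, as the reply above describes. It shows why such UIDs land above 65535 and how two accounts collapse onto one UID on an older system whose uid_t is only 16 bits wide. The range constants, the CRC32 slice choice and the sample SIDs are constructed assumptions.

```python
# Added illustration: a hypothetical SID-to-UID scheme. It is NOT the algorithm
# used by Likewise Open, sssd or winbind; all constants are assumptions.
import zlib

RANGE_SIZE = 200_000   # assumed number of UIDs reserved per AD domain
FIRST_BASE = 200_000   # assumed start of the mapped area, above local accounts
SLICES = 10_000        # assumed number of per-domain ranges (keeps UIDs < 2**31)


def parse_sid(sid):
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:2] != ["S", "1"] or not parts[-1].isdigit():
        raise ValueError(f"not a user SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_uid(sid):
    """Same SID gives the same UID on every client, with no central database."""
    domain, rid = parse_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} does not fit in the per-domain range")
    slice_no = zlib.crc32(domain.encode("ascii")) % SLICES
    return FIRST_BASE + slice_no * RANGE_SIZE + rid


def truncation_collisions(sids):
    """Pairs of SIDs that become one UID where uid_t is only 16 bits wide."""
    seen, clashes = {}, []
    for sid in sids:
        low = sid_to_uid(sid) & 0xFFFF
        if low in seen:
            clashes.append((seen[low], sid))
        else:
            seen[low] = sid
    return clashes


# Constructed sample SIDs (made-up domain identifier and RIDs).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [f"{DOMAIN}-1104", f"{DOMAIN}-1105", f"{DOMAIN}-66640"]

if __name__ == "__main__":
    for sid in SAMPLE:
        uid = sid_to_uid(sid)
        print(f"{sid} -> uid {uid} (16-bit view: {uid & 0xFFFF})")
    for first, second in truncation_collisions(SAMPLE):
        print(f"collision on 16-bit systems: {first} and {second}")
```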
