Integrate Linux with Active Directory Domain Services

There are several ways to integrate Linux VMs with Active Directory. Three main options are based on built-in or freely available components:

  • LDAP Authentication / Authorization. LDAP Authentication and Authorization rely on Active Directory's compliance with the LDAP standards. Applications that implement NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) can use LDAP modules to communicate with the LDAP endpoint of Active Directory. LDAP Authentication users can't change their password from the Linux client. Consider a password change process that conforms to your password expiration policy, either by providing users an alternative method to change their password, or by having an automated password refresh mechanism in place.
  • Kerberos 5 Authentication / LDAP Authorization. With Kerberos Authentication, NSS still uses LDAP, and works the same as with LDAP Authentication, but PAM makes use of the pam_krb5 module to authenticate against the Kerberos Key Distribution Center (KDC) implemented in Active Directory. This is a popular configuration because it works with out-of-the-box components in a secure way that provides password change capabilities.
  • Winbind Authentication / Authorization. Winbind is a more complex solution, requiring a Winbind daemon to run on the Linux systems. Winbind provides more advanced technical capabilities, such as support for RPC and NTLM, and doesn't require any specific components (such as Services for UNIX) to be installed on authenticating AD DS domain controllers. Winbind is part of the Samba interoperability suite, which also provides file sharing capabilities using the SMB protocol. If you plan to use SMB, using Winbind is a logical choice.
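The three models above differ in which NSS source and which PAM module a host is configured with, so the model in use on a given machine can be read directly from /etc/nsswitch.conf and its PAM stack. The following audit script is an added example, not code from the page or from Microsoft: it parses constructed samples of those two files, identifies the model (LDAP, Kerberos 5 + LDAP, or Winbind), and reports the caveats discussed above, such as the LDAP-only case where the client cannot change the user's password. The classification rules and the sample configurations are assumptions made for this example; the module names pam_ldap, pam_krb5 and pam_winbind are the real ones.

```python
"""Classify a Linux host's AD integration model from nsswitch.conf and PAM
stack contents (added audit example, not part of the original page)."""
import re
from typing import Dict, List, Set

# Constructed sample: nsswitch.conf for the LDAP and Kerberos+LDAP models
NSSWITCH_LDAP = """
passwd:     files ldap
shadow:     files ldap
group:      files [SUCCESS=merge] ldap
hosts:      files dns
"""

# Constructed sample: PAM stack for Kerberos 5 Authentication / LDAP Authorization
PAM_KRB5 = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=1 default=ignore]  pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_ldap.so
password    sufficient    pam_krb5.so use_authtok
"""

# Constructed sample: PAM stack for LDAP Authentication / Authorization
PAM_LDAP = """
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_ldap.so
"""

# Constructed sample: Winbind in both NSS and PAM
NSSWITCH_WINBIND = """
passwd:     files winbind
group:      files winbind
"""
PAM_WINBIND = """
auth        sufficient    pam_winbind.so krb5_auth cached_login
auth        required      pam_unix.so
account     required      pam_winbind.so
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each NSS database (passwd, group, ...) to its ordered sources.
    Action specifiers such as [SUCCESS=merge] are dropped."""
    db: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        db[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return db


def pam_modules(text: str) -> Dict[str, Set[str]]:
    """Map each PAM type (auth, account, password, session) to the module
    names in that stack. Bracketed control fields like [success=1 default=ignore]
    are skipped over; include/substack lines name files, not modules."""
    stacks: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        ptype = tokens[0].lstrip("-")          # leading '-' means "optional module"
        i = 1
        if tokens[i].startswith("["):
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
        if i + 1 >= len(tokens):
            continue
        control, module_path = tokens[i], tokens[i + 1]
        if control in ("include", "substack"):
            continue
        module = re.sub(r"\.so$", "", module_path.rsplit("/", 1)[-1])
        stacks.setdefault(ptype, set()).add(module)
    return stacks


def classify(nsswitch: str, pam: str) -> Dict[str, object]:
    """Return the integration model plus the caveats a reviewer would raise."""
    nss = parse_nsswitch(nsswitch)
    stacks = pam_modules(pam)
    auth = stacks.get("auth", set())
    passwd_src = set(nss.get("passwd", []))
    findings: List[str] = []

    if "winbind" in passwd_src or "pam_winbind" in auth:
        model = "winbind"
        if "winbind" not in passwd_src or "pam_winbind" not in auth:
            findings.append("winbind present in only one of NSS/PAM: identity and authentication diverge")
    elif "pam_krb5" in auth and "ldap" in passwd_src:
        model = "krb5+ldap"
        if "pam_krb5" not in stacks.get("password", set()):
            findings.append("pam_krb5 missing from the password stack: passwd(1) cannot change the AD password")
    elif "pam_ldap" in auth and "ldap" in passwd_src:
        model = "ldap"
        findings.append("LDAP-only authentication: users cannot change their password from this client; "
                        "provide an alternative change path that matches the expiration policy")
    else:
        model = "unknown"
        findings.append("no recognised AD integration in the NSS passwd database or PAM auth stack")
    return {"model": model, "findings": findings}


if __name__ == "__main__":
    for label, nss, pam in (("krb5", NSSWITCH_LDAP, PAM_KRB5),
                            ("ldap", NSSWITCH_LDAP, PAM_LDAP),
                            ("winbind", NSSWITCH_WINBIND, PAM_WINBIND)):
        print(label, classify(nss, pam))
```

On a real host, feed `classify` the contents of /etc/nsswitch.conf and the PAM service file your distribution uses for system logins (for example /etc/pam.d/system-auth or /etc/pam.d/common-auth); the parser tolerates comments, optional modules and bracketed control fields, but it does not follow `include` or `substack` directives, so concatenate the referenced files yourself if the auth stack lives in one of them.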