[Beowulf] Re: Active directory with Linux

Dave Love d.love at liverpool.ac.uk
Fri Oct 24 05:48:11 PDT 2008


Chris Samuel <csamuel at vpac.org> writes:

> We were trying to do that for one of our members, but
> were told by the AD admins that we could only use the
> user's credentials to bind to the AD server for queries
> as they were using lockouts on failed password attempts
> and so would not provide a "system" style account for
> queries as locking that out would stop all users from
> accessing the cluster.

I don't understand that.  If you need LDAP data, as opposed to just
Kerberos authentication, and you're not allowed anonymous access to it,
you either use a `well-known' password on a special account (which
you're probably also not allowed...) or the `machine' account.  The
latter is what you get from `joining the domain' (e.g. with Samba) and,
as far as I remember, is just the system's Kerberos host principal,
whose key you stash in a keytab.

Obviously avoid AD if you can, though.


