[Beowulf] Re: Active directory with Linux

Dave Love d.love at liverpool.ac.uk
Tue Nov 11 06:26:51 PST 2008


Chris Samuel <csamuel at vpac.org> writes:

> Well we were told that AD doesn't permit anonymous access.

<URL:http://www.novell.com/coolsolutions/appnote/15120.html>, for
example, has instructions for 2000 and 2003 servers.

> Bear in mind we're Linux geeks here, not Windows geeks.. ;-)

I hope you don't think I'm a Windows geek!  Just passing on what I know
from having had to tangle with AD admin previously and having to get
things working here eventually post-eDirectory; I guess plenty of us are
in similar boats with this.

>> or the `machine' account.  The latter is what you get from
>> `joining the domain' (e.g. with Samba)
>
> Whilst I couldn't be certain I suspect their security
> policy would have classed that as just being an implementation
> of the former, and it too would have been locked out after
> N failed attempts and hence locked out all users.

It would be the same on Windows boxes, surely, allowing a DoS attack.

> We got the impression that AD didn't permit them to
> make an exception to this policy either.. :-(

I think you can control the lockout policy with fairly fine granularity,
and I think it's actually off by default, but don't have a system to
check.  I guess it's documented OTW somewhere.

-- 
IBM^WMicrosoft is not a necessary evil; IBM^WMicrosoft is not
necessary.  -- Ted Nelson updated



More information about the Beowulf mailing list