There are at least three different possible approaches for Active Directory authentication and each has its pros and cons.
- Use the new native AD integration with idmap, nss_ad and kclient. This works with CIFS and NFS out of the box.
- Use Kerberos and LDAP (kclient, ldapclient, pam_krb5 and nss_ldap).
- Use winbind (pam_winbind and nss_winbind).
1. Native AD integration
- Pro: fully integrated and native tools only
- Cons: works only for the Solaris (OpenIndiana) CIFS and NFS services, unless you enable directory-based name mapping and install IDMU (Identity Management for UNIX) on the AD server, as in approach 2.
2. Kerberos and LDAP
- Pro: fully integrated with native tools only
- Cons: requires installation of additional role services (IDMU, Identity Management for UNIX) on the Active Directory side
3. Winbind
- Pro: easy setup, no AD modification
- Cons: depends on 3rd party software (Samba), group membership resolution didn't work when testing
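Each approach resolves users and groups through a different NSS module (nss_ad, nss_ldap or nss_winbind), so the `passwd` and `group` lines of nsswitch.conf show which one a host is actually using. The following shell check is an added example, not part of the original page; it assumes the usual source keywords `ad`, `ldap` and `winbind`, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: map nsswitch.conf sources to the three approaches on this page.
# Assumed source keywords: "ad" (nss_ad), "ldap" (nss_ldap), "winbind" (nss_winbind).

# nss_backends FILE DATABASE
# Prints the AD-related backends configured for DATABASE, or "files-only".
# Runs in a subshell so "set -f" and the variables stay local.
nss_backends() (
    set -f                      # tokens like [NOTFOUND=return] must not glob
    file=$1
    db=$2
    # First uncommented "<db>:" line, with trailing comments stripped.
    line=$(sed -e 's/#.*//' "$file" | grep "^[[:space:]]*$db:" | head -n 1)
    sources=${line#*:}
    found=""
    for src in $sources; do
        case $src in
            ad)      found="$found native-ad" ;;
            ldap)    found="$found kerberos-ldap" ;;
            winbind) found="$found winbind" ;;
        esac
    done
    found=${found# }            # drop the leading separator
    if [ -n "$found" ]; then echo "$found"; else echo "files-only"; fi
)

# nss_consistent FILE
# Succeeds when passwd and group resolve through the same backend(s).
nss_consistent() {
    [ "$(nss_backends "$1" passwd)" = "$(nss_backends "$1" group)" ]
}

# Constructed sample: users come from winbind, groups only from local files.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed nsswitch.conf fragment
passwd: files winbind
group:  files
hosts:  files dns
EOF

echo "passwd: $(nss_backends "$sample" passwd)"
echo "group:  $(nss_backends "$sample" group)"
nss_consistent "$sample" || echo "WARNING: passwd and group use different backends"
```

On a real host, pass `/etc/nsswitch.conf` instead of the sample file; a mismatch between the two lines is worth ruling out first when users resolve but their groups do not.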