Skip to end of metadata
Go to start of metadata


There are at least three different possible approaches for Active Directory authentication and each has its pros and cons.

  1. Use the new native AD integration with idmap, nss_ad and kclient, this will work with CIFS and NFS out of the box.
  2. Use Kerberos and LDAP (kclient, ldapclient, pam_krb5 and nss_ldap).
  3. Use windbind (pam_winbind and nss_winbind).

1. Native AD integration

  • Pro: fully integrated and native tools only
  • Cons: works only for Solaris (Openindiana) CIFS and NFS service, unless you use enable directory-based name mapping and install IDMU (Identity Management for UNIX) on the AD server like in 2.

Native AD integration

2. Kerberos and LDAP

  • Pro: fully integrated with native tools only
  • Cons: requires installation of additional role services (IDMU, Identity Management for UNIX) on the Active Directory side

Kerberos and LDAP

3. winbind

  • Pro: easy setup, no AD modification
  • Cons: depends on 3rd party software (Samba), group membership resolution didn't work when testing


  • No labels