[ILUG] Active Directory with Ubuntu?
Michael Watterson
watty at eircom.net
Wed Aug 8 16:41:42 IST 2007
David Dorgan wrote:
> On 8/8/07, Michael Watterson <watty at eircom.net> wrote:
>
>> Don't use Active Directory.
>>
>> It's an even more broken smoke & mirrors security than Domain
>> Controllers. I used to demonstrate how a Workstation with server tools
>> installed and simply an administrative account on the "system" could
>> access or change anything without Active Directory or joining a Domain
>> at all. Some people think Domains or Active Directory adds some extra
>> magical security pixie dust, it doesn't, it's just methods of
>> centralised user account management. Lots of more Ubuntu friendly ways
>> of doing it.
>>
>
> Errr???? Active directory is mainly made up of three protocols, dns,
> ldap and kerberos, how you wish to use those with a security model you
> have is down to company/site implementation. There is nothing
> inherently wrong with active directory.
>
> And why would anybody except administrators have admin rights on a
> local workstation? Isn't that the point of the domain? Security
> delegation is often done via groups etc (whatever way you want to
> split your privileges), not giving out admin passwords :)
>
> David
>
>
>
Agreed
The point I was making is that lots of people think they have to have MS
Active Directory, because on MS Servers + Workstations it is often
there by default. You don't need it, nor is even a Domain Controller
needed to have a user be lowest level rights on a Server and any level
you want on a workstation. Domain Controllers are a MS convenience, not
a necessity.
And as you say it is nothing to do with security. DNS may even be
provided by a separate Firewall appliance (I use ClarkConnect).
But if users have to access shared files, then you need user access
accounts to do that. There are many ways to achieve that.
On a local NT Workstation the user only should have ordinary user
rights. It mystified me how many people think the user needs to be Admin
on NT4, W2K or XP. It only means things are not installed properly if
ordinary user rights don't work.
--
Mike