Linux in a Windows World/Centralized Authentication Tools
Networks with many computers frequently set aside one system as an authentication server—a computer that authenticates users for the benefit of other computers. This practice can greatly simplify account maintenance, because you need to maintain only one set of user accounts rather than separate accounts on each computer. Achieving this goal is more complex on a multi-OS network than in a single-OS environment, though, because different OSs support different protocols for performing these tasks. This part of the book looks at three protocols that can be used in a mixed Windows/Linux environment: Chapter 7 describes using an NT domain controller, Chapter 8 describes using the Lightweight Directory Access Protocol (LDAP), and Chapter 9 describes using Kerberos. Chapter 7 emphasizes Linux configuration as an authentication client; the Linux server and Windows client sides are covered in Chapter 5. Chapter 8 and Chapter 9 describe both client and server configuration for Linux and client configuration for Windows.
Which tool should you use? All three can do the job, but each has its strengths and weaknesses. Broadly speaking, using an NT domain controller works well when you have an existing NT domain controller for file share access and want to apply this existing account database to other purposes. LDAP provides the best support for Linux account data and can also work well with Windows 200x/XP systems, but it doesn't support Windows 9x/Me very well. Kerberos was designed to provide single sign-on—that is, to enable users to enter their passwords once per session, even if they log in and out of multiple servers during this session. It doesn't maintain all the necessary account data, though, and it can be tricky to use for some cross-platform tasks.