i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently use openldap with ppolicy for authorization & authentication.
i Was asked if i could use the existing customers AD infrustructure instead of openldap,
i successfully managed to read AD users by adding unix attributes to AD and configure nss_ldap module for user authorization
and kerberos for authentication.
the problem is that in my current openldap setup i use the host attribute to filter which user can login where,
my first question is if anyone tried to achive the same functionality with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for auth)?
i also tried to use winbind but i faced different problems...
although i managed to join the linux server on domain, retrieve user list via wbinfo -u (net ads testjoing reports ok, kinit with a domain user also reports ok)
i cant get userlist via getent (i added winbind to nssswitch file).
my second question is if winbind can achieve my current functionality?