Active Directory Authentication
I am just getting started with OpenBSD and have been doing a lot of reading; I have been through all of the FAQs and man pages. At this point I have a system which I did a base install on about a year ago (4.7 release), which I have updated to 4.7 stable. I am now looking at the process to upgrade this to 4.8, but that is for another day.
My immediate interest is being able to manage users on all platforms (Windows, Linux, BSD) from a central location. Now, since Windows doesn't really offer much flexibility, if I want some of the features I need I am forced into maintaining a Windows Active Directory domain. A few years back I did some extensive work in testing various methods of accomplishing the goal of authenticating Linux users to an Active Directory domain. My conclusion was that, while it is possible to do this with only native packages (Kerberos, Samba, Winbind), the result was unreliable, involved more management overhead than needed, and I couldn't restrict logins by group. I did find some free third-party solutions that allow me to do all of this easily and reliably (Centrify and Likewise, if you are interested). Now fast forward and I am looking to add OpenBSD to the mix. None of the tools I normally use support OpenBSD.
So I did my research and found that OpenBSD supports all of the required protocols to do this natively, as in Windows, but in a few postings on blogs etc. I found that others reported issues with this method. I know that any information outside of the FAQ or man pages is not to be trusted, but since it seemed to fit with my prior experiences it seems reasonable. Among the articles I read was one which took a slightly different approach, using Kerberos for authentication and the passwd file for user management locally. As in my previous Linux tests the problems all seemed to revolve around Samba/Winbind pulling user information from AD, this seemed like a reasonable approach to the problem. So I proceeded to follow the man pages, set up a krb5.conf file, and added the required SRV records to my zone file. I am now able to easily and reliably use a password stored in a Windows domain to log in to my OpenBSD system. While this is not an ideal solution (I need to create local accounts for all users), it is better than using only a passwd file.
Has anyone come across any third party or native method which allows an OpenBSD system to pull user account and password information from a Windows domain, and also restrict logins based on Windows group membership? The group membership restriction is especially important as I am looking to use OpenBSD only for secured systems where only a select few will have login permission.
Thanks in advance for any insight.
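For readers following the same Kerberos-plus-local-passwd approach, here is an added example of the kind of krb5.conf the post refers to; it is not the poster's own file. The realm EXAMPLE.COM, the domain example.com, and the KDC host names are assumptions, and the zone-file records shown in the comments are constructed to match them.

```ini
# Constructed example krb5.conf for authenticating against an
# Active Directory realm (Heimdal syntax as shipped in OpenBSD base).
# Realm, domain and host names are assumptions, not from the post.

[libdefaults]
    # AD realms are the upper-cased DNS domain name.
    default_realm = EXAMPLE.COM
    # Locate KDCs via the _kerberos._tcp SRV records instead of
    # hard-coding them; AD publishes these records itself, and for a
    # zone you host yourself they look like:
    #   _kerberos._tcp.example.com.  IN SRV 0 0 88  dc1.example.com.
    #   _kerberos._udp.example.com.  IN SRV 0 0 88  dc1.example.com.
    #   _kpasswd._tcp.example.com.   IN SRV 0 0 464 dc1.example.com.
    dns_lookup_kdc = yes
    # Map host names to realms by DNS rather than trusting a
    # client-side table alone.
    dns_lookup_realm = yes
    # Short lifetimes limit how long a stolen ticket is useful.
    ticket_lifetime = 10h
    renew_lifetime = 1d
    # Require clock agreement with the domain controllers; AD rejects
    # requests outside a 5 minute skew, so keep ntpd running.
    clockskew = 300

[realms]
    # Explicit KDC entries are a fallback if SRV lookup is disabled
    # or the resolver cannot reach the zone.
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
        kpasswd_server = dc1.example.com
    }

[domain_realm]
    # Map the DNS domain and all hosts under it to the AD realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[logging]
    # Send client-side Kerberos errors to syslog so failed logins
    # are visible to the local auditing you already have.
    default = SYSLOG:NOTICE:AUTH
```

The local account created in the passwd file must carry the same user name as the AD principal, since this setup only replaces the password check, not the account lookup or group membership that the question asks about.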