PDA

View Full Version : Authenting Users via AD



maikcat
05-Nov-2013, 10:34
hello all,

i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently use openldap with ppolicy for authorization & authentication.

i Was asked if i could use the existing customers AD infrustructure instead of openldap,
i successfully managed to read AD users by adding unix attributes to AD and configure nss_ldap module for user authorization
and kerberos for authentication.

the problem is that in my current openldap setup i use the host attribute to filter which user can login where,
my first question is if anyone tried to achive the same functionality with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for auth)?

i also tried to use winbind but i faced different problems...

although i managed to join the linux server on domain, retrieve user list via wbinfo -u (net ads testjoing reports ok, kinit with a domain user also reports ok)
i cant get userlist via getent (i added winbind to nssswitch file).

my second question is if winbind can achieve my current functionality?

Thank you all in advance.

Michael.

maikcat
07-Nov-2013, 09:57
I would like to share a possible solution...

if i use nss_ldap for obtaining user list & attributes (from unix attributes tab in AD users & computers) and winbind
for authentication (via pam) i get the correct uid mapping & i can emulate the host attribute via log on to this computer option
inside each AD user. (i must though setup kerberos right & join the AD).

i hope this helps someone else.

Michael.

ab
07-Nov-2013, 13:24
On 11/07/2013 02:04 AM, maikcat wrote:
>
> I would like to share a possible solution...
>
> if i use nss_ldap for obtaining user list & attributes (from unix
> attributes tab in AD users & computers) and winbind
> for authentication (via pam) i get the correct uid mapping & i can
> emulate the host attribute via log on to this computer option
> inside each AD user. (i must though setup kerberos right & join the
> AD).
>
> i hope this helps someone else.

It probably will. Thank-you for sharing the details of what you did.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

cjcox
09-Nov-2013, 07:08
On 11/05/2013 10:34 AM, maikcat wrote:
>
> hello all,
>
> i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently
> use openldap with ppolicy for authorization & authentication.
>
> i Was asked if i could use the existing customers AD infrustructure
> instead of openldap,
> i successfully managed to read AD users by adding unix attributes to AD
> and configure nss_ldap module for user authorization
> and kerberos for authentication.
>
> the problem is that in my current openldap setup i use the host
> attribute to filter which user can login where,
> my first question is if anyone tried to achive the same functionality
> with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for
> auth)?
>
> i also tried to use winbind but i faced different problems...
>
> although i managed to join the linux server on domain, retrieve user
> list via wbinfo -u (net ads testjoing reports ok, kinit with a domain
> user also reports ok)
> i cant get userlist via getent (i added winbind to nssswitch file).
>
> my second question is if winbind can achieve my current functionality?
>

I usually add enum groups and enum users in the winbind section of smb.conf.
And I set default domain as well.

I'm away from the office right now... I can post more exact details.

Mine works... I can use getent passwd and see my AD accounts.

About the only I don't like is that every platform gets a different uid mapping
for the same user. One solution is to use something else like NIS to enforce a
uid and effectively "smash" the two together. So AD can be used for the
password, and NIS is strictly there to keep the uid's in line across platforms
(which matters quite a bit).