
Thread: Authenticating Users via AD


  1. #1
    Join Date
    Sep 2013
    Location
    Athens, Greece
    Posts
    51

    Authenticating Users via AD

    Hello all,

    I administer 40 Linux SLES 11 SP3 servers (x64 & s390) on which I currently use OpenLDAP with ppolicy for authorization & authentication.

    I was asked if I could use the existing customer's AD infrastructure instead of OpenLDAP.
    I successfully managed to read AD users by adding UNIX attributes to AD and configuring the nss_ldap module for user authorization
    and Kerberos for authentication.

    The problem is that in my current OpenLDAP setup I use the host attribute to filter which user can log in where.
    My first question is whether anyone has tried to achieve the same functionality as the openldap/ppolicy/host attr combo with AD (LDAP for NSS & krb5 for auth)?

    I also tried to use winbind but I faced different problems...

    Although I managed to join the Linux server to the domain and retrieve the user list via wbinfo -u (net ads testjoin reports OK, kinit with a domain user also reports OK),
    I can't get the user list via getent (I added winbind to the nsswitch file).

    My second question is whether winbind can achieve my current functionality?

    Thank you all in advance.

    Michael.

  2. #2
    Join Date
    Sep 2013
    Location
    Athens, Greece
    Posts
    51

    Re: Authenticating Users via AD

    I would like to share a possible solution...

    If I use nss_ldap for obtaining the user list & attributes (from the UNIX Attributes tab in AD Users & Computers) and winbind
    for authentication (via PAM), I get the correct uid mapping & I can emulate the host attribute via the "Log on to this computer" option
    inside each AD user. (I must, though, set up Kerberos right & join the AD.)

    I hope this helps someone else.

    Michael.
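The split Michael describes, identity from AD's UNIX attributes via nss_ldap and the password check via pam_winbind, written out as configuration. This is an added example, not Michael's actual files: the DC hostname, base DN, OUs, service account and CA path are placeholders, and the PAM stack is a minimal SLES-style common-auth, so adapt it to what pam-config already generated on your hosts.

```ini
# --- /etc/ldap.conf (nss_ldap on SLES 11): uid/gid/home/shell come from AD.
# Server, base DN and bind account are assumptions; replace with your own.
uri ldap://dc1.example.corp
base dc=example,dc=corp
ldap_version 3
# AD does not allow anonymous reads of user objects: use a read-only service
# account, and keep the password out of this world-readable file.
binddn cn=nss-reader,ou=Service Accounts,dc=example,dc=corp
# bindpw goes in /etc/ldap.secret (mode 0600) rather than here
ssl start_tls
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
tls_checkpeer yes
scope sub
nss_base_passwd ou=Users,dc=example,dc=corp?sub
nss_base_group  ou=Groups,dc=example,dc=corp?sub
# Map the RFC2307 names nss_ldap expects onto AD's schema; uidNumber, gidNumber
# and loginShell already carry the same names, the rest need a mapping.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
# Never resolve local system accounts through the directory
nss_initgroups_ignoreusers root,ldap

# --- /etc/nsswitch.conf: names and ids come from LDAP, not winbind, so the
# uidNumber set in the UNIX Attributes tab is the one every server sees.
passwd: files ldap
group:  files ldap

# --- /etc/pam.d/common-auth: the password itself is verified against the
# domain by winbind, which needs a completed "net ads join" and working
# Kerberos (kinit user@REALM succeeds).  The DC checks the account's
# "Log On To" workstation list (userWorkstations) during this step, which is
# what emulates the OpenLDAP host attribute in this setup.
auth    required   pam_env.so
auth    sufficient pam_unix.so try_first_pass
auth    sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth    required   pam_deny.so
```

Two things worth checking after applying this: `getent passwd someuser` should return the uidNumber from AD (not a winbind-allocated one), and a user whose "Log On To" list does not include this server's computer account should be refused by pam_winbind while still resolving through getent, since the restriction is enforced at authentication, not at lookup.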

  3. #3

    Re: Authenticating Users via AD

    On 11/07/2013 02:04 AM, maikcat wrote:
    >
    > I would like to share a possible solution...
    >
    > If I use nss_ldap for obtaining the user list & attributes (from the UNIX
    > Attributes tab in AD Users & Computers) and winbind
    > for authentication (via PAM), I get the correct uid mapping & I can
    > emulate the host attribute via the "Log on to this computer" option
    > inside each AD user. (I must, though, set up Kerberos right & join the
    > AD.)
    >
    > I hope this helps someone else.


    It probably will. Thank you for sharing the details of what you did.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  4. #4
    cjcox NNTP User

    Re: Authenticating Users via AD

    On 11/05/2013 10:34 AM, maikcat wrote:
    >
    > Hello all,
    >
    > I administer 40 Linux SLES 11 SP3 servers (x64 & s390) on which I currently
    > use OpenLDAP with ppolicy for authorization & authentication.
    >
    > I was asked if I could use the existing customer's AD infrastructure
    > instead of OpenLDAP.
    > I successfully managed to read AD users by adding UNIX attributes to AD
    > and configuring the nss_ldap module for user authorization
    > and Kerberos for authentication.
    >
    > The problem is that in my current OpenLDAP setup I use the host
    > attribute to filter which user can log in where.
    > My first question is whether anyone has tried to achieve the same functionality
    > as the openldap/ppolicy/host attr combo with AD (LDAP for NSS & krb5 for
    > auth)?
    >
    > I also tried to use winbind but I faced different problems...
    >
    > Although I managed to join the Linux server to the domain and retrieve the user
    > list via wbinfo -u (net ads testjoin reports OK, kinit with a domain
    > user also reports OK),
    > I can't get the user list via getent (I added winbind to the nsswitch file).
    >
    > My second question is whether winbind can achieve my current functionality?
    >


    I usually add enum groups and enum users in the winbind section of smb.conf.
    And I set default domain as well.

    I'm away from the office right now... I can post more exact details.

    Mine works... I can use getent passwd and see my AD accounts.

    About the only thing I don't like is that every platform gets a different uid mapping
    for the same user. One solution is to use something else like NIS to enforce a
    uid and effectively "smash" the two together. So AD can be used for the
    password, and NIS is strictly there to keep the uids in line across platforms
    (which matters quite a bit).
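The winbind settings cjcox mentions (enum users, enum groups, default domain), together with the idmap configuration that decides whether uids drift between servers, as an added example rather than cjcox's own smb.conf. Realm, workgroup and id ranges are placeholders; the option names are those of Samba 3.x as shipped on SLES 11 SP3, and the AD-backed idmap is offered as an alternative to the NIS approach in the post, not as something cjcox described.

```ini
# --- /etc/samba/smb.conf: winbind as the identity and auth source.
# EXAMPLE / EXAMPLE.CORP and the ranges are assumptions.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.CORP
    security = ads
    # Use the keytab written by "net ads join" instead of the machine password
    kerberos method = secrets and keytab

    # What the post refers to: let winbind enumerate the domain so
    # "getent passwd" lists AD users, and drop the DOMAIN\ prefix from names.
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes

    # Catch-all idmap: ids are allocated on first sight in a local tdb, so the
    # same user gets a different uid on every server.  This is the drift cjcox
    # describes; keep it only for trusted domains and BUILTIN, never for the
    # primary domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    # Primary domain idmap read from AD's own uidNumber/gidNumber (the UNIX
    # Attributes tab Michael populated), so every server computes the same id
    # without a NIS server.  Samba 4.6+ moved "winbind nss info" under
    # idmap_ad; check "man idmap_ad" for the installed version.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    winbind nss info = rfc2307

    template shell = /bin/bash
    template homedir = /home/%D/%U

# --- /etc/nsswitch.conf: "files" first, so root and other local accounts are
# never resolved through the domain even if winbind is unreachable.
passwd: files winbind
group:  files winbind
```

To confirm the mapping is stable rather than allocated, compare `wbinfo -i someuser` and `id someuser` on two different servers: with the AD backend both must print the uidNumber stored in AD, and a user without uidNumber set will simply not resolve, which is the safer failure mode than being handed an arbitrary id from the catch-all range.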
