6

What is the best, or most reliable, way to manage my Unix/Linux user accounts with ActiveDirectory? Or, is this even feasible?

Warren Young

6 Answers

4

I highly highly highly (highly) recommend using Likewise Open to do this. Every time I talk about them, I sound like a paid shill, but I'm not. It's just really that good.

Essentially, you install the software (painless, there's an RPM and DEB installer), run "domainjoin-cli domain.com adminuser", type the password for "adminuser", and then your machine is part of the AD domain.

The one thing that I do change is in the configuration, I turn on the assume default domain setting, because I don't want my users to have to type their domain every time they connect to the machine.

The benefits are huge. When you log in with AD credentials, your UID and GIDs are assigned based on a hash, which means that they're the same across the entire infrastructure. This means that things like NFS work. In addition, it's simple to get things like Samba and Apache to authenticate, since Likewise configures PAM.

Thanks to Likewise Open, there is not a single network-based service that I offer that isn't authenticated against AD.

Matt Simmons
  • Any Kerberos-enabled network service - from NFS to Apache and from SSH to FTP - will work just fine with any Kerberos implementation. For this functionality it does not matter whether you use stock Winbind, Likewise's version of Winbind, pam_krb5 with MIT Kerberos or Heimdal, Vintella, Centrify, it's all the same: Kerberos single sign-on.

    Using a hashed SID as the basis for UIDs and GIDs (I think that is what they do) has its downside too: I don't think cross-realm trusts work very well with this.

    What is cool about this, is that it's transparent: AD does not have to be changed for this.

    – wzzrd Aug 12 '10 at 09:26
  • Thank you for that excellent answer. On a side question, have you ever heard of, or used, this http://www.quest.com/authentication-services/ ? – Jordan S. Jones Aug 13 '10 at 19:03
  • I haven't, though several people have recommended their powershell CLI commands to me. – Matt Simmons Aug 17 '10 at 19:27
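A post-join sanity check, added here as an example and not part of Matt's answer or of Likewise's own tooling: whichever mechanism you pick, the AD module has to be wired into both the name-service switch (passwd and group databases) and the PAM auth stack, or you get the classic half-working state where `id user` resolves but login fails, or the reverse. The functions below check both from config files; the sample files are constructed, and the module names `lsass` / `pam_lsass.so` (Likewise's NSS and PAM modules) are assumed, with `winbind` and `ldap` working the same way.

```shell
#!/bin/sh
# Added example (not from the original answer): verify that an AD module is
# wired into nsswitch.conf and the PAM auth stack after a domain join.
# Module names are passed in, so this works for lsass, winbind or ldap.

# check_nss_module FILE MODULE: returns 0 only if both the passwd and the
# group database lines in an nsswitch.conf-style file list MODULE.
check_nss_module() {
    file=$1; module=$2
    for db in passwd group; do
        # Strip comments, pick the database line, look for the module token.
        sed 's/#.*//' "$file" | grep -E "^[[:space:]]*$db:" \
            | grep -Eq "(^|[[:space:]])$module([[:space:]]|$)" || return 1
    done
    return 0
}

# check_pam_module FILE MODULE: returns 0 if FILE has an "auth" line that
# loads MODULE (e.g. pam_lsass.so, pam_winbind.so, pam_krb5.so).
check_pam_module() {
    file=$1; module=$2
    sed 's/#.*//' "$file" \
        | grep -Eq "^[[:space:]]*auth[[:space:]].*[[:space:]]$module([[:space:]]|$)"
}

# Constructed sample files so the script runs without a real join.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/nsswitch.conf" <<'EOF'
# constructed sample, lsass is Likewise's NSS module (assumed name)
passwd:     files lsass
shadow:     files
group:      files lsass
hosts:      files dns
EOF
    cat > "$dir/system-auth" <<'EOF'
auth        sufficient    pam_lsass.so
auth        required      pam_unix.so try_first_pass
account     sufficient    pam_lsass.so
EOF
    check_nss_module "$dir/nsswitch.conf" lsass \
        && echo "nss: lsass present in passwd and group"
    check_pam_module "$dir/system-auth" pam_lsass.so \
        && echo "pam: pam_lsass.so present in auth stack"
    rm -rf "$dir"
}

demo
```

On a real host, point the functions at `/etc/nsswitch.conf` and at the PAM file your distribution uses (`/etc/pam.d/system-auth` on RHEL, `/etc/pam.d/common-auth` on Debian), then finish with `getent passwd someaduser` and `id someaduser` to confirm lookups actually go to the domain.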
4

Because we are talking about AD, I am going to assume an enterprise environment here.

I have a couple of hundred RHEL3, 4 and 5 boxes running with Active Directory based user-accounts. All of them run the same configuration, using nss_ldap and pam_krb5. It works brilliantly, it is supported by all commercial Linux vendors in the standard support option, because it uses out-of-the-box tools and it is rock solid. In the end, AD is just Kerberos and LDAP and to vendors, those are standardized, easily supportable protocols.

I have yet to run into a problem with this way of using AD that I cannot solve. Scott Lowe's documentation here helped me quite a bit when initially designing our solution. It's not perfect, but it'll help you get underway. Scott's idea is to create a bind account for LDAP, which I'm not that fond of. A machine that is joined in AD can do LDAP queries with its own credentials, which is a lot saner, if you ask me.

Depending on your requirements, you might want to take a step back and consider whether you need a supported solution or not. Because nice as Likewise may be, it is fairly expensive. Using the tools that come with every Linux distro by default and are thus supported, might be a tiny bit more complicated (but that shouldn't scare off a good Linux admin) but is just as good (or maybe better, depending on your requirements).

I could write up in a bit more detail about how I did this, but I don't have time for that right now. Would that be of help?

wzzrd
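The stock-tools approach described above, as an added example that is not wzzrd's own configuration: the script writes the three files an nss_ldap + pam_krb5 setup needs, and follows the answer's point about binding with the machine's own Kerberos credentials rather than a dedicated LDAP bind account, so no password sits in `/etc/ldap.conf`. The realm `EXAMPLE.COM`, KDC `dc1.example.com`, base DN and credential-cache path are placeholders; the attribute mappings assume AD's RFC 2307 attributes (`uidNumber`, `gidNumber`, `unixHomeDirectory`, `loginShell`) are populated.

```shell
#!/bin/sh
# Added example (not the answerer's config): generate krb5.conf, ldap.conf
# and nsswitch.conf for a stock nss_ldap + pam_krb5 setup against AD.
# All names are placeholders for your own environment.

# write_ad_configs DIR REALM KDC BASEDN
write_ad_configs() {
    dir=$1; realm=$2; kdc=$3; basedn=$4
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')

    # Kerberos: pam_krb5 authenticates users against this realm.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    ticket_lifetime = 24h

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF

    # nss_ldap: no binddn/bindpw. The LDAP connection is authenticated with
    # GSSAPI from a credential cache that the host keeps refreshed from its
    # machine keytab (e.g. a cron job running kinit -k), so account lookups
    # run as the computer object, which is what the answer recommends.
    cat > "$dir/ldap.conf" <<EOF
uri ldap://$kdc/
base $basedn
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/nss_ldap.ccache
nss_base_passwd $basedn?sub
nss_base_group $basedn?sub
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
EOF

    # Name-service switch: local files first, then AD via LDAP. Shadow stays
    # local, because password checks go through Kerberos, not LDAP.
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files ldap
EOF
}

# check_ad_configs DIR: returns 0 if the generated ldap.conf binds with
# GSSAPI and contains no static bind credentials.
check_ad_configs() {
    f=$1/ldap.conf
    grep -q '^use_sasl on' "$f" || return 1
    grep -q '^sasl_mech GSSAPI' "$f" || return 1
    ! grep -Eq '^(binddn|bindpw)' "$f"
}

# Stand-alone run against a temporary directory with placeholder values.
out=$(mktemp -d)
write_ad_configs "$out" EXAMPLE.COM dc1.example.com "dc=example,dc=com"
check_ad_configs "$out" && echo "generated configs in $out"
```

After copying the files into `/etc`, `kinit -k` (as root, using the host keytab) followed by `getent passwd someaduser` tells you whether the GSSAPI-authenticated lookup works before you touch PAM; only then add `pam_krb5.so` to the auth and account stacks.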
2

Not exactly AD, but I got a nice answer to a similar question over here:

Pablo
0

I'll spare you the marketing speak, but try Centrify Express. It's a free tool to join your Linux and Macs to AD. http://www.centrify.com/express/download-centrify-express.asp

0

PAM LDAP against Active Directory should work fine.

geoffc
0

It's quite feasible, and already done.

As someone has already mentioned, Likewise will give you direct integration. However...

If you want to take the plunge, you could also install winbind from the Samba project, which would give you the same experience. Using winbind, your machine will become a domain member...and user accounts in Active Directory can be transparently mapped and assigned UID/GID settings.

Avery Payne