Hi,

I'm looking for a wiki or shared experience for replacing NIS authentication with an existing Active Directory server (W2003). The problem is the management of id and gid.

How to move 1000 current NIS users to AD?
How to keep the same id and gid for these 1000 users?
What happens with the NFS Linux server and access with gid and/or id?
Use the same user/password for Linux and Windows client authentication?

We tested a solution that works very well. It's the Centrify commercial software http://www.centrify.com/directcontrol/overview.asp . But we are looking for a freeware solution (Kerberos? OpenLDAP? PAM? ...).

Has someone already successfully replaced NIS with AD authentication using a freeware solution?

Regards.

__________________________
Our e-mail address is changing to firstname.surname at ifpen.fr. Nevertheless, messages sent to the domain @ifpenergiesnouvelles.fr will still be delivered.
This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. IFP Energies nouvelles should not be liable for this message.
Visit our web site: www.ifpenergiesnouvelles.fr / www.ifpenergiesnouvelles.com
__________________________
On Fri, 18 Mar 2011, MOKRANI Rachid wrote:

> Hi,
>
> I'm looking for a wiki or shared experience for replacing NIS authentication with
> an existing Active Directory server (W2003). The problem is the
> management of id and gid.
>
> How to move 1000 current NIS users to AD?

Create matching accounts in AD. This is standard Active Directory stuff, there really aren't any gotchas I can think of.

> How to keep the same id and gid for these 1000 users?

Make sure the SFU attributes have the correct values. You can do all this through LDAP as far as I know. Alternatively remap all your UIDs/GIDs and switch to a RID mapping scheme instead. You need to think about how you're planning on working in the future.

> What happens with the NFS Linux server and access with gid and/or id?

It works exactly the same as it does now.

> Use the same user/password for Linux and Windows client
> authentication?

Feel free to use winbind or pam_krb5 for authentication, both easy to set up. You'll need nss_ldap with pam_krb5, but winbind can do the whole bag.

> Has someone already successfully replaced NIS with AD authentication
> using a freeware solution?

Probably the easiest is to use winbind, but we use nss_ldap and pam_krb5. There's plenty of documentation on how to do this out there.

jh
On 18/03/2011 13:31, MOKRANI Rachid wrote:

> Hi,
>
> I'm looking for a wiki or shared experience for replacing NIS authentication with
> an existing Active Directory server (W2003). The problem is the
> management of id and gid.

Here is a very good blog, Scott Lowe's, where I found precise information on how to set up LDAP/Kerberos authentication against Active Directory:
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

If you have Windows 2003 R2, the schema already has Unix attributes (id, gid, user's home...) compliant with POSIX. You have to add the Windows component 'Unix identity management', not SFU anymore. A tab for 'Unix attributes' will appear in the user properties (Users and Computers management console).

> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the NFS Linux server and access with gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?

NFS will work if you add the Windows component 'Microsoft Services for NFS'. If you still have NIS accounts on Linux servers, the accounts should indeed be the same, with the same id/gid.

To create your 1000 accounts, you can use VBS scripts. See for example the very good book from O'Reilly 'Active Directory', or from the same author (Allen) 'Active Directory Cookbook'. It is something along the lines of:

    ' Bind to the existing AD user object (example DN, adjust to your domain)
    Set objUser = GetObject("LDAP://CN=jdoe,OU=Users,DC=example,DC=com")
    objUser.msSFU30NisDomain = "AD_domain"
    objUser.uidNumber = intUid
    objUser.gidNumber = intGid
    objUser.loginShell = strShell
    ' Note: homeDirectory is the Windows home folder; the POSIX home
    ' attribute in the Windows 2003 R2 schema is unixHomeDirectory.
    objUser.homeDirectory = strHome
    ' Write the changes back to the directory
    objUser.SetInfo

> We tested a solution that works very well. It's the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (Kerberos? OpenLDAP? PAM? ...).

The solution outlined in Scott Lowe's blog is both standard and free (uses both Kerberos and LDAP + Samba).

> Has someone already successfully replaced NIS with AD authentication
> using a freeware solution?

Yes, I did on CentOS.

Regards,
Alain

> Regards.
-- 
=========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
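Both replies above come down to the same step: every existing AD user must get the uidNumber/gidNumber (and shell, home, NIS domain) it had under NIS, and no two users may end up with the same uid, or an NFS server doing uid-based checks can no longer tell them apart. The script below is an added example, not code from the thread or from the book Alain cites. It reads `ypcat passwd`-style lines, refuses to continue when two logins share a uid, skips local system accounts, and emits LDIF `changetype: modify` records with the Windows 2003 R2 schema attribute names. The DN layout (`CN=<login>,<base_dn>`), the base DN and the sample map are assumptions/constructed data.

```python
"""Populate Unix (RFC 2307 / SFU) attributes on existing AD users from a NIS passwd map.

Added example, not code from the thread. Turns `ypcat passwd` output into
LDIF "changetype: modify" records so users keep their NIS uid/gid in AD.
The DN layout and sample map below are assumptions/constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample map, shaped like `ypcat passwd` output. bob and carol
# deliberately share uid 1002 to exercise the collision check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/tcsh
carol:x:1002:200:Carol Example:/home/carol:/bin/bash
"""

DEFAULT_BASE_DN = "OU=Users,DC=example,DC=com"  # assumption: adjust to your domain


@dataclass(frozen=True)
class NisUser:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[NisUser]:
    """Parse passwd(5)-format lines; malformed records raise instead of being guessed."""
    users: List[NisUser] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append(NisUser(name, int(uid), int(gid), gecos, home, shell))
    return users


def find_uid_collisions(users: List[NisUser]) -> Dict[int, List[str]]:
    """Return {uid: [logins]} for every uid shared by more than one login.

    Two AD users with the same uidNumber are indistinguishable to an NFS server
    doing uid-based access checks, so this must be empty before importing.
    """
    by_uid: Dict[int, List[str]] = {}
    for u in users:
        by_uid.setdefault(u.uid, []).append(u.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def user_dn(login: str, base_dn: str = DEFAULT_BASE_DN) -> str:
    """Assumed DN layout: the AD object's CN equals the NIS login."""
    return f"CN={login},{base_dn}"


def build_ldif(users: List[NisUser], nis_domain: str,
               base_dn: str = DEFAULT_BASE_DN, min_uid: int = 1000) -> str:
    """Emit one LDIF modify record per NIS user, or raise on uid collisions."""
    collisions = find_uid_collisions(users)
    if collisions:
        raise ValueError(f"duplicate uids in NIS map, refusing to emit LDIF: {collisions}")
    records = []
    for u in users:
        if u.uid < min_uid:
            continue  # system accounts (root, daemon, ...) stay local, never in AD
        attrs = [
            ("uidNumber", str(u.uid)),
            ("gidNumber", str(u.gid)),
            ("loginShell", u.shell),
            ("unixHomeDirectory", u.home),   # R2 schema name for the POSIX home
            ("msSFU30NisDomain", nis_domain),
        ]
        lines = [f"dn: {user_dn(u.name, base_dn)}", "changetype: modify"]
        for attr, value in attrs:
            lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    all_users = parse_passwd(SAMPLE_PASSWD)
    print("collisions:", find_uid_collisions(all_users))
    # Drop the colliding account for the demo; in practice fix the map first.
    print(build_ldif([u for u in all_users if u.name != "carol"], "nisdom"))
```

The resulting file is fed to the domain controller with the OpenLDAP client, e.g. `ldapmodify -H ldaps://dc.example.com -D "<bind DN>" -W -f users.ldif` (host and bind DN are placeholders); the collision check runs over the whole map before anything is written, so a bad map fails before the first user is touched.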
Hi,

Check out Likewise Open. I think this is what you are looking for.
http://www.likewise.com/products/likewise_open/

"Likewise Open is the open source foundation for Likewise Enterprise that joins Linux, UNIX, and Mac OS systems to Microsoft Active Directory to securely authenticate non-Windows users with AD credentials."

Asya

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
On Fri, Mar 18, 2011 at 8:31 AM, MOKRANI Rachid <rachid.mokrani at ifpen.fr> wrote:

> Hi,
>
> I'm looking for a wiki or shared experience for replacing NIS authentication with
> an existing Active Directory server (W2003). The problem is the
> management of id and gid.
>
> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the NFS Linux server and access with gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?
> We tested a solution that works very well. It's the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (Kerberos? OpenLDAP? PAM? ...).
>
> Has someone already successfully replaced NIS with AD authentication
> using a freeware solution?

The amount of time burned setting up the migration, which is otherwise done manually to configure uids and gids consistently, very much justifies the purchase of a single Centrify license for an "adnisd" server. Get *that* running, switch your NIS to point to that, and you've done all the hard integration work. That more than justifies the cost of a license or a pair of licenses.

It can otherwise be done manually, but the data entry time wasted for your engineers well justifies the price of a Centrify license or two.
On Mar 18, 2011, at 8:31 AM, "MOKRANI Rachid" <rachid.mokrani at ifpen.fr> wrote:

> Hi,
>
> I'm looking for a wiki or shared experience for replacing NIS authentication with
> an existing Active Directory server (W2003). The problem is the
> management of id and gid.
>
> How to move 1000 current NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the NFS Linux server and access with gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?
>
> We tested a solution that works very well. It's the Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution (Kerberos? OpenLDAP? PAM? ...).
>
> Has someone already successfully replaced NIS with AD authentication
> using a freeware solution?

Instead of replacing NIS I extended it. I set up a winbind box that did RID mapping from AD and exported those into NIS maps, sans passwords. I then set up Kerberos on all boxes to authenticate against AD; Samba managed the keytab files.

With this I got auto UID/GID generation, my AD users and groups automatically appear and disappear from the NIS maps, and I can use those maps for multiple platforms. Simple, yet effective.

-Ross
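Ross's approach (and jh's "switch to a RID mapping scheme") derives every uid and gid from the account's RID, so ids are deterministic and need no per-user data entry, but the ids must stay inside one range per domain and must not overlap ids the legacy NIS accounts still own. The script below is an added example, not Ross's code: it applies the arithmetic of Samba's idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID, as the idmap_rid documentation states it), builds passwd(5) lines without password hashes (authentication stays with Kerberos), and rejects SIDs from a foreign domain, ids outside the configured range, and ids already taken by a legacy NIS account. The domain SID, the user records, the id range and the legacy uid set are constructed/assumed.

```python
"""Generate NIS passwd entries from AD users with idmap_rid-style uid/gid mapping.

Added example, not Ross's code. Mirrors Samba's idmap_rid formula
(ID = RID - BASE_RID + LOW_RANGE_ID). All data below is constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed data: a domain SID, two AD users, and uids still owned by legacy NIS accounts.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
AD_USERS: List[Dict] = [
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105",
     "primaryGroupID": 513, "displayName": "Alice Example"},   # 513 = Domain Users RID
    {"sAMAccountName": "bob", "objectSid": DOMAIN_SID + "-1106",
     "primaryGroupID": 513, "displayName": "Bob Example"},
]
LEGACY_NIS_UIDS: Set[int] = {1001, 1002, 11106}  # 11106 deliberately collides with bob

# Assumed idmap range, like "idmap config DOM : range = 10000-19999" in smb.conf.
ID_LOW, ID_HIGH = 10000, 19999
BASE_RID = 0


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid); reject anything that is not a domain account SID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:3] != ["S", "1", "5"] or parts[3] != "21":
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(rid: int, low: int = ID_LOW, high: int = ID_HIGH,
              base_rid: int = BASE_RID) -> int:
    """idmap_rid arithmetic with the range check Samba applies."""
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside range {low}-{high}")
    return unix_id


def sid_to_id(sid: str, domain_sid: str = DOMAIN_SID) -> int:
    """Map a SID to a uid/gid, refusing SIDs from another domain (ranges are per domain)."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise ValueError(f"SID from foreign domain {dom}; idmap_rid ranges are per domain")
    return rid_to_id(rid)


def build_passwd_map(users: List[Dict], legacy_uids: Set[int],
                     domain_sid: str = DOMAIN_SID) -> List[str]:
    """Emit passwd(5) lines with 'x' in the password field: no hashes leave AD."""
    lines: List[str] = []
    for u in users:
        login = u["sAMAccountName"]
        uid = sid_to_id(u["objectSid"], domain_sid)
        gid = rid_to_id(u["primaryGroupID"])  # primaryGroupID is the primary group's RID
        if uid in legacy_uids:
            raise ValueError(f"uid {uid} for {login} is still owned by a legacy NIS account")
        lines.append(f"{login}:x:{uid}:{gid}:{u['displayName']}:/home/{login}:/bin/bash")
    return lines


if __name__ == "__main__":
    for line in build_passwd_map(AD_USERS, {1001, 1002}):
        print(line)
    try:
        build_passwd_map(AD_USERS, LEGACY_NIS_UIDS)
    except ValueError as err:
        print("rejected:", err)
```

The collision check is the part worth keeping when you script this for real: a RID-derived uid that lands on a uid a legacy NIS user still owns gives the AD account that user's files on every NFS export, so the export should fail loudly rather than publish the map.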