Alfred von Campe
2015-May-07 20:49 UTC
[CentOS] Best way to integrate CentOS in Windows AD environment
We currently use a combination of Kerberos and NIS to manage users on our CentOS 6 systems in a Windows AD environment. NIS is provided by Windows Services for UNIX (or something named similarly), which has some issues, and is also not going to be supported by Microsoft in the future. NIS supplies the passwd file as well as the automount map for home directories, as shown by this excerpt from our /etc/nsswitch.conf file:

    passwd: files nis
    shadow: files nis
    group:  files nis

Our systems are configured using something similar to the following in our Kickstart config file:

    authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
      --nisserver=nis.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
      --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com

where nis1 and nis2 are the local AD domain controllers. With this configuration, any user can log into any CentOS system, and their home directory is automatically mounted over NFS with autofs. This works great, except for when the network is down and/or the home directory NFS server is not available, when the systems pretty much just hang. It's also only good for workstations and servers, but not laptops that may not be on the network.

I would like to move to CentOS 7 and a model where we don't use NIS at all, the users and (local) home directories are automatically created on login using the UID stored on the LDAP server. Before I re-invent the wheel, has somebody done this already? If so, can you share the authconfig line from your Kickstart file?

To summarize, I'd like to:

- Use LDAP/Kerberos provided by Windows AD servers to authenticate users
- Automatically create accounts/home directories upon first login
- Not require the system to be on the network (provided the user has logged in at least once to create the account locally)

Thanks in advance for any suggestions/examples.

Alfred
James Hogarth
2015-May-08 06:53 UTC
[CentOS] Best way to integrate CentOS in Windows AD environment
On 7 May 2015 21:49, "Alfred von Campe" <alfred at von-campe.com> wrote:
>
> I would like to move to CentOS 7 and a model where we don't use NIS at
> all, the users and (local) home directories are automatically created on
> login using the UID stored on the LDAP server. Before I re-invent the
> wheel, has somebody done this already? If so, can you share the
> authconfig line from your Kickstart file? To summarize, I'd like to:
>
> Use LDAP/Kerberos provided by Windows AD servers to authenticate users
> Automatically create accounts/home directories upon first login
> Not require the system to be on the network (provided the user has logged
> in at least once to create the account locally)
>

Someone was asking in the #rhel irc room about something similar yesterday.

I blogged about native AD authentication last year:
https://www.hogarthuk.com/?q=node/5

All our corporate Linux systems auth against our samba4 AD servers in a similar manner.

There is good information at docs.redhat.com on such integration as well and if you are focusing on c7 then realmd also simplifies this process (not available on c6).
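As an added example (not code from this thread, from James Hogarth's blog or from the Red Hat docs he points to), here is the shape the CentOS 7 pieces take when realmd/sssd replaces NIS for the three requirements in the original post: AD Kerberos/LDAP for authentication, local home directories created at first login, and logins that keep working when the domain controllers are unreachable. The script prints an sssd.conf and the Kickstart %post commands that would install it, and checks the generated config for the settings those requirements depend on. Everything named is a placeholder: the domain example.com / realm EXAMPLE.COM, the join-account user, and the assumption that AD already carries uidNumber/gidNumber for users (as a Services for UNIX deployment would). The realm join step is shown as the interactive form; an unattended build has to supply the joining credential some other way.

```shell
#!/bin/sh
# Added example, not code from the thread or from James Hogarth's blog.
# Generates a CentOS 7 sssd.conf for native AD authentication plus the
# Kickstart %post commands that would install it. Domain, realm and the
# join account are hypothetical placeholders.
set -eu

AD_DOMAIN="${AD_DOMAIN:-example.com}"
AD_REALM="${AD_REALM:-EXAMPLE.COM}"

# Print an sssd.conf for the given AD domain and Kerberos realm.
#  id_provider = ad             talk to AD directly (LDAP + Kerberos), no NIS
#  ldap_id_mapping = False      use uidNumber/gidNumber stored in AD instead
#                               of SID-derived IDs, so UIDs match the NIS ones
#  cache_credentials = True     a user who has logged in once can log in while
#                               the DCs are unreachable (the laptop case)
#  fallback_homedir = /home/%u  local home; pam_oddjob_mkhomedir creates it
emit_sssd_conf() {
    domain="$1"
    realm="$2"
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ad
access_provider = ad
ad_domain = $domain
krb5_realm = $realm
ldap_id_mapping = False
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
}

# Print the Kickstart %post section. "realm join" prompts for the password of
# the joining account; an unattended build must supply it another way (for
# example a pre-created one-time password), which is deliberately left out.
emit_kickstart_post() {
    domain="$1"
    cat <<EOF
%post --log=/root/ks-post-ad.log
yum -y install realmd sssd adcli oddjob oddjob-mkhomedir samba-common-tools
realm join --user=join-account $domain
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
systemctl enable oddjobd sssd
%end
EOF
}

# Return 0 only if an sssd.conf has the settings the three requirements need
# (AD-backed POSIX IDs, offline login, a local home directory), 1 otherwise.
sssd_conf_offline_ready() {
    file="$1"
    for kv in 'id_provider = ad' 'ldap_id_mapping = False' 'cache_credentials = True'; do
        grep -qx "$kv" "$file" || return 1
    done
    grep -q '^fallback_homedir = ' "$file"
}

# Stand-alone run: emit the config, check it, then print the %post commands.
conf=$(mktemp)
emit_sssd_conf "$AD_DOMAIN" "$AD_REALM" | tee "$conf"
sssd_conf_offline_ready "$conf" && echo "# sssd.conf passes the offline-login check"
rm -f "$conf"
emit_kickstart_post "$AD_DOMAIN"
```

Two of these settings carry the security-relevant decisions. With the default ldap_id_mapping = True, sssd synthesizes UIDs from SIDs, so files on the existing NFS home directories would show up owned by the wrong numeric IDs after the migration; setting it to False keeps the UIDs the NIS maps were already handing out. cache_credentials = True is what satisfies the "laptop off the network" requirement, and it only helps users who have logged in at least once while a DC was reachable, which is exactly the condition stated in the original post.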
James A. Peltier
2015-May-08 16:29 UTC
[CentOS] Best way to integrate CentOS in Windows AD environment
----- Original Message -----
| We currently use a combination of Kerberos and NIS to manage users on our
| CentOS 6 systems in a Windows AD environment. NIS is provided by Windows
| Services for UNIX (or something named similarly), which has some issues, and
| is also not going to be supported by Microsoft in the future. NIS supplies
| the passwd file as well as the automount map for home directories as shown
| by this excerpt from our /etc/nsswitch.conf file:
|
| passwd: files nis
| shadow: files nis
| group: files nis
|
| Our systems are configured using something similar to the following in our
| Kickstart config file:
|
| authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
| --nisserver=nis.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
| --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
|
| where nis1 and nis2 are the local AD domain controllers. With this
| configuration, any user can log into any CentOS system, and their home
| directory is automatically mounted over NFS with autofs. This works great,
| except for when the network is down and/or the home directory NFS server is
| not available, when the systems pretty much just hang. It's also only good
| for workstations and servers, but not laptops that may not be on the
| network.
|
| I would like to move to CentOS 7 and a model where we don't use NIS at all,
| the users and (local) home directories are automatically created on login
| using the UID stored on the LDAP server. Before I re-invent the wheel, has
| somebody done this already? If so, can you share the authconfig line from
| your Kickstart file?
|
| To summarize, I'd like to:
|
| Use LDAP/Kerberos provided by Windows AD servers to authenticate users
| Automatically create accounts/home directories upon first login
| Not require the system to be on the network (provided the user has logged in
| at least once to create the account locally)
|
| Thanks in advance for any suggestions/examples.
|
| Alfred
|
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos

You can feel free to contact me off list and we can let you know what we are doing to keep our NIS/AD environment in sync. ;)

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 604-365-6432
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology