samba - Aug 2008 - Authenticating Linux boxes against Active Directory, using Samba as a sort of AD Proxy

Hi Everyone,

I'm trying to find a open source solution to authenticate a bunch of
Linux machines (and, ideally, network devices etc.) against Active
Directory, as unfortunately in our organization this is the primary
source of account data. The complication we have is that my
organization has more than one Active Directory Domain, each hosted on
its own collection of domain controllers. This breaks every technique
i've found for authenticating Linux machines directly against AD. In
Windows, users select the relevant domain when they login to a PC and
everyone is happy [there is a trust relationship between our domains].

The current setup is Fedora Directory Server, and passsync on all our
(very very many) domain controllers with multiple replication
agreements (one per AD domain). This seems to work - most of the time
- and we then used NIS netgroups to authenticate access to machines.

This is a giant mess; adding a machine or user takes a very long time
and requires changes in three places. We are unable to get a FDS
replica to actually work. A small but significant number of password
changes do not sync AD->LDAP. If a user is disabled in AD, this does
not appear in FDS. I could go on, but the summary is we really really
hate this setup and are looking to improve it!

I played with Samba many years ago but am aware that in recent years
it has come along significantly. I know that it can become a Domain
Controller (and, therefore, presumably get hold of users password
hashes) but can I trivially authenticate Linux machines against this
machine? Ideally without installing anything on a base RHEL machine,
but I can install something if required.

Any help/advice/comments would be greatly appreciated.

Many thanks,

Alex

Alex,

a combination of pam_krb5, and nss_ldap with samba providing the 
kerberos registration of the computer will work in this situation.

I did a similar set up using the Vintella/Quest product VAS for a large 
corporate a couple of years ago and have replicated the functionality 
since using the Open Source code mentioned above. Major issues are 
organisational, you need to have a common user name space and UID space 
defined for everything to work seamlessly, otherwise you have problems 
if you try to cross domain boundaries. But you must have those problems 
anyway.

Alex Davies wrote:
> Hi Everyone,
>
> I'm trying to find a open source solution to authenticate a bunch of
> Linux machines (and, ideally, network devices etc.) against Active
> Directory, as unfortunately in our organization this is the primary
> source of account data. The complication we have is that my
> organization has more than one Active Directory Domain, each hosted on
> its own collection of domain controllers. This breaks every technique
> i've found for authenticating Linux machines directly against AD. In
> Windows, users select the relevant domain when they login to a PC and
> everyone is happy [there is a trust relationship between our domains].
>
> The current setup is Fedora Directory Server, and passsync on all our
> (very very many) domain controllers with multiple replication
> agreements (one per AD domain). This seems to work - most of the time
> - and we then used NIS netgroups to authenticate access to machines.
>
> This is a giant mess; adding a machine or user takes a very long time
> and requires changes in three places. We are unable to get a FDS
> replica to actually work. A small but significant number of password
> changes do not sync AD->LDAP. If a user is disabled in AD, this does
> not appear in FDS. I could go on, but the summary is we really really
> hate this setup and are looking to improve it!
>
>   
I have a similar setup and have built some scripts to handle this - 
pPerl is a great tool if you can describe what you want. So this can be 
made to work and could even be the right place to go. You need to 
include some Meta directory resources as well, as the FDS AD sync does 
pull some attributes you need.
> I played with Samba many years ago but am aware that in recent years
> it has come along significantly. I know that it can become a Domain
> Controller (and, therefore, presumably get hold of users password
> hashes) but can I trivially authenticate Linux machines against this
> machine? Ideally without installing anything on a base RHEL machine,
> but I can install something if required.
>
> Any help/advice/comments would be greatly appreciated.
>
> Many thanks,
>
> Alex
>   
The big caveat to all of this is the need to have POSIX attributes on 
all of your AD users. This is easiest if you have W2K3 R2 or greater 
installed. If not you can do a schema extension to add these - again I 
have done this for a large Forest but not for multiple Forests, although 
the problem should be similar. You then need to have a provisioning 
engine that will allocate UID and GID values and make them unique across 
you environment.

There are "solutions" that allow for multiple use of UID but my 
experience of these is limited to watching organisations fragmment into 
small islands where they have tried to use them.

You do say whether you are running NFS (v3 or v4) across the enterprise, 
whether AFS or GFS is in use and what other services you have that are 
dependent on User authentication/authority.

If you need more details please contact me and I will do what I can to help.

Regards, Howard.