Alex Davies
2008-Aug-17 11:46 UTC
[Samba] Authenticating Linux boxes against Active Directory, using Samba as a sort of AD Proxy
Hi Everyone, I'm trying to find a open source solution to authenticate a bunch of Linux machines (and, ideally, network devices etc.) against Active Directory, as unfortunately in our organization this is the primary source of account data. The complication we have is that my organization has more than one Active Directory Domain, each hosted on its own collection of domain controllers. This breaks every technique i've found for authenticating Linux machines directly against AD. In Windows, users select the relevant domain when they login to a PC and everyone is happy [there is a trust relationship between our domains]. The current setup is Fedora Directory Server, and passsync on all our (very very many) domain controllers with multiple replication agreements (one per AD domain). This seems to work - most of the time - and we then used NIS netgroups to authenticate access to machines. This is a giant mess; adding a machine or user takes a very long time and requires changes in three places. We are unable to get a FDS replica to actually work. A small but significant number of password changes do not sync AD->LDAP. If a user is disabled in AD, this does not appear in FDS. I could go on, but the summary is we really really hate this setup and are looking to improve it! I played with Samba many years ago but am aware that in recent years it has come along significantly. I know that it can become a Domain Controller (and, therefore, presumably get hold of users password hashes) but can I trivially authenticate Linux machines against this machine? Ideally without installing anything on a base RHEL machine, but I can install something if required. Any help/advice/comments would be greatly appreciated. Many thanks, Alex
Howard Wilkinson
2008-Aug-21 11:22 UTC
[Samba] Authenticating Linux boxes against Active Directory, using Samba as a sort of AD Proxy
Alex, a combination of pam_krb5, and nss_ldap with samba providing the kerberos registration of the computer will work in this situation. I did a similar set up using the Vintella/Quest product VAS for a large corporate a couple of years ago and have replicated the functionality since using the Open Source code mentioned above. Major issues are organisational, you need to have a common user name space and UID space defined for everything to work seamlessly, otherwise you have problems if you try to cross domain boundaries. But you must have those problems anyway. Alex Davies wrote:> Hi Everyone, > > I'm trying to find a open source solution to authenticate a bunch of > Linux machines (and, ideally, network devices etc.) against Active > Directory, as unfortunately in our organization this is the primary > source of account data. The complication we have is that my > organization has more than one Active Directory Domain, each hosted on > its own collection of domain controllers. This breaks every technique > i've found for authenticating Linux machines directly against AD. In > Windows, users select the relevant domain when they login to a PC and > everyone is happy [there is a trust relationship between our domains]. > > The current setup is Fedora Directory Server, and passsync on all our > (very very many) domain controllers with multiple replication > agreements (one per AD domain). This seems to work - most of the time > - and we then used NIS netgroups to authenticate access to machines. > > This is a giant mess; adding a machine or user takes a very long time > and requires changes in three places. We are unable to get a FDS > replica to actually work. A small but significant number of password > changes do not sync AD->LDAP. If a user is disabled in AD, this does > not appear in FDS. I could go on, but the summary is we really really > hate this setup and are looking to improve it! > >I have a similar setup and have built some scripts to handle this - pPerl is a great tool if you can describe what you want. So this can be made to work and could even be the right place to go. You need to include some Meta directory resources as well, as the FDS AD sync does pull some attributes you need.> I played with Samba many years ago but am aware that in recent years > it has come along significantly. I know that it can become a Domain > Controller (and, therefore, presumably get hold of users password > hashes) but can I trivially authenticate Linux machines against this > machine? Ideally without installing anything on a base RHEL machine, > but I can install something if required. > > Any help/advice/comments would be greatly appreciated. > > Many thanks, > > Alex >The big caveat to all of this is the need to have POSIX attributes on all of your AD users. This is easiest if you have W2K3 R2 or greater installed. If not you can do a schema extension to add these - again I have done this for a large Forest but not for multiple Forests, although the problem should be similar. You then need to have a provisioning engine that will allocate UID and GID values and make them unique across you environment. There are "solutions" that allow for multiple use of UID but my experience of these is limited to watching organisations fragmment into small islands where they have tried to use them. You do say whether you are running NFS (v3 or v4) across the enterprise, whether AFS or GFS is in use and what other services you have that are dependent on User authentication/authority. If you need more details please contact me and I will do what I can to help. Regards, Howard.
Reasonably Related Threads
- Windows to linux migration [PassSync.msi for 64 bit windows2003 ]
- Redhat directory server with windows2003 ads passsync error
- LDAP Implementations (was: Linking against a specifi c Berkeley DB install)
- [PATCH] lib: command: switch from select() to poll()
- Re: [PATCH] lib: command: switch from select() to poll()