[wellylug] Active Directory authentication in Linux

Anton anton.list at gmail.com
Wed Nov 20 09:39:34 NZDT 2013


On 19 November 2013 21:21, Neil Ramsay <neil.ramsay at agentnoel.geek.nz> wrote:

> Hi guys,
>
> I am looking at how to integrate Active Directory authentication in Linux.
> Many years ago, I got Linux authenticating against Kerberos/LDAP with
> great success, but it was a very manual process.
>
> Has anyone done Active Directory authentication in Linux at work, and what
> approach did you take?
>


Yep, long-time winbind user here. I had previously (e.g. 10 years ago) got the
standard Kerberos (pam_krb5 for authorisation) and LDAP (nss_ldap for
account info) modules working on Debian, but it was a far more involved
process (not that winbind isn't somewhat brittle anyway).

Winbind (i.e. its PAM and NSS modules) will require some cooperation from the
Active Directory admins to get the unixy extras added to the schema.

* In Windows 2003 and earlier that involved installing the NIS service from
MS Services For Unix 3.5 (SFU). Note: you don't actually use the NIS
service; it's just that you need it to extend the schema.
* In Windows 2003 R2 and later the Unix extras are shipped with Windows
(but not installed by default).

The earlier SFU 3.5 schema extensions are non-standard, but winbind can be
configured to read them. The 2003 R2 and later schema extensions are
standard RFC 2307.

Once you've got that stuff in Active Directory, you have to give each
unix-accessing user account in AD a 'NIS' domain and uid.

When it's all configured right, you can do cool stuff like kerberised SSH
and SPNEGO single sign-on to intranet apps, as well as transparently
accessing SMB fileshares in Nautilus etc.

The easier-to-use Likewise Open library that some distros shipped by
default wasn't viable for us as it didn't support centralised uid mapping
like winbind can. Only the paid-for Likewise product did that. I never
looked much into Centrify after the initial sticker shock.

-- 
Cheers
Anton
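The winbind side of what Anton describes, as an added smb.conf example that is not from his post or from the Samba project's own documentation. The workgroup, realm and id ranges are assumed placeholders, and the two schema_mode lines correspond to the SFU 3.5 and 2003 R2-and-later cases above.

```ini
# Added example, not from the original post. Assumed values: workgroup
# EXAMPLE, realm EXAMPLE.COM, and the uid/gid ranges. Only one of the
# two schema_mode lines applies to a given forest.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   kerberos method = secrets and keytab

   # Fallback map for SIDs with no AD-side id (BUILTIN, local machine
   # SIDs). These are allocated on the fly, so this range must not
   # overlap the AD-backed range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Read uidNumber/gidNumber out of AD so every host sees the same
   # uid for the same user (the centralised mapping Anton contrasts
   # with Likewise Open).
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999

   # Windows 2003 R2 and later: standard RFC 2307 attributes.
   idmap config EXAMPLE : schema_mode = rfc2307
   # Windows 2003 and earlier with the SFU 3.5 NIS extensions instead:
   # idmap config EXAMPLE : schema_mode = sfu

   # Take shell and home directory from the same schema rather than
   # from the template values.
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%D/%U

   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = yes
```

A user whose uidNumber is missing or falls outside the configured range simply does not resolve: `wbinfo -u` lists the account but `getent passwd` returns nothing for it, which is the usual symptom when the AD admins have not yet filled in the NIS domain and uid for that account.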