Alex,
a combination of pam_krb5, and nss_ldap with samba providing the
kerberos registration of the computer will work in this situation.
I did a similar set up using the Vintella/Quest product VAS for a large
corporate a couple of years ago and have replicated the functionality
since using the Open Source code mentioned above. Major issues are
organisational, you need to have a common user name space and UID space
defined for everything to work seamlessly, otherwise you have problems
if you try to cross domain boundaries. But you must have those problems
anyway.
Alex Davies wrote:
Hi Everyone,
I'm trying to find a open source solution to authenticate a bunch of
Linux machines (and, ideally, network devices etc.) against Active
Directory, as unfortunately in our organization this is the primary
source of account data. The complication we have is that my
organization has more than one Active Directory Domain, each hosted on
its own collection of domain controllers. This breaks every technique
i've found for authenticating Linux machines directly against AD. In
Windows, users select the relevant domain when they login to a PC and
everyone is happy [there is a trust relationship between our domains].
The current setup is Fedora Directory Server, and passsync on all our
(very very many) domain controllers with multiple replication
agreements (one per AD domain). This seems to work - most of the time
- and we then used NIS netgroups to authenticate access to machines.
This is a giant mess; adding a machine or user takes a very long time
and requires changes in three places. We are unable to get a FDS
replica to actually work. A small but significant number of password
changes do not sync AD-LDAP. If a user is disabled in AD, this does
not appear in FDS. I could go on, but the summary is we really really
hate this setup and are looking to improve it!
I have a similar setup and have built some scripts to handle this -
pPerl is a great tool if you can describe what you want. So this can be
made to work and could even be the right place to go. You need to
include some Meta directory resources as well, as the FDS AD sync does
pull some attributes you need.
I played with Samba many years ago but am aware that in recent years
it has come along significantly. I know that it can become a Domain
Controller (and, therefore, presumably get hold of users password
hashes) but can I trivially authenticate Linux machines against this
machine? Ideally without installing anything on a base RHEL machine,
but I can install something if required.
Any help/advice/comments would be greatly appreciated.
Many thanks,
Alex
The big caveat to all of this is the need to have POSIX attributes on
all of your AD users. This is easiest if you have W2K3 R2 or greater
installed. If not you can do a schema extension to add these - again I
have done this for a large Forest but not for multiple Forests, although
the problem should be similar. You then need to have a provisioning
engine that will allocate UID and GID values and make them unique across
you environment.
There are solutions that allow for multiple use of UID but my
experience of these is limited to watching organisations fragmment into
small islands where they have tried to use them.
You do say whether you are running NFS (v3 or v4) across the enterprise,
whether AFS or GFS is in use and what other services you have that are
dependent on User authentication/authority.
If you need more details please contact me and I will do what I can to help.
Regards, Howard.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba