phil walker wrote:
Has anyone configured their RHEL 4.0 system to authenticate against
their Active Directory, to hopefully overcome the administration cost of
maintaining both Linux and Windows security?
If so, what issues did you have with regard to:
a) telnet or ssh connectivity
b) samba connectivity
c) UniObjects connectivity
d) NFS or anything else...
We are running RHEL 3.0 and using AD authentication for ssh, telnet,
ftp, and samba. I set this up when we migrated UV from IRIX to RH in
Nov. '04, and it's been working flawlessly. It's made password
administration a non-issue. The only major caveat is that should the
winbind daemon ever die or hang, users can't log in. This doesn't
happen very often, but does happen occasionally. I'm running the
following script from cron every minute to eliminate the problem:
#!/bin/sh
#
# JAH - restart winbind if it dies
# 07-15-04
#
THISHOST=`hostname`
SYSADMIN="[EMAIL PROTECTED]"   # recipient address is redacted in the list archive
# The init script prints "... is running" while winbindd is alive.
WB_STATUS=`/etc/init.d/winbind status | grep running`
if [ "$WB_STATUS" = "" ]; then
    /etc/init.d/winbind restart
    (
        echo "winbindd hung and was restarted on server $THISHOST:"
        echo "$WB_STATUS"
    ) | mail -s "$THISHOST: winbindd restart" $SYSADMIN
fi
Also, keep in mind that Linux/UV is case sensitive, whereas Windows/AD is
not. If you are doing anything in UV based on login name you may have
problems if your Windows user logins aren't created with the case
convention you expect. We have always used uppercase only for the UV
server logins and have to be very careful to always use uppercase when
we add a new user to AD. Users can still log into the UV server using
lower case for their login name, but once they're in, winbind reports
their logins to the OS with the case in which they were originally
created. If a user is mistakenly set up using the wrong case, you can
still correct the problem by deleting them from AD and recreating them
correctly.
The only other caveat I can think of is that you need to be very careful
during the initial setup to make sure you don't lock yourself out of
your server. If you're going to be setting up both telnet and ssh, get
one working and tested first, then set up the other.
I'm not using winbind for UOJ authentication because we always use the
same OS level login for UOJ, then authenticate the user supplied name
and password in a BP via arguments. I don't think I could do UOJ
authentication via AD though, because I'm relying on PAM, which UOJ
doesn't use. AFAIK you can do samba/winbind/AD integration without
using PAM, but I haven't explored this.
I have the entire setup process documented and would be happy to send it
to you off-list.
-John
--
John Hester
System & Network Administrator
Momentum Group Inc.
(949) 833-8886 x623
http://memosamples.com
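A stricter variant of the watchdog idea above, added here as an example and not John's script: it pings winbindd directly with Samba's wbinfo -p instead of grepping init-script output, uses a lock directory so overlapping cron runs cannot issue two restarts, and adds a check of login names against the uppercase-only convention he describes. It assumes wbinfo(1) and an init script at /etc/init.d/winbind are present, as on his RHEL 3 box.

```shell
#!/bin/sh
# Added example (not John's script): a winbind watchdog that pings winbindd
# directly via 'wbinfo -p' instead of grepping init-script output, guards
# against overlapping cron runs, and audits logins against the uppercase-only
# convention. Assumption: Samba's wbinfo(1) and /etc/init.d/winbind exist.

WB_PING="${WB_PING:-wbinfo -p}"        # overridable so the check can be tested
WB_INIT="${WB_INIT:-/etc/init.d/winbind}"
LOCK="${LOCK:-/var/run/winbind-watchdog.lock}"
SYSADMIN="${SYSADMIN:-root}"

# 0 when winbindd answers a ping, non-zero otherwise.
winbind_alive() {
    $WB_PING >/dev/null 2>&1
}

# Read login names on stdin (e.g. the output of 'wbinfo -u'), print those
# containing lowercase letters, and return 0 if any were found, 1 if none.
find_lowercase_logins() {
    found=1
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        if [ "$name" != "$upper" ]; then
            printf '%s\n' "$name"
            found=0
        fi
    done
    return $found
}

watchdog() {
    winbind_alive && return 0
    # mkdir is atomic, so two cron runs cannot both pass this point.
    mkdir "$LOCK" 2>/dev/null || return 0
    trap 'rmdir "$LOCK"' EXIT
    "$WB_INIT" restart
    logger -t winbind-watchdog "winbindd not answering; restarted on $(hostname)"
    echo "winbindd hung and was restarted on server $(hostname)" \
        | mail -s "$(hostname): winbindd restart" "$SYSADMIN"
}

# Cron entry: * * * * * /usr/local/sbin/winbind-watchdog.sh run
# Only the 'run' argument touches the daemon; sourcing the file has no side effects.
if [ "${1:-}" = run ]; then
    watchdog
fi
```

Running `wbinfo -u | sh winbind-watchdog.sh` is not how the audit is meant to be invoked; source the file and pipe the user list into find_lowercase_logins to list accounts that were created in the wrong case.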
-------
u2-users mailing list