i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently use openldap with ppolicy for authorization & authentication.
i Was asked if i could use the existing customers AD infrustructure instead of openldap,
i successfully managed to read AD users by adding unix attributes to AD and configure nss_ldap module for user authorization
and kerberos for authentication.
the problem is that in my current openldap setup i use the host attribute to filter which user can login where,
my first question is if anyone tried to achive the same functionality with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for auth)?
i also tried to use winbind but i faced different problems…
although i managed to join the linux server on domain, retrieve user list via wbinfo -u (net ads testjoing reports ok, kinit with a domain user also reports ok)
i cant get userlist via getent (i added winbind to nssswitch file).
my second question is if winbind can achieve my current functionality?
if i use nss_ldap for obtaining user list & attributes (from unix attributes tab in AD users & computers) and winbind
for authentication (via pam) i get the correct uid mapping & i can emulate the host attribute via log on to this computer option
inside each AD user. (i must though setup kerberos right & join the AD).
On 11/07/2013 02:04 AM, maikcat wrote:[color=blue]
I would like to share a possible solution…
if i use nss_ldap for obtaining user list & attributes (from unix
attributes tab in AD users & computers) and winbind
for authentication (via pam) i get the correct uid mapping & i can
emulate the host attribute via log on to this computer option
inside each AD user. (i must though setup kerberos right & join the
AD).
i hope this helps someone else.[/color]
It probably will. Thank-you for sharing the details of what you did.
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
On 11/05/2013 10:34 AM, maikcat wrote:[color=blue]
hello all,
i administer 40 Linux SLES 11 Sp3 servers (x64 & s390) which i currently
use openldap with ppolicy for authorization & authentication.
i Was asked if i could use the existing customers AD infrustructure
instead of openldap,
i successfully managed to read AD users by adding unix attributes to AD
and configure nss_ldap module for user authorization
and kerberos for authentication.
the problem is that in my current openldap setup i use the host
attribute to filter which user can login where,
my first question is if anyone tried to achive the same functionality
with openldap/ppolicy/host attr combo with AD (ldap for nss & krb5 for
auth)?
i also tried to use winbind but i faced different problems…
although i managed to join the linux server on domain, retrieve user
list via wbinfo -u (net ads testjoing reports ok, kinit with a domain
user also reports ok)
i cant get userlist via getent (i added winbind to nssswitch file).
my second question is if winbind can achieve my current functionality?
[/color]
I usually add enum groups and enum users in the winbind section of smb.conf.
And I set default domain as well.
I’m away from the office right now… I can post more exact details.
Mine works… I can use getent passwd and see my AD accounts.
About the only I don’t like is that every platform gets a different uid mapping
for the same user. One solution is to use something else like NIS to enforce a
uid and effectively “smash” the two together. So AD can be used for the
password, and NIS is strictly there to keep the uid’s in line across platforms
(which matters quite a bit).