Combine AD authentication with NIS

We run a group of ~30 SLED12 SP1 workstations with a SLES12 SP1 server providing a NIS and NFS server. The NIS server handles passwords, groups, automount and netgroups.

Every user has their home directory on their own machine and this is exported via NFS to all the other machines so that all users can access their home directory from all machines.

I would like to retain all the NIS functionality but remove from NIS the password map for security reasons. Instead, I would like to authenticate users against our organisation’s Active Directory. I would also like to be able to limit which AD users can log in to the machines. Can anyone provide any advice or point me at any resources that would help?

Thanks

On 02/07/2017 04:44 AM, ttrcf wrote:

Since users’ home directories are mounted, don’t log in via password, but use
an ssh key instead. Then you can nuke the NIS password with some illegal base64
string. That way you can use NIS for users (keeping the passwd map) and still
not have exposed passwords there.

Just me, but if it’s one Windows domain, I’d smash the users from AD to Linux
(default domain). Thus a Windows AD user called “theuser” corresponds directly
to “theuser” inside of NIS.

If you do this right, when a user logs into AD, you can have their private ssh
key loaded so that they can go straight into every Linux host without typing a
password. This, of course, is primarily when the end user machines are Windows.
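As an added example (not from the thread or any of its posters), here is a small POSIX sh script that does what the reply above suggests: it rewrites the source file of the NIS passwd map so that every password field is locked before the map is rebuilt, and it audits a map for entries that would still hand a NIS client a crackable hash or, worse, an empty password. The `lock_passwd_map`/`audit_passwd_map` names and the sample entries are constructed for the example; the hashes are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not from the thread: lock the password field of every entry in
# the file that feeds the NIS passwd map (run before ypmake). The map is readable
# by every NIS client, so nothing useful must survive in field 2; account name,
# UID/GID, home and shell are kept so SSH-key logins keep working.
#
# Field 2 handling:
#   any hash (DES, $1$, $5$, $6$, ...) -> "*"   (matches no password; key-only login)
#   empty field (NO password needed!)  -> "*"   (worst case, closed as well)
#   already locked (*, !, !!) or "x"   -> unchanged

# Rewrite a passwd-format stream read on stdin, emitting the locked version.
lock_passwd_map() {
    awk -F: 'BEGIN { OFS = ":" }
        NF >= 7 && $2 != "x" && $2 !~ /^[!*]/ { $2 = "*" }
        { print }'
}

# Audit a passwd-format stream on stdin: print "user:reason" for each entry that
# still exposes something to a NIS client. Prints nothing when the map is clean.
audit_passwd_map() {
    awk -F: 'NF >= 7 {
        if ($2 == "")                        print $1 ":empty-password"
        else if ($2 != "x" && $2 !~ /^[!*]/) print $1 ":hash-exposed"
    }'
}

# Constructed sample map source (placeholder hash, not a real credential).
SAMPLE_MAP='alice:$6$saltsalt$ZmFrZWhhc2g:1001:100:Alice:/home/alice:/bin/bash
bob::1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Carol:/home/carol:/bin/bash
dave:x:1004:100:Dave:/home/dave:/bin/bash'

# Wrappers returning checkable results: number of findings, and the locked map.
count_findings() { printf '%s\n' "$1" | audit_passwd_map | wc -l | tr -d ' '; }
locked_map()     { printf '%s\n' "$1" | lock_passwd_map; }

if [ "${1:-}" = "demo" ]; then
    echo "== findings before locking =="; printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map
    echo "== findings after locking  =="; locked_map "$SAMPLE_MAP" | audit_passwd_map
fi
```

Run it with `demo` to see the two findings (alice’s hash and bob’s empty password) disappear once the map is locked; on a real server, feed it the map source and check the audit is empty before pushing the map.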

On 02/11/2017 06:10 PM, cjcox wrote:

Let me add a bit more. My assumption is that you control Linux/Unix access via
NIS. The *ix hosts do not have to be joined to the domain. With that said,
you can certainly do this if you wanted (for example) to easily mount the user’s
home dir SMB style on login from the Windows clients. But don’t do anything
like auto user setup on the Samba side for the AD logins. Thus, they can’t
really “log in” to the *ix hosts unless the NIS for them has been set up.

On 02/11/2017 06:15 PM, cjcox wrote:

:-) Sorry, one more thing. If you were to architect your *ix homes centrally,
you could house the user’s .ssh private key normally, then just make that
central host joined to the domain such that their *ix home dir can be mounted to
AD, their .ssh key could be loaded, etc. on AD login from the Windows host.