[Freeipa-devel] Multiple Active Directory Domains authentication - is freeIPA my solution?

Alex Davies alex at davz.net
Mon Aug 18 20:51:57 UTC 2008


Hi Rich,

We think the problem is actually with some of our DCs in remote
locations that have all sorts of funny security things installed on
them which break the Passsync service from time to time, with no
obvious cause in the log files.

For us however the solution we currently have really sucks - if only
because of the amount of configuration it takes to add a machine or
ensure that no user accounts have been disabled - and we are really
looking for a replacement!

Any suggestions would be much appreciated.

Best wishes,

Alex

On Mon, Aug 18, 2008 at 4:14 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> Alex Davies wrote:
>>
>> Hi Everyone,
>>
>> I'm trying to find an open source solution to authenticate a bunch of
>> Linux machines (and, ideally, network devices etc.) against Active
>> Directory. The complication we have is that my organization has more
>> than one Active Directory Domain, each hosted on its own collection of
>> domain controllers. In Windows, users select the relevant domain when
>> they log in to a PC and everyone is happy [there is a trust
>> relationship between our domains]. I can not for the life of me get
>> this to work properly on Linux.
>>
>> We set up Fedora Directory Server, and passsync on all our (very very
>> many) domain controllers. We then set up multiple replication
>> agreements (one per AD domain), and this seems to work most of the
>> time; however, sometimes passwords are not synced.
>
> Can you provide passsync logs or Fedora DS logs showing failures?
>>
>> We then used NIS
>> netgroups to authenticate access to machines, and finally a centrally
>> managed sudoers file (via Satellite) to allow users who have logged in
>> to work as role accounts if required (such as "oracle").
>>
>> This is a giant mess; adding a machine or user takes a very long time
>> and requires changes in three places. We are unable to get a FDS
>> replica to actually work. A small but significant number of password
>> changes do not sync AD->LDAP. If a user is disabled in AD, this does
>> not appear in FDS. I could go on, but the summary is we really really
>> hate this setup.
>>
>> Can I ask if freeIPA will help me here? If not, can anyone point me in
>> the direction of something that will? I suspect that the multiple AD
>> domains thing will be a problem.
>>
>> Many thanks,
>>
>> Alex
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
>
-- 
Alex Davies