Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory

Kenneth Holter kenneho.ndu at gmail.com
Mon Feb 1 14:29:42 UTC 2010


I'll let you know when I get it working. Meanwhile, if anyone knows how this
is accomplished please give me a hint.

On Fri, Jan 29, 2010 at 3:53 PM, s u p e r n a u t <supernaut at gmx.com> wrote:

> Thanks for the feedback.
>
> I'd think grouping computers in AD should work the same way.  Please let
> the list know when you get it working.
>
>
> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu at gmail.com>
> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
> Sent: Friday, January 29, 2010 1:52 PM
>
> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>
>
>> Hi.
>>
>>
>> I got it working - I can now fetch both users and groups from AD directly,
>> and can use this information in both PAM and sudo to control access.
>>
>> Didn't take much tweaking to get it to work, as most of the attributes in the
>> document you linked to were correct. I may have made a couple of changes,
>> but don't recall exactly which. I'll paste in the mappings here for others
>> to use:
>>
>> -- snip --
>> nss_base_passwd ou=linux,dc=example,dc=com
>> nss_base_shadow ou=linux,dc=example,dc=com
>> nss_base_group ou=linux,dc=example,dc=com
>> nss_map_objectclass posixAccount user
>> nss_map_objectclass shadowAccount user
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute gecos name
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute uniqueMember member
>> nss_map_attribute cn cn
>> nss_map_attribute shadowLastChange pwdLastSet
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=User
>> pam_password ad
>> pam_member_attribute member
>> -- snip --
>>
>> The next issue would be to group computers, so that I can give a group of
>> users (collected in a regular AD group) access/privileges to a group of
>> servers. I'm thinking that such groups of computers also should be
>> maintained in AD. Is this how others are doing it?
>>
>>
>> - Kenneth
>>
>>
>>
>>
>> On Thu, Jan 28, 2010 at 2:00 PM, s u p e r n a u t <supernaut at gmx.com> wrote:
>>
>>> Kenneth,
>>>
>>> I'd be interested to know if this worked for you.  Did you have to do
>>> anything specific that's different to that guide to make it work with
>>> W2K8?
>>>
>>> Thanks.
>>>
>>> ----- Original Message ----- From: "s u p e r n a u t" <supernaut at gmx.com>
>>>
>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>> Sent: Wednesday, January 27, 2010 3:17 PM
>>>
>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>
>>>
>>>> I'm not sure I understand why you'd want to do that. After you've
>>>> installed AD Services Identity Management for UNIX, you can specify a
>>>> user's
>>>> primary (AD) group under his AD properties under the UNIX Attributes
>>>> tab.
>>>>
>>>> Then you basically assign/change permissions on the Linux system as
>>>> username:ad_group_name.
>>>>
>>>> I think the idea is that you'd use AD groups for file/folder access and
>>>> not the Linux groups anymore, although the Linux groups could still be
>>>> used
>>>> if you wanted to.
>>>>
>>>> I'm a bit rusty on this but I believe that's what I wanted to achieve,
>>>> anyway.
>>>>
>>>> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu at gmail.com>
>>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>>> Sent: Wednesday, January 27, 2010 2:35 PM
>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>
>>>>
>>>>> Great, thanks, I got it working.
>>>>>
>>>>> Currently, our Linux users are all members of a POSIX group of the same
>>>>> name (i.e. user "kenneth" is a member of its own group "kenneth", which is
>>>>> the default in Linux as far as I know). Do you know how I can create such
>>>>> groups in AD, instead of adding users to shared groups such as "unixusers"?
>>>>>
>>>>> On Wed, Jan 27, 2010 at 1:39 PM, s u p e r n a u t <supernaut at gmx.com> wrote:
>>>>>
>>>>>> I've used this in the past to good effect with RHEL5.3 and W2K3. I'm sure
>>>>>> you'll have to make adjustments with W2K8, but it may be a good starting
>>>>>> point.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu at gmail.com>
>>>>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>>>>> Sent: Wednesday, January 27, 2010 7:58 AM
>>>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>>>
>>>>>>
>>>>>>> Thanks for your reply.
>>>>>>>
>>>>>>> I would like the account and group information to be maintained in
>>>>>>> AD.
>>>>>>> Possibly later on we'll implement kerberos too.
>>>>>>>
>>>>>>>
>>>>>>> - Kenneth
>>>>>>>
>>>>>>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002 at shsu.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> If you just care about authentication and not accounts, I'd set up
>>>>>>>> kerberos auth - much easier. I have no experience setting up LDAP auth,
>>>>>>>> sorry.
>>>>>>>>
>>>>>>>> Rob Marti
>>>>>>>> ________________________________________
>>>>>>>> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com] On
>>>>>>>> Behalf Of Kenneth Holter [kenneho.ndu at gmail.com]
>>>>>>>> Sent: Tuesday, January 26, 2010 10:17
>>>>>>>> To: redhat-list at redhat.com
>>>>>>>> Subject: Configuring RHEL servers to authenticate with Windows Server 2008
>>>>>>>> Active Directory
>>>>>>>>
>>>>>>>> Hello all.
>>>>>>>>
>>>>>>>>
>>>>>>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our Windows
>>>>>>>> Server 2008 Active Directory. Using "authconfig --update --enableldap
>>>>>>>> --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com"
>>>>>>>> and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks like
>>>>>>>> the linux box is connecting correctly to the AD server. But running "getent
>>>>>>>> passwd <some-linux-user-defined-on-AD>" doesn't return any result.
>>>>>>>>
>>>>>>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are not
>>>>>>>> correct. I have no attribute mapping defined, since I would think that there
>>>>>>>> would be some default mappings that would work. Are there any default
>>>>>>>> mappings, and if so, what are they? Or maybe "authconfig" sets up these
>>>>>>>> mappings automatically? Any advice is appreciated.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Kenneth Holter
>>>>>>>> --
>>>>>>>> redhat-list mailing list
>>>>>>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>>>>>
>
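An added example, not code from the thread or from nss_ldap: a small model of what nss_ldap does with the nss_map_* directives Kenneth posted. It parses an /etc/ldap.conf fragment, builds the base, filter and attribute list that a "getent passwd <user>" or "getent group <group>" lookup would actually send to AD, and flags settings a reviewer would question. The directive names are real nss_ldap/pam_ldap ones; the uri, binddn and bindpw values in the sample are constructed. Note why only homeDirectory is remapped: Identity Management for UNIX stores uidNumber, gidNumber and loginShell under their RFC 2307 names, but the home directory lives in unixHomeDirectory.

```python
# Added example (not from the list thread): model how nss_ldap turns the
# nss_map_* directives into the query it sends to AD, and audit the file.
# The uri/binddn/bindpw values below are constructed sample data.

# RFC 2307 attribute names nss_ldap uses internally; nss_map_attribute
# translates each into what the directory really stores.
PASSWD_ATTRS = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]
GROUP_ATTRS = ["cn", "gidNumber", "memberUid", "uniqueMember"]

SAMPLE_LDAP_CONF = """\
uri ldap://ldap.example.com
base dc=example,dc=com
binddn cn=ldapreader,ou=service,dc=example,dc=com
bindpw s3cret
nss_base_passwd ou=linux,dc=example,dc=com
nss_base_shadow ou=linux,dc=example,dc=com
nss_base_group ou=linux,dc=example,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_member_attribute member
"""


def parse_ldap_conf(text):
    """Parse the directives used here. The `base?scope?filter` form of
    nss_base_* is not modelled; only the base DN is taken."""
    conf = {"base": {}, "objectclass": {}, "attribute": {}, "options": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key.startswith("nss_base_") and len(args) == 1:
            conf["base"][key[len("nss_base_"):]] = args[0].split("?")[0]
        elif key == "nss_map_objectclass" and len(args) == 2:
            conf["objectclass"][args[0]] = args[1]
        elif key == "nss_map_attribute" and len(args) == 2:
            conf["attribute"][args[0]] = args[1]
        else:
            conf["options"][key] = " ".join(args)
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping, so a name like 'a)(uid=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _query(conf, mapname, objectclass, key_attr, key, attrs):
    amap, oc = conf["attribute"], conf["objectclass"].get(objectclass, objectclass)
    base = conf["base"].get(mapname) or conf["options"].get("base", "")
    flt = "(&(objectClass=%s)(%s=%s))" % (oc, amap.get(key_attr, key_attr), escape_filter_value(key))
    return base, flt, [amap.get(a, a) for a in attrs]


def passwd_query(conf, username):
    """(base, filter, attrs) behind `getent passwd <username>`."""
    return _query(conf, "passwd", "posixAccount", "uid", username, PASSWD_ATTRS)


def group_query(conf, groupname):
    """(base, filter, attrs) behind `getent group <groupname>`."""
    return _query(conf, "group", "posixGroup", "cn", groupname, GROUP_ATTRS)


def audit(conf):
    """Settings a reviewer should question before this file goes to production."""
    opts, findings = conf["options"], []
    tls = opts.get("ssl", "").lower() in ("on", "start_tls") or opts.get("uri", "").startswith("ldaps://")
    if "bindpw" in opts:
        findings.append("bindpw: nss_ldap needs /etc/ldap.conf world-readable, so every local "
                        "user can read this password; keep the bind account unprivileged and "
                        "read-only, or use rootbinddn with root-only /etc/ldap.secret")
    if not tls:
        findings.append("no ssl/start_tls/ldaps: simple binds send passwords to AD in clear text")
    if opts.get("pam_password", "").lower() == "ad" and not tls:
        findings.append("pam_password ad writes unicodePwd, which AD only accepts over an "
                        "encrypted connection; password changes will fail without TLS")
    return findings


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for base, flt, attrs in (passwd_query(conf, "kenneth"), group_query(conf, "unixusers")):
        print("base=%s filter=%s attrs=%s" % (base, flt, ",".join(attrs)))
    for finding in audit(conf):
        print("WARN:", finding)
```

Running it shows the passwd lookup as (&(objectClass=user)(sAMAccountName=kenneth)) against ou=linux,dc=example,dc=com, requesting sAMAccountName, uidNumber, gidNumber, name, unixHomeDirectory and loginShell, which is exactly what to reproduce with ldapsearch when getent returns nothing. The three warnings are the points to settle before the mappings go live: where the bind password sits, whether the connection is encrypted, and that pam_password ad cannot work without it.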


