Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory

Kenneth Holter kenneho.ndu at gmail.com
Fri Jan 29 13:52:09 UTC 2010


Hi.


I got it working - I can now fetch both users and groups from AD directly,
and can use this information in both PAM and sudo to control access.

Didn't take much tweaking to get it working, as most of the attributes in the
document you linked to were correct. I may have made a couple of changes,
but don't recall exactly which. I'll paste in the mappings here for others
to use:

-- snip --
nss_base_passwd ou=linux,dc=example,dc=com
nss_base_shadow ou=linux,dc=example,dc=com
nss_base_group ou=linux,dc=example,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_member_attribute member
-- snip --

The next issue would be to group computers, so that I can give a group of
users (collected in a regular AD group) access/privileges to a group of
servers. I'm thinking that such groups of computers also should be
maintained in AD. Is this how others are doing it?


- Kenneth

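An added example (not code from the thread or from nss_ldap itself) that applies the nss_map_attribute lines above to constructed AD entries; it shows which AD attributes an account must carry before the mapping yields a passwd line, which is the "getent passwd returns nothing" symptom from earlier in the thread. The entries KENNETH and NOUNIX are made up for the example.

```python
"""Apply nss_ldap attribute mappings to AD entries the way the resolver would.

Constructed example, not code from the mailing-list post or from nss_ldap:
it parses the nss_map_attribute lines posted above and reports which AD
attributes an account must carry before 'getent passwd' can return it.
"""

# Mapping lines copied from the post so the example runs offline.
LDAP_CONF = """\
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
"""

# Fields a passwd entry needs, in /etc/passwd order (password field excluded).
PASSWD_FIELDS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")


def parse_attr_map(conf):
    """Return {rfc2307_attribute: ad_attribute} from nss_map_attribute lines."""
    attr_map = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            attr_map[parts[1]] = parts[2]
    return attr_map


def passwd_line(entry, attr_map):
    """Build the passwd line for one AD entry, or report the missing attributes.

    Returns (line, missing). line is None when any required field is absent,
    which is why an account without UNIX attributes never shows up in getent.
    """
    values, missing = [], []
    for field in PASSWD_FIELDS:
        ad_attr = attr_map.get(field, field)  # unmapped fields keep their RFC 2307 name
        if ad_attr in entry:
            values.append(str(entry[ad_attr]))
        else:
            missing.append(ad_attr)
    if missing:
        return None, missing
    user, uidn, gidn, gecos, home, shell = values
    # Placeholder password field: the real check is pam_ldap binding to AD.
    return f"{user}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}", []


# Constructed AD entries: one with UNIX attributes populated, one without.
KENNETH = {"sAMAccountName": "kenneth", "name": "Kenneth Holter", "uidNumber": 10001,
           "gidNumber": 10001, "unixHomeDirectory": "/home/kenneth", "loginShell": "/bin/bash"}
NOUNIX = {"sAMAccountName": "bob", "name": "Bob", "uidNumber": 10002, "gidNumber": 10002}

if __name__ == "__main__":
    amap = parse_attr_map(LDAP_CONF)
    for entry in (KENNETH, NOUNIX):
        line, missing = passwd_line(entry, amap)
        print(line or f"{entry['sAMAccountName']}: not returned, missing {missing}")
```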



On Thu, Jan 28, 2010 at 2:00 PM, s u p e r n a u t <supernaut at gmx.com> wrote:

> Kenneth,
>
> I'd be interested to know if this worked for you.  Did you have to do
> anything specific that's different to that guide to make it work with W2K8?
>
> Thanks.
>
> ----- Original Message ----- From: "s u p e r n a u t" <supernaut at gmx.com>
>
> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
> Sent: Wednesday, January 27, 2010 3:17 PM
>
> Subject: Re: Configuring RHEL servers to authenticate with Windows
> Server 2008 Active Directory
>
>
>  I'm not sure I understand why you'd want to do that.  After you've
>> installed AD Services Identity Management for UNIX, you can specify a user's
>> primary (AD) group under his AD properties under the UNIX Attributes tab.
>>
>> Then you basically assign/change permissions on the Linux system as
>> username:ad_group_name.
>>
>> I think the idea is that you'd use AD groups for file/folder access and
>> not the Linux groups anymore, although the Linux groups could still be used
>> if you wanted to.
>>
>> I'm a bit rusty on this but I believe that's what I wanted to achieve,
>> anyway.
>>
>> ----- Original Message ----- From: "Kenneth Holter" <
>> kenneho.ndu at gmail.com>
>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>> Sent: Wednesday, January 27, 2010 2:35 PM
>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server
>> 2008 Active Directory
>>
>>
>>  Great, thanks, I got it working.
>>>
>>> Currently, our Linux users are all members of a posix group of the same
>>> name (i.e. user "kenneth" is a member of its own group "kenneth", which is
>>> the default in Linux as far as I know). Do you know how I can create such
>>> groups on AD, instead of adding users to shared groups such as "unixusers"?
>>>
>>> On Wed, Jan 27, 2010 at 1:39 PM, s u p e r n a u t <supernaut at gmx.com> wrote:
>>>
>>>  I've used this in the past to good effect with RHEL5.3 and W2K3.  I'm
>>>> sure
>>>> you'll have to make adjustments with W2K8, but it may be a good starting
>>>> point.
>>>>
>>>>
>>>>
>>>> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
>>>>
>>>>
>>>>
>>>> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu at gmail.com>
>>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>>> Sent: Wednesday, January 27, 2010 7:58 AM
>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows
>>>> Server 2008 Active Directory
>>>>
>>>>
>>>>  Thanks for your reply.
>>>>
>>>>>
>>>>> I would like the account and group information to be maintained in AD.
>>>>> Possibly later on we'll implement kerberos too.
>>>>>
>>>>>
>>>>> - Kenneth
>>>>>
>>>>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002 at shsu.edu>
>>>>> wrote:
>>>>>
>>>>>  If you just care about authentication and not accounts, I'd set up
>>>>>
>>>>>> kerberos
>>>>>> auth - much easier.  I have no experience setting up LDAP auth, sorry.
>>>>>>
>>>>>> Rob Marti
>>>>>> ________________________________________
>>>>>> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com]
>>>>>> On
>>>>>> Behalf Of Kenneth Holter [kenneho.ndu at gmail.com]
>>>>>> Sent: Tuesday, January 26, 2010 10:17
>>>>>> To: redhat-list at redhat.com
>>>>>> Subject: Configuring RHEL servers to authenticate with Windows Server
>>>>>> 2008 Active Directory
>>>>>>
>>>>>> Hello all.
>>>>>>
>>>>>>
>>>>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our
>>>>>> Windows Server 2008 Active Directory. Using "authconfig --update --enableldap
>>>>>> --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dn=example,dn=com"
>>>>>> and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks
>>>>>> like the linux box is connecting correctly to the AD server. But running
>>>>>> "getent passwd <some-linux-user-defined-on-AD>" doesn't return any result.
>>>>>>
>>>>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are
>>>>>> not correct. I have no attribute mapping defined, since I would think that
>>>>>> there would be some default mappings that would work. Are there any default
>>>>>> mappings, and if so, what are they? Or maybe "authconfig" set up these
>>>>>> mappings automatically? Any advice is appreciated.
>>>>>>
>>>>>> Best regards,
>>>>>> Kenneth Holter
>>>>>> --
>>>>>> redhat-list mailing list
>>>>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>


