Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory

s u p e r n a u t supernaut at gmx.com
Fri Jan 29 14:53:48 UTC 2010


Thanks for the feedback.

I'd think grouping computers in AD should work the same way.  Please let the 
list know when you get it working.

----- Original Message ----- 
From: "Kenneth Holter" <kenneho.ndu at gmail.com>
To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
Sent: Friday, January 29, 2010 1:52 PM
Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory


> Hi.
>
>
> I got it working - I can now fetch both users and groups from AD directly,
> and can use this information in both PAM and sudo to control access.
>
> Didn't take much tweaking to get it working, as most of the attributes in the
> document you linked to were correct. I may have made a couple of changes,
> but don't recall exactly which. I'll paste in the mappings here for others
> to use:
>
> -- snip --
> nss_base_passwd ou=linux,dc=example,dc=com
> nss_base_shadow ou=linux,dc=example,dc=com
> nss_base_group ou=linux,dc=example,dc=com
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute uid sAMAccountName
> nss_map_attribute gecos name
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute cn cn
> nss_map_attribute shadowLastChange pwdLastSet
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
> pam_password ad
> pam_member_attribute member
> -- snip --
>
> The next issue would be to group computers, so that I can give a group of
> users (collected in a regular AD group) access/privileges to a group of
> servers. I'm thinking that such groups of computers also should be
> maintained in AD. Is this how others are doing it?
>
>
> - Kenneth
>
>
>
>
> On Thu, Jan 28, 2010 at 2:00 PM, s u p e r n a u t <supernaut at gmx.com> wrote:
>
>> Kenneth,
>>
>> I'd be interested to know if this worked for you.  Did you have to do
>> anything specific that's different to that guide to make it work with W2K8?
>>
>> Thanks.
>>
>> ----- Original Message -----
>> From: "s u p e r n a u t" <supernaut at gmx.com>
>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>> Sent: Wednesday, January 27, 2010 3:17 PM
>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>
>>
>>> I'm not sure I understand why you'd want to do that.  After you've
>>> installed AD Services Identity Management for UNIX, you can specify a user's
>>> primary (AD) group under his AD properties under the UNIX Attributes tab.
>>>
>>> Then you basically assign/change permissions on the Linux system as
>>> username:ad_group_name.
>>>
>>> I think the idea is that you'd use AD groups for file/folder access and
>>> not the Linux groups anymore, although the Linux groups could still be used
>>> if you wanted to.
>>>
>>> I'm a bit rusty on this but I believe that's what I wanted to achieve,
>>> anyway.
>>>
>>> ----- Original Message -----
>>> From: "Kenneth Holter" <kenneho.ndu at gmail.com>
>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>> Sent: Wednesday, January 27, 2010 2:35 PM
>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>
>>>
>>>> Great, thanks, I got it working.
>>>>
>>>> Currently, our linux users are all members of a posix group of the same name
>>>> (i.e. user "kenneth" is a member of its own group "kenneth", which is the
>>>> default in linux as far as I know). Do you know how I can create such groups
>>>> on AD, instead of adding users to shared groups such as "unixusers"?
>>>>
>>>> On Wed, Jan 27, 2010 at 1:39 PM, s u p e r n a u t <supernaut at gmx.com> wrote:
>>>>
>>>>> I've used this in the past to good effect with RHEL5.3 and W2K3.  I'm sure
>>>>> you'll have to make adjustments with W2K8, but it may be a good starting
>>>>> point.
>>>>>
>>>>>
>>>>>
>>>>> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Kenneth Holter" <kenneho.ndu at gmail.com>
>>>>> To: "General Red Hat Linux discussion list" <redhat-list at redhat.com>
>>>>> Sent: Wednesday, January 27, 2010 7:58 AM
>>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>>
>>>>>
>>>>>> Thanks for your reply.
>>>>>>
>>>>>> I would like the account and group information to be maintained in AD.
>>>>>> Possibly later on we'll implement kerberos too.
>>>>>>
>>>>>>
>>>>>> - Kenneth
>>>>>>
>>>>>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002 at shsu.edu> wrote:
>>>>>>
>>>>>>> If you just care about authentication and not accounts, I'd set up kerberos
>>>>>>> auth - much easier.  I have no experience setting up LDAP auth, sorry.
>>>>>>>
>>>>>>> Rob Marti
>>>>>>> ________________________________________
>>>>>>> From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com]
>>>>>>> On Behalf Of Kenneth Holter [kenneho.ndu at gmail.com]
>>>>>>> Sent: Tuesday, January 26, 2010 10:17
>>>>>>> To: redhat-list at redhat.com
>>>>>>> Subject: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>>>>
>>>>>>> Hello all.
>>>>>>>
>>>>>>>
>>>>>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our
>>>>>>> Windows server 2008 Active Directory. Using
>>>>>>> "authconfig --update --enableldap --enableldapauth
>>>>>>> --ldapserver=ldap.example.com --ldapbasedn=dn=example,dn=com"
>>>>>>> and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks like
>>>>>>> the linux box is connecting correctly to the AD server. But running
>>>>>>> "getent passwd <some-linux-user-defined-on-AD>" doesn't return any result.
>>>>>>>
>>>>>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are not
>>>>>>> correct. I have no attribute mapping defined, since I would think that
>>>>>>> there would be some default mappings that would work. Are there any default
>>>>>>> mappings, and in case what are they? Or maybe "authconfig" set up these
>>>>>>> mappings automatically? Any advice is appreciated.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Kenneth Holter
>>>>>>> --
>>>>>>> redhat-list mailing list
>>>>>>> unsubscribe 
>>>>>>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
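A worked example, added here and not taken from any post in this thread: it applies the nss_ldap mapping block Kenneth posted to a sample AD user object the way the passwd map does, shows why an unmapped configuration (the original question) resolves nothing for getent, and audits the same ldap.conf for the bind credentials that get added in the clear. The AD entry, the uri/binddn/bindpw lines and the service-account DN are constructed for the example; the nss_map_* lines are the ones from the thread.

```python
"""Simulate nss_ldap passwd-map attribute mapping against an AD user entry and
audit /etc/ldap.conf for plaintext bind credentials.  Added example; the
config text mixes the thread's mapping lines with constructed connection
settings, and the AD entry is constructed sample data."""
from typing import Dict, List, Tuple

# Constructed: the thread's mappings plus assumed uri/binddn/bindpw lines.
SAMPLE_LDAP_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nssproxy,ou=service,dc=example,dc=com
bindpw placeholder-not-a-real-password
nss_base_passwd ou=linux,dc=example,dc=com
nss_base_group ou=linux,dc=example,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
"""

# Constructed AD user as an LDAP search would return it (attribute -> values).
# uidNumber/gidNumber/loginShell are what Identity Management for UNIX adds.
SAMPLE_AD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["kenneth"],
    "name": ["Kenneth Holter"],
    "uidNumber": ["10001"],
    "gidNumber": ["10001"],
    "unixHomeDirectory": ["/home/kenneth"],
    "loginShell": ["/bin/bash"],
    "pwdLastSet": ["129091600000000000"],
}

# RFC 2307 attributes the passwd map needs, in passwd(5) field order.
PASSWD_FIELDS = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]


def parse_ldap_conf(text: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Return (options, attribute_map, objectclass_map) from ldap.conf text."""
    options: Dict[str, str] = {}
    attr_map: Dict[str, str] = {}
    oc_map: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0].lower()
        if key == "nss_map_attribute" and len(parts) == 3:
            attr_map[parts[1]] = parts[2]          # rfc2307 name -> AD name
        elif key == "nss_map_objectclass" and len(parts) == 3:
            oc_map[parts[1]] = parts[2]
        elif len(parts) >= 2:
            options[key] = line.split(None, 1)[1]
    return options, attr_map, oc_map


def build_passwd_entry(entry: Dict[str, List[str]], attr_map: Dict[str, str],
                       oc_map: Dict[str, str]) -> str:
    """Resolve each RFC 2307 attribute under its mapped AD name (falling back
    to the RFC 2307 name when unmapped) and emit a passwd(5) line.  Raises
    KeyError naming the first thing that cannot be resolved, which is the
    condition behind an empty 'getent passwd' result."""
    wanted_oc = oc_map.get("posixAccount", "posixAccount")
    if wanted_oc not in entry.get("objectClass", []):
        raise KeyError(f"entry lacks objectClass {wanted_oc}")
    values = []
    for field in PASSWD_FIELDS:
        ad_name = attr_map.get(field, field)
        if ad_name not in entry:
            raise KeyError(f"{field} -> {ad_name} missing on entry")
        values.append(entry[ad_name][0])
    uid, uidn, gidn, gecos, home, shell = values
    return f"{uid}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}"


def audit_bind_security(options: Dict[str, str]) -> List[str]:
    """Flag a bindpw that would travel unencrypted, and pam_password ad
    without TLS (AD only accepts unicodePwd changes over a TLS session)."""
    findings: List[str] = []
    uri = options.get("uri", "")
    ssl_mode = options.get("ssl", "").lower()
    encrypted = uri.startswith("ldaps://") or ssl_mode in ("on", "start_tls")
    if "bindpw" in options and not encrypted:
        findings.append("bindpw is sent in the clear: use ldaps:// or 'ssl start_tls'")
    if options.get("pam_password", "").lower() == "ad" and not encrypted:
        findings.append("pam_password ad needs a TLS session for password changes")
    if encrypted and options.get("tls_checkpeer", "").lower() != "yes":
        findings.append("set 'tls_checkpeer yes' so the DC certificate is verified")
    return findings


if __name__ == "__main__":
    opts, amap, ocmap = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(build_passwd_entry(SAMPLE_AD_USER, amap, ocmap))
    for finding in audit_bind_security(opts):
        print("WARNING:", finding)
```

Running it with the mappings present prints the passwd line for the sample user; calling `build_passwd_entry` with empty maps reproduces the original problem, because an AD user carries objectClass `user`, not `posixAccount`, and has no `uid` attribute, so nothing matches until the mapping lines are in place. The audit also reminds you that /etc/ldap.conf with a `bindpw` is readable by every local user unless it is split out (nss_ldap reads `/etc/ldap.secret` for the root-only password) and should be chmod 600.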