[rhelv6-list] winbind for logon when lost networking

Red Hat Enterprise Linux 6 (Santiago) discussion mailing-list rhelv6-list at redhat.com
Thu Feb 7 18:06:03 UTC 2013


On Thu, Feb 7, 2013 at 12:51 PM, Red Hat Enterprise Linux 6 (Santiago)
discussion mailing-list <rhelv6-list at redhat.com> wrote:
> Hello,
> I'm currently using winbind to allow users to login via their AD
> credentials.  When it works, it works.
> However, if DNS or networking on the machine fails, simple things like
> listing files becomes impossible, and many applications fail.
> There must be a simple setting I missed to allow group/user enumeration
> while offline.  I see there are offline and cached options in smb.conf and
> pam_winbind.conf, any tips on how to best make use of those and if they'll
> resolve my issue?

There are numerous scenarios that can be used with AD and RHEL6,
including your case where your AD admins do not maintain the required
Identity Management for UNIX (aka IETF RFC2307), and you must use a
local (non-centralized) POSIX attribute mapping solution like Winbindd
on individual NSS/PAM-capable clients like Linux (or Solaris).  Red Hat
covers these in its detailed (and rather extensive) Integration
Reference Architecture document. [1]

Now SSSD in RHEL6 (and RHEL5.6+, 5.7+errata recommended) _should_ be
able to cache Winbindd mapped credentials as well, but it will vary
based on your AD implementation.  If you can send me your sssd.conf
off-line, I could possibly assist.

Do know that in RHEL6.4, SSSD 1.9 is included, which has the
capability to replace Winbindd for even local (non-centralized) POSIX
attribute mapping.  I.e., SSSD no longer requires centralized POSIX
attribute storage (e.g., IdM for UNIX in AD), and can do local
(non-centralized) POSIX attribute mapping like Winbindd.  That
naturally gives automagic caching thanks to SSSD.

Now, again and ideally back to my earlier hint, if your AD admins
could store your POSIX attributes in AD itself with the _built-in_ IdM
for UNIX (2003R2 and later, 2008+ recommended), that would solve this
altogether.  You wouldn't need Winbindd for this, SSSD could access
them directly, _regardless_ of SSSD version (including in RHEL5).  But
most AD admins don't understand NTuser v. POSIX attributes, so they
won't follow this concept.

In fact, you can have more Microsoft certs than them, let alone helped
write a Samba book, and they will still tell you that Samba is always
the solution, without knowing anything about it.

-- bjs

[1] http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory


--
Bryan J Smith - Professional, Technical Annoyance
b.j.smith at ieee.org - http://www.linkedin.com/in/bjsmith
------------------------------------------------------------
American Libertarianism died in the '70s with the invention of
sensationalist US mass media. Two great casualties have been
the NRA and Planned Parenthood; demonized by opposing media,
all while ignoring their history and the 97% they really do.
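The SSSD 1.9 setup the reply describes (local SID-to-POSIX mapping plus credential caching for offline logon), as an added configuration example that is not from the poster or from the Red Hat document; the domain, realm and server names are placeholders:

```ini
# /etc/sssd/sssd.conf  (constructed example; needs SSSD 1.9+, i.e. RHEL 6.4+)
# The file must be owned by root with mode 0600 or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[pam]
# Days that cached password hashes stay valid for offline logon (0 = never expire).
offline_credentials_expiration = 7

[domain/example.com]
# The "ad" provider replaces Winbindd for both identity lookups and authentication.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Optional; without it SSSD discovers domain controllers from DNS SRV records.
ad_server = dc1.example.com
# Derive UIDs/GIDs locally from the Windows SID, the Winbindd-style mapping the
# reply mentions, so no IdM for UNIX (RFC 2307) attributes are required in AD.
ldap_id_mapping = True
# Keep hashed credentials and resolved users/groups in the local cache so that
# logon and file listing keep working when DNS or the network to AD is down.
cache_credentials = True
# Seconds a cached user/group entry is considered fresh while the DC is reachable;
# while offline, cached entries are served regardless of this timeout.
entry_cache_timeout = 5400
# Full user/group enumeration is expensive against AD and is off by default.
enumerate = False
```

Enable it with `authconfig --enablesssd --enablesssdauth --update` (which also adds `sss` to passwd/group in nsswitch.conf); the Winbindd equivalents of the caching settings are `winbind offline logon = yes` in smb.conf and `cached_login = yes` in pam_winbind.conf.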