[clug] Linux user authentication - integrating with Windows environments

Andrew Bartlett abartlet at samba.org
Thu Jul 7 18:00:51 MDT 2011

On Thu, 2011-07-07 at 10:18 +1000, Dale Shaw wrote:
> Hi all,
> It's been an embarrassingly long time since I've dug into this sort of
> thing so I thought I'd tap into the collective wisdom of CLUG.
> Disclaimer: this message is the first thing I've done in finding a
> solution to this.
> Like many organisations, we have a mix of host and device types in the
> network. We manage little "enclaves" of hosts which typically run Red
> Hat Enterprise Linux or Windows, depending on application
> requirements.
> At the moment we manage user accounts on Linux hosts in a fairly
> manual basis; even between Linux hosts we're not using any centralised
> authentication or access control mechanism. Our Windows systems are
> part of an Active Directory domain, so there's a single centralised
> repository of user account information.
> I'd like to improve the way we manage user accounts and host access.
> I'd like to continue to use the Windows domain as the authoritative
> source for user information and access controls.
> Wants:
> - Logon access to Linux hosts to be authenticated against AD (don't
> care if it's LDAP or "native"); ticks the "single password, single
> password policy" box
> - Logon access to Linux hosts to be authorised based on AD group
> membership (e.g. "user dale is member of group LinuxHost1, access is
> granted")
> - Unique per-user UIDs maintained across Linux hosts
> - Strong preference for not having to pre-create user accounts on Linux hosts
> - Needs to work on RHEL4
> - Needs to work with 'sudo'
> Possible? PAM or other?
> Has anyone done this? Dragons?

Aside from the per-host stuff, this is all pretty standard for Samba and
winbind, with the right configuration.  

http://www.enterprise-samba.org/index.php?id=64 has RHEL4 RPMs.

Andrew Bartlett

Andrew Bartlett <abartlet at samba.org>
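For reference, a minimal winbind configuration that covers each item on the wants list (AD authentication, group-based authorisation, host-independent UIDs, no pre-created accounts, sudo). This is an added example, not part of the original thread; EXAMPLE / EXAMPLE.LOCAL, the UID range and the group name LinuxHost1 are placeholders, and the idmap syntax assumes Samba 3.x or later.

```ini
# /etc/samba/smb.conf (placeholder realm/workgroup; join with "net ads join")
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   ; rid mapping is arithmetic (base + RID), so every host that uses the
   ; same range derives the same UID/GID for a given user -> consistent UIDs
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-99999
   ; drop the DOMAIN\ prefix so sudoers and ls show plain names
   winbind use default domain = yes
   winbind nested groups = yes
   ; accounts come from AD via nsswitch, nothing is pre-created locally
   template shell = /bin/bash
   template homedir = /home/%U

# /etc/security/pam_winbind.conf
[global]
   krb5_auth = yes
   krb5_ccache_type = FILE
   ; authorisation: only members of this AD group may log on to this host
   require_membership_of = EXAMPLE\LinuxHost1
   ; create the home directory on first logon
   mkhomedir = yes

# /etc/nsswitch.conf (relevant lines)
# passwd:  files winbind
# group:   files winbind

# /etc/sudoers (visudo); resolves through winbind because the group is in nsswitch
# %LinuxHost1 ALL=(ALL) ALL
```

The group check in pam_winbind only gates the PAM login path, so services that bypass PAM still need their own restriction; verify the mapping with `wbinfo -u`, `getent passwd <user>` and `id <user>` on two hosts and confirm the UIDs match.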
