[clug] Linux user authentication - integrating with Windows environments

Troy Heland troyjh at gmail.com
Tue Jul 12 05:31:29 MDT 2011

On 08/07/11 10:00, Andrew Bartlett wrote:
> On Thu, 2011-07-07 at 10:18 +1000, Dale Shaw wrote:
>> Hi all,
>> It's been an embarrassingly long time since I've dug into this sort of
>> thing so I thought I'd tap into the collective wisdom of CLUG.
>> Disclaimer: this message is the first thing I've done in finding a
>> solution to this.
>> Like many organisations, we have a mix of host and device types in the
>> network. We manage little "enclaves" of hosts which typically run Red
>> Hat Enterprise Linux or Windows, depending on application
>> requirements.
>> At the moment we manage user accounts on Linux hosts in a fairly
>> manual basis; even between Linux hosts we're not using any centralised
>> authentication or access control mechanism. Our Windows systems are
>> part of an Active Directory domain, so there's a single centralised
>> repository of user account information.
>> I'd like to improve the way we manage user accounts and host access.
>> I'd like to continue to use the Windows domain as the authoritative
>> source for user information and access controls.
>> Wants:
>> - Logon access to Linux hosts to be authenticated against AD (don't
>> care if it's LDAP or "native"); ticks the "single password, single
>> password policy" box
>> - Logon access to Linux hosts to be authorised based on AD group
>> membership (e.g. "user dale is member of group LinuxHost1, access is
>> granted")
>> - Unique per-user UIDs maintained across Linux hosts
>> - Strong preference for not having to pre-create user accounts on Linux hosts
>> - Needs to work on RHEL4
>> - Needs to work with 'sudo'
>> Possible? PAM or other?
>> Has anyone done this? Dragons?
> Aside from the per-host stuff, this is all pretty standard for Samba and
> winbind, with the right configuration.
> http://www.enterprise-samba.org/index.php?id=64 has RHEL4 RPMs.
> Andrew Bartlett
Yep Samba is the way to go.

Probably no need to change your AD environment which makes things much 

More information about the linux mailing list