[clug] Linux user authentication - integrating with Windows environments

Troy Heland troyjh at gmail.com
Tue Jul 12 05:31:29 MDT 2011


On 08/07/11 10:00, Andrew Bartlett wrote:
> On Thu, 2011-07-07 at 10:18 +1000, Dale Shaw wrote:
>> Hi all,
>>
>> It's been an embarrassingly long time since I've dug into this sort of
>> thing so I thought I'd tap into the collective wisdom of CLUG.
>> Disclaimer: this message is the first thing I've done in finding a
>> solution to this.
>>
>> Like many organisations, we have a mix of host and device types in the
>> network. We manage little "enclaves" of hosts which typically run Red
>> Hat Enterprise Linux or Windows, depending on application
>> requirements.
>>
>> At the moment we manage user accounts on Linux hosts on a fairly
>> manual basis; even between Linux hosts we're not using any centralised
>> authentication or access control mechanism. Our Windows systems are
>> part of an Active Directory domain, so there's a single centralised
>> repository of user account information.
>>
>> I'd like to improve the way we manage user accounts and host access.
>> I'd like to continue to use the Windows domain as the authoritative
>> source for user information and access controls.
>>
>> Wants:
>>
>> - Logon access to Linux hosts to be authenticated against AD (don't
>> care if it's LDAP or "native"); ticks the "single password, single
>> password policy" box
>> - Logon access to Linux hosts to be authorised based on AD group
>> membership (e.g. "user dale is member of group LinuxHost1, access is
>> granted")
>> - Unique per-user UIDs maintained across Linux hosts
>> - Strong preference for not having to pre-create user accounts on Linux hosts
>> - Needs to work on RHEL4
>> - Needs to work with 'sudo'
>>
>> Possible? PAM or other?
>>
>> Has anyone done this? Dragons?
> Aside from the per-host stuff, this is all pretty standard for Samba and
> winbind, with the right configuration.
>
> http://www.enterprise-samba.org/index.php?id=64 has RHEL4 RPMs.
>
> Andrew Bartlett
>
Yep, Samba is the way to go.

Probably no need to change your AD environment, which makes things much
easier.
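What "the right configuration" for Samba and winbind looks like against Dale's list of wants, as an added example that is not from either poster. The domain short name EXAMPLE, the realm EXAMPLE.COM, the AD group LinuxHost1 and the UID ranges are assumptions; the option names are Samba 3.x winbind options (the `idmap config` syntax shown is the one used from Samba 3.3 onwards, which is what a 2011-era build of the RHEL4 RPMs would carry). Each file is a fragment, not a complete copy of the host's file.

```ini
# ---- /etc/samba/smb.conf (global section only) ----
[global]
   workgroup = EXAMPLE                 # assumption: NetBIOS name of the AD domain
   realm = EXAMPLE.COM                 # assumption: Kerberos realm of the AD domain
   security = ads                      # authenticate as a domain member via Kerberos/AD
   # Want: unique per-user UIDs across hosts. The rid backend derives
   # UID = range base + RID, so every host with the SAME range yields the
   # same UID for the same user without any per-host pre-creation.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999          # built-in/BUILTIN SIDs only; must not overlap below
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999 # keep identical on every Linux host
   winbind use default domain = yes    # "dale" instead of "EXAMPLE\dale" on the Linux side
   template shell = /bin/bash
   template homedir = /home/%U

# ---- /etc/nsswitch.conf ----
passwd:     files winbind
group:      files winbind

# ---- /etc/pam.d/system-auth (RHEL; the lines to add/merge) ----
# Want: authenticate against AD and authorise on AD group membership.
# require_membership_of appears on the account line as well as the auth
# line, because a key-based ssh login never runs the auth stack; only the
# account stack can refuse a domain user who is not in LinuxHost1.
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE require_membership_of=EXAMPLE\LinuxHost1
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so require_membership_of=EXAMPLE\LinuxHost1
account     required      pam_permit.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

# ---- /etc/sudoers (via visudo) ----
# Want: sudo driven by the AD group. With "winbind use default domain = yes"
# the group is visible to sudo by its bare name, as reported by "getent group".
%LinuxHost1 ALL=(ALL) ALL
```

After `net ads join -U <admin account>`, the checks worth running before trusting the setup are `wbinfo -t` (the machine trust works), `getent passwd dale` and `id dale` (NSS resolves the user and the UID is the one the rid formula predicts), a login as a user who is not in LinuxHost1 (must fail at the account stage, password or key) and `sudo -l` as a member. Two caveats that bite in practice: the `*` range and the domain range must never overlap or UID assignment stops being deterministic, and changing the domain range after files exist on disk changes every mapped UID, so pick it once and record it with the enclave's build documentation.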

