-Alberto

This is alberto again. We got logins working with your steps, but now are seeing slow ssh login times.
We think the cause is because we have so many OU’s in active directory.

for example, if we hardcode the base, nss_base_passwd, nss_base_shadow, and nss_base_group /etc/ldap.conf directives to the absolute path (all the way in) to the specific user’s OU, ssh logins work timely.
However, if we use the default dc=example,dc=com (replacing example w/ our domain of course), we find that the lgoins take a full minute to work.

This work around is fine for us, but we also need users from an entirely different OU (in india) to work.
So, the question is there a way to specifiy two different directives of the same type in /etc/ldap.conf ?

for example, can we somehow specify both of the following? (tried commas delimiting them already):

base ou=Test Users,ou=Test Users,ou=USA,dc=company,dc=com
and
base ou=Test Users,ou=Test Users,ou=INDIA,dc=company,dc=com

Thanks much,
-Alberto

It’s been so long since I looked at this that I don’t even remember most of it. I *think* that you can specify specific domain controllers for both Kerberos and LDAP (specify a FQDN instead of just the AD domain name), but I honestly cannot recall the specific parameters in each file that you would need to modify. Sorry!

Thanks very much for these steps, they worked great.
The only problem is, our shop has 14 domain controllers, and they will only let us put NIS on one of them.
Also, port 389 is blocked to all other domain controllers except that one for us.
The packet trace reveals that the traffic is trying to reach out to the other domain controllers that don’t have port 389 open to us, so the ssh session is just sitting there stuck.

if i try w/ the exact same settings on a network that can see all domain controllers on port 389, it works fine.
So, here’s my question:

Even though i hardcoded it to go to the single domain controller in /etc/ldap.conf that has NIS enabled and 389 is open, it still tries to reach out.
The domain admins said that the subnet listed in AD sites and services is already directing the traffic from our network to that single domain controller as well.
So, is there a switch or config i can use to tell the linux side not to reach out to these blocked domain controllers, and just go to the one we want?

Or, is the host value in /etc/ldap.conf the only directive for this?

thanks,
Alberto

Excellent blog!

Two questions –

1. if I follow these instructions will I be able to apply UNIX security on the Linux Server to AD Users and groups using chmod/chgrp etc. or will I need to use the UIDs/GIDs that were defined in the AD Schema?

2. Similarly, if I issue a ps to find a process which is being run by a user who logged on using their AD account, will I see the UID or the AD account name?

Chris

thanks

thanks

http://satish-linuxbug.blogspot.com/2009/08/linux-authentication-with-active.html

Thanks
satish