Comments on: Linux, Active Directory, and Windows Server 2003 R2 Revisited

By: Christopher

Christopher — Thu, 30 Oct 2008 23:01:27 +0000

Ken,
%Linux ALL=(ALL) ALL

I think you should make %Linux be %linux

-C

By: Rupe

Rupe — Mon, 13 Oct 2008 16:07:40 +0000

Hi, Most of the above looks way over my head, but this looks like the place where knowledge resides.
We have Windows 2003 SP1with Active directory in charge of our domain.
We have one Linux RedHat (Release 4) server that is a Unix file server.
The unix files are shared out to the Windows environment via samba and in such a way that the file persmissions that samba sets controls who may and may not modify certain files.
Recently, ie in the last four weeks, for any new user added to the domain, samba no longer picks up the base info from Active Directory, so will not allow only those newer users access to files that should it should. By manually setting up the user in linux, we can overcome this, until the server is rebooted, in which case the newer users fall off the system again. samba version is 3.0.13.
Help diagnosing this would be fantastic

By: Manny Vellon

Manny Vellon — Sun, 07 Sep 2008 06:54:17 +0000

Scott,

Taking a pure LDAP approach is simpler than what we do. When you perform Kerberos authentication, you have to be prepared to deal with updating machine passwords (a machine has to be “joined” to AD in order to participate in AD authentication; this gives it a machine account), you also have to deal with refreshing user tickets (they’re only good for 10 hours or so) and this adds complexity. Additionally, if you perform LDAP authentication with AD, you can also do it with other LDAP servers, too.

The advantages of Kerberos are “single sign-on” (once you have a Kerb ticket, you can get other tickets without having to re-specify your credentials) and Kerberos-based encryption (doesn’t require any certificates).

Doing hard-core, enterprise-class, authentication against AD (or against any LDAP server) is not easy. What happens if the AD domain-controller goes down? You need to find another one, ideally, using “site awareness” in order to get the nearest one. What if you’re on a laptop w/o any connectivity? You need to implement cached credentials. How do you get reasonable performance when the user does something like “ls -l”? You need to cache results.

It’s great that you’re tackling the subject. It’s messy and very few people have the technical wherewithal to tackle PAM, nsswitch, LDAP _and_ AD. I’m sure that, by now, you’ve learned a lot about how UNIX does authentication and authorization.

Cheers

By: Solaris 10-AD Integration, Version 3 - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers

Fri, 05 Sep 2008 17:16:51 +0000

[...] up the login process and reduce the overall load on your DCs. (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.) It may be possible to change the attribute that Solaris is looking for, but I haven’t found [...]

By: ESX Server and the Native VLAN - blog.scottlowe.org - The weblog of an IT pro specializing in virtualization, storage, and servers

Fri, 05 Sep 2008 15:04:24 +0000

[...] that distinction falls to one of the Linux-AD integration articles, although I not sure which one right at the [...]

By: slowe

slowe — Wed, 02 Jul 2008 18:15:45 +0000

Manny,

Thank you for being open about your affiliation.

The configuration described here does allow LDAP authentication to take place in the clear; this is a problem for some readers. Using SSL or Kerberos authentication is in the works, but I haven’t yet published all the details.

Perhaps you’d be interested in discussing with me the pros and cons of using Likewise vs. this approach for a blog post? Readers may find the comparison useful.

Scott

By: Manny Vellon

Manny Vellon — Wed, 02 Jul 2008 17:20:15 +0000

I don’t mean to discourage anyone from trying Scott’s approach, but if you want an alternative, also free, mechanism for doing this, you might want to check out Likewise Open (http://www.likewisesoftware.com/community; disclaimer - I work for Likewise). Scott’s approach is more flexible (since it works off data stored in AD) but requires some work. Likewise Open doesn’t need any data in AD (it hashes SIDS to generate uidNumber and gidNumber) and, thus, is less flexible, but it’s also very easy to get running. We have a commercial version that is more flexible but, alas, not free.

Finally, I’m not 100% sure whether Scott’s configuration of OpenLDAP results in secure or clear-text LDAP requests (including visible credentials for the account used to read AD). It doesn’t appear that it’s doing Kerb-signed/sealed LDAP calls (as we do), but I’m no expert. This might be an issue for some folk.

By: StephanieAndChris

StephanieAndChris — Wed, 11 Jun 2008 19:09:54 +0000

Scott,

We have here a AD 2003 R2 multi-domain forest.

We installed Identity Management for UNIX on one of our DC.

We can now see the UNIX attributes tab, but, the NIS domain field show only “none”. Our actual domain doesn’t appear.

We’re looking for any hints, clues to resolve this issue.

Best regards

By: Ken

Ken — Tue, 20 May 2008 18:40:50 +0000

Hey Scott,

I posted awhile back on here but could not get this to work. My company really wants this so I decided to try again with Red Hat 5.1 and I got success today. SSH and sudo are working great. Thanks for you walk through.

By: Matthew Trotter

Matthew Trotter — Fri, 22 Feb 2008 04:57:17 +0000

Hey Scott,

Great article. I am just wondering if anyone who has deployed this has run into the 850 user limit? Currently we cannot add more than 850 users to the MEMBERS section of the UNIX ATTRIBUTES of a Group. It appears to be a limit of the Multi-Valued attribute in the Schema. This is a hard limit with no way to change it. The AD MEMBER section does not have this problem. I plan on migrating 5000 accounts to a new AD and don’t like the fact that I can’t put more than 850 Unix accounts into a group.

Anyone else know about this?