Log in once to multiple Linux machines
Is there anyone who can help give me an idea of how to solve this challenge?
I have multiple Linux machines (RHEL6), all of them joined to a Windows domain (Active Directory authenticated).
I want to enable any user to log in to any machine (SSH), and then this user account needs to be automatically propagated to all the other machines.
Thanks in advance...
Probably, what you need to do is to arrange for all of the "multiple linux machines" to employ Active Directory (nee LDAP ...) as their authentication agent. If you need for the login to occur by means of SSH (frantic hand-waving here ...), then you nevertheless need for the login-attempt to be authenticated by LDAP ... such that every other machine that the user might subsequently wish to access, would query the same LDAP-server and be given the necessary "nod."
Basically ... you need for "that initial authentication-attempt," however it may have been attempted, to be made against an LDAP authority in such a way that every subsequent access would receive a silent "nod."
Thanks for your reply.
All the machines are joined to the domain and they are all using Windows AD authentication.
They work fine and all users are able to log in to any machine using their domain credentials.
For example, we have 15 machines in a cluster; when a user logs in for the first time to any computer, the new user account and his profile are created automatically on all the other 14 machines as well. Is it possible?
Windows' "Active Directory" technology is LDAP. :) So, yes, "it is possible."
The Linux subsystem that you need to look into is called PAM = Pluggable Authentication Modules. In any modern Linux system, all of the key "authentication" tasks are vectored through this one highly-configurable subsystem.
As the name implies, the system works by means of a series of "pluggable modules" that will be invoked by the kernel in a specified sequence. The "default" configuration is one that mimics what every stand-alone Unix-compatible system does "by default." But Linux isn't actually limited to that, thanks to PAM. One of the modules that's available is one that consults LDAP. Therefore, Linux can be configured to query an authoritative LDAP (nee AD ...) server and thus "play nicely with others."
... for example.
Certainly, if what you need is "single sign-on," this is very achievable, and this is the way to do it. ("Kerberos" is another way to do it, and of course there are PAM modules for that, too.)
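The post above describes PAM as a stack of modules walked in a fixed order. The script below is an added example, not code from the thread, that makes that order visible: it parses a constructed RHEL6-style `/etc/pam.d/system-auth` (the module names `pam_env.so`, `pam_unix.so`, `pam_ldap.so`, `pam_mkhomedir.so` are real modules; the control flags and options shown are illustrative, not copied from any host in the thread), lists each management group's modules in evaluation order, and reports whether the `auth` stack consults the directory and whether the `session` stack creates the home directory on first login. Inspecting the `session` stack is relevant to the "profile is created" question, since on a directory-joined host the account itself comes from AD and the per-machine artifact a first login produces is the home directory; that reading of "profile" is an assumption. The helper names `pam_stack`, `pam_has_module` and `pam_report` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): walk a PAM configuration file the way
# PAM does, top to bottom within each management group, so the module order
# described in the post above can be checked on a real host.

# Constructed sample config. Module names are real; control flags and options
# are illustrative only.
SAMPLE_PAM=$(mktemp)
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF

# pam_stack FILE GROUP
# Print the module names of one management group (auth, account, password,
# session) in the order PAM evaluates them. Comments and blank lines are
# skipped. The control field may be a bracketed list containing spaces, so
# the module is located as the first field ending in ".so" rather than by
# fixed position.
pam_stack() {
    awk -v grp="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == grp {
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
        }' "$1"
}

# pam_has_module FILE GROUP MODULE
# Succeed (exit 0) if MODULE appears anywhere in that group's stack.
pam_has_module() {
    pam_stack "$1" "$2" | grep -qx "$3"
}

# pam_report FILE
# Two checks a practitioner wants on a directory-joined host: is LDAP
# consulted during authentication, and is the home directory created at the
# first successful login (pam_mkhomedir in the session stack)?
pam_report() {
    f="$1"
    if pam_has_module "$f" auth pam_ldap.so; then
        echo "auth:    pam_ldap.so present (directory is consulted)"
    else
        echo "auth:    pam_ldap.so missing (only local accounts can authenticate)"
    fi
    if pam_has_module "$f" session pam_mkhomedir.so; then
        echo "session: pam_mkhomedir.so present (home dir created on first login)"
    else
        echo "session: pam_mkhomedir.so missing (first login on this host will have no home dir)"
    fi
}

echo "auth stack, in evaluation order:"
pam_stack "$SAMPLE_PAM" auth
pam_report "$SAMPLE_PAM"
```

Pointing `pam_stack` at a real `/etc/pam.d/system-auth` shows the same ordered view; a module that should gate a login but sits below a `sufficient` entry that already succeeded will never run, which is exactly the "specified sequence" the post refers to. Because PAM runs on each host independently, this check tells you only whether one machine will create the directory when a user first logs in there, not whether other machines will.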
I think I have implemented PAM.
So currently all the users are able to log in to any computer using their Windows AD accounts, and they get an identical UID/GID across all the computers.
The one thing I still have not understood is how this can work, for example:
- I have 10 computers (in 1 cluster system)
- Let's say I am a new user (say user123) who has never logged on to any computer (so I have never had a user profile on any computer).
- I (user123) want to log in on computer1 (for the first time), and then a "system" will automatically log me in (or create my user123 profile) on all computers from computer1 to computer10.
The problem I have right now is that this cluster has 10 computers at the moment, and it will grow.
We have a cluster application that requires that a user exist on all the cluster members before it can run the cluster commands.
Currently the temporary solution is to ask users to log in to each cluster member manually (10 logins to 10 computers); if the cluster grows (for example to 100 computers), surely it's not a good idea to ask a user to log in to 100 computers just to trigger the profile creation...
Please give some enlightenment....
Thanks in advance...