First, I would like to give you a brief of my current setup and my requirement.
I have CentOS 6.5 installed on 80% of the machines and Windows 7 on the remaining 20%. I have OpenLDAP v2.4 for user authentication.
In the Linux environment, all Linux machines are configured in such a way that whenever a user logs on to a system with OpenLDAP credentials he gets a default desktop; rather, a mandatory profile is implemented in this setup. Now my goal is to enable OpenLDAP users to log on to Windows machines and get the same mandatory profile setup done there. So far a Samba PDC has helped me to authenticate LDAP accounts on Windows client machines, but the mandatory profile thing isn't working well at all due to a POSIX ACL issue. Now I am working with a Windows Server 2012 R2 server so as to integrate it with OpenLDAP for getting this mandatory profile thing done. Is there any way I can sync all OpenLDAP accounts to Active Directory, or rather make my Windows server a member server of the OpenLDAP domain?
Windows AD uses a Kerberos foundation for logins, with LDAP for the profiles... but both the Kerberos and LDAP used are "slightly different" from the standard Kerberos/LDAP protocols.
You can make Linux use AD for authentication/authorization, but I don't believe the reverse works. That is what Samba implements when it is configured to be an AD server.
Thanks for the reply. I have got a third-party plugin, LSC (LDAP Synchronization Connector); they say this plugin helps one to sync an LDAP database to MS Active Directory. I am still unsure to what extent this plugin helps me to integrate OpenLDAP with Active Directory.
Are you sure that this reverse sync won't work?
I've never heard of anyone doing that. Not that it can't be done - it might, but most things don't, as MS has a persistent NIH problem with most standardized protocols.
My primary requirement is to enable Windows clients to load a mandatory profile. As I discussed before, my setup consists of 80% Linux clients and OpenLDAP for user authentication, also with a mandatory profile configured so that every time a user logs in with his credentials he gets the default profile on his Linux box.
Similarly, my objective is to enable OpenLDAP users to log in to Windows clients, which was successfully achieved by setting up a Samba PDC (Samba 3.6), BUT unfortunately I am not able to set up a mandatory profile for Windows. So far I went through a couple of blogs & video tutorials online, built a default profile, copied that profile into my [Profiles] share on the Samba PDC, configured a logon.bat file to mount the share at startup and configured the Windows client GPO to load the profile from the network share, which is not happening as expected. As of now, in this setup the user always logs in with a TEMP profile rather than loading the default profile from the "Profiles" share. Further, I went through certain blogs, according to which Linux POSIX ACLs are the root cause behind this issue. This is why I thought of going with an OpenLDAP and Windows AD sync.
I require immediate help on this; thanks in advance.
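A server-side check for the TEMP-profile symptom described in the post above, added here as an example and not part of the original thread or of Samba: it inspects one profile directory on the Samba [Profiles] share from the Linux side and reports the usual reasons a Windows 7 client refuses to load it. The share root, the profile name and the directory layout are assumptions.

```sh
#!/bin/sh
# Added check (not from the thread): inspect a Windows 7 mandatory-profile
# directory served from a Samba [Profiles] share. Share root and profile
# name are assumed, e.g.  check_profile /srv/samba/profiles Default
# Returns 0 when the tree looks loadable, 1 otherwise, printing each finding.

check_profile() {
    root="$1"
    name="$2"
    rc=0

    # Windows Vista/7 clients append ".V2" to the configured profile path; a
    # directory without that suffix is never opened and the client falls back
    # to a TEMP profile.
    dir="$root/$name.V2"
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir not found (Windows 7 looks for <path>.V2, not $root/$name)"
        return 1
    fi

    # A mandatory profile needs the registry hive renamed to NTUSER.MAN; Samba
    # serves names case-insensitively, so match any case.
    man=$(find "$dir" -maxdepth 1 -iname NTUSER.MAN | head -n 1)
    if [ -z "$man" ]; then
        echo "FAIL: no NTUSER.MAN in $dir (rename NTUSER.DAT to NTUSER.MAN)"
        rc=1
    fi

    # Every user loading the shared profile must be able to traverse and read
    # the tree: r-x for "other" on directories, r for "other" on files. This is
    # the POSIX permission/ACL side of the problem the thread points at.
    bad=$(find "$dir" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) | head -n 5)
    if [ -n "$bad" ]; then
        echo "FAIL: entries not readable by other users (first few):"
        echo "$bad"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir looks loadable as a mandatory profile"
    fi
    return "$rc"
}
```

Run it as root on the Samba server against each profile the GPO points at; an "OK" here rules out the path-suffix, hive-name and POSIX-permission causes, leaving ownership and ACL checks on the Windows side.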
Unfortunately, MS doesn't want this to work. MS AD contains a modified Kerberos with features not supported by standard Kerberos. Standard Kerberos clients can work with AD (as the protocol was slightly modified to "accommodate" the non-standard extensions), but not the inverse. I believe the AD version of LDAP is also slightly modified, but I don't know in which way. In addition, AD requires very specific additions to the DNS configuration (every AD server is also a name server).
MOST of this has been rolled into Samba 4 (it provides the ACL translation), but I have read that the Kerberos extensions are not yet available/supported.
The Kerberos extensions were to turn an authentication protocol into an authentication+authorization protocol - so MS took an "unused" field and expanded it to carry authorization information, and thus made it incompatible with standard Kerberos (which didn't use the field). Since the field did have a length specification (also unused), none of the clients would work. The modification was mostly to the clients: ignore the field, and use the length value to know how much to ignore. Previously neither was used, and being a fixed size it was trivial to ignore (but broke as soon as the size was non-zero).
This should be detailed better in the Samba 4 documentation.
I think this integration thing should work.
I am facing the same trouble; in my case I want my OpenLDAP server to chase AD referrals, which will take me a step closer to this integration thing.