LinuxQuestions.org
Linux - Server: Best way to authenticate a group of servers against Windows Active Directory (http://www.linuxquestions.org/questions/linux-server-73/best-way-to-authenticate-a-group-of-servers-against-windows-active-directory-865180/)

montyny 02-26-2011 01:01 PM

Best way to authenticate a group of servers against Windows Active Directory
 
Hello,
We have a small group of linux servers, currently with local logins. I want to eliminate the local logins and authenticate against the corporate AD.

I've been looking at PAM - but winbind requires each machine to be added to the AD. This becomes a pain if we create new virtual or physical servers.

Is it possible to have one server authenticate directly with AD, and the other servers authenticate against this server, which defers to the one server that is registered in AD?

Thanks.

EricTRA 02-26-2011 01:11 PM

Hello,

I've never done it but I assume that if you set up a dedicated OpenLDAP server to authenticate your Linux users and you integrate that with your Active Directory you should be pretty close to what you want. All Linux users on your servers would migrate from using passwd, shadow and groups to the LDAP, thus providing centralized authentication. If you then integrate the OpenLDAP into the Active Directory you should be set. Mind you, never done it, this is pure theory. I'm sure someone with more experience in the field will kick in pretty soon but that's a way I'd investigate. Google turns up links like these, old but covering pretty much the base of what you need.
http://www.linux.com/archive/feed/40983
http://www.howtoforge.com/linux_ldap_authentication

Kind regards,

Eric

Juako 03-01-2011 08:43 PM

look at pam.krb5, you can use kerberos directly to authenticate to the windows domain, no need for joining. That said, it does have a lot of advantages to have your servers fully joined, especially if you offer services to windows clients.
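As an added illustration of the pam_krb5 route Juako describes (example configuration, not files posted by anyone in this thread), below are a minimal /etc/krb5.conf pointing at the AD realm and the PAM auth lines that try Kerberos before the local password database. EXAMPLE.COM, dc1/dc2.example.com and the uid threshold are placeholders. Two things the thread leaves implicit: pam_krb5 only does authentication, so each user must still be resolvable through NSS (a local passwd entry or LDAP), and without a host keytab pam_krb5 cannot verify that the answering KDC is genuine, which is the property a domain join (or at least a keytab for the host) gives back.

```ini
# /etc/krb5.conf (example; EXAMPLE.COM and dc1/dc2 are placeholders)
# MIT krb5 only accepts comments on their own line, not after a value.
[libdefaults]
    default_realm = EXAMPLE.COM
    # locate KDCs from _kerberos._tcp SRV records that AD publishes
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # explicit domain controllers as a fallback to the SRV lookup
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/pam.d/common-auth excerpt (Debian-style stack; Red Hat uses system-auth)
# pam_krb5 is tried first; root and system accounts below the uid threshold
# are skipped so a broken KDC cannot lock you out of the console.
# Once the host has a keytab, add keytab=/etc/krb5.keytab to the pam_krb5
# line so it can validate the KDC's reply instead of trusting it blindly.
auth  sufficient  pam_krb5.so  minimum_uid=1000 try_first_pass
auth  required    pam_unix.so  use_first_pass
```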

montyny 03-12-2011 09:05 AM

Looking very promising
 
Quote:

Originally Posted by Juako (Post 4275802)
look at pam.krb5, you can use kerberos directly to authenticate to the windows domain, no need for joining. That said, it does have a lot of advantages to have your servers fully joined, especially if you offer services to windows clients.

Thanks - I got sidetracked with some other pressing things that came up.

That said, I was able to authenticate with kerberos and check with klist. Had some issues with pam configuration, but hopefully I should be able to work those out.

I had some previous experience with kerberos, but that needed the machine joined to the domain. Probably because it was delegating the authorization for a database. I didn't join the machine here and kerberos worked great - thanks for pointing me in the right direction!
