RHEL 4/5 Active Directory authentication question - can I use AD groups?
I have many RHEL 4 and 5 systems, and currently we are using local user accounts for logon. What I would like to do, at least for the systems administrators of these boxes, is to effectively have a group in AD that contains these systems administrators. If it's possible, I would then like to configure our machines to associate those AD groups with local groups on the RHEL systems, say the wheel group, for instance. So, users of the AD SysAdmin group would be in the wheel group of the RHEL servers.
The idea is to make it easier to manage access to the systems when we bring in contractors, or when hiring or removing users.
At this point, I'm trying to see if something like this is feasible, and if so, I'm curious if someone can point me to the technologies that would allow that. Does RHEL support that out of the box?
Certainly you can. You have two options: using LDAP directly against a DC, or the more complex step of adding the Linux box to the domain with Samba and winbind. I prefer the LDAP version myself. To do it properly you need to use the MS SFU AD schema extensions, available from microsoft.com somewhere. This will give you extra attributes on AD user accounts, like automatic UID and GID values, among other things. Then you just need to configure your /etc/ldap.conf to map the AD attributes received over LDAP to a standard POSIX user list, as retrieved with the "getent passwd" command, and the equivalent for groups too. Also you need to integrate the use of LDAP into your authentication stack. The best way to accomplish all of this is to initially use the authconfig / system-config-authentication tool to include LDAP for both info and auth (this modifies nsswitch.conf, pam.d configs, etc., as well as ldap.conf), and then, once you've entered the basics in there, edit ldap.conf directly to fine-tune things.
As above, things are much easier if you do them bit by bit, and your first target is a successful ldapsearch against the DC machine. With no security considerations or design, the command "ldapsearch -x -h host-of-your-dc" may well be enough. Then sort out MS SFU (although TBH there are ways of fudging this data in ldap.conf, but you won't get consistency across multiple systems this way, so I wouldn't recommend it) and get to see GIDs and UIDs in that ldapsearch output. After that do the authconfig stuff, and "getent passwd" will show that data after having been processed by ldap.conf and the general system stack. If you get data out there, then you're just about done.
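An added worked example (not code from either answer above): a dry run of the attribute mapping that nss_ldap performs from /etc/ldap.conf, applied to ldapsearch output, so you can see what "getent passwd" will return, and which accounts will silently vanish because their SFU attributes were never set, before touching the auth stack. The SFU 3.x attribute names (msSFU30UidNumber etc.) are the ones nss_ldap's own ldap.conf documents for that schema; the DC hostname, base DN and the two sample accounts are constructed for the example.

```bash
#!/bin/sh
# Added example, not part of the original thread. Constructed data throughout.

# The nss_map_attribute lines you would put in /etc/ldap.conf for the SFU 3.x
# schema, as "<posix attribute> <AD attribute>", one mapping per line.
# (Windows 2003 R2 / RFC2307bis populates uidNumber/gidNumber/unixHomeDirectory
# instead; change the right-hand column accordingly.)
NSS_MAP='
uid            sAMAccountName
uidNumber      msSFU30UidNumber
gidNumber      msSFU30GidNumber
gecos          displayName
homeDirectory  msSFU30HomeDirectory
loginShell     msSFU30LoginShell
'

# Constructed sample of what
#   ldapsearch -x -LLL -h dc01.example.com -b 'DC=example,DC=com' '(objectClass=user)'
# returns for two accounts once the SFU extensions are installed. "svc-backup"
# has never had its UNIX attributes set, the usual failure mode on a fresh schema.
SAMPLE_LDIF='dn: CN=John Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
displayName: John Doe
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /home/jdoe
msSFU30LoginShell: /bin/bash

dn: CN=svc-backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
displayName: Backup Service
'

# ldif_to_passwd: read LDIF on stdin, apply NSS_MAP, print passwd(5) lines.
# Entries missing uidNumber or gidNumber are reported on stderr and skipped,
# which is what nss_ldap does silently: they never show up in getent passwd.
ldif_to_passwd() {
    awk -v map="$NSS_MAP" '
    BEGIN {
        n = split(map, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], f, " +") == 2) ad[f[2]] = f[1]   # AD attr -> posix attr
    }
    function flush(   missing, k) {
        if (!("dn" in e)) return
        missing = ""
        if (!("uidNumber" in e)) missing = missing " uidNumber"
        if (!("gidNumber" in e)) missing = missing " gidNumber"
        if (missing != "")
            printf "skip %s: no%s (SFU attributes not set)\n", e["uid"], missing > "/dev/stderr"
        else
            printf "%s:x:%s:%s:%s:%s:%s\n", e["uid"], e["uidNumber"], e["gidNumber"],
                   e["gecos"], e["homeDirectory"], e["loginShell"]
        for (k in e) delete e[k]
    }
    /^$/    { flush(); next }                       # blank line ends an entry
    /^dn: / { flush(); e["dn"] = substr($0, 5); next }
    {
        idx = index($0, ": ")
        if (idx == 0) next
        attr = substr($0, 1, idx - 1); val = substr($0, idx + 2)
        if (attr in ad) e[ad[attr]] = val           # keep only mapped attributes
    }
    END { flush() }'
}

# dry_run: feed the constructed sample through the mapping; stderr carries the
# skipped accounts, stdout is what getent passwd would list.
dry_run() {
    printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd
}

# Against a real DC, replace the sample with live output:
#   ldapsearch -x -LLL -h dc01.example.com -b 'DC=example,DC=com' '(objectClass=user)' | ldif_to_passwd
dry_run
```

The same idea applies to the group map (nss_map_objectclass posixGroup Group, gidNumber to msSFU30GidNumber, and the member attribute of your schema version), which is the piece that decides whether an AD SysAdmin group can stand in for wheel: if the group never gets a gidNumber, getent group will not list it either. Two caveats the dry run cannot see: an anonymous "ldapsearch -x" against a DC usually returns nothing for user objects until you bind with a service account (binddn/bindpw in ldap.conf), and a cleartext bind on port 389 sends that password over the wire, so put the DC behind "ssl start_tls" or ldaps before rolling out.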