Old 10-09-2009, 07:31 PM   #1
RHEL 4/5 Active Directory authentication question - can I use AD groups?

I have many RHEL 4 and 5 systems, and currently, we are using local user accounts for logon. What I would like to do, at least for the systems administrators of these boxes, is to effectively have a group in AD that contains these systems administrators. If it's possible, I would then like to configure our machines to associate those AD groups with local groups in the RHEL systems, say the wheel group, for instance. So, users of the AD SysAdmin group would be in the wheel group of the RHEL servers.

The idea is to make it easier to manage access to the systems when we bring in contractors or are just hiring or removing users.

At this point, I'm trying to see if something like this is feasible, and if so, I'm curious if someone can point me to the technologies that would allow that. Does RHEL support that out of the box?
Old 10-11-2009, 02:28 PM   #2
Certainly you can. You have two options: using LDAP directly against a DC, or the more complex step of adding the Linux box to the domain with Samba and winbind. I prefer the LDAP version myself. To do it properly you need to use the MS SFU AD schema extensions, available from somewhere. This will give you extra attributes on AD user accounts, like automatic UID and GID values, among other things. Then you just need to configure your /etc/ldap.conf to map the AD attributes received over LDAP to a standard POSIX user list as retrieved with the "getent passwd" command - and the equivalent for groups too. Also you need to integrate the use of LDAP into your authentication stack... The best way to accomplish all of this is to initially use the authconfig / system-config-authentication tool to include LDAP for both info and auth (this modifies nsswitch.conf, pam.d configs etc., as well as ldap.conf), and then once you've entered the basics in there, edit the ldap.conf directly to fine-tune things.

As above, things are much easier if you do them bit by bit, and your first place to aim is doing a successful ldapsearch against the DC machine. With no security considerations or design, the command "ldapsearch -x -h host-of-your-dc" may well be enough. Then sort out MS SFU (although TBH there are ways of fudging this data in ldap.conf, but you won't get consistency across multiple systems this way, so I wouldn't recommend it) and get to see GIDs and UIDs in that ldapsearch output. After that do the authconfig stuff, and a "getent passwd" will show that data after having been processed by ldap.conf and the general system stack. If you get data out there, then you're just about done.
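As an added illustration (not part of either post above, and not a RHEL or nss_ldap tool): the reply's check is "does the ldapsearch output carry UIDs and GIDs, and does getent passwd then show them". The script below takes LDIF in the shape ldapsearch prints and emits the passwd and group lines nss_ldap would produce from it, using the same attribute choices a RHEL 4/5 ldap.conf would map (sAMAccountName as the login name, uidNumber/gidNumber or the older msSFU30* attributes, unixHomeDirectory, loginShell, memberUid). Accounts that have no POSIX attributes are reported on stderr: those are exactly the users who will stay invisible to getent passwd after authconfig. The user names, DN layout, UIDs and GIDs are constructed sample data; the in_group helper and the defaults of /home/<name> and /bin/bash for missing attributes are this example's assumptions, not AD's or nss_ldap's behaviour.

```shell
#!/bin/sh
# Added example, not code from the LQ thread. Converts LDIF (as printed by
# "ldapsearch -x -h <dc> ...") into the passwd/group lines that nss_ldap would
# hand to "getent passwd" / "getent group", and flags AD accounts with no
# POSIX attributes. All data below is constructed.
#
# For reference, the corresponding nss_ldap mappings in /etc/ldap.conf look
# like this (verify against the nss_ldap version shipped on the box):
#   nss_map_objectclass posixAccount  user
#   nss_map_attribute   uid           sAMAccountName
#   nss_map_attribute   homeDirectory unixHomeDirectory
#   nss_map_objectclass posixGroup    group
#   nss_map_attribute   uniqueMember  member
# (AD stores group members as DNs in "member"; memberUid is used here only to
#  keep the sample self-contained.)

# Constructed LDIF: one RFC2307-style user, one SFU 3.x-style user, one user
# with no POSIX attributes at all, and one group.
sample_ldif() {
  cat <<'EOF'
dn: CN=Alice Admin,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Admin

dn: CN=Bob Contractor,OU=Contractors,DC=example,DC=com
objectClass: user
sAMAccountName: bob
msSFU30UidNumber: 10002
msSFU30GidNumber: 5000
msSFU30LoginShell: /bin/sh

dn: CN=Carol Nounix,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=SysAdmins,OU=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: SysAdmins
gidNumber: 5000
memberUid: alice
memberUid: bob
EOF
}

# ldif_to_nss passwd|group  (reads LDIF on stdin, one record per blank line)
# Missing home/shell fall back to /home/<name> and /bin/bash (assumption).
ldif_to_nss() {
  awk -v mode="${1:-passwd}" '
    function reset() { name = ""; uid = ""; gid = ""; gecos = ""; home = ""; shell = ""; members = ""; isgroup = 0 }
    function flush() {
      if (name == "") { reset(); return }
      if (mode == "group") {
        if (isgroup && gid != "") printf "%s:x:%s:%s\n", name, gid, members
      } else if (!isgroup) {
        if (uid != "" && gid != "") {
          if (home == "") home = "/home/" name
          if (shell == "") shell = "/bin/bash"
          printf "%s:x:%s:%s:%s:%s:%s\n", name, uid, gid, gecos, home, shell
        } else {
          printf "skipped %s: no uidNumber/gidNumber (POSIX attributes not set in AD)\n", name > "/dev/stderr"
        }
      }
      reset()
    }
    /^#/ { next }
    /^[ \t]*$/ { flush(); next }
    {
      i = index($0, ": ")
      if (i == 0) next
      attr = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 2)
      if (attr == "objectclass" && tolower(val) == "group") isgroup = 1
      else if (attr == "samaccountname") name = val
      else if (attr == "uidnumber" || attr == "mssfu30uidnumber") uid = val
      else if (attr == "gidnumber" || attr == "mssfu30gidnumber") gid = val
      else if (attr == "gecos") gecos = val
      else if (attr == "unixhomedirectory" || attr == "mssfu30homedirectory") home = val
      else if (attr == "loginshell" || attr == "mssfu30loginshell") shell = val
      else if (attr == "memberuid") members = (members == "" ? val : (members "," val))
    }
    END { flush() }
  '
}

# in_group <user> <group>: reads group lines on stdin; exit 0 if <user> is a
# member of <group>. This is the membership check the OP wants to tie to wheel.
in_group() {
  awk -F: -v u="$1" -v g="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run: passwd lines, then group lines; carol is reported on stderr.
sample_ldif | ldif_to_nss passwd
sample_ldif | ldif_to_nss group
```

Run it against real data by replacing sample_ldif with the actual ldapsearch (with a -b base DN and a bind identity your DC accepts); anything that appears on stderr is an account that still needs its SFU attributes filled in before it can log on to the RHEL boxes.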

