RHEL 4/5 Active Directory authentication question - can I use AD groups?
I have many RHEL 4 and 5 systems, and currently, we are using local user accounts for logon. What I would like to do, at least for the systems administrators of these boxes, is to effectively have a group in AD that contains these systems administrators. If it's possible, I would then like to configure our machines to associate those AD groups with local groups in the RHEL systems, say the wheel group, for instance. So, users of the AD SysAdmin group would be in the wheel group of the RHEL servers.
The idea is to make it easier to manage access to the systems when we bring in contractors or are just hiring or removing users.
At this point, I'm trying to see if something like this is feasible, and if so, I'm curious if someone can point me to the technologies that would allow that. Does RHEL support that out of the box?
Certainly you can. You have two options: using LDAP directly against a DC, or the more complex step of adding the Linux box to the domain with Samba and winbind. I prefer the LDAP version myself. To do it properly you need to use the MS SFU AD schema extensions, available from microsoft.com somewhere. This will give you extra attributes on AD user accounts, like automatic UID and GID values, among other things. Then you just need to configure your /etc/ldap.conf to map the AD attributes received over LDAP to standard POSIX user lists as retrieved with the "getent passwd" command - and the equivalent for groups too. Also you need to integrate the use of LDAP into your authentication stack... The best way to accomplish all of this is to initially use the authconfig / system-config-authentication tool to include LDAP for both info and auth (this modifies nsswitch.conf, pam.d configs etc. as well as ldap.conf), and then once you've entered the basics in there, edit the ldap.conf directly to fine-tune things.
As above, things are much easier if you do them bit by bit, and your first place to point the air is doing a successful ldapsearch against the DC machine. With no security considerations or design, the command "ldapsearch -x -h host-of-your-dc" may well be enough. Then sort out MSSFU (although TBH, there are ways of fudging this data in ldap.conf, but you won't get consistency across multiple systems this way, so I wouldn't recommend it) and get to see GIDs and UIDs in that ldapsearch output. After that do the authconfig stuff and a "getent passwd" will show that data after having been processed by ldap.conf and the general system stack. If you get data out there, then you're just about done.
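As an added example (not from the original thread), here is an /etc/ldap.conf fragment for nss_ldap/pam_ldap that maps the SFU 3.x attributes onto the POSIX fields "getent passwd" and "getent group" expect, and restricts PAM logins to members of one AD group. The DC hostname, base DN, bind account, CA file and the SysAdmins group DN are placeholders to replace with your own values.

```conf
# /etc/ldap.conf fragment for nss_ldap + pam_ldap on RHEL 4/5 (added example).
# dc1.example.com, dc=example,dc=com, the ldapreader account, the CA file and
# the SysAdmins group are assumed placeholder values, not from the thread.

uri ldap://dc1.example.com/
base dc=example,dc=com
scope sub

# AD does not allow anonymous reads of user objects, so bind with a
# low-privilege, read-only service account. bindpw is stored in clear text:
# keep this file readable by root only.
binddn cn=ldapreader,cn=Users,dc=example,dc=com
bindpw PLACEHOLDER-BIND-PASSWORD

# "ldapsearch -x" sends the simple bind in the clear; for production use
# STARTTLS against the DC and verify its certificate against the issuing CA.
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ad-ca.pem
tls_checkpeer yes

# Subtrees nss_ldap searches for passwd and group entries.
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_group  cn=Users,dc=example,dc=com?sub

# Map the POSIX schema nss_ldap expects onto AD objects carrying the
# Services for UNIX 3.x (msSFU30*) attributes. On Windows 2003 R2 and later
# the attributes are named uidNumber, gidNumber, unixHomeDirectory and
# loginShell instead, so adjust the four mappings below accordingly.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

# pam_ldap: authenticate by sAMAccountName and only allow accounts that are
# members of the SysAdmins AD group to log in (least privilege by default).
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_groupdn cn=SysAdmins,cn=Users,dc=example,dc=com
pam_member_attribute member
pam_password ad
```

Run authconfig first so that nsswitch.conf and the pam.d files reference ldap, then "getent group SysAdmins" should list the AD group's members once the mappings are right.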