02-26-2011, 02:01 PM
|
#1
|
LQ Newbie
Registered: Jun 2009
Posts: 10
Rep:
|
Best way to authenticate a group of servers against Windows Active Directory
Hello,
We have a small group of Linux servers, currently with local logins. I want to eliminate the local logins and authenticate against the corporate AD.
I've been looking at PAM - but winbind requires each machine to be added to the AD. This becomes a pain if we create new virtual or physical servers.
Is it possible to have one server authenticate directly with AD, and the other servers authenticate against this server, which defers to the one server that is registered in AD?
Thanks.
|
|
|
02-26-2011, 02:11 PM
|
#2
|
LQ Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
|
Hello,
I've never done it but I assume that if you set up a dedicated OpenLDAP server to authenticate your Linux users and you integrate that with your Active Directory you should be pretty close to what you want. All Linux users on your servers would migrate from using passwd, shadow and groups to the LDAP, thus providing centralized authentication. If you then integrate the OpenLDAP into the Active Directory you should be set. Mind you, never done it, this is pure theory. I'm sure someone with more experience in the field will kick in pretty soon but that's a way I'd investigate. Google turns up with links like these, old but covering pretty much the base of what you need.
http://www.linux.com/archive/feed/40983
http://www.howtoforge.com/linux_ldap_authentication
Kind regards,
Eric
|
|
|
03-01-2011, 09:43 PM
|
#3
|
Member
Registered: Mar 2010
Posts: 202
Rep:
|
Look at pam.krb5; you can use Kerberos directly to authenticate to the Windows domain, no need for joining. That said, it does have a lot of advantages to have your servers fully joined, especially if you offer services to Windows clients.
|
|
1 members found this post helpful.
|
03-12-2011, 10:05 AM
|
#4
|
LQ Newbie
Registered: Jun 2009
Posts: 10
Original Poster
Rep:
|
Looking very promising
Quote:
Originally Posted by Juako
Look at pam.krb5; you can use Kerberos directly to authenticate to the Windows domain, no need for joining. That said, it does have a lot of advantages to have your servers fully joined, especially if you offer services to Windows clients.
|
Thanks - I got sidetracked with some other pressing things that came up.
That said, I was able to authenticate with Kerberos and check with klist. Had some issues with PAM configuration, but hopefully I should be able to work those out.
I had some previous experience with Kerberos, but that needed the machine joined to the domain. Probably because it was delegating the authorization for a database. I didn't join the machine here and Kerberos worked great - thanks for pointing me in the right direction!
|
|
|
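The setup suggested in post #3 and reported working in post #4 (Kerberos password checks against AD from a host that is not joined), as an added example that is not code from any poster. `stage_krb_login` is a hypothetical helper, the realm and KDC names in its usage comment are placeholders, and the PAM lines assume a pam_krb5 module that accepts `minimum_uid`.

```shell
#!/bin/sh
# Added example, not from the thread. stage_krb_login is a hypothetical helper.
# Usage: stage_krb_login CORP.EXAMPLE.COM dc1.corp.example.com /tmp/stage
# (realm and KDC are placeholders). Review the two files, then copy them to
# /etc/krb5.conf and the distribution's PAM auth file.
stage_krb_login() {
    realm=$1 kdc=$2 dir=$3
    [ -n "$realm" ] && [ -n "$kdc" ] && [ -d "$dir" ] || return 1
    # Kerberos realms are case sensitive and AD realms are upper case;
    # a lower-case realm is a common cause of failed kinit.
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm must be upper case: $realm" >&2
        return 1
    fi
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    # An unjoined host has no keytab, so a ticket cannot be verified against
    # a host key (nothing detects a spoofed KDC). verify_ap_req_nofail = true
    # would reject every login until the host is joined, so it stays false.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    verify_ap_req_nofail = false

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF

    # pam_krb5 only checks the password. Each user still needs an account
    # from NSS, for example an /etc/passwd entry with a locked password.
    # minimum_uid keeps root and system accounts on local authentication.
    cat > "$dir/pam-auth" <<'EOF'
auth     sufficient  pam_krb5.so minimum_uid=1000
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
EOF
}
```

Once the staged krb5.conf is in place, `kinit` for a domain user followed by `klist` confirms the KDC is reachable before PAM is involved.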