LinuxQuestions.org


rimtrim 06-04-2009 01:21 PM

Minimum required to check passwords against Windows AD?
 
I'm wondering if it's possible to configure a Linux server (RHEL 4, but I suspect this is a general question) to check users' passwords against Windows AD, while minimizing the integration with AD.

I know there is a lot of detailed information out there about getting a Linux box to join an AD domain and allow logins for AD accounts (using Winbind, etc.). But, I really don't want my Linux box so closely linked to AD. I want to continue to manage accounts and groups normally on the Linux machine, and merely check passwords against AD rather than against the local shadow file.

My reasons for not wanting to do the full integration are twofold: (1) it seems like a lot of work for features I don't need and (2) our Windows domain is managed by a different group, and I want to minimize the need for coordination between the groups and changes on the Windows side.

There are a lot of apps out there that will do this kind of thing with their internal application accounts (Wordpress and Zimbra are two that I've implemented myself). Does anyone know a way to do such a thing with normal Linux accounts?

ramram29 06-04-2009 02:19 PM

I was also baffled by what to do about integrating a bunch of Linux servers to authenticate and authorize using AD. It took me a while but I did it and it works great. I had to read a bunch of books and brainstorm a bunch of links (some good, some misleading). You will need to brainstorm it because troubleshooting is a totally different ballpark and when things arise then you'll know what to do - and things will arise.

ramram29 06-04-2009 02:19 PM

Hint: Novell and Red Hat have some very good articles about it.

rimtrim 06-05-2009 08:17 AM

Thanks... All the articles I'm finding are describing a much tighter level of LDAP/AD integration than I want. I really only care about passwords -- I do not want to join my Linux box to the Active Directory, or even to pull UID, GID, /etc/group, etc. information from the AD servers (because that means someone has to maintain this information in AD, and I don't want to go down that road).

Ideally what I would like is the ability to configure certain Linux users so that instead of checking their password against the hash in /etc/shadow, Linux will attempt an LDAP bind to AD with their supplied password, and grant them access if it succeeds. Beyond that, I'd like everything to behave like standard Linux.

I've looked at the code that Wordpress (specifically, a Wordpress plugin) uses to do this with Wordpress accounts and it's quite simple, with no need for any AD schema extensions or additional field population, because it's doing nothing more than checking passwords.

I'm starting to think this can't be done with Linux accounts, but it just seems like it should be so simple...

ramram29 06-09-2009 03:09 PM

Never heard of the Wordpress plugin. You should keep both accounts and passwords in one place and not split like that. You will have to have an account in Windows and not just the password. Windows will not let you log in with an external account but a local password (that sounds very weird). If you create the accounts in AD then you'll have one place to do all your LDAP administration. AD is very powerful and very easy to use once you get it configured well. I run a bunch of Linux servers this way and all the users access them via their AD account. Everything from databases to web home directories via ftp. You can also integrate file and group permissions using AD. So it does both the authentication and the authorization. Linux to Windows integration is a big topic right now.

rimtrim 06-10-2009 08:15 AM

My users do have accounts in AD. The problem is that in my organization, I don't manage AD accounts, and I suspect the people who do have little interest in tailoring things to work with Linux. That's why I want to avoid joining the domain, adding UID/GID attributes to AD users, etc. I want what I'm doing to be basically invisible to the Windows admins.

The scenario I'm imagining is this. Suppose Bob, username "bob", has an account in Windows AD that he uses to access files on Windows servers, and separately, he has an account on my Linux box that he uses to access files on that machine. When Bob tries to log in to Linux, I would like the Linux box to go through a normal login process (verify that the user exists in /etc/passwd, etc.) with one exception: instead of checking Bob's password against the hash in /etc/shadow, Linux attempts a Windows login (could be via LDAP, or Kerberos, or whatever) using username "bob" and the password Bob provided. If this Windows login succeeds, Bob is granted access to his Linux account.

The key point here is that Bob is still essentially logging in to Linux, not to Windows. He has an entry in /etc/passwd, a home directory, group information in /etc/group, etc. The Windows login is being used *only* to verify his password and not for any other purpose. This way, all group and user information for my Linux system is still managed in the normal way and AD does not need to be aware of any of it.

I think I'm going to try setting up a test server with the PAM Kerberos module and see what happens if I use Windows as the Kerberos authentication source. I'm not sure, but I think this may do what I want.
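A concrete form of the plan in the last post, added here as an example and not taken from any poster in the thread: the PAM auth stack sends the users named in a local list file to pam_krb5 (password checked by obtaining a Kerberos ticket from the AD domain controller) and leaves everyone else on pam_unix and /etc/shadow. The list path /etc/security/ad-users, the realm EXAMPLE.COM and the domain controller name dc1.example.com are assumptions; the account, password and session sections of the PAM file are left as they are, which is what keeps /etc/passwd, home directories and /etc/group in charge of everything except the password check.

```text
# ---- /etc/pam.d/system-auth, auth section only (other sections unchanged) ----
auth        required      pam_env.so
# Users listed in /etc/security/ad-users (assumed path, one username per line)
# are password-checked against AD via Kerberos; everyone else stays on /etc/shadow.
# Listed user:   pam_listfile succeeds -> skip the next line (pam_unix).
# Unlisted user: pam_listfile fails   -> result ignored, fall through to pam_unix.
# onerr=fail means a missing or unreadable list file routes nobody to AD.
auth        [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/security/ad-users onerr=fail
# Local users: success ends the stack (done), failure ends it with a denial (die),
# so a password that failed against /etc/shadow is never retried against the AD KDC.
auth        [success=done default=die]  pam_unix.so try_first_pass
# AD users: the supplied password is used to request a Kerberos TGT from the
# AD domain controller named in krb5.conf. No domain join and no keytab are
# needed for this bare check.
auth        [success=done default=die]  pam_krb5.so use_first_pass

# ---- /etc/krb5.conf (realm and domain controller name are assumed) ----
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Two properties of this layout are worth checking on a test box before trusting it. First, Kerberos never sends the password itself to the domain controller, which is the main reason to prefer it over the LDAP-bind idea from earlier in the thread (a simple bind sends the password in the clear unless it is wrapped in LDAPS). Second, with no host keytab pam_krb5 cannot validate the ticket it receives, so the check is only as trustworthy as the network path to the domain controller; if the Windows admins can be persuaded to issue a single host keytab, pam_krb5's validate option closes that gap without any of the UID/GID schema work the thread wants to avoid.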
