LinuxQuestions.org

Linux - Server: Winbind / KRB / SSSD / Active Directory Howto? (https://www.linuxquestions.org/questions/linux-server-73/winbind-krb-sssd-active-directory-howto-947461/)

rrue 05-29-2012 03:42 PM

Winbind / KRB / SSSD / Active Directory Howto?
 
I'm trying to set up a CentOS_6.2 server to authenticate SSH/shell sessions against a 2K8R2 Active Directory. Ideally I'd like to use only the default AD features (R2 does include Unix Attributes like uidNumber and gidNumber), have no local accounts on the Linux server, and have the users get the AD values for UID and GID when they log in. Shell access and sudo rights should also be limited to specific AD groups.

I've been hammering on this for a week and can't make it work. The closest I've been able to come is using winbind/pam with a rid backend for idmapping. This gives consistent numbers for UID and GID across multiple servers, but different than our AD values and all users get a GID that maps to "Domain Users." This would work if I could find a way to map UID and GID to the AD values.

I can make KRB/pam authentication work but only if there's a local account on the machine for the user. That way I also have to hard-code their UID and GID so what's the point?

Has anyone set this up? Can you point me toward a howto or some other documentation?

Hope to hear from you,

rrue
seattle

Kustom42 05-29-2012 05:50 PM

Take a look at http://www.enterprisenetworkingplane...th-Winbind.htm and http://wiki.samba.org/index.php/Samb...tive_Directory. Those should point you in the right direction, make sure you have your krb5 packages installed krb5-libs, krb5-workstation, and samba-common. Change your /etc/krb5.conf and /etc/samba/smb.conf to point to your AD domains. Then use the net ads join command to join your workstation to the AD server.

Best of luck, if you run into something specific let us know.

rrue 10-11-2012 12:48 PM

Been away from this issue for a while and am finally getting back in.

Never managed to make winbind work using the idmap backend AD options. Can run it using a local (random) tdb file mapping for UIDs and GIDs, or can use the RID mapping (non-random numbers that are consistent from machine to machine but still not the AD value for UID and GID), but if I turn on the AD mapping the client can no longer identify the user at all and logins fail.

Worse, winbind in the included samba version for CentOS_6 seems to eventually go pathological and lock up the machine. For now we're running using krb5 authentication against the AD, and need to create local accounts for all users on the machine. Winbind is no longer running.

I'm currently leaning toward using SSSD with LDAP for account info and KRB5 for authentication. Have found several simple-looking howtos (e.g. http://www.beduine.de/?p=657) for this, all claiming to do exactly what I want and easy-peasy. However, none of them work.

Has anyone made this work? Can anyone point me toward a howto they know to be accurate and complete?

Hope to hear from you.
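For reference, an sssd.conf along the lines of the setup asked for above (identity from the R2 Unix Attributes over LDAP, Kerberos for authentication, shell access limited to AD groups). This is an added example, not a configuration from the thread or from any of the linked howtos; example.com / EXAMPLE.COM, dc1, server1 and the two group names are placeholders to replace with your own.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owner root; restart sssd after editing)
# SSSD's parser does not accept trailing comments, so all notes are on their own lines.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
enumerate = false
# No cached passwords: every login is checked against the domain controllers.
cache_credentials = false

# Identity: read the Unix Attributes so UID/GID are the values stored in AD,
# not numbers generated locally (the tdb/rid behaviour described above).
id_provider = ldap
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
# AD returns referrals that stall plain LDAP lookups; turn them off.
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_member = member
# AD refuses anonymous searches: bind with the host's Kerberos key from the
# keytab written by "net ads join" rather than storing a bind password here.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/server1.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

# Authentication and password changes: Kerberos against the DCs.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
ldap_force_upper_case_realm = true

# Access control: only members of these AD groups get a shell at all.
access_provider = simple
simple_allow_groups = linux-users, linux-admins

# sudo is granted separately, in /etc/sudoers.d/ad-admins (its own file):
#   %linux-admins ALL=(ALL) ALL
```

Before trusting the mapping, run `id someaduser` on the server and compare the printed uid/gid with the uidNumber and gidNumber shown in the user's Unix Attributes tab in AD; if they differ, the LDAP identity settings are not being used.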

