I'll let you know when I get it working. Meanwhile, if anyone knows how this is accomplished please give me a hint.

On Fri, Jan 29, 2010 at 3:53 PM, s u p e r n a u t <supernaut@xxxxxxx> wrote:
> Thanks for the feedback.
>
> I'd think grouping computers in AD should work the same way. Please let the list know when you get it working.
>
>
> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx>
> To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
> Sent: Friday, January 29, 2010 1:52 PM
> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>
>
>> Hi.
>>
>> I got it working - I can now fetch both users and groups from AD directly, and can use this information in both PAM and sudo to control access.
>>
>> Didn't take much tweaking to get it to work, as most of the attributes in the document you linked to were correct. I may have made a couple of changes, but don't recall exactly which. I'll paste in the mappings here for others to use:
>>
>> -- snip --
>> nss_base_passwd ou=linux,dc=example,dc=com
>> nss_base_shadow ou=linux,dc=example,dc=com
>> nss_base_group ou=linux,dc=example,dc=com
>> nss_map_objectclass posixAccount user
>> nss_map_objectclass shadowAccount user
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute gecos name
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute uniqueMember member
>> nss_map_attribute cn cn
>> nss_map_attribute shadowLastChange pwdLastSet
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=User
>> pam_password ad
>> pam_member_attribute member
>> -- snip --
>>
>> The next issue would be to group computers, so that I can give a group of users (collected in a regular AD group) access/privileges to a group of servers. I'm thinking that such groups of computers also should be maintained in AD. Is this how others are doing it?
>>
>> - Kenneth
>>
>> On Thu, Jan 28, 2010 at 2:00 PM, s u p e r n a u t <supernaut@xxxxxxx> wrote:
>>
>>> Kenneth,
>>>
>>> I'd be interested to know if this worked for you. Did you have to do anything specific that's different to that guide to make it work with W2K8?
>>>
>>> Thanks.
>>>
>>> ----- Original Message ----- From: "s u p e r n a u t" <supernaut@xxxxxxx>
>>> To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
>>> Sent: Wednesday, January 27, 2010 3:17 PM
>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>
>>>
>>>> I'm not sure I understand why you'd want to do that. After you've installed AD Services Identity Management for UNIX, you can specify a user's primary (AD) group under his AD properties under the UNIX Attributes tab.
>>>>
>>>> Then you basically assign/change permissions on the Linux system as username:ad_group_name.
>>>>
>>>> I think the idea is that you'd use AD groups for file/folder access and not the Linux groups anymore, although the Linux groups could still be used if you wanted to.
>>>>
>>>> I'm a bit rusty on this but I believe that's what I wanted to achieve, anyway.
>>>>
>>>> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx>
>>>> To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
>>>> Sent: Wednesday, January 27, 2010 2:35 PM
>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>
>>>>
>>>>> Great, thanks, I got it working.
>>>>>
>>>>> Currently, our linux users are all members of a posix group of the same name (i.e. user "kenneth" is a member of its own group "kenneth", which is the default in linux as far as I know). Do you know how I can create such groups on AD, instead of adding users to shared groups such as "unixusers"?
>>>>>
>>>>> On Wed, Jan 27, 2010 at 1:39 PM, s u p e r n a u t <supernaut@xxxxxxx> wrote:
>>>>>
>>>>>> I've used this in the past to good effect with RHEL5.3 and W2K3. I'm sure you'll have to make adjustments with W2K8, but it may be a good starting point.
>>>>>>
>>>>>> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
>>>>>>
>>>>>> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx>
>>>>>> To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
>>>>>> Sent: Wednesday, January 27, 2010 7:58 AM
>>>>>> Subject: Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>>>
>>>>>>
>>>>>>> Thanks for your reply.
>>>>>>>
>>>>>>> I would like the account and group information to be maintained in AD. Possibly later on we'll implement kerberos too.
>>>>>>>
>>>>>>> - Kenneth
>>>>>>>
>>>>>>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
>>>>>>>
>>>>>>>> If you just care about authentication and not accounts, I'd set up kerberos auth - much easier. I have no experience setting up LDAP auth, sorry.
>>>>>>>>
>>>>>>>> Rob Marti
>>>>>>>> ________________________________________
>>>>>>>> From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of Kenneth Holter [kenneho.ndu@xxxxxxxxx]
>>>>>>>> Sent: Tuesday, January 26, 2010 10:17
>>>>>>>> To: redhat-list@xxxxxxxxxx
>>>>>>>> Subject: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory
>>>>>>>>
>>>>>>>> Hello all.
>>>>>>>>
>>>>>>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our Windows server 2008 Active Directory. Using "authconfig --update --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dn=example,dn=com" and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks like the linux box is connecting correctly to the AD server. But running "getent passwd <some-linux-user-defined-on-AD>" doesn't return any result.
>>>>>>>>
>>>>>>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are not correct. I have no attribute mapping defined, since I would think that there would be some default mappings that would work. Are there any default mappings, and if so, what are they? Or maybe "authconfig" set up these mappings automatically? Any advice is appreciated.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Kenneth Holter
>>>>>>>> --
>>>>>>>> redhat-list mailing list
>>>>>>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
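The mapping block Kenneth posted is the whole answer to his original question: without nss_map_objectclass/nss_map_attribute lines, nss_ldap asks AD for RFC 2307 objects (posixAccount, uid) that a stock AD tree does not have, so "getent passwd" comes back empty. The script below is an added example, not code from nss_ldap or from anyone on the list. It parses the posted /etc/ldap.conf lines (copied in as sample input) and shows the base, filter and attribute list a "getent passwd" or "getent group" lookup would send, first with no mappings and then with the posted ones. The query rewriting is a simplified model of nss_ldap's behaviour (an assumption; the real module also handles scopes, multiple bases and more attributes), and base_dn_problems is a hypothetical helper that flags RDN attribute types not normally used in a base DN.

```python
"""Model how nss_ldap-style mappings rewrite NSS lookups for Active Directory.

Added example for the redhat-list thread; not nss_ldap's code. The mapping
directives below are the ones posted in the thread (sample input). The
filter/attribute rewriting is a simplified model (assumption).
"""
from dataclasses import dataclass, field

# Sample input: the /etc/ldap.conf mapping lines posted in the thread.
POSTED_MAPPINGS = """\
nss_base_passwd ou=linux,dc=example,dc=com
nss_base_shadow ou=linux,dc=example,dc=com
nss_base_group ou=linux,dc=example,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
nss_map_attribute shadowLastChange pwdLastSet
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_member_attribute member
"""

# RFC 2307 attributes requested when nothing is mapped.
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "cn", "gecos",
                "homeDirectory", "loginShell")
GROUP_ATTRS = ("cn", "gidNumber", "memberUid", "uniqueMember")

# Naming attribute types normally seen in a base DN (hypothetical check list).
DN_ATTRIBUTE_TYPES = {"dc", "ou", "cn", "o", "l", "st", "c", "uid"}


@dataclass
class LdapConf:
    bases: dict = field(default_factory=dict)          # nss_base_<map> -> DN
    objectclasses: dict = field(default_factory=dict)  # RFC 2307 -> AD class
    attributes: dict = field(default_factory=dict)     # RFC 2307 -> AD attr
    options: dict = field(default_factory=dict)        # all other directives


def parse_ldap_conf(text):
    """Parse 'key value' lines in nss_ldap/pam_ldap style; '#' starts a comment."""
    conf = LdapConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key.startswith("nss_base_") and len(parts) >= 2:
            conf.bases[key[len("nss_base_"):]] = parts[1]
        elif key == "nss_map_objectclass" and len(parts) == 3:
            conf.objectclasses[parts[1]] = parts[2]
        elif key == "nss_map_attribute" and len(parts) == 3:
            conf.attributes[parts[1]] = parts[2]
        else:
            conf.options[key] = " ".join(parts[1:])
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def _lookup(conf, dbname, objectclass, key_attr, key_value, attrs):
    oc = conf.objectclasses.get(objectclass, objectclass)
    key = conf.attributes.get(key_attr, key_attr)
    filt = "(&(objectClass=%s)(%s=%s))" % (oc, key, escape_filter_value(key_value))
    base = conf.bases.get(dbname, conf.options.get("base", ""))
    return base, filt, [conf.attributes.get(a, a) for a in attrs]


def passwd_lookup(conf, username):
    """Query for 'getent passwd <username>' as (base, filter, attributes)."""
    return _lookup(conf, "passwd", "posixAccount", "uid", username, PASSWD_ATTRS)


def group_lookup(conf, groupname):
    """Query for 'getent group <groupname>' as (base, filter, attributes)."""
    return _lookup(conf, "group", "posixGroup", "cn", groupname, GROUP_ATTRS)


def base_dn_problems(dn):
    """Return the RDNs of dn whose attribute type is not a usual naming type."""
    bad = []
    for rdn in dn.split(","):
        attr_type, sep, _ = rdn.strip().partition("=")
        if not sep or attr_type.lower() not in DN_ATTRIBUTE_TYPES:
            bad.append(rdn.strip())
    return bad


if __name__ == "__main__":
    mapped = parse_ldap_conf(POSTED_MAPPINGS)
    unmapped = parse_ldap_conf("base dc=example,dc=com\n")
    for label, conf in (("unmapped", unmapped), ("mapped", mapped)):
        print(label, passwd_lookup(conf, "kenneth"))
        print(label, group_lookup(conf, "kenneth"))
    print(base_dn_problems("dn=example,dn=com"))
```

Running it side by side makes the failure mode visible: the unmapped lookup is "(&(objectClass=posixAccount)(uid=kenneth))" under the plain base, while the mapped one is "(&(objectClass=user)(sAMAccountName=kenneth))" under ou=linux and asks for unixHomeDirectory and name in place of homeDirectory and gecos. The filter escaping is there because the value in that filter is whatever name the calling process supplies; the DN check is the kind of sanity test worth running on an authconfig command line before blaming the attribute mappings.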