
Re: Linux AD Integration with consistent UID and GID

On Wed, Aug 29, 2012 at 5:38 PM, Russ Allbery <rra@debian.org> wrote:
> Scott Rouse <grim76@grim76.net> writes:
>> I have been asked to integrate our linux systems with our AD
>> infrastructure.  I have been looking at some of the options that are
>> available, but I am concerned about UID/GID mappings.  I would like to
>> have the UIDs and GIDs be consistent across systems so NFS and other
>> such animals work properly.
> If extending your Active Directory schema to include the NIS schema and
> provide UIDs and GIDs is an option, that's going to be the simplest on the
> Linux side.  It's definitely possible; the question is whether your Active
> Directory admins are willing to do and maintain the work.

This is all built into the commercial "Centrify" and "Powerbroker"
tools, as well as at least Centrify supporting an AD=>NIS translation
scheme. The problem is, they're expensive for commercial use (roughly
$200/server, minimum).

There are numerous published guidelines for using Winbind and LDAP
authentication. Most of the LDAP guidelines just wave their hands at
the authentication part. If I see *one more* stupid guideline that
uses LDAP to store the passwords and ignores the last 30 years of
password management by storing them in plain text in a universally
available schema, I'm going to be very unhappy.

Proper LDAP authentication integrated with AD uses the built-in
Kerberos authentication of AD, which can even work on its own without
any of the LDAP. LDAP leaves you vulnerable to careless centralized
management of accounts, ignoring local locked account settings or
authorizing domain members you *do not want* to have access on default
hosts. So there are trade-offs.

> You can then use nss-pam-ldapd to read the UID/GID mappings from AD.  (You
> want the *d version, since it has a thin shim plugin and a daemon that
> does good caching.  The non-*d version embeds the full LDAP libraries into
> the process space of each application calling getpwnam() and friends,
> which causes all sorts of interesting issues.)
> --
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
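
Added example, not part of the original thread: one way to check the consistency goal raised above is to collect `getent passwd` output from each host after integration and flag accounts whose UID/GID differ between hosts, or UIDs that resolve to different names (the case that gives the wrong user access to files over NFS). The host names, sample entries, and the `min_uid` cutoff are constructed assumptions.

```python
"""Audit passwd-format dumps from several hosts for UID/GID drift."""
from collections import defaultdict

# Constructed sample data: `getent passwd` output from two hypothetical hosts.
SAMPLES = {
    "nfs-client-a": "alice:*:10001:10000:Alice:/home/alice:/bin/bash\n"
                    "bob:*:10002:10000:Bob:/home/bob:/bin/bash\n",
    "nfs-client-b": "alice:*:10001:10000:Alice:/home/alice:/bin/bash\n"
                    "bob:*:10007:10000:Bob:/home/bob:/bin/bash\n"
                    "carol:*:10002:10000:Carol:/home/carol:/bin/bash\n",
}

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blank, malformed, and NIS compat (+/-) lines without numeric IDs.
        if len(fields) < 4 or not (fields[2].isdecimal() and fields[3].isdecimal()):
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def audit(dumps, min_uid=1000):
    """Return (drift, clashes) across hosts.

    drift:   {name: {host: (uid, gid)}} for names whose IDs differ by host
    clashes: {uid: [names]} for UIDs that map to more than one name
    """
    by_name = defaultdict(dict)
    by_uid = defaultdict(set)
    for host, text in dumps.items():
        for name, (uid, gid) in parse_passwd(text).items():
            if uid < min_uid:
                continue  # local system accounts are expected to differ
            by_name[name][host] = (uid, gid)
            by_uid[uid].add(name)
    drift = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    clashes = {u: sorted(ns) for u, ns in by_uid.items() if len(ns) > 1}
    return drift, clashes

if __name__ == "__main__":
    drift, clashes = audit(SAMPLES)
    for name, hosts in sorted(drift.items()):
        print(f"DRIFT {name}: {hosts}")
    for uid, names in sorted(clashes.items()):
        print(f"CLASH uid {uid}: {', '.join(names)}")
```
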
