Re: Linux AD Integration with consistent UID and GID

To: Russ Allbery <rra@debian.org>
Cc: Scott Rouse <grim76@grim76.net>, debian-enterprise@lists.debian.org
Subject: Re: Linux AD Integration with consistent UID and GID
From: Nico Kadel-Garcia <nkadel@gmail.com>
Date: Wed, 29 Aug 2012 19:42:45 -0400
Message-id: <[🔎] CAOCN9ryZGHKFtqEppNWGrBLRgeq5T12NsoU7OoZDupZq9f2hgg@mail.gmail.com>
In-reply-to: <[🔎] 87ehmpmla9.fsf@windlord.stanford.edu>
References: <[🔎] CACv5YAORJtZ16KrxPosxeEnm4Y69yrwm0cpgQNh6gMp42hmGuA@mail.gmail.com> <[🔎] 87ehmpmla9.fsf@windlord.stanford.edu>

On Wed, Aug 29, 2012 at 5:38 PM, Russ Allbery <rra@debian.org> wrote:
> Scott Rouse <grim76@grim76.net> writes:
>
>> I have been asked to integrate our linux systems with our AD
>> infrastructure.  I have been looking at some of the options that are
>> available, but I am concerned about UID/GID mappings.  I would like to
>> have the UIDs and GIDs be consistent across systems so NFS and other
>> such animals work properly.
>
> If extending your Active Directory schema to include the NIS schema and
> provide UIDs and GIDs is an option, that's going to be the simplest on the
> Linux side.  It's definitely possible; the question is whether your Active
> Directory admins are willing to do and maintain the work.

This is all built into the commercial "Centrify" and "Powerbroker"
tools, as well as at least Centrify supporting an AD=>NIS translation
scheme. The problem is, they're expensive for commercial use (roughly
$200/server, minimum).

There are numerous published guidelines for using Winbind and LDAP
authentication. Most of the LDAP guidelines just wave their hands at
the authentication part. If I see *one more* stupid guideline that
uses LDAP to store the passwords and ignores the last 30 years of
password management by storing them in plain text in a universally
available schema, I'm going to be very unhappy.

Proper LDAP authenticationj integrated with AD uses the built-in
Kerberos authentication of AD, which can even work on its own without
any of the LDAP. LDAP leaves you vulnerable to careless centralized
management of accounts, ignoring local locked account settings or
authorizing domain members you *do not want* to have access on default
hosts. So there are trade-offs.

> You can then use nss-pam-ldapd to read the UID/GID mappings from AD.  (You
> want the *d version, since it has a thin shim plugin and a daemon that
> does good caching.  The non-*d version embeds the full LDAP libraries into
> the process space of each application calling getpwnam() and friends,
> which causes all sorts of interesting issues.)
>
> --
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
>
>
> --
> To UNSUBSCRIBE, email to debian-enterprise-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 87ehmpmla9.fsf@windlord.stanford.edu">http://lists.debian.org/[🔎] 87ehmpmla9.fsf@windlord.stanford.edu
>

Reply to:

Follow-Ups:
- Re: Linux AD Integration with consistent UID and GID
  - From: Russ Allbery <rra@debian.org>

References:
- Linux AD Integration with consistent UID and GID
  - From: Scott Rouse <grim76@grim76.net>
- Re: Linux AD Integration with consistent UID and GID
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Linux AD Integration with consistent UID and GID
Next by Date: Re: Linux AD Integration with consistent UID and GID
Previous by thread: Re: Linux AD Integration with consistent UID and GID
Next by thread: Re: Linux AD Integration with consistent UID and GID
Index(es):
- Date
- Thread