
Re: Linux AD Integration with consistent UID and GID



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nico,

I have some chicken scratches on consistent UID/GID mapping with
idmap_hash, which takes the Windows SID (Security ID) and makes a
Linux readable hash.  This works if your AD people have not/will
not/messed up implementation of the schema extensions for UID/GID.

Check it out to see if it works for you:

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

Robert

On 08/29/2012 07:49 PM, Russ Allbery wrote:
> Nico Kadel-Garcia <nkadel@gmail.com> writes:
> 
>> There are numerous published guidelines for using Winbind and
>> LDAP authentication. Most of the LDAP guidelines just wave their
>> hands at the authentication part. If I see *one more* stupid
>> guideline that uses LDAP to store the passwords and ignores the
>> last 30 years of password management by storing them in plain
>> text in a universally available schema, I'm going to be very
>> unhappy.
> 
> For authentication you almost certainly want to use just a normal,
> vanilla Kerberos PAM module.  Active Directory is a perfectly
> functional Kerberos KDC that you can authenticate to just like you
> would with any other Kerberos KDC.  The only real question is how
> you get NSS data onto the system (UIDs and GIDs), which is where
> nss-pam-ldapd comes in.
> 
> Yes, it has a PAM component, which is sometimes still useful in 
> combination with a Kerberos PAM module to do LDAP-based access
> control, but you don't care about its authentication component with
> AD.  There's really no reason to ever use password binds to LDAP
> for authentication when something much better, like Kerberos, is
> available.
> 


- -- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlBBGjYACgkQup357T5MfTb7hQCffZ+ulzpoRZTZ8e5uEZTQinIq
2TkAn08eoafwknu4qIu0OILqLz+kLgFH
=OyCp
-----END PGP SIGNATURE-----
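To make the "hash the SID into a Linux-readable ID" idea concrete, here is an added, self-contained Python illustration. It is not code from this thread, from Robert's notes, or Samba's own idmap_hash implementation: it simply hashes the domain part of a SID to pick a block in an assumed ID range and adds the RID, which is enough to show why a stateless scheme gives the same UID/GID on every host with the same settings, and where an admin has to check for the two failure modes (a RID that does not fit the block, and two domains hashing to the same block). The range and block-size parameters are assumptions chosen for the example.

```python
import hashlib
import re

# Constructed example of deterministic SID -> Unix ID mapping in the spirit
# of idmap_hash. NOT Samba's actual algorithm; the range (low/high) and the
# per-domain block size are assumptions for illustration only.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (domain_sid, rid) for a textual SID such as S-1-5-21-a-b-c-1105."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def domain_block(domain, low, high, block_size):
    """Pick a block base for this domain from a hash of the domain SID.

    No state is consulted, so every host with the same parameters derives
    the same base for the same domain.
    """
    nblocks = (high - low + 1) // block_size
    if nblocks < 1:
        raise ValueError("ID range too small for a single block")
    digest = hashlib.sha256(domain.encode("ascii")).digest()
    index = int.from_bytes(digest[:4], "big") % nblocks
    return low + index * block_size


def sid_to_id(sid, low=100000, high=2000000000, block_size=1 << 20):
    """Map a SID to a Unix ID: block base chosen by domain hash, plus the RID."""
    domain, rid = parse_sid(sid)
    base = domain_block(domain, low, high, block_size)
    if rid >= block_size:
        # A RID beyond the block would spill into another domain's block.
        raise ValueError(f"RID {rid} does not fit in a block of {block_size}")
    return base + rid


def blocks_collide(domains, low=100000, high=2000000000, block_size=1 << 20):
    """Return the first pair of domain SIDs that hash to the same block, else None.

    Two domains sharing a block would hand out overlapping UIDs/GIDs, so this
    is the check to run before trusting a hash-based mapping in a forest.
    """
    seen = {}
    for domain in domains:
        base = domain_block(domain, low, high, block_size)
        if base in seen and seen[base] != domain:
            return seen[base], domain
        seen.setdefault(base, domain)
    return None


if __name__ == "__main__":
    # Constructed sample SIDs (not real domain values).
    user = "S-1-5-21-1000000001-1000000002-1000000003-1105"
    group = "S-1-5-21-1000000001-1000000002-1000000003-513"
    print("uid:", sid_to_id(user))
    print("gid:", sid_to_id(group))
    print("collision:", blocks_collide([
        "S-1-5-21-1000000001-1000000002-1000000003",
        "S-1-5-21-2000000001-2000000002-2000000003",
    ]))
```

The usage section at the bottom prints a UID and GID for two constructed SIDs from the same domain; because both share the domain block, their IDs differ by exactly the RID difference, which is the property that keeps ownership consistent across NFS clients and servers. Deliberately unlike an rfc2307 schema extension, nothing here is looked up in AD, so the mapping cannot drift between hosts, but it also cannot be corrected per-user once chosen.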

