Is there a way to set up a CentOS server to have it do some kind of mapping to/from Microsoft AD? I am thinking that any Linux users we start could authenticate against the CentOS server and simply have it push out some type of 'translated' permissions for those users to work with server shares currently hosted on Server '03 boxes.
Michael Haworth Enterprise Systems Support Manager PAS Technologies Inc. Direct Line: (816) 556-5157 Mobile Phone: (816) 585-1033 Fax: (816) 556-5189 E-mail: michael_haworth@pas-technologies.com
On Wed, Nov 12, 2008 at 13:35, Haworth, Michael A. Michael_Haworth@pas-technologies.com wrote:
Is there a way to set up a CentOS server to have it do some kind of mapping to/from Microsoft AD?
Yes. There are two primary ways. Winbind, and LDAP. Winbind is subordinate to Windows proprietary authentication stuff, so it's not a boot choice if you ultimately want to do away with your windows infrastructure some day. LDAP is the "more open-ey" way to do it. I've never set up a Linux file server as a windows domain member server using LDAP though, so maybe someone can chime in on the list. If not, google a bit, give it a try, and search on whatever error message you get. Keep in mind Linux accounts, and samba accounts are separate databases. If there are less than a dozen or so users, you may find it easier to just create fresh Linux and Samba accounts, without 'connecting' authentication together.
Here's a page from the CentOS deployment guide on setting up authentication mechanisms for local unix accounts: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-authconfig.html
Samba (if you're using this for file or print serving to windows clients) also needs to be set up to use ldap against a windows AD. Samba servers choose one of a handful of security types. These define how users are authenticated. You can read about them at: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html
The 'role' of a file server that authenticates users against AD is an AD 'member server'. Chapter 6 of the samba howto is dedicated to this: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html
I also have a book on samba I can give you at the next meeting. I read it from front to back, and it helped a lot. Samba is immensely flexible.
If you need a distributed account database, you will eventually need to learn and use OpenLDAP. http://www.openldap.org/
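An added example, not part of the original message: a minimal `smb.conf` for the AD member-server role described above, using the `ads` security type with winbind. It assumes the Samba 3.0 series shipped with CentOS 5 (later Samba releases replace `idmap uid`/`idmap gid` with `idmap config` lines); `EXAMPLE`, `EXAMPLE.COM`, `dc1.example.com` and the `[shared]` share are placeholders.

```ini
# /etc/samba/smb.conf -- constructed example; EXAMPLE, EXAMPLE.COM,
# dc1.example.com and /srv/shared are placeholders, not values from this thread.
[global]
    # Short (NetBIOS) domain name and the Kerberos realm of the AD domain.
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # "ads" makes Samba a native AD member that authenticates via Kerberos.
    security = ads
    password server = dc1.example.com
    # Only accept encrypted password hashes, never plaintext passwords.
    encrypt passwords = yes

    # winbind maps AD users and groups onto this local uid/gid range.
    # Keep the range clear of the accounts in /etc/passwd and /etc/group.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # AD accounts get no interactive login shell on the file server.
    template shell = /sbin/nologin
    template homedir = /home/%D/%U

[shared]
    path = /srv/shared
    read only = no
    # Only members of this AD group may connect; everyone else is refused.
    valid users = @"EXAMPLE\Domain Users"
    # No anonymous access to the share.
    guest ok = no
```

Check the file with `testparm`, then join the domain with `net ads join -U Administrator` and start winbind. Local Unix tools only see the AD accounts once `winbind` is added to the `passwd` and `group` lines of `/etc/nsswitch.conf`.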
Linux Weekly News just pointed people at an article Microsoft published on Authenticating Linux Clients with Active Directory: http://technet.microsoft.com/en-au/magazine/dd228986.aspx
Intentionally or not, it's a bit slanted to make Linux look like a burden. Don't let it scare you. The author clearly has some questionable admin skills, but the explanations of how auth works, how it evolved, and how to configure it are worth a read, and will probably solve your problem. I would strongly advise going the Kerberos+LDAP approach because it will make the final switch a lot easier.
Linux.com interviewed a guy from Likewise, a company that sells and supports AD integration for GNU+Linux. Their product is GPL, and they give it away for free. The interview is a bit more fair than that Technet article, and makes the product sound pretty usable.
The Linux.com article and interview: http://www.linux.com/feature/145656
The Software product: http://www.likewisesoftware.com/products/likewise_open/
In virt-manager, install a Windows 2003 R2 Domain controller, and say, an Ubuntu and Fedora system. Then give this a shot.
On Sat, Nov 15, 2008 at 01:02, Billy Crook billycrook@gmail.com wrote:
Linux Weekly News just pointed people at an article Microsoft published on Authenticating Linux Clients with Active Directory: http://technet.microsoft.com/en-au/magazine/dd228986.aspx
Intentionally or not, it's a bit slanted to make Linux look like a burden. Don't let it scare you. The author clearly has some questionable admin skills, but the explanations of how auth works, how it evolved, and how to configure it are worth a read, and will probably solve your problem. I would strongly advise going the Kerberos+LDAP approach because it will make the final switch a lot easier.
Will do, I was wondering what to do after the 'honey-do's' this weekend. ;)
Sent from my iPhone