Hi,
I'm looking for a wiki or shared experience on replacing NIS authentication with an existing Active Directory server (W2003). The problem is the management of id and gid.
How to move the 1000 current NIS users to AD? How to keep the same id and gid for these 1000 users? What happens with the Linux NFS server and access by gid and/or id? Can the same user/password be used for Linux and Windows client authentication?
We tested a solution which works very well: the Centrify commercial software, http://www.centrify.com/directcontrol/overview.asp. But we are looking for a freeware solution (Kerberos? OpenLDAP? PAM? ...).
Has someone already successfully replaced NIS with AD authentication using a freeware solution?
Regards.
__________________________
Our e-mail address is changing to firstname.surname@ifpen.fr. Nevertheless, messages sent to the domain @ifpenergiesnouvelles.fr will still be delivered.
This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. IFP Energies nouvelles should not be liable for this message.
Visit our web site: www.ifpenergiesnouvelles.fr / www.ifpenergiesnouvelles.com
__________________________
On Fri, 18 Mar 2011, MOKRANI Rachid wrote:
Hi,
I'm looking for a wiki or shared experience on replacing NIS authentication with an existing Active Directory server (W2003). The problem is the management of id and gid.
How to move the 1000 current NIS users to AD?
Create matching accounts in AD. This is standard Active Directory stuff; there really aren't any gotchas I can think of.
How to keep the same id and gid for these 1000 users?
Make sure the SFU attributes have the correct values. You can do all this through LDAP as far as I know. Alternatively remap all your UIDs/GIDs and switch to a RID mapping scheme instead. You need to think about how you're planning on working in the future.
What happens with the Linux NFS server and access by gid and/or id?
It works exactly the same as it does now.
Can the same user/password be used for Linux and Windows client authentication?
Feel free to use winbind or pam_krb5 for authentication, both easy to set up. You'll need nss_ldap with pam_krb5, but winbind can do the whole bag.
Has someone already successfully replaced NIS with AD authentication using a freeware solution?
Probably the easiest is to use winbind, but we use nss_ldap and pam_krb5. There's plenty of documentation on how to do this out there.
jh
On 18/03/2011 13:31, MOKRANI Rachid wrote:
Hi,
I'm looking for a wiki or shared experience on replacing NIS authentication with an existing Active Directory server (W2003). The problem is the management of id and gid.
Here is a very good blog, Scott Lowe's, where I found precise information on how to set up LDAP/Kerberos authentication against Active Directory: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
If you have Windows 2003 R2, the schema already has Unix attributes (id, gid, user's home...) compliant with POSIX. You have to add the Windows component 'Unix identity management'; SFU is no longer needed. A tab for 'Unix attributes' will appear in the user properties (Users and Computers management console).
How to move the 1000 current NIS users to AD? How to keep the same id and gid for these 1000 users? What happens with the Linux NFS server and access by gid and/or id? Can the same user/password be used for Linux and Windows client authentication?
NFS will work if you add the Windows component 'Microsoft Services for NFS'. If you still have NIS accounts on Linux servers, the accounts should indeed be the same, with the same id/gid.
To create your 1000 accounts, you can use VBS scripts. See for example the very good O'Reilly book 'Active Directory', or 'Active Directory Cookbook' by the same author (Allen). It is something along the lines of:
    ' Bind to the user object first (strUserDN is the user's distinguished name)
    Set objUser = GetObject("LDAP://" & strUserDN)
    objUser.msSFU30NisDomain = "AD_domain"
    objUser.uidNumber = intUid
    objUser.gidNumber = intGid
    objUser.loginShell = strShell
    objUser.unixHomeDirectory = strHome   ' the R2 Unix attribute; homeDirectory is the Windows home folder
    objUser.SetInfo
We tested a solution which works very well: the Centrify commercial software, http://www.centrify.com/directcontrol/overview.asp. But we are looking for a freeware solution (Kerberos? OpenLDAP? PAM? ...).
The solution outlined in Scott Lowe's blog is both standard and free (it uses Kerberos and LDAP + Samba).
Has someone already successfully replaced NIS with AD authentication using a freeware solution?
Yes, I did on CentOS.
Regards, Alain
Hi,
Check out Likewise Open. I think this is what you are looking for.
http://www.likewise.com/products/likewise_open/
" Likewise Open is the open source foundation for Likewise Enterprise that joins Linux, UNIX, and Mac OS systems to Microsoft Active Directory to securely authenticate non-Windows users with AD credentials."
Asya
On 18/03/2011 14:06, Dvorkin, Asya wrote:
Hi,
Check out Likewise Open. I think this is what you are looking for.
http://www.likewise.com/products/likewise_open/
" Likewise Open is the open source foundation for Likewise Enterprise that joins Linux, UNIX, and Mac OS systems to Microsoft Active Directory to securely authenticate non-Windows users with AD credentials."
Asya
But the free edition uses a hash to generate id and gid, not the POSIX-compliant id and gid already included in 2003 R2. The non-free version does it. It is not, in my opinion, the solution you would like to use...
Alain
The amount of time burned setting up the migration, which is otherwise done manually to configure uids and gids consistently, very much justifies the purchase of a single Centrify license for an "adnisd" server. Get *that* running, switch your NIS to point to that, and you've done all the hard integration work. That more than justifies the cost of a license or a pair of licenses.
It can otherwise be done manually, but the data entry time wasted for your engineers well justifies the price of a Centrify license or two.
On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:
It can otherwise be done manually, but the data entry time wasted for your engineers well justifies the price of a Centrify license or two.
What do you mean by manually? Can't this all be done with ypcat, ldapmodify and a shell script? After which, you are entirely liberated from NIS.
jh
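Added example (editor's, not code from the thread): the ypcat-plus-ldapmodify route John describes, which is also the bulk form of the per-user attribute writes in Alain's VBS fragment and of "set the SFU attributes through LDAP" in John's first reply. It reads the NIS passwd and group maps and emits LDIF that sets the Windows 2003 R2 RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, msSFU30NisDomain), so every account keeps the numeric ids it has today and the NFS server sees no change. The base DNs, the NIS domain value and the rule "object CN equals NIS login name" are assumptions; the sample maps are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): convert NIS maps into LDIF that ldapmodify
# can apply to Windows 2003 R2 user and group objects. Attribute names are the
# R2 (RFC 2307) ones. Assumptions (all hypothetical): the AD object's CN equals
# the NIS login/group name, users live under USER_BASE, groups under GROUP_BASE.
USER_BASE="OU=Users,DC=example,DC=com"
GROUP_BASE="OU=Groups,DC=example,DC=com"
NIS_DOMAIN="example"

# passwd_to_ldif: read "ypcat passwd" lines on stdin, write one LDIF modify
# record per user on stdout. If two accounts share a uid it writes nothing and
# exits 1: a duplicate would silently give one of them a different identity on
# the NFS server after the switch, and that has to be resolved by a human first.
passwd_to_ldif() {
    awk -F: -v base="$USER_BASE" -v nisdom="$NIS_DOMAIN" '
    NF < 7 { next }                                   # skip malformed lines
    $3 in seen { printf "duplicate uid %s: %s and %s\n", $3, seen[$3], $1 > "/dev/stderr"; bad = 1; next }
    { seen[$3] = $1
      rec = rec sprintf("dn: CN=%s,%s\nchangetype: modify\n", $1, base)
      rec = rec sprintf("replace: uidNumber\nuidNumber: %s\n-\n", $3)
      rec = rec sprintf("replace: gidNumber\ngidNumber: %s\n-\n", $4)
      rec = rec sprintf("replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n", $6)
      rec = rec sprintf("replace: loginShell\nloginShell: %s\n-\n", $7)
      rec = rec sprintf("replace: msSFU30NisDomain\nmsSFU30NisDomain: %s\n-\n\n", nisdom)
    }
    END { if (bad) exit 1; printf "%s", rec }'
}

# group_to_ldif: same for "ypcat group" lines (name:*:gid:member,member,...).
# Membership is deliberately not written here: whether you need memberUid
# (nss_ldap in RFC 2307 mode) or member (winbind, rfc2307bis) depends on the
# client side, so handle it as a separate step.
group_to_ldif() {
    awk -F: -v base="$GROUP_BASE" -v nisdom="$NIS_DOMAIN" '
    NF < 3 { next }
    $3 in seen { printf "duplicate gid %s: %s and %s\n", $3, seen[$3], $1 > "/dev/stderr"; bad = 1; next }
    { seen[$3] = $1
      rec = rec sprintf("dn: CN=%s,%s\nchangetype: modify\n", $1, base)
      rec = rec sprintf("replace: gidNumber\ngidNumber: %s\n-\n", $3)
      rec = rec sprintf("replace: msSFU30NisDomain\nmsSFU30NisDomain: %s\n-\n\n", nisdom)
    }
    END { if (bad) exit 1; printf "%s", rec }'
}

# Constructed sample maps, in the shape "ypcat passwd" and "ypcat group" print:
SAMPLE_PASSWD='alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/tcsh'
SAMPLE_GROUP='users:*:100:alice,bob
wheel:*:10:alice'

# Against a live NIS domain the pipeline is (hostnames and bind DN hypothetical):
#   ypcat passwd | passwd_to_ldif > users.ldif
#   ypcat group  | group_to_ldif  > groups.ldif
#   ldapmodify -x -ZZ -H ldap://dc1.example.com -D 'EXAMPLE\admin' -W -f users.ldif
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif
printf '%s\n' "$SAMPLE_GROUP"  | group_to_ldif
```

If the CN of your user objects is the display name rather than the login name (the usual case when accounts were created through the GUI), resolve each DN first with something like `ldapsearch -x -b "$USER_BASE" "(sAMAccountName=alice)" dn` and substitute it for the CN=... line; the rest of the record is unchanged. Review the two .ldif files before applying them: this is the point where a case mismatch or a stale NIS entry is still cheap to fix.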
On Fri, Mar 18, 2011 at 10:42 AM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:
It can otherwise be done manually, but the data entry time wasted for your engineers well justifies the price of a Centrify license or two.
What do you mean by manually? Can't this all be done with ypcat, ldapmodify and a shell script? After which, you are entirely liberated from NIS.
jh
In theory, yes. In practice........ I've done that. Getting the buy-in from the Active Directory owners to manually run ldapmodify against their hosts can be politically painful. The nice GUI from Centrify, that has the NIS import facility, does a pretty good job, and can be very helpful to remind you that mixed case groups and usernames are problematic, that some systems don't deal well with non-alphanumeric characters such as '_' or '-', that the default maximum group or username is 8 characters, that there's a maximum number of characters in an NIS or POSIX compatible line such as a group membership list and they need to be split up to multiple entries with the same gid, etc., etc., etc.
It gets very expensive in engineering time, very fast, especially if people have been "clever" and already created correspondence between AD groups and NIS groups or users of various sorts, but weren't consistent about their naming schemes.
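Added example (editor's, not from the thread): a lint pass over the NIS maps for the traps Nico lists, run before any account is created in AD, whether by script or by a GUI import. The case-collision check is the "NKadel" versus "nkadel" problem (AD account lookups are case-insensitive, POSIX names are not); the 1024-byte figure is YPMAXRECORD, the limit on one NIS map entry. The sample maps are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): report the naming problems that bite a
# NIS-to-AD migration. Reads "ypcat passwd" or "ypcat group" output on stdin;
# the first argument names the map. Checks on field 1 (the name):
#   - mixed case, and names that collide once case is ignored
#   - characters outside [A-Za-z0-9] such as '-' or '_'
#   - more than 8 characters (fine on Linux, not on every older Unix client)
# and, for the group map only, entries longer than YPMAXRECORD (1024 bytes),
# which the NIS server cannot serve and which must be split into several
# entries sharing the same gid.
# Output is one "map name: problem" line per finding; exit status is always 0
# so the report can be captured and diffed between runs.
nis_lint() {
    awk -F: -v map="$1" '
    NF < 3 { next }
    { name = $1; key = tolower(name)
      if (name != key)
          printf "%s %s: mixed-case name\n", map, name
      if ((key in seen) && seen[key] != name)
          printf "%s %s: collides with %s when case is ignored\n", map, name, seen[key]
      seen[key] = name
      if (name ~ /[^A-Za-z0-9]/)
          printf "%s %s: contains non-alphanumeric characters\n", map, name
      if (length(name) > 8)
          printf "%s %s: longer than 8 characters\n", map, name
      if (map == "group" && length($0) > 1024)
          printf "%s %s: entry is %d bytes, over YPMAXRECORD (1024); split it into several groups with gid %s\n", map, name, length($0), $3
    }'
}

# Constructed sample passwd map: an AD-style login, its lowercase NIS twin, and a
# hyphenated name that is also longer than 8 characters.
SAMPLE_PASSWD='NKadel:x:1001:100:Nico:/home/NKadel:/bin/sh
nkadel:x:1002:100:Nico:/home/nkadel:/bin/sh
jean-pierre:x:1003:100:JP:/home/jp:/bin/sh'
# Constructed sample group map: a 200-member group, well past 1024 bytes, plus a clean one.
SAMPLE_GROUP=$(awk 'BEGIN { printf "bigteam:*:5000:"; for (i = 1; i <= 200; i++) printf "%suser%03d", (i > 1 ? "," : ""), i; printf "\nwheel:*:10:root\n" }')

# On a live domain:  ypcat passwd | nis_lint passwd ; ypcat group | nis_lint group
printf '%s\n' "$SAMPLE_PASSWD" | nis_lint passwd
printf '%s\n' "$SAMPLE_GROUP"  | nis_lint group
```

The collision check is the one to take seriously: once both "NKadel" and "nkadel" exist, a Linux client resolving either name through AD will get whichever object the server returns first, and home directories and file ownership stop matching the login. Decide on one spelling, and rename on the NIS side, before the import.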
On 18/03/2011 16:07, Nico Kadel-Garcia wrote:
<snip> ... that the default maximum group or username is 8 characters,... <snip>
That was the case with Solaris, but fortunately not on Linux. I don't remember what the maximum length is, but I think it could be up to 128 characters...
Alain
On Fri, Mar 18, 2011 at 11:19 AM, Alain Péan alain.pean@lpp.polytechnique.fr wrote:
On 18/03/2011 16:07, Nico Kadel-Garcia wrote:
<snip> ... that the default maximum group or username is 8 characters,... <snip>
That was the case with Solaris, but fortunately not on Linux. I don't remember what the maximum length is, but I think it could be up to 128 characters...
Alain
Well, yes. Centrify reasonably says "are you sure about this????" when you try to set such long names, and can even mangle the names into the shorter structure for you. (I don't recommend this.)
The boobytraps arise when someone's login in Active Directory is, for example, "NKadel", and you have your NIS/LDAP/whatever mapping think that your home directory and username is "NKadel", but your old NIS setup thought your login name was "nkadel".
This way lies mixed case support madness, which is why "just write a shell script with ldapmodify" gets..... nastier than you might realize.
Instead of replacing NIS I extended it.
I set up a winbind box that did RID mapping from AD and exported those into NIS maps, sans passwords.
I then set up Kerberos on all boxes to authenticate against AD; Samba managed the keytab files.
With this I got auto UID/GID generation, my AD users and groups automatically appear and disappear from the NIS maps and I can use those maps for multiple platforms.
Simple, yet effective.
-Ross
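Added example (editor's, not Ross's code): the id arithmetic of winbind's rid idmap backend that his setup relies on, and the passwd-map line it would export into NIS with no password hash in it. Domain name, idmap range, home directory and shell template are assumptions. Because the ids are derived from the RID they cannot coincide with an existing NIS uid scheme; this is the "remap all your UIDs/GIDs and switch to a RID mapping scheme" route from John's first reply, and whichever range you pick must not overlap the ids your current NIS users own, or the NFS server ends up with two owners for one number.

```sh
#!/bin/sh
# Added example (not from the thread): winbind "rid" backend arithmetic and the
# NIS passwd entry such a box exports. Password field is "x": no hashes leave AD,
# clients authenticate with Kerberos. Assumptions (hypothetical): domain EXAMPLE,
# idmap range 10000-19999, homes under /home, bash as shell.
#
# Matching smb.conf fragment (current Samba syntax):
#   [global]
#   security = ads
#   realm = EXAMPLE.COM
#   workgroup = EXAMPLE
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range = 10000-19999
IDMAP_LOW=10000
IDMAP_HIGH=19999

# rid_of: the last component of a SID, e.g. S-1-5-21-1-2-3-1105 -> 1105
rid_of() { printf '%s\n' "$1" | awk -F- '{ print $NF }'; }

# sid_to_id: the rid backend computes ID = RID + low end of the range (base_rid
# left at its default of 0). A RID that lands past the high end gets no id from
# winbind at all, so the account simply does not exist on the Unix side; fail
# loudly here instead of exporting a bogus entry.
sid_to_id() {
    rid=$(rid_of "$1")
    id=$((rid + IDMAP_LOW))
    if [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "SID $1 maps to $id, outside $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# nis_passwd_line: build the passwd map entry for one AD user from the account
# name, the user SID (what "wbinfo -n USER" returns), the primary group SID
# (Domain Users is RID 513) and the display name for the gecos field.
nis_passwd_line() {
    user=$1; usid=$2; gsid=$3; gecos=$4
    uid=$(sid_to_id "$usid") || return 1
    gid=$(sid_to_id "$gsid") || return 1
    printf '%s:x:%s:%s:%s:/home/%s:/bin/bash\n' "$user" "$uid" "$gid" "$gecos" "$user"
}

# Constructed sample: the domain part of the SID is made up.
nis_passwd_line alice S-1-5-21-11111-22222-33333-1105 S-1-5-21-11111-22222-33333-513 "Alice Example"
```

The same mapping runs on every client that joins the domain with the same idmap range, which is why the exported NIS map and a winbind client agree on numbers without any central allocation; the cost is that the range is fixed for good once files on the NFS server carry those ids.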