The company where I work is mostly a Windows shop, but I run a few CentOS servers and desktops. I have configured my systems as follows with Kickstart:
authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
    --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
    --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
The /etc/nsswitch.conf file looks like this:
passwd: files nis
shadow: files nis
group: files nis
The NIS services are provided by the Windows Domain controllers using Windows Unix Services (or something similarly named). This allows anyone that’s in the NIS database to log into any CentOS system with their Windows username and password. Home directories are automounted from a big NAS box (and are also available on Windows). This all works great most of the time. However, if the network or the NIS server goes down, the CentOS system just hangs.
For CentOS 7 I'd like to make the systems more robust to network failures. I could create local accounts (I believe there is a way to autocreate an account and a home directory upon login), but I'm not sure how to go about it. This also implies that the home directories will not be shared among the systems, so ssh keys will have to be manually copied to the local home directories. Ideally, I'd like to get rid of NIS altogether and use LDAP and Kerberos for everything, but I don't know if that is feasible. I think these are the only services that we currently rely on NIS for:
- passwd file
- group file
- automount maps (including auto.home for home directories)
Before I go re-inventing the wheel, I'd like to find out how others manage multiple users on multiple systems using a central service. And in case it wasn’t obvious, I want to use the same usernames and passwords that are used in the Windows environment.
Thanks, Alfred
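Added example, not part of the original post: one way to inventory which name-service databases on a host still depend on NIS before migrating, by reading nsswitch.conf. The function name `nis_dependencies` and the sample file are constructed for illustration; the post itself shows only the passwd, shadow and group entries, and the automount and hosts lines here are assumed.

```shell
#!/bin/sh
# nis_dependencies FILE
# Print each nsswitch database whose lookup order includes the "nis"
# (or "nisplus") source, followed by that database's full source list.
nis_dependencies() {
    awk '
        /^[[:space:]]*#/ { next }            # skip whole-line comments
        {
            sub(/#.*/, "")                   # strip trailing comments
            if ($1 !~ /:$/) next             # not a "database:" line
            db = $1; sub(/:$/, "", db)
            hit = 0; order = ""
            for (i = 2; i <= NF; i++) {
                order = order (i > 2 ? " " : "") $i
                if ($i == "nis" || $i == "nisplus") hit = 1
            }
            if (hit) print db ": " order
        }
    ' "$1"
}

# Constructed sample input (not taken from a real host)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
automount:  files nis   # auto.home is served from here
EOF

nis_dependencies "$sample"
```

On a real system the argument would be /etc/nsswitch.conf; every database the function lists needs a replacement source before NIS can be switched off.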
Integrated Linux domain controller -> http://www.freeipa.org/
It's brilliant!
ta,
Andrew
On Jun 10, 2014, at 18:39, Andrew Holway andrew.holway@gmail.com wrote:
> Integrated linux domain controller -> http://www.freeipa.org/
I’ll look into this, but I was hoping for a solution that can be configured via kickstart (similar to what I am doing now with NIS/Kerberos) without the need for external software and/or services.
It’s ironic that I posted my question today, the same day that RHEL 7 was released, which has "support for direct use of Microsoft's Active Directory". I’ve been meaning to post this question for a while, but as usual, other things got in the way. Anyway, I wonder if with CentOS 7 it will be easier to coexist in a Windows environment. I’ll start perusing the RHEL 7 release notes one of these days. In the meantime, if this problem has already been solved with RHEL/CentOS 6, I’d love to know.
Thanks, Alfred
2014-06-11 4:01 GMT+03:00 Alfred von Campe alfred@von-campe.com:
> On Jun 10, 2014, at 18:39, Andrew Holway andrew.holway@gmail.com wrote:
>> Integrated linux domain controller -> http://www.freeipa.org/
> I’ll look into this, but I was hoping for a solution that can be configured via kickstart (similar to what I am doing now with NIS/Kerberos) without the need for external software and/or services.
ipa-client and server are part of RHEL, the same way as NIS or Winbind.
-- Eero
2014-06-11 1:28 GMT+03:00 Alfred von Campe alfred@von-campe.com:
> The company where I work is mostly a Windows shop, but I run a few CentOS servers and desktops. I have configured my systems as follows with Kickstart:
> authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
>     --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
>     --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
> The /etc/nsswitch.conf file looks like this:
> passwd: files nis
> shadow: files nis
> group: files nis
> The NIS services are provided by the Windows Domain controllers using Windows Unix Services (or something similarly named). This allows anyone that’s in the NIS database to log into any CentOS system with their Windows username and password. Home directories are automounted from a big NAS box (and are also available on Windows). This all works great most of the time. However, if the network or the NIS server goes down, the CentOS system just hangs.
> For CentOS 7 I'd like to make the systems more robust to network failures. I could create local accounts (I believe there is a way to autocreate an account and a home directory upon login), but I'm not sure how to go about it. This also implies that the home directories will not be shared among the systems, so ssh keys will have to be manually copied to the local home directories. Ideally, I'd like to get rid of NIS altogether and use LDAP and Kerberos for everything, but I don't know if that is feasible. I think these are the only services that we currently rely on NIS for:
Well, you can just authenticate against AD; it works fine on RHEL 5/6.
See your private mail for instructions.
-- Eero