[CentOS] authentication loosely tied to active directory?

Tue Jun 16 06:04:57 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Paul Johnson wrote:
> On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker<rswwalker at gmail.com> wrote:
>> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>
>>> What's the best authentication scheme when you are dealing with an
>>> active directory that someone else controls?  I've been using pam
>>> configured for smb and local passwords where a local account is needed
>>> for real logins (but either the domain or local password will work) and
>>> web services don't require a local account. That's most of the
>>> functionality I want and it doesn't take pre-arrangement with the AD
>>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>>> sure how to duplicate it for java web services.
>>>
>>> Is there a way to use an LDAP proxy in a similar way so I can add
>>> accounts of my own but also accept anything from one or more AD's? Or
>>> some better approach entirely?
>> We use winbind with rid mapping for user/group ids and kerberos for
>> authentication where I am and it works well and provides SSO for the
>> whole windows domain, even LDAP which we use as an address book.
>>
>> You can map ranges of user/group ids to particular domains and it
>> doesn't require any local accounts or manual setting of user ids.
>>
>> You can map those winbind accounts to unix groups globally through NIS.
>>
>> If your network is large setup a couple of rid mapping servers with
>> winbind that then re-export those maps through NIS to keep things
>> consistent. Just make sure your NIS make maps uses getent and winbind
>> is set to enumerate user/groups. Make sure no passwords are in there,
>> only kerberos accounts.
>>
>> -Ross
>>
> 
> 
> Hey, Ross:
> 
> How do you do this without cooperation from the administrator of the
> AD servers?  I can't make any progress at all as long as the
> administrators tell me to go to hell.  pam_smb is the only way I can
> make this work without administrator intervention

Same here - which is why I raised the question.  Although I probably 
could get permission to join the domain I want to be able to add users 
on the Linux side that don't exist in AD.  Pam_smb works but I think 
something that used LDAP would be better if the ldap server could have 
local entries and proxy for the AD.

-- 
   Les Mikesell
     lesmikesell at gmail.com
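As an added example for this thread (not configuration from Les, Ross or the CentOS project), the shell script below renders the pieces of the winbind + rid + Kerberos setup Ross describes (smb.conf, nsswitch.conf and a PAM auth stack that accepts either the local or the domain password, which is the behaviour Les has with pam_smb) and adds two checks before such a setup goes live: that no local uid falls inside the RID-mapped range, and Ross's caveat that the NIS passwd map carries no password hashes. Everything here is a placeholder or assumption: the domain EXAMPLE / realm EXAMPLE.COM, the 10000-99999 id range, Samba's current "idmap config" syntax, and the constructed account lines. As the thread notes, this approach still needs the host joined to the domain, which requires the AD administrator's cooperation.

```shell
#!/bin/sh
# Added example for this thread, not configuration from Les, Ross or the CentOS
# project. Renders the winbind + rid + Kerberos pieces Ross describes and adds
# two checks a defender wants before enabling them.
# Assumptions (all placeholders): short domain name EXAMPLE, realm EXAMPLE.COM,
# RID-mapped id range 10000-99999, Samba's "idmap config" syntax.

# smb.conf fragment: uid/gid = range base + RID, so ids are identical on every
# host without per-user local accounts.
render_smb_conf() {
  dom=$1; realm=$2; lo=$3; hi=$4
  cat <<EOF
[global]
   workgroup = $dom
   realm = $realm
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $dom : backend = rid
   idmap config $dom : range = $lo-$hi
   winbind use default domain = yes
   # Enumeration is what lets getent feed the NIS passwd/group maps
   winbind enum users = yes
   winbind enum groups = yes
EOF
}

# nsswitch.conf: local files first, so accounts that exist only on the Linux
# side keep working; AD users come from winbind.
render_nsswitch() {
  cat <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF
}

# PAM auth fragment: either the local password (pam_unix) or the domain
# password (pam_winbind, Kerberos behind it) is accepted; pam_deny closes the stack.
render_pam_auth() {
  cat <<'EOF'
auth    sufficient  pam_unix.so
auth    sufficient  pam_winbind.so use_first_pass
auth    required    pam_deny.so
account sufficient  pam_winbind.so
account required    pam_unix.so
EOF
}

# Check 1: no local uid may fall inside the RID range, otherwise a domain user
# would share a uid (and therefore file ownership) with a local account.
# Exits 0 when clear; prints each colliding user:uid and exits 1 otherwise.
idmap_range_clear() {
  lo=$1; hi=$2
  printf '%s\n' "$3" | awk -F: -v lo="$lo" -v hi="$hi" '
    $3+0 >= lo && $3+0 <= hi { print $1 ":" $3; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Check 2: Ross's caveat that the exported passwd map carries no hashes.
# Exits 0 when every password field is x, * or !; prints offenders, exits 1 otherwise.
passwd_map_clean() {
  printf '%s\n' "$1" | awk -F: '
    $2 != "x" && $2 != "*" && $2 != "!" { print $1; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample accounts (not a real passwd file). svc_backup at uid 10042
# sits inside the 10000-99999 range and must be flagged.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
les:x:500:500:Les:/home/les:/bin/bash
svc_backup:x:10042:10042::/var/backup:/sbin/nologin'

# Constructed map line carrying a hash instead of x, which must be flagged.
SAMPLE_NIS_BAD='bob:$6$saltsalt$notARealHash:20001:20001::/home/bob:/bin/sh'

render_smb_conf EXAMPLE EXAMPLE.COM 10000 99999
render_nsswitch
render_pam_auth
if idmap_range_clear 10000 99999 "$SAMPLE_LOCAL"; then
  echo "idmap range clear"
else
  echo "idmap range collides with the local accounts listed above"
fi
if passwd_map_clean "$SAMPLE_NIS_BAD"; then
  echo "passwd map clean"
else
  echo "passwd map leaks hashes for the users listed above"
fi
```

The two checks are the part worth keeping around: run `idmap_range_clear` against the real /etc/passwd (and the tdb range as well as the rid range) whenever a local service account is added, and run `passwd_map_clean` over `getent passwd` output on the NIS master before the maps are pushed.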