[CentOS] authentication loosely tied to active directory?

Tue Jun 16 03:30:16 UTC 2009
Paul Johnson <pauljohn32 at gmail.com>

On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker<rswwalker at gmail.com> wrote:
> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>
>> What's the best authentication scheme when you are dealing with an
>> active directory that someone else controls?  I've been using pam
>> configured for smb and local passwords where a local account is needed
>> for real logins (but either the domain or local password will work)
>> and
>> web services don't require a local account. That's most of the
>> functionality I want and it doesn't take pre-arrangement with the AD
>> administrator, but I have to glue mod_auth_pam into httpd and I'm not
>> sure how to duplicate it for java web services.
>>
>> Is there a way to use an LDAP proxy in a similar way so I can add
>> accounts of my own but also accept anything from one or more AD's? Or
>> some better approach entirely?
>
> We use winbind with rid mapping for user/group ids and kerberos for
> authentication where I am and it works well and provides SSO for the
> whole windows domain, even LDAP which we use as an address book.
>
> You can map ranges of user/group ids to particular domains and it
> doesn't require any local accounts or manual setting of user ids.
>
> You can map those winbind accounts to unix groups globally through NIS.
>
> If your network is large setup a couple of rid mapping servers with
> winbind that then re-export those maps through NIS to keep things
> consistent. Just make sure your NIS make maps uses getent and winbind
> is set to enumerate user/groups. Make sure no passwords are in there,
> only kerberos accounts.
>
> -Ross
>


Hey, Ross:

How do you do this without cooperation from the administrator of the
AD servers?  I can't make any progress at all as long as the
administrators tell me to go to hell.  pam_smb is the only way I can
make this work without administrator intervention

-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas