[CentOS] authentication loosely tied to active directory?

Tue Jun 16 21:46:43 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Jun 16, 2009, at 2:04 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> Paul Johnson wrote:
>> On Fri, Jun 5, 2009 at 5:29 PM, Ross Walker<rswwalker at gmail.com>  
>> wrote:
>>> On Jun 5, 2009, at 1:00 PM, Les Mikesell <lesmikesell at gmail.com>  
>>> wrote:
>>>
>>>> What's the best authentication scheme when you are dealing with an
>>>> active directory that someone else controls?  I've been using pam
>>>> configured for smb and local passwords where a local account is  
>>>> needed
>>>> for real logins (but either the domain or local password will work)
>>>> and
>>>> web services don't require a local account. That's most of the
>>>> functionality I want and it doesn't take pre-arrangement with the  
>>>> AD
>>>> administrator, but I have to glue mod_auth_pam into httpd and I'm  
>>>> not
>>>> sure how to duplicate it for java web services.
>>>>
>>>> Is there a way to use an LDAP proxy in a similar way so I can add
>>>> accounts of my own but also accept anything from one or more  
>>>> AD's? Or
>>>> some better approach entirely?
>>> We use winbind with rid mapping for user/group ids and kerberos for
>>> authentication where I am and it works well and provides SSO for the
>>> whole windows domain, even LDAP which we use as an address book.
>>>
>>> You can map ranges of user/group ids to particular domains and it
>>> doesn't require any local accounts or manual setting of user ids.
>>>
>>> You can map those winbind accounts to unix groups globally through  
>>> NIS.
>>>
>>> If your network is large setup a couple of rid mapping servers with
>>> winbind that then re-export those maps through NIS to keep things
>>> consistent. Just make sure your NIS make maps uses getent and  
>>> winbind
>>> is set to enumerate user/groups. Make sure no passwords are in  
>>> there,
>>> only kerberos accounts.
>>>
>>> -Ross
>>>
>>
>>
>> Hey, Ross:
>>
>> How do you do this without cooperation from the administrator of the
>> AD servers?  I can't make any progress at all as long as the
>> administrators tell me to go to hell.  pam_smb is the only way I can
>> make this work without administrator intervention
>
> Same here - which is why I raised the question.  Although I probably
> could get permission to join the domain I want to be able to add users
> on the Linux side that don't exist in AD.  Pam_smb works but I think
> something that used LDAP would be better if the ldap server could have
> local entries and proxy for the AD.

To use LDAP there needs to be uid/gid/home/shell attributes set first,  
which if it isn't available probably won't be.

To use winbind+kerberos you need a machine account in the domain that  
you have the rights to modify the attributes of (samba list can get  
you the specific ones).

If you can get that, then set up kerberos per your domain, then join  
the domain with a 'net ads join -U <username>'

If all you want is local user accounts with domain rights you could  
just setup kerberos and pam_krb5 to authenticate against the domain.  
Then you'll get a TGT on login which most apps can use for SSO.

I can post specifics if you let me know your setup.

-Ross