[CentOS] Replace NIS by Active Directory

Fri Mar 18 13:05:51 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

On 18/03/2011 13:31, MOKRANI Rachid wrote:
> Hi,
>
> I'm looking for a wiki or shared experience on replacing NIS
> authentication with an existing Active Directory server (W2003). The
> problem is the management of id and gid.

Here is a very good blog, by Scott Lowe, where I found precise
information on how to set up LDAP/Kerberos authentication over
Active Directory:
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

If you have Windows 2003 R2, the schema already has Unix attributes (id,
gid, user's home...) compliant with POSIX.
You have to add the Windows component 'unix identity management', no
more SFU. A tab for 'unix attributes' will appear in the user properties
(Users and Computers management console).

> How to move 1000 actual NIS users to AD?
> How to keep the same id and gid for these 1000 users?
> What happens with the NFS Linux server and access with gid and/or id?
> Use the same user/password for Linux and Windows client
> authentication?

NFS will work if you add the windows component 'Microsoft Services for 
NFS'. If you still have NIS accounts on linux servers, the accounts 
should be indeed the same, with same id/gid.

To create your 1000 accounts, you can use VBS scripts. See for example
the very good book from O'Reilly 'Active Directory', or by the same author
(Allen) 'Active Directory cookbook'. It is something along the lines of:

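' objUser is an already-bound user object; intUid, intGid, strShell and
' strHome hold that user's existing NIS values.
objUser.msSFU30NisDomain = "AD_domain"
objUser.uidNumber = intUid
objUser.gidNumber = intGid
objUser.loginShell = strShell
' POSIX home directory; homeDirectory is the Windows home folder attribute
objUser.unixHomeDirectory = strHome

objUser.SetInfo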

> We tested a solution which works very well. It's Centrify commercial software
> http://www.centrify.com/directcontrol/overview.asp . But we are looking for
> a freeware solution. (kerberos ? openldap ? pam ? ...)

The solution outlined in Scott Lowe's blog is both standard and free (it
uses both Kerberos and LDAP + Samba).

>
> Has someone already successfully replaced NIS with AD authentication
> using a freeware solution?

Yes, I did on CentOS.

Regards,
Alain
>
> Regards.
>


-- 
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
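
Added example, not part of the original message: one way to carry the existing NIS uid/gid values over unchanged is to turn a dump of the NIS passwd map into LDIF modify records for the POSIX attributes named in the thread, holding back any entry that would leave two accounts on one uid. The container DN, the uid cut-off, the sample accounts, and the assumption that each AD user's CN equals the NIS login name are all illustrative.

```python
# Added example: NIS passwd map -> LDIF setting POSIX attributes on existing AD users.
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice A:/home/alice:/bin/bash
bob:x:1002:100:Bob B:/home/bob:/bin/tcsh
carol:x:1002:200:Carol C:/home/carol:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
broken:line
"""  # constructed sample in `ypcat passwd` format, not real accounts

USERS_DN = "CN=Users,DC=example,DC=com"  # assumption: placeholder container
NIS_DOMAIN = "AD_domain"                 # placeholder value from the snippet in the message
MIN_UID = 500                            # assumption: lower uids are local system accounts


def parse_passwd(text, min_uid=MIN_UID):
    """Return (users, problems); every kept user carries its NIS uid/gid unchanged."""
    users, problems, owner = [], [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "+-#":
            continue  # blank lines, comments and NIS compat entries
        f = line.split(":")
        if len(f) != 7 or not (f[2].isdigit() and f[3].isdigit()):
            problems.append(f"line {n}: malformed entry")
            continue
        uid, gid = int(f[2]), int(f[3])
        if uid < min_uid:
            continue  # system account, stays local to the host
        if uid in owner:
            # Two names on one uid are a single identity to NFS: review by hand.
            problems.append(f"line {n}: uid {uid} ({f[0]}) already used by {owner[uid]}")
            continue
        owner[uid] = f[0]
        users.append({"name": f[0], "uid": uid, "gid": gid, "home": f[5], "shell": f[6]})
    return users, problems


def to_ldif(user):
    """One LDIF modify record; assumes the AD object's CN equals the NIS login name."""
    attrs = [("msSFU30NisDomain", NIS_DOMAIN), ("uidNumber", user["uid"]),
             ("gidNumber", user["gid"]), ("loginShell", user["shell"]),
             ("unixHomeDirectory", user["home"])]
    out = [f"dn: CN={user['name']},{USERS_DN}", "changetype: modify"]
    for attr, value in attrs:
        out += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    users, problems = parse_passwd(SAMPLE_PASSWD)
    print("\n".join(to_ldif(u) for u in users))
    for p in problems:
        print("#", p)
```

The resulting records can be reviewed before import; the lines reported as problems are the accounts that need a manual decision, since a shared uid would give both users the same file access over NFS.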