[CentOS] Centos+AD integration (uid/gid problems)
Les Mikesell
lesmikesell at gmail.com
Tue Mar 29 19:44:41 UTC 2011
On 3/29/2011 2:27 PM, Ray Van Dolson wrote:
>
>>> That said, if you have a variety of platforms and OSes to support,
>>> Likewise is a great option... (never tried Centrify)
>>
>> Do either/both of these let you add accounts for the Linux side that
>> don't propagate back to AD? I'd like something to use in a lab so
>> existing users/passwords didn't take extra work but we could still add
>> accounts that don't exist (and we don't want) in AD. Easy hooks for
>> apache and java web services to see the combined accounts would be a big
>> plus.
>
> My understanding is you'd have to rely on local accounts or a second
> centralized authentication source (probably done via NSS not via
> Likewise directly).
>
> Maybe allowing the accounts to float back to AD but somehow restricting
> them for Unix login use only...
>
> (We have a long-standing project to migrate off NIS to AD-only --
> preserving UIDs/GIDs and defining the sort of access requirements you
> describe is a bit of a challenge).
I thought I had seen tools that can proxy LDAP services to multiple
backends, with one of them being AD but at the time it seemed too
complicated so I set up pam_smb and mod_auth_pam in apache (and set up
apache to not require account info). That lets me add local accounts to
a machine for the people who either need login-type services or aren't
in AD and still accept passwords that are in AD. But, it has to be
repeated per machine and I don't have java web services working with it.
What I'd like to have is an LDAP server or even a separate AD server
to manage extra users and then a proxy service that combines the logins
from both sources for any number of clients. Basically I want to trust
both authentication sources, but not add mine to the main AD or have it
trust mine, and I want it in a way that apache, java, etc. already
understand, besides being usable for login service.
--
Les Mikesell
lesmikesell at gmail.com
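The pam_smb plus mod_auth_pam arrangement described in the message above, written out as an added example (it is not configuration from the original post, nor from the pam_smb or mod_auth_pam projects). The PAM stack for the Apache service first accepts a local password, then falls through to the NT domain controller; the account stack is pam_permit so a user who exists only in AD passes without a local passwd entry, which is the "not require account info" part. The PAM service name, domain name, domain controller hostnames, config file path and URL prefix are assumed values.

```apache
# --- /etc/pam.d/httpd ---
# Service name is an assumption; it must match the PAM service name
# that the installed mod_auth_pam uses.
#
# auth: "sufficient" ends the stack at the first module that succeeds,
# so a local password works, and a user with no local entry is still
# checked against the domain by pam_smb.  The trailing pam_deny keeps
# the stack from falling off the end with no decision.
# (nolocal tells pam_smb to skip its own /etc/passwd lookup; confirm the
# option name against the pam_smb build you actually install.)
auth     sufficient  pam_unix.so
auth     sufficient  pam_smb_auth.so nolocal
auth     required    pam_deny.so
#
# account: no local account record is required at all.  pam_unix would
# reject AD-only users here, which is exactly what we do not want.
account  required    pam_permit.so

# --- /etc/pam_smb.conf ---
# The real file takes exactly three lines and no comments:
# NT domain name, primary domain controller, backup domain controller.
# Values below are constructed examples.
EXAMPLE
dc1.example.test
dc2.example.test

# --- /etc/httpd/conf.d/pam-auth.conf ---
# Protect one URL prefix (path is an assumption) with Basic auth that
# is answered by PAM.  With no AuthUserFile present, mod_auth_pam is the
# only authenticator, and any user the PAM stack accepts is valid here.
<Location /internal>
    AuthType Basic
    AuthName "AD or local password"
    AuthPAM_Enabled on
    Require valid-user
</Location>
```

Two caveats a practitioner should keep in mind with this layout. Basic auth carries the user's AD password in the clear on every request, so the protected location must only be reachable over HTTPS. And because the local stack is "sufficient" before pam_smb, a local /etc/passwd account with the same name as an AD user shadows the AD password for that user on that machine, which is fine in a lab but worth remembering when the two namespaces start to overlap.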