[CentOS] Centos+AD integration (uid/gid problems)

Tue Mar 29 19:27:11 UTC 2011
Ray Van Dolson <rayvd at bludgeon.org>

On Tue, Mar 29, 2011 at 01:37:38PM -0500, Les Mikesell wrote:
> On 3/29/2011 1:29 PM, Ray Van Dolson wrote:
> >
> >>
> >> If you use something like Centrify Express or Likewise Open, the
> >> UID/GIDs are calculated the same way every time on every system that
> >> uses the software so it makes, IMO, setup & management a lot easier.
> >>
> >> Chris
> >
> > I can vouch for Likewise Open just working.  However, it too is based
> > on Samba and based on the OP's information, he should be able to
> > achieve deterministic UID/GID numbers across his system with standard
> > OS packages only if that is his goal.
> >
> > That said, if you have a variety of platforms and OS'es to support,
> > Likewise is a great option... (never tried Centrify)
> 
> Do either/both of these let you add accounts for the Linux side that 
> don't propagate back to AD?  I'd like something to use in a lab so 
> existing users/passwords didn't take extra work but we could still add 
> accounts that don't exist (and we don't want) in AD.  Easy hooks for 
> apache and java web services to see the combined accounts would be a big 
> plus.

My understanding is you'd have to rely on local accounts or a second
centralized authentication source (probably done via NSS not via
Likewise directly).

Maybe allowing the accounts to float back to AD but somehow restricting
them for Unix login use only...

(We have a long-standing project to migrate off NIS to AD-only --
preserving UID's/GID's and defining the sort of access requirements you
describe is a bit of a challenge).

Ray