[CentOS] Best way to integrate CentOS in Windows AD environment
James A. Peltier
jpeltier at sfu.ca
Fri May 8 16:29:19 UTC 2015
----- Original Message -----
| We currently use a combination of Kerberos and NIS to manage users on our
| CentOS 6 systems in a Windows AD environment. NIS is provided by Windows
| Services for UNIX (or something named similarly), which has some issues, and
| is also not going to be supported by Microsoft in the future. NIS supplies
| the passwd file as well as the auto mount map for home directories as shown
| by this excerpt from our /etc/nsswitch.conf file:
|
| passwd: files nis
| shadow: files nis
| group: files nis
|
| Our systems are configured using something similar to the following in our
| Kickstart config file:
|
| authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
| --nisserver=nis.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
| --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
|
| where nis1 and nis2 are the local AD domain controllers. With this
| configuration, any user can log into any CentOS system, and their home
| directory is automatically mounted over NFS with autofs. This works great,
| except for when the network is down and/or the home directory NFS server is
| not available, when the systems pretty much just hang. It’s also only good
| for workstations and servers, but not laptops that may not be on the
| network.
|
| I would like to move to CentOS 7 and a model where we don’t use NIS at all,
| the users and (local) home directories are automatically created on login
| using the UID stored on the LDAP server. Before I re-invent the wheel, has
| somebody done this already? If so, can you share the authconfig line from
| your Kickstart file? To summarize, I’d like to:
|
| Use LDAP/Kerberos provided by Windows AD servers to authenticate users
| Automatically create accounts/home directories upon first login
| Not require the system to be on the network (provided the user has logged in
| at least once to create the account locally)
|
| Thanks in advance for any suggestions/examples.
|
| Alfred
|
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos
|
You can feel free to contact me off list and we can let you know what we are doing to keep our NIS/AD environment in sync. ;)
--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 604-365-6432
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology
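The reply above takes the answer off-list, so the thread itself never shows a CentOS 7 configuration. The following is an added example, not code from either poster: an SSSD configuration that meets the three requirements in the question (AD Kerberos/LDAP authentication, local home directories created on first login, and logins that keep working with no domain controller reachable). It assumes the realm XXX.COM from the quoted Kickstart line, that AD stores a uidNumber/gidNumber for each user (the "UID stored on the LDAP server" the question refers to), and a local home path and cache expiry that are only illustrative.

```ini
; /etc/sssd/sssd.conf (mode 0600, owned by root) - added example, realm and paths assumed
[sssd]
config_file_version = 2
services = nss, pam
domains = XXX.COM

[domain/XXX.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = XXX.COM
krb5_realm = XXX.COM

; Use the POSIX uidNumber/gidNumber attributes stored in AD (the values NIS used
; to publish) instead of SSSD's algorithmic SID-to-UID mapping. Accounts with no
; uidNumber set in AD will not resolve at all with this setting.
ldap_id_mapping = False

; Force a local home directory even if AD still carries an NFS path in
; unixHomeDirectory; oddjob_mkhomedir creates it on first login.
override_homedir = /home/%u
default_shell = /bin/bash
use_fully_qualified_names = False

; Offline login for laptops: keep a hash of the last successful password and
; the Kerberos password so the user can log in without a domain controller.
cache_credentials = True
krb5_store_password_if_offline = True

[pam]
; Days a cached credential stays valid without contacting a DC (0 = no expiry);
; 30 is an assumed value.
offline_credentials_expiration = 30

[nss]
```

The usual sequence on a freshly installed CentOS 7 host is `realm join --user=<admin> XXX.COM` (which creates the host keytab and a starting sssd.conf to merge the settings above into), then `authconfig --enablesssd --enablesssdauth --enablemkhomedir --update`, which switches the `passwd`, `shadow` and `group` lines in /etc/nsswitch.conf from `files nis` to `files sss` and enables the home-directory creation module. Because the home directory is local, the autofs/NFS dependency that hung the CentOS 6 systems disappears; the trade-off is that a user only gets offline access on a machine they have already logged in to once while a DC was reachable, which matches the question's stated requirement.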