[CentOS] Best way to integrate CentOS in Windows AD environment

Fri May 8 16:29:19 UTC 2015
James A. Peltier <jpeltier at sfu.ca>


----- Original Message -----
| We currently use a combination of Kerberos and NIS to manage users on our
| CentOS 6 systems in a Windows AD environment.  NIS is provided by Windows
| Services for UNIX (or something named similarly), which has some issues, and
| is also not going to be supported by Microsoft in the future.  NIS supplies
| the passwd file as well as the auto mount map for home directories as shown
| by this excerpt from our /etc/nsswitch.conf file:
| 
|   passwd:     files nis
|   shadow:     files nis
|   group:      files nis
| 
|  Our systems are configured using something similar to the following in our
|  Kickstart config file:
| 
|   authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
|   --nisserver=nis.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
|   --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
| 
| where nis1 and nis2 are the local AD domain controllers.  With this
| configuration, any user can log into any CentOS system, and their home
| directory is automatically mounted over NFS with autofs.  This works great,
| except for when the network is down and/or the home directory NFS server is
| not available, when the systems pretty much just hang.  It’s also only good
| for workstations and servers, but not laptops that may not be on the
| network.
| 
| I would like to move to CentOS 7 and a model where we don’t use NIS at all,
| the users and (local) home directories are automatically created on login
| using the UID stored on the LDAP server. Before I re-invent the wheel, has
| somebody done this already?  If so, can you share the authconfig line from
| your Kickstart file?  To summarize, I’d like to:
| 
| Use LDAP/Kerberos provided by Windows AD servers to authenticate users
| Automatically create accounts/home directories upon first login
| Not require the system to be on the network (provided the user has logged in
| at least once to create the account locally)
| 
| Thanks in advance for any suggestions/examples.
| 
| Alfred
| 
| _______________________________________________
| CentOS mailing list
| CentOS at centos.org
| http://lists.centos.org/mailman/listinfo/centos
| 


You can feel free to contact me off list and we can let you know what we are doing to keep our NIS/AD environment in sync. ;)

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology
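An added example, not from either poster in this thread: a dry-run script for the CentOS 7 model the original question asks about (AD-backed LDAP/Kerberos via SSSD instead of NIS, local home directories created on first login, cached credentials so a laptop can log in off the network). The realm EXAMPLE.COM, the domain example.com, the controller names dc1/dc2 and the base path /home are assumed site values; it also assumes the host has already been joined to the domain (for example with realm join or adcli, which writes the host keytab) and that the sssd and oddjob-mkhomedir packages are installed. By default it only prints what it would run; set APPLY=1 on the joined host to write the files.

```shell
#!/bin/sh
# Added example: generate the Kickstart authconfig line and an sssd.conf that
# replace NIS with SSSD against AD. All site values below are assumptions.
AD_REALM="${AD_REALM:-EXAMPLE.COM}"                   # assumed Kerberos realm
AD_DOMAIN="${AD_DOMAIN:-example.com}"                 # assumed AD DNS domain
AD_DCS="${AD_DCS:-dc1.example.com,dc2.example.com}"   # assumed domain controllers

# authconfig line for the Kickstart %post or the authconfig directive:
# SSSD for identity and authentication, sha512 local hashes, and
# pam_oddjob_mkhomedir so a home directory is created on first login.
ad_authconfig_cmd() {
    printf 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --passalgo=sha512 --update\n'
}

# sssd.conf for the AD domain. id_provider=ad reads uidNumber/gidNumber from
# AD when ldap_id_mapping is off, which keeps the UIDs NIS used to hand out.
render_sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${AD_DOMAIN}

[domain/${AD_DOMAIN}]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ${AD_DOMAIN}
krb5_realm = ${AD_REALM}
ad_server = ${AD_DCS}
# use the POSIX attributes stored in AD rather than SID-derived IDs
ldap_id_mapping = False
# keep a hash of the last good password so login works with no DC reachable
cache_credentials = True
# local home directory (no NFS), created on first login by pam_oddjob_mkhomedir
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
}

# Returns 0 when the config supports the two requirements from the question:
# offline login (cache_credentials) and a local home path (fallback_homedir).
check_offline_ready() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^cache_credentials = True' || return 1
    printf '%s\n' "$conf" | grep -q '^fallback_homedir = /' || return 1
    return 0
}

# Apply only when APPLY=1 on the joined host (as root); otherwise dry-run.
apply_config() {
    if [ "${APPLY:-0}" = "1" ]; then
        render_sssd_conf > /etc/sssd/sssd.conf
        chmod 600 /etc/sssd/sssd.conf          # sssd refuses world-readable config
        eval "$(ad_authconfig_cmd)"
        systemctl enable --now oddjobd sssd
    else
        echo "# dry run; would run:"
        ad_authconfig_cmd
        echo "# and write the following to /etc/sssd/sssd.conf:"
        render_sssd_conf
    fi
}

apply_config
```

The first login of each user still has to happen while a domain controller is reachable, because SSSD only caches a credential after one successful online authentication; after that the user in question can log in with the network down, which is exactly the laptop case the question raises.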