RHEL7 Use Active Directory for authentication only
Hello,
I'm looking for a way to make my rhel7 server use the Windows' Active Directory for authentication purposes ONLY.
I already have my users defined in the /etc/passwd and /etc/group files.
So they have their own uid/gid for the rhel7 server.
If anyone has a step-by-step or an idea on how to accomplish this...
it will be greatly appreciated!
Thank you very much
Responses
Did you have a look into the RHEL 7 Windows Integration Guide?
Good Morning Eric,
Basically, I just want to use Windows' Active Directory to authenticate my users that I manage myself in the files /etc/passwd and /etc/group.
I'm not entirely sure but I think that's not possible. To use Active Directory for authentication you have to join your host to the Active Directory Domain and provide your Active Directory users with a gidNumber and a uidNumber to be able to use them for system logon. Once you have used a user from the AD to log in to your system you cannot create a user with the same name and UID/GID locally on your system.
If you create the user locally on your system, for example with useradd, the system would use the entry in /etc/passwd to authenticate this user and never look them up in Active Directory.
My statement is valid if you are using sssd for the Active Directory integration. For other ways of AD integration I don't know the exact behaviour but I doubt that you could solve your use case there.
What you have is a mapping problem. Windows uses SIDs for uid/gid-type functionality. Those SIDs have to be converted by the AD binding service (in your case, SSSD) to POSIX uids and gids (what you'd otherwise have in /etc/passwd). You'd need to do one of two things to auth against AD but have locally-managed user-attributes:
- edit your local files' uid/gid contents to match the POSIX uids/gids from your auth-service (and also some PAM kludgery)
- set up a mapping service between your auth-service and your local password system to create an equivalency between the two namespaces' uids/gids
The typical method for using a remote service is to let it control all of a given user's attributes - credentials and uids/gids.
What is it that you're trying to accomplish by splitting the way you seem to want? If we knew what you were trying to accomplish, there might be a better solution than those already offered.
It's just an idea and not tested or verified, but let's give it a thought.
In Active Directory you should have the extended attributes uidNumber and gidNumber. These attributes could be set manually or by script. If you could match your users in AD and /etc/passwd by name you may grep the uid and gid from /etc/passwd and set them in AD. It will take some powershell scripting to accomplish that but it may work.
This way you could get the information into the AD and use them on other AD integrated machines.
Just my two cents.
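The idea in the post above, as an added example that is not part of the thread: read passwd-format lines, keep only human accounts whose name also exists in AD, and emit one `Set-ADUser -Replace` line per match to be run later from the ActiveDirectory PowerShell module on a Windows admin host. The passwd lines and the AD account names (alice, bob, carol) are constructed; the example assumes the local login name equals the AD sAMAccountName.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
dave:x:1003:1003:Dave Local Only:/home/dave:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# Constructed list of AD sAMAccountNames (assumed to equal the local names).
SAMPLE_AD_USERS='alice carol bob'

# emit_set_aduser NAMES
#   stdin : passwd-format lines
#   NAMES : space-separated AD account names
# Prints one Set-ADUser command per account that is both a local human
# user (uid 1000..59999, i.e. not a system or nobody account) and present
# in NAMES, copying the local uid/gid into AD uidNumber/gidNumber.
emit_set_aduser() {
    awk -F: -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) inad[a[i]] = 1 }
        $3 >= 1000 && $3 < 60000 && ($1 in inad) {
            printf "Set-ADUser -Identity %s -Replace @{uidNumber=%d; gidNumber=%d}\n", $1, $3, $4
        }'
}

# demo: run the constructed sample through the generator and return the lines.
demo() {
    printf '%s\n' "$SAMPLE_PASSWD" | emit_set_aduser "$SAMPLE_AD_USERS"
}

demo
```

Accounts that exist only locally (dave) or only in AD (carol) produce no line, so the output doubles as a list of the names that can be handed over to AD; the local /etc/passwd entries for those names still have to be removed afterwards, since a local entry is used first and the AD lookup never happens.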
Hello Eric,
There is a big issue in the way you wish to accomplish your authentication. You need a mapping of the uid in Linux to the user-SID in the Windows AD. User names and/or group names are not concepts Linux and Windows AD are sharing.
For the mapping an AD extension is needed, an LDAP schema
Regards,
Jan Gerrit