Microsoft Active Directory authentication


Hi

My Linux box currently uses the AD for the Europe zone, but I have users who depend on the Asia zone.

Is it possible for the Red Hat Linux box to point to two Microsoft Active Directories (Asia and Europe) for user authentication?

Thanks

Responses

Hi Kazem. I've moved this discussion to the RHEL group. The Customer Portal group is for feedback and issues relating to this website.

Going to need a little information about your AD realms.

  • For starters, are they two, completely-separate realms or are they members of a common forest? What kinds of cross-realm trusts have you established?
  • Also, what tool are you using for your AD integration (if using the built in winbind, "which version"; if using something else - like Centrify or PowerBroker/Likewise - we'd need to know which version).

Hi

As the AD administrator explained, the domains are in a common forest without user synchronization between them.

We use Winbind and Kerberos

samba3x-winbind.i386                     3.5.4-0.70.el5            RHEL5.6-64

mod_auth_kerb.x86_64                     5.1-3.el5                 RHEL5.6-64

Currently the authentication works nicely for the Windows system, but I don't know how to do the same on Linux.

Thanks

Kazem

You state that you're using samba3x version of Winbind - that should make you compatible with AD servers up through 2008. Can't remember whether it breaks the authentication GUI, though.

Generally, the system-config-authentication GUI is good about walking you through a basic setup and getting you to the point where AD-based authentication "just works". Basically, just fire it up, click on the "create home directories" box on the options tab and "Enable winbind support" on the "user information" and "authentication" tabs, and click on the "configure winbind" button and follow the prompts.

Is this tool not working for you? If so, what errors is it throwing?

I *do* sorta recall that some of the RHEL components don't like the very high userids that can result if you use RID-mapping, though - but that was two-plus years ago since I ran into that problem.

There are three methods for authenticating RHEL 5 to Active Directory. All three methods are completely different and should be configured as per the requirement and environment.

nss_ldap
nss_ldap will authenticate against Active Directory using the LDAP/Kerberos method, if you have Unix Service for Windows configured and Unix attributes set for the Windows users.

SSSD
SSSD works in a similar way to nss_ldap, but it tries to cache the user credentials to provide authentication in case the authentication server is unavailable. It also requires Unix Service for Windows and Unix attributes for users.

Winbind Method
It configures the system to authenticate against Active Directory using Samba. It doesn't need any configuration on the Windows side, but needs a "Domain Admin" group user to join RHEL to Active Directory.

Can you tell us if you have Unix attributes for Windows installed and configured on your Active Directory system?

For SSSD with RHEL-5 https://access.redhat.com/knowledge/solutions/60450

For nss_ldap with RHEL-5 https://access.redhat.com/knowledge/solutions/29908

For winbind with RHEL-5 https://access.redhat.com/knowledge/solutions/43065 (This works on RHEL5 & RHEL6 both)
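
Added example, not part of any post in this thread and not the posters' or Red Hat's own configuration: a sketch of the `[global]` section of `/etc/samba/smb.conf` for the winbind method with two domains of one forest, following the per-domain layout shown in the Samba 3.x idmap_rid(8) man page. The domain names EUROPE and ASIA, the realm, and all ID ranges are placeholders; the point is that each domain gets its own non-overlapping range, so an account in one domain can never resolve to the same Unix UID as an account in the other.

```ini
[global]
    # Placeholder names: the box is joined to EUROPE; ASIA is the second
    # domain in the same forest, reached through the forest trust.
    workgroup = EUROPE
    realm = EUROPE.EXAMPLE.COM
    security = ads

    # Let winbind resolve users from trusted domains (this is the default).
    allow trusted domains = yes

    # Keep the DOMAIN\user form so identically named accounts in the two
    # domains stay distinct on the Linux side.
    winbind use default domain = no

    # Default allocation range for anything not covered by a per-domain
    # section below (for example BUILTIN groups).
    idmap backend = tdb
    idmap uid = 100000-199999
    idmap gid = 100000-199999

    # One RID-based range per domain. The ranges must not overlap, and a
    # RID larger than the width of its range gets no mapping at all, so
    # size each range for the highest RID in that domain.
    idmap config EUROPE : backend = rid
    idmap config EUROPE : range = 10000-49999
    idmap config ASIA : backend = rid
    idmap config ASIA : range = 50000-89999

    template shell = /bin/bash
    template homedir = /home/%D/%U
```

After editing the file, `testparm` checks the syntax, and `wbinfo -u` followed by `getent passwd 'ASIA\someuser'` (a hypothetical account) shows whether users from both domains resolve.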