Integrating RHE3 & Windows 2k3 2005-06-01 - By Bowen, III, Clint
Jason Williard wrote:
> I have 5 servers (3 RHE3; 2 Win2k3) that I would like to integrate with
> a single authentication system. The 2 Win2k3 servers are currently
> connected via Active Directory and I have been experimenting with
> ways of connecting RHE3 to Win2k3. So far, I have tried Microsoft's
> Services for UNIX. This works, but only synchronizes the password for
> users that already exist.
>
> I would like to be able to manage users from a single system, either
> Windows or Linux. In the ideal situation, I could add, remove or
> modify users and have the changes propagated to all systems. The
> only solution that I have been presented with so far is to use LDAP
> to connect to Active Directory and provide authentication to the
> Linux systems. However, I have run into a couple of problems. With the
> documentation I have been able to find, I would need one of two
> tools: either Vintela's VAS or AD4Unix. While VAS seems like a good
> solution, it requires a larger expense than my company can afford at
> this time. As for AD4Unix, I have been unable to find a recent
> distribution. From what I can see, the development has halted.
>
> With that, does anyone have any suggestions on what route I should
> take?
>
> ---
> Thank You
> Jason Williard
We are in the middle of a long-term migration to RHEL, and while our auth set-up will eventually change, we do have a solution like you want, with the caveat that ours are W2K servers.

I use MS SFU's NIS server, which upon install automatically adds the necessary fields to AD (GECOS, shell, UID/GID, etc.). It also adds new tabs to the Active Directory Users and Computers MMC to modify these settings. This provides the information for the user, and the authentication is provided by Kerberos. This can be easily configured on your RHEL box using authconfig.

You now have a single source for uid/gid, meaning they are the same across the network, and get the benefit of AD's built-in replication. You have a single password, as opposed to a synchronized password. Your auth comes from the same source no matter the client. Since RHEL uses PAM, all services may take advantage of this setup, including local login, SSH, Apache (mod_auth_pam), vsftpd, Samba, etc.

When the time comes to take down the AD controllers, ypcat provides a very nice dump of the database for use in flat files or import into another backend (e.g. OpenLDAP, or the rumored-to-be-soon-released Netscape directory server ;). Yes, the passwords may have to be reset upon such a move - we're not that far along yet.

Hope this helps,
Clint Bowen Assistant Director of IT Barton College 400 ACC Drive Wilson, NC 27893 252.399.6597
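The migration step Clint mentions at the end (dump the NIS maps with ypcat, then load them into OpenLDAP) is the part most people get wrong, so here is an added example of that conversion. It is not code from the list post or from SFU; it is a POSIX shell script that turns "ypcat passwd" / "ypcat group" style lines into LDIF for posixAccount/posixGroup entries. The base DN, the OU names, the 1000 minimum uid and the sample records are all assumptions constructed for the demo. The NIS password field is deliberately not copied across: with SFU the real credential lives in Kerberos, and as the post says the passwords will need resetting anyway, so each user gets a locked userPassword.

```shell
#!/bin/sh
# Added example, not part of the original post. Converts a NIS dump into
# LDIF for an OpenLDAP backend. All names below are assumptions.
#
# For reference only (not executed here): the RHEL 3 client side of the
# setup described in the post is done with authconfig. With authconfig 4.x
# the non-interactive form looks roughly like this (placeholders, check
# your release's man page for exact flag names):
#   authconfig --enablenis --nisdomain=EXAMPLE --nisserver=dc1.example.com \
#              --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=dc1.example.com \
#              --krb5adminserver=dc1.example.com --kickstart

BASE_DN="dc=example,dc=com"          # assumption
PEOPLE_OU="ou=People,$BASE_DN"       # assumption
GROUP_OU="ou=Group,$BASE_DN"         # assumption

# Constructed sample of what "ypcat passwd" returns
# (name:passwd:uid:gid:gecos:home:shell). The password field is whatever
# the NIS server exports; it is never reused below.
SAMPLE_PASSWD='jwilliard:*:10001:10000:Jason Williard:/home/jwilliard:/bin/bash
cbowen:*:10002:10000:Clint Bowen:/home/cbowen:/bin/bash
svc_backup:*:999:10000:Backup Service:/var/lib/backup:/sbin/nologin'

# Constructed sample of "ypcat group" (name:passwd:gid:members).
SAMPLE_GROUP='users:*:10000:jwilliard,cbowen
backupops:*:10010:svc_backup'

# nis_passwd_to_ldif MIN_UID: passwd lines on stdin, LDIF on stdout.
# Accounts below MIN_UID are treated as system accounts and skipped.
# userPassword is set to a locked crypt value so the user must be reset
# (or re-pointed at Kerberos) before logging in.
nis_passwd_to_ldif() {
    min_uid="${1:-1000}"
    awk -F: -v ou="$PEOPLE_OU" -v min="$min_uid" '
    NF != 7 { next }                 # skip malformed lines
    $3 + 0 < min { next }            # skip system accounts
    {
        printf "dn: uid=%s,%s\n", $1, ou
        print "objectClass: top"
        print "objectClass: account"
        print "objectClass: posixAccount"
        printf "uid: %s\n", $1
        printf "cn: %s\n", ($5 == "" ? $1 : $5)
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        printf "loginShell: %s\n", ($7 == "" ? "/sbin/nologin" : $7)
        print "userPassword: {CRYPT}!"   # locked until reset
        print ""
    }'
}

# nis_group_to_ldif: group lines on stdin, posixGroup LDIF on stdout.
nis_group_to_ldif() {
    awk -F: -v ou="$GROUP_OU" '
    NF < 3 { next }                  # skip malformed lines
    {
        printf "dn: cn=%s,%s\n", $1, ou
        print "objectClass: top"
        print "objectClass: posixGroup"
        printf "cn: %s\n", $1
        printf "gidNumber: %s\n", $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }'
}

# Demo on the constructed samples. In a real migration the input would be
#   ypcat passwd | nis_passwd_to_ldif 1000 > people.ldif
#   ypcat group  | nis_group_to_ldif      > groups.ldif
# followed by ldapadd -x -D "cn=Manager,$BASE_DN" -W -f people.ldif etc.
printf '%s\n' "$SAMPLE_PASSWD" | nis_passwd_to_ldif 1000
printf '%s\n' "$SAMPLE_GROUP"  | nis_group_to_ldif
```

Two things to check before loading the result: that the uidNumber/gidNumber values are the same ones the RHEL boxes have been using from NIS (otherwise file ownership breaks after the cut-over), and that no entry carried a usable password hash, since NIS traffic is unauthenticated and anything that was in the map should be considered exposed.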
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list