
I have multiple CentOS servers that are all currently working off of a local /etc/passwd for user account control and have local home folders, etc.

This makes it a pain when users come on board, leave, etc., since I have to log into each server to control the users. We currently have a 2008 AD domain and would like to leverage it to enable SSO (single sign-on across all servers).

I would like to allow only specific users access to log into the Linux servers, and would like to be able to maintain local system accounts etc. on the Linux boxes. The users currently have the same firstname.lastname usernames in both Linux and AD.

I have found many different guides but it seems that everyone has a different way of doing it and none seem to work very well.

Can someone please offer me an up-to-date guide that works well with 2008? (I should point out that Samba etc. works now with 2008 in the latest versions.)

  1. Will I have to remove the local user accounts?
  2. I take it they will get new home folders (it would be nice to keep their old ones, but not a big deal). If they could access home folders through a Windows share etc., that would be cool.
  3. Do I have to do any configuration changes on my 2008 AD servers?
gideon
Luke

3 Answers


What Emory University did looks pretty promising:

Kerberos, Single Sign On and LDAP Authorization to Apache running on CentOS 5.5.

Don't forget kinit and klist commands to test your Kerberos key on your CentOS boxes.

Reaces
stevnewguy

Here is info about Active Directory authentication using LDAP in detail: http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP

It's part of the Gentoo Linux documentation (wiki), but the tools and mechanisms are the same for all Linux distros. Hope you'll find answers for most of your questions here.

Sergey

I realize that this is a bit late, but I'm a big fan of using RADIUS authentication. Properly configured, the users can still be administered and managed via Puppet (very important to me) but still use the account info from AD.

I like using the RADIUS server from Microsoft, NPS, a free product that works well for connecting up everything with single sign-on (I also use this for my network switches and a couple of appliances I deal with).

If you want to go this route, install the pam_radius module (you might need to look for it, but there is an RPM available). You'll only need to update two or three config files to make it function properly (which I also do via Puppet).

/etc/raddb/server

    # server[:port]   shared_secret   timeout
    <hostname>:port <password> 3:3

system-auth-ac

    auth        sufficient    pam_unix.so ...
    auth        sufficient    pam_radius_auth.so
    ...
Tim Brigham
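As an added check to go with the pam_radius answer above (this script is mine, not the answer's), the two things worth verifying after editing those files are that the server list, which holds the RADIUS shared secret, is readable only by root, and that the auth stack still consults pam_unix.so ahead of pam_radius_auth.so so local system accounts keep working. It assumes Linux coreutils (`stat -c`) and the file paths named in the answer; the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added sanity check for a pam_radius setup (not from the answer above).
# Assumes Linux coreutils for stat -c; file paths follow the answer.

# /etc/raddb/server holds the RADIUS shared secret, so it must be mode 0600,
# and every active line needs the form "server[:port] shared_secret timeout".
check_radius_server_file() {
    f="$1"
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$mode" != "600" ]; then
        echo "$f: mode $mode, want 600 (shared secret readable by others)" >&2
        return 1
    fi
    n=0
    while read -r host secret timeout rest; do
        case "$host" in ''|\#*) continue ;; esac   # skip blanks and comments
        if [ -z "$secret" ] || [ -z "$timeout" ]; then
            echo "$f: incomplete entry for '$host'" >&2
            return 1
        fi
        n=$((n + 1))
    done < "$f"
    [ "$n" -gt 0 ] || { echo "$f: no RADIUS servers listed" >&2; return 1; }
}

# The auth stack must keep pam_unix.so (local system accounts still log in)
# and list pam_radius_auth.so after it, as in the answer, so local users are
# tried before any network round-trip to the RADIUS server.
check_pam_stack() {
    f="$1"
    unix_ln=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$f" | head -n 1 | cut -d: -f1)
    radius_ln=$(grep -n '^auth[[:space:]].*pam_radius_auth\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$unix_ln" ]   || { echo "$f: no auth line for pam_unix.so" >&2; return 1; }
    [ -n "$radius_ln" ] || { echo "$f: no auth line for pam_radius_auth.so" >&2; return 1; }
    if [ "$radius_ln" -lt "$unix_ln" ]; then
        echo "$f: pam_radius_auth.so listed before pam_unix.so" >&2
        return 1
    fi
}

# Usage on a real box (paths from the answer):
#   check_radius_server_file /etc/raddb/server && check_pam_stack /etc/pam.d/system-auth-ac
```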