I am currently messing around a bit at my workplace with AD, Netboot and Linux.

We have several PCs running MacOS and Windows which are all part of an Active Directory 2008 Domain. Most of the PCs are Dual Boot with a different hostname and AD Account for each OS.

I have started playing around with diskless Linux installations using iPXE combined with a Network Block Device (with Copy On Write enabled), which works surprisingly well considering the really slow hard disk on the NBD server. Hostnames for the boxes are provided via DNS.

But I am now a bit stuck on how to make it possible for AD users to sign in to the instances of the unified diskless image. I was able to join the domain from one computer and "save" this to the image. (Does winbindd save this somewhere? What does it save?) Using this, sometimes I am now able to log in from other computers, sometimes I am not. Weirdly enough it seems to work from within sddm and gdm but not from ttys, even if they share the same PAM config.

Now I am rather unsure whether it is possible to share one AD computer account between several instances to provide user login.

Is the "AD-joined" state saved somewhere? Can I share one account between several instances? Can I use the instances simultaneously without triggering some security mechanisms? Can I join several computers (with different hostnames) with one unified image? Can I somehow piggyback on the Windows accounts already joined to the domain?

From what I have gathered it is no problem for cloned images to have the same SID because the unique RID is generated upon joining (Joining Linux cloned VM to Active directory).

But wouldn't the RID be the same as well if I clone an image (or use a "unified image" in my case)?

Further: is there another way to provide authentication via AD without the Linux box being a member of the domain (e.g. just using the LDAP feature)?

  • So now you effectively have several computers pretending to be the same computer. This isn't going to work; it wouldn't even work if they were Windows. You will have to make them somehow unique. – Michael Hampton Nov 10 '16 at 21:41
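An added example, not from the question, the comment or the answer: a boot-time hook for a diskless instance that boots the shared image. A machine account is tied to one computer name, so the hook refuses to reuse a join that was made under another hostname (or that the DC no longer accepts) and re-joins this instance into its own copy-on-write overlay instead. It assumes two hypothetical files not mentioned on the page: a record of the name the image was last joined as, and a root-only `net` authentication file for a provisioning account that may only create computer objects.

```shell
#!/bin/sh
# Added example (not the question's or answer's own setup). Run early at boot,
# before winbind starts, on every instance that boots the shared diskless image.
#
# Assumptions (hypothetical paths, not from the page):
#   JOIN_RECORD  - written by this hook, holds the short hostname last joined as
#   JOIN_CRED    - root-only file in net(8) --authentication-file format for a
#                  provisioning account limited to creating computer objects
JOIN_RECORD=${JOIN_RECORD:-/var/lib/samba/private/joined-as}
JOIN_CRED=${JOIN_CRED:-/etc/samba/join.cred}

# decide_join_action CURRENT_HOST RECORDED_HOST TESTJOIN_RC -> reuse | rejoin
# Pure decision logic, kept separate so it can be exercised without a domain.
decide_join_action() {
    cur=$1; rec=$2; rc=$3
    if [ -n "$rec" ] && [ "$cur" != "$rec" ]; then
        echo rejoin   # stored machine secret was issued to a different computer name
    elif [ "$rc" -ne 0 ]; then
        echo rejoin   # same name, but the DC no longer accepts the stored secret
    else
        echo reuse    # this instance owns the join baked into the image
    fi
}

# ensure_unique_join: gather the live state and act on the decision.
# A re-join resets the machine password, so the new secret lives only in this
# instance's copy-on-write overlay and other instances cannot share it.
ensure_unique_join() {
    host=$(hostname -s)
    rec=$(cat "$JOIN_RECORD" 2>/dev/null)
    if net ads testjoin >/dev/null 2>&1; then rc=0; else rc=1; fi
    case $(decide_join_action "$host" "$rec" "$rc") in
      reuse) return 0 ;;
      rejoin)
        [ -r "$JOIN_CRED" ] || { echo "no join credential for $host" >&2; return 1; }
        net ads join --authentication-file="$JOIN_CRED" || return 1
        printf '%s\n' "$host" > "$JOIN_RECORD"
        ;;
    esac
}

# Only touch the domain when invoked as "join-hook.sh run".
case ${1:-} in run) ensure_unique_join ;; esac
```

If the hook has to re-join on most boots, the hostnames handed out via DNS are not unique per instance, which is the situation the comment above describes.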

1 Answer

Thank you for your reply.

In the end I just used the LDAP part of the AD server, following this guide (https://wiki.archlinux.org/index.php/LDAP_authentication). pam_mount was just as happy to mount the home directories as it was with winbind.

Less hassle, same result (at least for the user).