Authenticating Linux against AD
-
I've not used Linux against AD much; when I did, it was with Centrify.
-
I've set up Centrify on my company laptop.
-
@coliver said:
Setting it up to authenticate is pretty easy. Ubuntu has an automated process and the CentOS one has a lot of guides available. The one thing I haven't been able to get working yet is setting up sudo with AD.
This blog post appears to show how to get winbind to handle sudo in AD: https://mikrocentillion.wordpress.com/2013/06/05/centos-6-authenticate-and-sudo-active-directory-users/.
-
Centrify Express or the paid option?
-
I used Centrify Express I believe...
edit: it was Express, I didn't pay anything.
-
This only works with Red Hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my Windows jargon if it's incorrect). You can then set up host- and user-based sudo permissions.
-
@johnhooks said:
This only works with Red Hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my Windows jargon if it's incorrect). You can then set up host- and user-based sudo permissions.
Is that for RHEL only, or the derived distros too?
-
@Kelly said:
@johnhooks said:
This only works with Red Hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my Windows jargon if it's incorrect). You can then set up host- and user-based sudo permissions.
Is that for RHEL only, or the derived distros too?
All RHEL-based as far as I know. I've only tried RHEL, CentOS and Fedora though.
-
@johnhooks said:
@Kelly said:
@johnhooks said:
This only works with Red Hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my Windows jargon if it's incorrect). You can then set up host- and user-based sudo permissions.
Is that for RHEL only, or the derived distros too?
All RHEL-based as far as I know. I've only tried RHEL, CentOS and Fedora though.
Now I have an interesting quandary. Do I go with something more universally supported so the scientists that love Ubuntu can stay on it, or push for unification on CentOS...
Probably the former given internal culture.
-
@Kelly said:
@johnhooks said:
@Kelly said:
@johnhooks said:
This only works with Red Hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my Windows jargon if it's incorrect). You can then set up host- and user-based sudo permissions.
Is that for RHEL only, or the derived distros too?
All RHEL-based as far as I know. I've only tried RHEL, CentOS and Fedora though.
Now I have an interesting quandary. Do I go with something more universally supported so the scientists that love Ubuntu can stay on it, or push for unification on CentOS...
Probably the former given internal culture.
Ya, we are an all-Red-Hat shop so it's easy for us.
I don't remember but Landscape might give you this ability for Ubuntu also.
-
FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.
-
@johnhooks said:
FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.
Interesting, never noticed that it had a button like that. Have only demo'd it once, so have not used Cockpit much; that would be a neat feature.
-
@scottalanmiller said:
@johnhooks said:
FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.
Interesting, never noticed that it had a button like that. Have only demo'd it once, so have not used Cockpit much; that would be a neat feature.
Just got in. Here's what comes up when you click it:
-
@johnhooks So it works as expected (or at least it appears to).
Did you join this system to your domain?
-
@DustinB3403 said:
@johnhooks So it works as expected (or at least it appears to).
Did you join this system to your domain?
No, I don't have anything to do with the domain stuff. This PC is also on a different network so I can't join it to our normal domain anyway.
If I feel ambitious I'll try it at home.
-
I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.
Have any of you ever tried Zentyal (for the authentication portion, not the email)?
-
No, keep meaning to look at Zentyal but never get around to it.
-
@Kelly said:
I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.
Have any of you ever tried Zentyal (for the authentication portion, not the email)?
I did it one time with a Zentyal VM and an old Windows 7 laptop. All I did was join the domain, so other than saying yes it will join, I have no idea what management and everything else is like.
-
@Kelly Zentyal uses Samba 4, so you basically end up with a compatible Active Directory domain controller. You would still need to use PBIS or sssd to authenticate your Linux machines to the domain controller. Centrify does not work with a Samba 4 domain controller, but as I mentioned before, either PBIS or setting up sssd works ok.
As for the management aspect of Zentyal, you can use the web interface to set most of the things you are used to when managing an AD DC except group policy settings; to also have group policy settings you can use RSAT and manage it exactly the same as a Windows AD DC.
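An added check, not from this thread or from any of the products named in it, that contrasts a permissive sssd.conf with a hardened one for a Linux host joined to an AD (or Samba 4) domain; both files are constructed inline, and the domain name `example.test` is a placeholder.

```shell
#!/bin/sh
# Constructed example: lint an sssd.conf for an AD-joined host. Flags the
# settings that most often turn "it joined the domain" into "every domain
# user can log in and nobody verifies the DC certificate".

# check_sssd_conf FILE: prints one finding per line; exit status = findings.
check_sssd_conf() {
    conf="$1"
    findings=0
    # access_provider = permit lets every AD user log in to this host.
    if grep -Eq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*permit' "$conf"; then
        echo "WEAK: access_provider = permit (no host-based access control)"
        findings=$((findings + 1))
    fi
    # Without the sudo service, sudo rules published in AD/IdM are never consulted.
    if ! grep -Eq '^[[:space:]]*services[[:space:]]*=.*sudo' "$conf"; then
        echo "NOTE: sssd sudo service not enabled; sudo rules stay local only"
        findings=$((findings + 1))
    fi
    # never/allow skips certificate validation of the domain controller.
    if grep -Eq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(never|allow)' "$conf"; then
        echo "WEAK: ldap_tls_reqcert does not verify the DC certificate"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample configs (domain name is a placeholder).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[sssd]
domains = example.test
services = nss, pam
[domain/example.test]
id_provider = ad
access_provider = permit
ldap_tls_reqcert = never
EOF
cat > "$HARD_CONF" <<'EOF'
[sssd]
domains = example.test
services = nss, pam, sudo
[domain/example.test]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
sudo_provider = ad
EOF

check_sssd_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
check_sssd_conf "$HARD_CONF" && echo "hardened config: no findings"
```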