Linux integration with Active Directory
We may think whatever we want about Microsoft Active Directory; the truth is that MS AD is a widely used system for computer management. It works, and it can be used for both Windows and Linux authentication and authorisation.
There are several ways to integrate a Linux system into AD [1]. When direct integration is chosen, one of several methods may be used, depending on whether the computer is a domain member or not:
- Computer is a domain member
  - Samba4 + winbind
  - SSSD
  - SSSD + realmd
- Computer is not a domain member
  - LDAP + Kerberos
  - SSSD
Samba + winbind
LDAP + Kerberos
LDAP is used to obtain account information; Kerberos provides the authentication. The former is handled by libnss-ldap, the latter by libpam-krb5.
libnss-ldap
# Replace windc.example.com with your Windows DC
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
# Add a user to AD that can read the container
# with the users you want to use.
binddn ldap-connect@example.com
bindpw ldapconnectpassword
scope sub
timelimit 30
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_lookup_policy yes
# Change cn=User,dc=e... to the container that holds your users.
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_base_shadow cn=Users,dc=example,dc=com?sub
nss_base_group cn=Users,dc=example,dc=com?sub
# For MSSFU:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
#nss_map_attribute uid uid
nss_map_attribute uniqueMember primaryGroupID
#nss_map_attribute uidNumber uidNumber
#nss_map_attribute gidNumber gidNumber
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName
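To make clear what the nss_map_objectclass and nss_map_attribute lines above actually do, here is an added example (written for this page, not code from the libnss-ldap project or the original author) that parses an ldap.conf fragment modelled on the one above, applies the mapping to a constructed AD user entry and renders the passwd(5) line that results. It also flags two settings a practitioner would want to check in this configuration: the plain ldap:// URI without ssl start_tls, and the bind password stored in the config file. The config text, the AD entry and the "*" placeholder for the password field are this example's own assumptions.

```python
"""Apply libnss-ldap attribute mappings from ldap.conf to an AD entry.

Added example, not part of the original page. It shows how the
nss_map_* directives translate RFC 2307 posixAccount attribute names
into the AD attribute names libnss-ldap reads, and audits two settings.
"""
from __future__ import annotations

import shlex

# Constructed ldap.conf fragment, modelled on the page's configuration.
LDAP_CONF = """
uri ldap://windc.example.com/
base dc=example,dc=com
ldap_version 3
binddn ldap-connect@example.com
bindpw ldapconnectpassword
nss_base_passwd cn=Users,dc=example,dc=com?sub
nss_map_objectclass posixAccount User
#nss_map_attribute uid uid
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute loginShell loginShell
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName
"""

# Constructed AD user entry with the RFC 2307 attributes SFU/IdMU adds.
# Real entries are multi-valued; objectClass is kept as a list here.
SAMPLE_AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": "jdoe",
    "uid": "jdoe",
    "uidNumber": "10001",
    "gidNumber": "10000",
    "name": "John Doe",
    "unixHomeDirectory": "/home/jdoe",
    "loginShell": "/bin/bash",
}

# posixAccount attributes that make up a passwd(5) line, in field order.
PASSWD_FIELDS = ("uid", "userPassword", "uidNumber", "gidNumber",
                 "gecos", "homeDirectory", "loginShell")


def parse_ldap_conf(text: str) -> tuple[dict[str, str], dict[str, str]]:
    """Return (options, attr_map). Commented-out lines are skipped, so an
    attribute without a mapping keeps its RFC 2307 name (e.g. uid)."""
    options: dict[str, str] = {}
    attr_map: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "nss_map_attribute" and len(parts) == 3:
            attr_map[parts[1]] = parts[2]            # posix name -> AD name
        elif parts[0] == "nss_map_objectclass" and len(parts) == 3:
            attr_map["objectclass:" + parts[1]] = parts[2]
        else:
            options[parts[0]] = " ".join(parts[1:])
    return options, attr_map


def ad_entry_to_passwd(entry: dict, attr_map: dict[str, str]) -> str:
    """Render the passwd(5) line for one AD entry using the mapping."""
    # nss_map_objectclass changes the object class the lookup filters on;
    # AD objectClass values are case-insensitive, hence the lower().
    wanted = attr_map.get("objectclass:posixAccount", "posixAccount").lower()
    if wanted not in [c.lower() for c in entry["objectClass"]]:
        raise ValueError(f"entry is not of objectClass {wanted}")
    fields = []
    for posix_attr in PASSWD_FIELDS:
        ad_attr = attr_map.get(posix_attr, posix_attr)  # unmapped: same name
        value = entry.get(ad_attr)
        if posix_attr == "userPassword" and value is None:
            # Authentication goes through Kerberos (libpam-krb5), so this
            # example fills the field with a locked placeholder (assumption).
            value = "*"
        if value is None:
            raise KeyError(f"AD entry lacks {ad_attr!r} (needed for {posix_attr})")
        fields.append(value)
    return ":".join(fields)


def audit(options: dict[str, str]) -> list[str]:
    """Flag config settings worth hardening (this example's own checks)."""
    findings = []
    if options.get("uri", "").startswith("ldap://") and \
            options.get("ssl", "") not in ("start_tls", "on"):
        findings.append("uri is plain ldap:// and ssl start_tls is not set: "
                        "the bind password and lookups cross the network unencrypted")
    if "bindpw" in options:
        findings.append("bindpw is stored in the config file, which every "
                        "process doing NSS lookups must be able to read")
    return findings


if __name__ == "__main__":
    opts, amap = parse_ldap_conf(LDAP_CONF)
    print(ad_entry_to_passwd(SAMPLE_AD_ENTRY, amap))
    for finding in audit(opts):
        print("WARNING:", finding)
```

Running it prints the passwd line `jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash` followed by the two warnings. The second warning is the one to take seriously with libnss-ldap: because name resolution runs inside every process, /etc/ldap.conf has to stay readable by all local users, so the AD account named in binddn should be a dedicated read-only account with no other rights, and the directory traffic should be protected with start_tls (or an ldaps:// URI) so that this credential is not also exposed on the wire.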