Best practice, experience with NIS => AD migrations?
by Spike White
Sssd practitioners,
(I hope this topic is not inappropriate to this target audience.)
My company is looking at retiring NIS, in favor of AD. Altogether, there
are several thousand Linux servers (& a few UNIX servers) getting their
authentication via NIS.
There’s three components being looked up from NIS:
· Users and groups
· Automount maps
· netgroups
Additionally, there’s thousands of Linux servers getting their
authentication via our corporate AD domain. (Using commercial products).
The corporate AD domain has the rfc2307bis schema extension. Also, it has
child domains – so cross-domain authentication (between
transitively-trusted subdomains) is important to us.
We have kicked the tires on sssd on RHEL7. As long as you avoid using the
‘tokengroups’ optimization, it works great. Even does all cross-domain
authentication. We’re able to pick up users, groups and even automount
maps.
We believe that we can mostly replace the NIS netgroups with AD groups
(because these NIS netgroups are not using the “server” component).
We have a wealth of AD and some NIS expertise in-house. We have
considerable expertise in two commercial AD integration products for
Linux/UNIX.
What we do *NOT* have is any experience with a NIS => AD migration.
What problems will we encounter?
1. We know that some NIS UIDs and GIDs will conflict with
already-existing AD entries.
2. If we change these users’ UIDs to non-conflicting UIDs, then our
NFS NAS shares will break (as the directory trees are owned by the old UID,
not the new UID).
What other problems do we need to look out for?
Here’s our initial idea of how to proceed:
1. We’re thinking of standing up RHEL8 with sssd first.
2. After period of stability:
a. Forklift NIS accounts into AD, deconflicting UIDs and GIDs.
b. Stand up new NAS shares with new UIDs, GIDs?
c. retrofit RHEL7 (remove NIS, put in AD on RHEL7 clients).
3. After period of stability, do same with RHEL6 and RHEL5 – except
with commercial products. (version of sssd on RHEL5 and RHEL6 too old and
flaky – particularly for cross-domain auth).
Are we totally off on the above roll-out plan?
What are best practices?
Does anyone have experience with such a NIS => AD large corporate migration?
Spike
5 years, 2 months
Cannot use smart card auth on Ubuntu 18.04
by Orion Poplawski
I'm not having any luck using smart card auth on an IPA joined Ubuntu 18.04
system. It appears that pam is not properly configured, and in particular I
don't see "allow_missing_name" in use:
/etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
although if I add allow_missing_name to that line, it doesn't seem to help. I
don't see any SSS_PAM_PREAUTH activity in the sssd_pam.log.
Any pointers?
Thanks!
- Orion
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
5 years, 2 months
