AD authentication

Anthony R Fletcher arif at mail.nih.gov
Thu Jan 31 16:28:35 UTC 2013


On 30 Jan 2013 at 21:36:40, aragonx at dcsnow.com wrote:
> I've just setup a pair of Fedora 18 boxes that I could use
> some help with getting them to join the active directory domain we have at
> work (2008 I think).  What I would like is for users in a particular
> group in AD be allowed to log into the Fedora 18 boxes without me having
> to create accounts (and manage passwords) on the Fedora boxes.  Is
> that possible?

It is certainly possible. Depending on how far you want to go, there is
a lot you can do.

The minimum I would suggest is that you use the AD as an authentication
source via krb. You'll need to know what the AD domain controllers are
called and then use something like authconfig; it has command line
options, eg

authconfig --enablekrb5 --krb5kdc=ADdc.domain --enablekrb5kdcdns \
      --krb5realm=DOMAIN --enablecache --enableshadow

At least then you are out of the password management business.

Getting users from the AD via LDAP also works although it helps if you
can do that without authentication (unlikely). There are ldap options
for authconfig as well.

Your users will have to have the AD attributes

uidNumber: <unique-uid>
gidNumber: <unique-gid>
unixHomeDirectory: /home/<user>
loginShell: /bin/bash or zsh or tcsh, etc

added to their AD entries.

We have had success doing this and even doing a full AD join via
samba.

I think F18 has more integration options but my experience has been with
RHEL, CentOS and earlier versions of Fedora.

		Anthony


-- 
Anthony R Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  arif at mail.nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.
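As an added example, not part of Anthony's message or the list thread: the reply above says each AD user needs uidNumber, gidNumber, unixHomeDirectory and loginShell before a Linux box can resolve them over LDAP, and that the uid must be unique. The script below parses LDIF as `ldapsearch -LLL` would print it and reports entries missing any of those four attributes or sharing a uidNumber. The sample LDIF, the domain `example.test` and all names and numbers are constructed for this example; against a real domain you would feed it the output of your own ldapsearch.

```python
"""Check that AD user entries carry the RFC 2307 attributes a Linux box needs.

Added example, not from the original mailing-list post. It parses LDIF as
ldapsearch would print it (the sample below is constructed, not real data)
and reports entries that are missing uidNumber, gidNumber,
unixHomeDirectory or loginShell, plus uidNumber values shared by two users.
"""
from collections import defaultdict

REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed sample of what `ldapsearch -LLL` might return for three users;
# the domain, names and numbers are made up for this example.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/bob
loginShell: /bin/zsh

dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
uidNumber: 10003
unixHomeDirectory: /home/carol
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of dicts {attr: [values]}.

    Handles blank-line-separated entries, '#' comment lines and the LDIF
    continuation rule (a line starting with a single space continues the
    previous line). Base64 (':: ') values are kept as-is, not decoded.
    """
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_posix_attrs(entries):
    """Return (missing, duplicate_uids).

    missing:        {sAMAccountName: [attributes absent from that entry]}
    duplicate_uids: {uidNumber: [accounts sharing it]} for uids used by more
                    than one entry (a shared uid means two AD users map to
                    the same local identity, so file ownership is ambiguous)
    """
    missing = {}
    by_uid = defaultdict(list)
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        absent = [attr for attr in REQUIRED if attr not in entry]
        if absent:
            missing[name] = absent
        for uid in entry.get("uidNumber", []):
            by_uid[uid].append(name)
    duplicates = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return missing, duplicates


if __name__ == "__main__":
    missing, dupes = check_posix_attrs(parse_ldif(SAMPLE_LDIF))
    for name, attrs in sorted(missing.items()):
        print(f"{name}: missing {', '.join(attrs)}")
    for uid, names in sorted(dupes.items()):
        print(f"uidNumber {uid} shared by {', '.join(names)}")
```

Run it on real data by replacing `SAMPLE_LDIF` with the text of an `ldapsearch -LLL` query for your user OU; an entry flagged here will not resolve to a usable POSIX account on the Fedora side even though Kerberos authentication for it may succeed.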
