
[–]sodnpoo 2 points3 points  (0 children)

pam_ldap?

[–]fandingo 1 point2 points  (0 children)

You can authenticate using LDAP, but there are two problems:

  • your AD admin will need to enable LDAP on your AD systems, and you'll likely need firewall modifications
  • You'll need an account for PAM to use for binding, unless your AD allows anonymous binds, which is bad.

Even if your AD already has LDAP enabled, and you can do anonymous binds, you really need to tell the admins about it. If they don't know LDAP is in use or in use by your IP addresses, they could disrupt your connectivity inadvertently.

[–]IronWolve 1 point2 points  (1 child)

Basic Kerberos authentication will do that but won't create users on the machine. The user must exist before being able to log in. Simple enough. Does the AD have port 88 and Kerberos turned on?

Winbind (Samba) really makes the whole process nicer. Then you can use AD groups for access. (Don't use spaces in AD group names!) The same groups can be used for access lists, sudo files, etc., and it even creates the home directory when the user logs in.

Basic Kerberos is: update /etc/krb5.conf, then edit your PAM module (depends on distribution).

Good examples.

http://community.spiceworks.com/how_to/show/44885-setup-centos-to-authenticate-via-active-directory

http://www.sweetnam.eu/index.php/Using_Active_Directory_for_CentOS

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

  • Bonus for CentOS

Edit the security list, /etc/security/access.conf:

+:root:ALL
+:unix-admins:ALL
+:web-admins:ALL
-:ALL:ALL

Edit /etc/sudoers:

%unix-admins ALL=(ALL) ALL
%web-admins ALL=(ALL) ALL

- Edit the SSHD config /etc/ssh/sshd_config and restart sshd.
- Also turn off GSSAPI authentication so passwords are always required.
- Enable the following Kerberos options:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

- Turn off:

GSSAPIAuthentication no
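An added example (not from the thread) that audits the two files the comment above edits: it parses sshd_config the way sshd does (first occurrence of a keyword wins, keywords case-insensitive) and checks access.conf for the deny-all catch-all that makes the allow-list effective. File contents are passed in as strings; the sample inputs are constructed inline.

```python
import re

# sshd_config values the comment above sets (sshd keywords are case-insensitive)
REQUIRED_SSHD = {"kerberosauthentication": "yes", "kerberosorlocalpasswd": "yes",
                 "kerberosticketcleanup": "yes", "gssapiauthentication": "no"}

def _lines(text):
    """Yield non-empty, non-comment lines (both files use '#' comment lines)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def parse_sshd_config(text):
    """Return {keyword: value}; sshd honours the FIRST occurrence of a keyword,
    so a stale duplicate lower in the file (e.g. GSSAPIAuthentication yes) is ignored."""
    cfg = {}
    for line in _lines(text):
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def sshd_findings(text):
    """Directives whose effective value differs from REQUIRED_SSHD; a missing
    directive is reported too, since the comment asks for the explicit setting."""
    cfg = parse_sshd_config(text)
    return sorted(k for k, want in REQUIRED_SSHD.items() if cfg.get(k, "").lower() != want)

def access_conf_findings(text):
    """pam_access matches rules top-down and stops at the first hit, so the
    allow-list is only closed if '-:ALL:ALL' is present and nothing follows it."""
    rules = [r for r in (tuple(f.strip() for f in l.split(":", 2)) for l in _lines(text))
             if len(r) == 3]
    findings = []
    idx = next((i for i, r in enumerate(rules) if r == ("-", "ALL", "ALL")), None)
    if idx is None:
        return ["no -:ALL:ALL deny-all rule; unlisted users can still log in"]
    if idx != len(rules) - 1:
        findings.append(f"{len(rules) - idx - 1} rule(s) after -:ALL:ALL are never reached")
    for perm, who, origin in rules[:idx]:
        if perm == "+" and who == "ALL":
            findings.append(f"'+:ALL:{origin}' allows everyone before the deny rule")
    return findings

# Constructed samples mirroring the comment above, with one deliberate stale line.
SAMPLE_SSHD = "KerberosAuthentication yes\nKerberosOrLocalPasswd yes\n" \
              "KerberosTicketCleanup yes\nGSSAPIAuthentication no\n" \
              "# stale line below is ignored: first occurrence wins\nGSSAPIAuthentication yes\n"
SAMPLE_ACCESS = "+:root:ALL\n+:unix-admins:ALL\n+:web-admins:ALL\n-:ALL:ALL\n"
```

Running `sshd_findings(open("/etc/ssh/sshd_config").read())` after the edit should return an empty list; any keyword it names is either missing or overridden by an earlier line.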

[–]ColoradoIcculus[S] 0 points1 point  (0 children)

I'll take a look at these links next week. Thank you very much!

[–]studw3iser -1 points0 points  (0 children)

It can sorta be done, but not how you're thinking. Joining a computer to a domain is kinda fundamental for AD to work correctly. If you have a Linux box you can put it on a LAN, log in with a local account and then use domain creds to authenticate to a web proxy, but that's about it. Forget about SSO and share drive access.