Hi,
I've just set up a pair of Fedora 18 boxes that I could use some help with getting them to join the active directory domain we have at work (2008 I think). What I would like is for users in a particular group in AD to be allowed to log into the Fedora 18 boxes without me having to create accounts (and manage passwords) on the Fedora boxes. Is that possible?
Thanks for any help!
--- Will
On 30 Jan 2013 at 21:36:40, aragonx@dcsnow.com wrote:
> I've just set up a pair of Fedora 18 boxes that I could use some help with getting them to join the active directory domain we have at work (2008 I think). What I would like is for users in a particular group in AD to be allowed to log into the Fedora 18 boxes without me having to create accounts (and manage passwords) on the Fedora boxes. Is that possible?
It is certainly possible. Depending on how far you want to go, there is a lot you can do.
The minimum I would suggest is that you use the AD as an authentication source via krb. You'll need to know what the AD domain controllers are called and then use something like authconfig; it has command line options, e.g.
    authconfig --enablekrb5 --krb5kdc=ADdc.domain --enablekrb5kdcdns \
        --krb5realm=DOMAIN --enablecache --enableshadow
At least then you are out of the password management business.
Getting users from the AD via LDAP also works, although it helps if you can do that without authentication (unlikely). There are LDAP options for authconfig as well.
Your users will have to have the AD attributes
    uidNumber: <unique-uid>
    gidNumber: <unique-gid>
    unixHomeDirectory: /home/<user>
    loginShell: /bin/bash or zsh or tcsh, etc
added to their AD entries.
We have had success doing this and even doing a full AD join via samba.
I think F18 has more integration options but my experience has been with RHEL, CentOS and earlier versions of Fedora.
Anthony
Anthony R Fletcher wrote:
> I think F18 has more integration options but my experience has been with RHEL, CentOS and earlier versions of Fedora.
Yes, none of your previous steps are valid any longer.
SSSD and Gnome provide all the AD support required now.
Feel free to read the feature pages and documentation since this is all different than what you have done in the past.
http://fedoraproject.org/wiki/Features/ActiveDirectory
http://fedoraproject.org/wiki/Features/ActiveDirectory#Documentation
On 01/30/2013 04:36 PM, aragonx@dcsnow.com wrote:
> Hi,
> I've just set up a pair of Fedora 18 boxes that I could use some help with getting them to join the active directory domain we have at work (2008 I think). What I would like is for users in a particular group in AD to be allowed to log into the Fedora 18 boxes without me having to create accounts (and manage passwords) on the Fedora boxes. Is that possible?
I'd suggest taking a look at realmd, which will help you enroll your Fedora 18 systems into the Active Directory domain.
http://www.freedesktop.org/software/realmd/docs/
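
For the group-restricted login asked about at the top of the thread, here is an added example (not posted by anyone in this thread) of an /etc/sssd/sssd.conf that uses SSSD's AD provider and admits only members of one AD group. It assumes the machine has already been joined to the domain (for instance with realmd); the domain example.com, realm EXAMPLE.COM and group linux-users are placeholders.

```ini
# /etc/sssd/sssd.conf  (must be owned by root with mode 0600, or sssd refuses to start)
# Placeholder values: example.com, EXAMPLE.COM, linux-users

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Identity and authentication both come from Active Directory;
# passwords are verified via Kerberos and never stored as local accounts.
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Access control: deny everyone except members of this one AD group.
# Without an access_provider restriction, any valid AD user can log in.
access_provider = simple
simple_allow_groups = linux-users

# True: SSSD derives UID/GID from the AD SID, so no POSIX attributes
# are needed in AD.
# False: SSSD reads uidNumber, gidNumber, unixHomeDirectory and
# loginShell from each AD entry, as described earlier in the thread.
ldap_id_mapping = True

# Used when the AD entry carries no home directory or shell attribute.
fallback_homedir = /home/%u
default_shell = /bin/bash

# Allow logins from cached credentials when no domain controller is reachable.
# Set to False if offline logins by disabled or removed accounts are a concern.
cache_credentials = True
```

With `access_provider = simple`, removing a user from the AD group is enough to revoke login on every box using this file; no per-host account cleanup is needed.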