Tuesday, October 2, 2012

Part 1, Integrating Red Hat Enterprise Linux 6 with Active Directory: Introduction
I will first give a short, high-level overview of the options, since you can easily get lost in the vast number of ways to integrate RHEL6 with AD.

On RHEL6 you have two main options to choose from. Both have about the same features.

1) the sssd daemon (pam_sss, which replaces the RHEL5 combination of pam_krb5 and pam_ldap but does the same thing in the backend)
2) the winbind daemon (pam_winbind)

Which one you choose depends on personal taste and experience.

sssd does pure authentication, nothing more, nothing less, but if that is all you require, it can suit your needs perfectly.

Winbind is more tightly integrated with Samba and is better suited if you also want to set up a Samba file server.

In this series I will use winbind, since I found it a little faster to set up, especially because you get a whole lot of net commands to automate things (like joining the network) and some other useful commands for things like special group mappings.

Of course you can use a mix of sssd and winbind. For example, you can use winbind (in fact the net commands) to join the domain (which generates a keytab) that sssd can then use. The downside is that you need to configure both sssd and winbind.

If we continue with the winbind option, the first thing you need to decide is how Windows SIDs will be mapped to Unix UIDs/GIDs and where those mappings are stored (in the case of an allocating backend). Winbind offers several options for this; it calls them backends.

I will describe them briefly. The most common are:

idmap_tdb: this is the default one. Not recommended if you need to integrate more than one server, because the SID to UID/GID mapping is not consistent across servers.

idmap_rid: I will use this one in this series. It maps a SID to a UID/GID using a fixed algorithm (based on part of the SID, the RID). The mapping is consistent between servers, but once set up it is difficult to change. An advantage is that the SID/UID/GID mapping needs no maintenance.

idmap_ad: for this to work you need to install the Unix extensions (the Identity Management for UNIX role). This backend takes the UID/GID from what is set in AD. The mapping is consistent across servers.
Others not discussed here are idmap_nss and idmap_ldap (very popular in the past); there may be others too.
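To make the "fixed algorithm" of idmap_rid concrete, here is an added example (not code from the post or from Samba) that applies the formula documented in the idmap_rid man page, ID = RID - BASE_RID + LOW_RANGE_ID, in both directions. The domain SID and the idmap range 10000-999999 are constructed values for the example; the range checks show why a RID outside the configured range, or a SID from another domain, gets no mapping from this backend.

```python
import re

# Assumed smb.conf settings for this example (not taken from the post):
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range   = 10000-999999
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample
LOW_ID, HIGH_ID = 10000, 999999
BASE_RID = 0  # Samba's default "base rid" for idmap_rid

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for a full SID string such as S-1-5-21-...-1103."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """idmap_rid forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the SID belongs to a different domain or the result
    falls outside the configured range; winbind refuses such mappings.
    The same number serves as UID for user SIDs and GID for group SIDs,
    which is why the range must be sized for the whole RID space in use.
    """
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """Reverse mapping (UID/GID back to SID), as winbind does for file ownership lookups."""
    if not low <= unix_id <= high:
        return None
    return "%s-%d" % (domain_sid, unix_id - low + base_rid)


if __name__ == "__main__":
    for sid in (DOMAIN_SID + "-1103", DOMAIN_SID + "-513", "S-1-5-21-9-9-9-1103"):
        print(sid, "->", rid_to_unix_id(sid))
```

Because the result depends only on the RID and the configured range, every server with the same range setting computes the same UID/GID, which is the consistency property the post describes.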

Next part: Using the idmap_rid backend and winbind
