Authenticating Linux against AD

brianlittlejohn

I used centrify express I believe...

edit: it was express, I didnt pay anything.

stacksofplates

this only works with red hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my windows jargon if it's incorrect). You can then set up host and user based sudo permissions.

Kelly

@johnhooks said:

this only works with red hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my windows jargon if it's incorrect). You can then set up host and user based sudo permissions.

Is that for RHEL only, or the derived distros too?

stacksofplates

@Kelly said:

@johnhooks said:

this only works with red hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my windows jargon if it's incorrect). You can then set up host and user based sudo permissions.

Is that for RHEL only, or the derived distros too?

All RHEL based as far as I know. I've only tried RHEL, CentOS and Fedora though.

Kelly

@johnhooks said:

@Kelly said:

@johnhooks said:

this only works with red hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my windows jargon if it's incorrect). You can then set up host and user based sudo permissions.

Is that for RHEL only, or the derived distros too?

All RHEL based as far as I know. I've only tried RHEL, CentOS and Fedora though.

Now I have an interesting quandary. Do I go with something more universally supported so the scientists that love Ubuntu can stay on it, or push for unification on CentOS...

Probably the former given internal culture.

stacksofplates

@Kelly said:

@johnhooks said:

@Kelly said:

@johnhooks said:

this only works with red hat systems, but is one thing we will be doing in the future. Their Identity Management system will integrate with AD. IdM is set up as its own forest and you can have a trust between the two (pardon my windows jargon if it's incorrect). You can then set up host and user based sudo permissions.

Is that for RHEL only, or the derived distros too?

All RHEL based as far as I know. I've only tried RHEL, CentOS and Fedora though.

Now I have an interesting quandary. Do I go with something more universally supported so the scientists that love Ubuntu can stay on it, or push for unification on CentOS...

Probably the former given internal culture.

Ya we are an all Red Hat shop so it's easy for us.

I don't remember but Landscape might give you this ability for Ubuntu also.

scottalanmiller

@Kelly said:

Centrify Express or the paid option?

Paid. It was a large installation.

stacksofplates

FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.

scottalanmiller

@johnhooks said:

FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.

Interesting, never noticed that it had a button like that. have only demo'd it once so have not used Cockpit much, that would be a neat feature.

stacksofplates

@scottalanmiller said:

@johnhooks said:

FWIW on RHEL systems with Cockpit installed, there is a button named Join Domain. What it does I don't know, but I'm guessing it's for this function. I never looked it up.

Interesting, never noticed that it had a button like that. have only demo'd it once so have not used Cockpit much, that would be a neat feature.

Just got in. Here's what comes up when you click it:

DustinB3403

@johnhooks So it works as expected (or at least it appears to).

Did you join this system to your domain?

stacksofplates

@DustinB3403 said:

@johnhooks So it works as expected (or at least it appears to).

Did you join this system to your domain?

No I dont have anything to do with the domain stuff. This pc is also on a different network so I can't join it to our normal domain anyway.

If I feel ambitious I'll try it at home.

Kelly

I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.

Have any of you ever tried Zentyal (for the authentication portion, not the email)?

scottalanmiller

No, keep meaning to look at Zentyal but never get around to it.

stacksofplates

@Kelly said:

I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.

Have any of you ever tried Zentyal (for the authentication portion, not the email)?

I did it one time with a Zentyal VM and an old windows 7 laptop. All I did was join the domain, so other than saying yes it will join I have no idea what management and everything else is like.

Romo

@Kelly Zentyal uses samba 4, so you basically end up with a compatible Active Directory domain controller. You would still need to use pbis or sssd to authenticate your linux machines to the domain controller. Centrify does not work with a samba 4 domain controller, but as I mentioned before either pbis or setting up sssd works ok.

As for the managment aspect of Zentyal, you can use the web interface to set most of the things your are used to when managing an ad dc except group policy settings, in order to also have groups policy settings you can use RSAT and manage it exactly the same as a windows ad dc.

PSX_Defector

@Kelly said:

I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.

I've used this in multiple companies, from an airline in America to an oil exploration company.

Works like a champ, it's built on Winbind, but now has actual support versus calling RedHat and hoping for the best.

Kelly

@PSX_Defector said:

@Kelly said:

I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.

I've used this in multiple companies, from an airline in America to an oil exploration company.

Works like a champ, it's built on Winbind, but now has actual support versus calling RedHat and hoping for the best.

Did you use PBIS Open or the paid version? The paid version is significantly more than I can afford at about $1,600 per server instance.

dafyre

Any particular reason winbind won't work? That is what we use here.

Kelly

@dafyre said:

Any particular reason winbind won't work? That is what we use here.

Nope, I'm just trying to do due diligence and evaluate all the options and what we gain/lose from them. At this point Winbind is looking like a strong contender due to its ability to work with sudo, but I'd like to compare all the possibilities that are in my price range.