how can we join a linux system on active directory domain

yasir453 · 03-04-2010, 12:56 AM

Hi All,
i have installed RHEL5 on my system.i want to join my system on my organisation s active directory domain.how can i do it?suppose domain name is "abc-xyz"

acid_kewpie · 03-04-2010, 01:59 AM

Id suggest intergrating at LDAP, but you can use Samba / winbind also. What do you actually want to achieve?

yasir453 · 03-04-2010, 11:10 PM

Quote:

Originally Posted by acid_kewpie

Id suggest intergrating at LDAP, but you can use Samba / winbind also. What do you actually want to achieve?

in our organisation mostly users are window based.they authunticate from active directory domain.now some users are using linux as well.i need the solution the linux users will also authunticate from same active directory domain.

acid_kewpie · 03-05-2010, 02:09 AM

OK, well, as above, *MY* preferred solution would be for you to install the MS SFU AD Schema extentions which will add posix attributes to AD to allow a full ldap login from any device to be done against it. http://en.wikipedia.org/wiki/Microso...vices_for_UNIX

Many people prefer the samba route, which makes the machine actually "join" the AD domain, as if it were a windows machine. This way, all missing user information (i.e. info required to make a full posix account) is created automatically on a per client machine basis. This is often fine, however a user will not have a consistent UID / GID across multiple machines, which can be a pain if you're doing cleverer things.

In line with the UID data and such, if you do want to install ldap (which is very simple and clean fom the client side, as opposed to samba which can be a bit obscure) then you can fudge UID's on the client side ldap configuration in a similar way to create the data that isn't in AD.

ms233 · 03-05-2010, 12:51 PM

Quote:

Originally Posted by yasir453

in our organisation mostly users are window based.they authunticate from active directory domain.now some users are using linux as well.i need the solution the linux users will also authunticate from same active directory domain.

You can simply turn on Kerberos authentication if you just need the linux users to be able to authenticate AD.

# system-config-authentication

Authentication tab

Checkbox to Enable Kerberos Support

Configure Kerberos button

in the Realm box goes your domain name in UPPER CASE.

in KDCs and Admin Servers I put nothing.

I check both "Use DNS to resolve hosts to realms" and "Use DNS to locate KDCs for realms".

After that, if I create local accounts with the same username as an AD account, I am able to use the AD password.

acid_kewpie · 03-05-2010, 02:43 PM

You should never use DNS to resolve the KDC, big security flaw there. If you don't even know the IP of your domain controllers, you deserve everything you get. ;-)

mrsmith317 · 03-16-2010, 07:20 AM

Quote:

Originally Posted by ms233

in KDCs and Admin Servers I put nothing.

I check both "Use DNS to resolve hosts to realms" and "Use DNS to locate KDCs for realms".

You can put in your domain name eg EXAMPLE.COM in as the KDC/Admin server and it will work more effectively than using DNS to lookup realms. Using a static IP for your KDC with multiple domain controllers is a bad idea. What happens if that particular server goes down?