Current Best Practice for using AD to auth Linux (2013)

Question

As far as I'm aware, there are 3 (common) ways to use Active Directory as the Authentication and Authorization for Linux hosts:

LDAP
Kerberos
Samba/Winbind

Is there a (current) consensus on which method is the best practice?

I've never been entirely clear on the pros/cons of each method to start with, but every document/tutorial says a different way and not many of them are dated or explain why they are using a particular method.

Reddit threw this up for me this morning http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/ — fukawi2, Dec 16 '13 at 22:44

score 5 · Accepted Answer · answered Jul 12 '13 at 01:01

The approach I use now is SSSD. It's quite painless and the configuration files are clean. SSSD can be enabled at install time or just run via the authconfig command UI. I recently converted ~200 Linux servers to SSSD from local auth and used the steps below.

This assumes a Red Hat-like system (RHEL, CentOS, Fedora)...

1) Download SSSD.

yum install sssd

2). Modify the system's authconfig settings.

authconfig --enablesssd --ldapserver=ldap://dc1.mdmarra.local --ldapbasedn="dc=mdmarra,dc=local" --enablerfc2307bis --enablesssdauth --krb5kdc=dc1.mdmarra.local --krb5realm=MDMARRA.LOCAL --disableforcelegacy --enablelocauthorize --enablemkhomedir --updateall

3). Update the /etc/sssd/sssd.conf configuration file contents with the following:

# sssd.conf

[domain/default]

ldap_id_use_start_tls = False
ldap_schema = rfc2307bis
ldap_search_base = dc=mdmarra,dc=local
krb5_realm = MDMARRA.LOCAL
krb5_server = dc1.mdmarra.local
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc1.mdmarra.local,ldap://dc2.mdmarra.local
krb5_kpasswd = dc1.mdmarra.local,dc2.mdmarra.local
krb5_kdcip = dc1.mdmarra.local,dc2.mdmarra.local
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_default_bind_dn = ldapuser@mdmarra.local
ldap_default_authtok_type = password
ldap_default_authtok = fdfXb52Ghk3F

[sssd]
services = nss, pam
config_file_version = 2

domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

@MichaelHampton lol @ewwhite I see some of the config directives list 2 DC's, while some only list `dc1`. What impact does that have on fail-over if `dc1` is unavailable? — fukawi2, Jul 12 '13 at 01:37
I just did that to get the basic config in place on the `authconfig` command line. The real config has two DCs. — ewwhite, Jul 12 '13 at 02:04
I'm going to do a domain rename on my home domain to "mdmarra.local". — Evan Anderson, Jul 12 '13 at 03:27
@ewwhite Since no-one else has piped up with any other alternatives, I'll accept this answer. Thank-you again :) — fukawi2, Jul 23 '13 at 23:30
This just popped up on Reddit for me :) http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/ — fukawi2, Dec 16 '13 at 22:43

Current Best Practice for using AD to auth Linux (2013)

1 Answers1