I've been looking around the web trying to find a way to authenticate users on Linux with a Domain User account on a Windows 2012R2 Server. The way I've done this in the past is using the "Identity Management for Unix" role on the server to get the Posix attributes setup. Microsoft, however, has "deprecated" this feature on 2012R2 Server.

Does anyone know of another way to authenticate (centralized) Linux accounts without having those Posix attributes in AD on the Windows server? I'm trying to follow the hesling pdf and the RedHat guide for integrating AD with Linux, but both articles, published last year, apparently use the IMU role on AD.

I tried Centrify Express this week, but unless I was missing something, I was not able to manage any of the Posix attributes for the Linux accounts in AD with it.

Server Fault
  • For reference - those attributes are still there and work as expected, they are simply no longer shown as a tab under AD Users and Computers. They can be managed through ADSIedit or Powershell. – Andy Feb 20 '15 at 23:15
  • ADSI Edit is too tedious for daily use. – Server Fault Aug 17 '16 at 15:10

3 Answers

I believe FreeIPA was built from the ground up to connect UNIX/Linux with AD DC (Microsoft) and authenticate users.

Link to FreeIPA

"Create mutual trust with other Identity Management systems like Microsoft Active Directory."

Good luck! :)

Ehdrian

I ended up going with Pass Through Authentication over OpenLDAP and SASL. FreeIPA looks good though.

Server Fault

The IMU from Microsoft is not necessary to manage Unix attributes; you just don't have a snap-in and a separate tab to manage Unix attributes. rfc2307/posix attributes are fully supported in the AD schema. Instead, you can manage them with ADSI Edit, AD Users & Groups (View --> Advanced, then use the Attribute Editor tab on objects), LDAP, PowerShell, etc. An AD user with uidNumber, gidNumber, loginShell and unixHomeDirectory on their account is a Unix user, and Linux clients can use AD as a name service and for authentication.

How each client is configured to use AD can vary. Newer SSSD Linux clients can be full AD domain clients using Kerberos. Or, if LDAP is enabled on the AD DCs, the Linux clients could be a traditional LDAP client.

  • I tried ADSI Edit and its basic functionality is that of Regedit. It's not an option for production. Microsoft recommendations are "We recommend to start planning for alternatives, for example: native LDAP, Samba Client, Kerberos or other non-Microsoft options." https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ – Server Fault Aug 17 '16 at 14:54
  • You should try AD Users & Groups as I advised, it is better. To the original question: You must have Unix attributes on AD users/groups to use them on Linux. You could do something sloppy like /etc entries with users/groups and their attributes there, then muck with PAM to do authentication to AD, but that doesn't scale well. Another tip: AD does not enforce unique uidNumber or gidNumber, so a custom solution is needed. I only point this out, as I am unfamiliar with IMU and don't know if it did that. – ryebread157 Oct 02 '16 at 22:31
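As an added example, not code from any answer here or from Microsoft: the attribute handling described in this answer and its comments, done from PowerShell with the ActiveDirectory module. It sets the four RFC 2307 attributes on a user and audits the domain for duplicate uidNumber values, which AD itself will not reject. The account name, shell and home path are placeholders.

```powershell
# Added example: manage RFC 2307 (posix) attributes on AD users with the
# ActiveDirectory module and audit for duplicate uidNumber values, since AD
# stores these attributes but does not enforce their uniqueness.
Import-Module ActiveDirectory

function Set-PosixAttributes {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [int]    $UidNumber,
        [Parameter(Mandatory)] [int]    $GidNumber,
        [string] $LoginShell    = '/bin/bash',                 # placeholder default
        [string] $HomeDirectory = "/home/$SamAccountName"      # placeholder default
    )
    # Refuse to hand out a uidNumber that another account already carries.
    $clash = Get-ADUser -Filter "uidNumber -eq $UidNumber" -Properties uidNumber |
        Where-Object { $_.SamAccountName -ne $SamAccountName }
    if ($clash) {
        throw "uidNumber $UidNumber already used by $($clash.SamAccountName -join ', ')"
    }
    # -Replace writes the attributes whether or not they were set before.
    Set-ADUser -Identity $SamAccountName -Replace @{
        uidNumber         = $UidNumber
        gidNumber         = $GidNumber
        loginShell        = $LoginShell
        unixHomeDirectory = $HomeDirectory
    }
}

function Find-PosixIdProblems {
    # Every user that carries a uidNumber at all.
    $users = Get-ADUser -Filter 'uidNumber -like "*"' `
        -Properties uidNumber, gidNumber, loginShell, unixHomeDirectory
    # Two or more accounts sharing one uidNumber: AD accepts this silently.
    $users | Group-Object uidNumber | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Problem = 'duplicate uidNumber'; Value = $_.Name
                           Accounts = ($_.Group.SamAccountName -join ', ') }
    }
    # A uidNumber without the other three attributes is not a usable Unix user.
    $users | Where-Object { -not ($_.gidNumber -and $_.loginShell -and $_.unixHomeDirectory) } |
        ForEach-Object {
            [pscustomobject]@{ Problem = 'incomplete posix attributes'; Value = $_.uidNumber
                               Accounts = $_.SamAccountName }
        }
}

# Usage (placeholder account):
# Set-PosixAttributes -SamAccountName 'jdoe' -UidNumber 10001 -GidNumber 10000
# Find-PosixIdProblems | Format-Table -AutoSize
```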