Linux User and Permission Management within an AD Environment

There are two basic techniques I'm aware of --

Method One: Microsoft's Identity Management for UNIX - This allows you to expose ActiveDirectory as a NIS server.
This works with pretty much any *NIX flavor out there (they all support NIS), and has all the benefit (and drawbacks) of NIS. It is also officially supported by Microsoft, which means you have someone to call if stuff breaks.

Method Two: pam_ldap/nss_ldap (or similar, newer systems).
This works with any modern *NIX flavor capable of authenticating against LDAP directories, and may be included by default with Ubuntu and CentOS these days. It is a bit more robust/modern than the NIS-like hackery in Method One, but less likely to be officially supported by Microsoft.

Both of these techniques require you to extend AD Users and Groups to be POSIX Users & Groups respectively so that there are usable POSIX UIDs and GIDs for your *NIX systems -- Microsoft provides this capability in Active Directory.
An added benefit to Method Two above is that you can further extend the users to enable you to use the OpenSSH LDAP Public Key patch, which lets you store SSH keys in LDAP and eliminates the task of synchronizing authorized_keys files around your network.


From what I'm reading here, you want to have all the other typical Linux things stored in the typical linux fashion, and just have group membership come from AD?

Most of the examples you can find will talk about doing pulling from AD/LDAP (maybe kerberos auth and LDAP for all the user), it sounds like you just want LDAP for group stuff. If I'm wrong, you'll need to also do some PAM stuff.

Depending on exactly what version (it changed with CentOS/RHEL between version 5 and 6), you can use "nss_ldap" or "sssd" for this. sssd is newer. It's hard to say which is more flexible, since they seem to be flexible in different ways. sssd seems more flexible about configuring particular pieces to come from particular sources, while nss_ldap seems more flexible about the LDAP schema being used. You'll need the appropriate packages installed. sssd-client, sssd-tools, sssd, libnss-sss, libnss-ldap and/or nss_ldap. (the authentication stuff is pam_ldap or sssd)

There will need to be some unique numeric ID on the groups in AD. Basically, you'll need to pull the entire definition of the group from AD via LDAP, not just the group membership (entire group definition is basically name, unique numeric id and membership). It may be possible to avoid this with sssd and configure it to look up group ids in files and group membership from LDAP. Really the right thing is to extend the AD schema with the appropriate UNIX extensions so that it has the RFC2307 or RFC2307bis user/group data.

In /etc/nsswitch.conf you'll need group: files ldap or group: files sss. You may want to put "files" second instead of first.

nss_ldap ("ldap" in nsswitch.conf) is configured via /etc/ldap.conf and documented in the nss_ldap package. You'll need to set uri, binddn, bindpw, nss_base_group, pam_member_attribute, nss_map_objectclass group, nss_map_attribute.

sssd is configured via /etc/sssd/sssd.conf. Concentrate on the nss and id_provider stuff, not the pam and auth_provider stuff. Read the sssd.conf, sssd-ldap and sssd manpages. You'll need to configure a "domain" and configure some "ldap_group" stuff instide of it along with the basic id_provider and ldap_uri type stuff.

Note: I run both nss_ldap and sssd stuff against an OpenLDAP environment currently. It's been yearssince I used nss_ldap/pam_ldap with an AD environment.

It may also be worth looking into what Samba can do. It's typically used d for file/print sharing, but the logon stuff and domain controller stuff might be able to be configured for what you need.


Take a look at Likewise Open (Or now called PowerBroker Identity Services Open Edition). I have used Likewise open in a previous job and worked out great with Samba and our devs.