- 01-12-2011 #1 Just Joined!
- Join Date
- Jan 2011
- Posts
- 5
Need Guidance Integrating Red Hat With Active Directory
We are a Windows shop and have recently started a project for IBM Websphere MQ. Due to the amount of messages that will be pumped through the MQ infrastructure we were advised to go with installing Websphere MQ on Linux. We chose Red Hat as our distro.
Here is my dilemma. I need the Red Hat servers to meet the three conditions outlined below:
1. Each Red Hat server must be a member of the Active Directory domain
2. I need to be able to login to the Red Hat servers using user accounts within Active Directory
3. While logged on the Red Hat servers with an Active Directory account, I need to be able to access Windows and NFS shares throughout the domain on non-linux servers
I have searched the internet and the Red Hat portal, but nothing clearly defines how to implement this from scratch. There seem to be two ways to implement this: either with SAMBA\WINBIND or with LDAP\KERBEROS.
Here are my questions that I need guidance with:
What is the preferred way?
Do I need to make changes to my Windows 2008 Active Directory servers?
Do I need to build a master NIS and/or SAMBA server?
Any guidance would be greatly appreciated.
- 01-13-2011 #2 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Hi Ed,
RedHat seems to be pushing the winbind route at the moment. You should be able to find some integration guides in the RHEL Deployment Guide on their documentation site.
At the very least you'll need to install Identity Management for Unix on your AD server as this provides the schema entries that store Unix (POSIX) attributes (home directory, uid/gid etc).
No need for a NIS or SAMBA server per se on your Linux server. You will need to install some of the samba packages to be able to join the AD domain and whatnot.
Brett
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 01-13-2011 #3 Just Joined!
- Join Date
- Jan 2011
- Posts
- 5
Thank You
Thank you for the guidance.
I've put in a change request to get Identity Management For Unix installed on two of our domain controllers this weekend.
After that I'll configure each server with the Samba\Winbind clients and point them at the AD servers. Then I'll assign the correct permissions on my NFS share using the UID from AD for the MQ user account and MQ user group to control access to that NFS share.
I'll know by next Tuesday how well it works.
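The last step of the plan above keys NFS share permissions to the UID and GID that Identity Management for Unix stores in AD. Before doing that, it is worth confirming that the Linux resolver (NSS, through whichever winbind or LDAP setup is configured) actually maps each account to those numbers and can name its primary group; otherwise the export ends up granted to a different identity than intended. The following pre-flight check is an added example, not code from the thread, and the account names and expected ids in it are constructed sample data:

```python
"""Pre-flight check before granting NFS share permissions by AD-assigned UID/GID.

Added example (not from the thread). It compares what local NSS returns for an
account with the uidNumber/gidNumber expected from AD's Unix Attributes tab, and
checks that the primary group id can be resolved to a name at all.
"""
import grp
import pwd


def check_identity(username, expected_uid, expected_gid):
    """Return a list of problems for one account; an empty list means it is safe to use."""
    problems = []
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        # The account is not visible through NSS: the join or the nss map is not working.
        return [f"{username}: not resolvable by NSS"]
    if pw.pw_uid != expected_uid:
        problems.append(f"{username}: uid {pw.pw_uid} != AD uidNumber {expected_uid}")
    if pw.pw_gid != expected_gid:
        problems.append(f"{username}: primary gid {pw.pw_gid} != AD gidNumber {expected_gid}")
    try:
        grp.getgrgid(pw.pw_gid)
    except KeyError:
        # The same failure that `id` reports as "cannot find name for group ID N".
        problems.append(f"{username}: cannot find name for group ID {pw.pw_gid}")
    return problems


def check_all(expected):
    """expected maps username -> (uid, gid); returns only the accounts with problems."""
    report = {}
    for name, (uid, gid) in expected.items():
        problems = check_identity(name, uid, gid)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed sample: the ids an MQ service account would carry in AD (hypothetical values).
    expected = {"root": (0, 0), "mqm-service": (10500, 10000)}
    for name, problems in check_all(expected).items():
        for p in problems:
            print("PROBLEM", p)
```

Run it on each Red Hat server after the AD join; grant the share only for accounts that come back clean, and treat a "cannot find name for group ID" entry as the group-mapping problem rather than a permissions problem.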
- 01-18-2011 #4 Just Joined!
- Join Date
- Jan 2011
- Posts
- 5
Now Getting Error Message Regarding Group ID
So I was able to successfully set up "Identity Management For Unix" on the Active Directory servers.
I successfully configured a Red Hat server to use LDAP, joined it to our AD, and am able to login using an AD account.
However, I am seeing the following error when logged in as an AD user:
id: cannot find name for group ID 10000
10000 is mapped to Domain Users in our AD.
I have nscd running on the Red Hat server as well.
Any ideas?
@JoeIT
I need to do more than just join these machines to active directory.
- 01-19-2011 #5 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Hi Ed,
I think you need to create a NIS group on the AD side to map the gids.
Likewise is a set of tools for connecting to AD and Kerberos. It also provides its own snap-in for configuring "nix" users in AD. It's supposed to make life easier.
I'll be working on a fresh 2008 R2 AD and CentOS 5 lab this weekend, I'll let you know how I get on.
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 01-19-2011 #6 Just Joined!
- Join Date
- Jan 2011
- Posts
- 5
NIS Group?
When I set up Identity Management Services For Unix, you are to map to a group first. I mapped the first GID of 10000 to Domain Users. It could have been any group, but I chose the default Domain Users.
Then you map the UID to each user that will need to log in to the Linux boxes, and add them to a group that is mapped in AD with a GID, in this case Domain Users. When I say "add them" I mean under the tab labeled Unix Attributes within ADUC. They are already members on the AD side, but you do have to add them on the Unix side.
The error I am seeing is saying that it cannot find the name for the group ID 10000, which is the GID for Domain Users.
- 01-19-2011 #7 Just Joined!
- Join Date
- Jan 2011
- Posts
- 5
Any Group
I just changed my primary group mapping on the Unix tab in ADUC to another group that is mapped to a GID. Same issue, just a different group ID it can't find the name for.
- 02-04-2011 #8 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Hi Ed,
I've had loads of problems integrating Linux and AD (2003 R2). Mostly due to Attribute Mapping and a poor DNS setup....
I did have groups not being found which was due to the default nss ldap map looking for objectClass posixGroup by default.
Two solutions to that particular issue, first is to add posixGroup to your "unix" groups in AD using the adsiedit tool.
Other option is to change the ldap map to look for group instead of posixGroup.
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
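The explanation in the reply above is that the NSS LDAP group lookup is a search of the form (&(objectClass=posixGroup)(gidNumber=N)), and AD groups carrying Identity Management for Unix attributes are of objectClass group, so nothing matches and `id` reports "cannot find name for group ID N". The script below, an added example that is not from the thread or any vendor, simulates that lookup over constructed LDIF entries and shows both fixes mentioned: adding posixGroup to the group object, or changing the map so the lookup searches for objectClass group (with the PADL nss_ldap used on RHEL 5 that is the `nss_map_objectclass posixGroup group` line in /etc/ldap.conf). The group names, DNs and gid values are constructed sample data.

```python
"""Simulate the nss_ldap group lookup behind `id` for AD groups with IdMU attributes.

Added example, not code from the thread. Entries are parsed from a constructed
LDIF string; resolve_gid() evaluates the filter
(&(objectClass=<class>)(gidNumber=<gid>)) the way the NSS group map would.
"""
import copy

# Constructed sample data: how AD (with Identity Management for Unix) presents two groups.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: top
objectClass: group
cn: Domain Users
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=mqusers,CN=Users,DC=example,DC=test
objectClass: top
objectClass: group
cn: mqusers
sAMAccountName: mqusers
gidNumber: 10001
"""


def parse_ldif(text):
    """Parse simple attribute: value LDIF into a list of {attr_lower: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            # LDAP attribute names are case-insensitive, so normalise them.
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def matches(entry, objectclass, gid):
    """Evaluate (&(objectClass=objectclass)(gidNumber=gid)) against one entry."""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    return objectclass.lower() in classes and str(gid) in entry.get("gidnumber", [])


def resolve_gid(entries, gid, group_objectclass="posixGroup"):
    """Return the group name the NSS map would hand back for gid, or None (the `id` error)."""
    for entry in entries:
        if matches(entry, group_objectclass, gid):
            return entry["cn"][0]
    return None


def add_objectclass(entries, group_name, objectclass):
    """Fix 1 from the thread: add an objectClass to a group (what adsiedit does). Returns a copy."""
    fixed = copy.deepcopy(entries)
    for entry in fixed:
        if group_name in entry.get("cn", []):
            entry.setdefault("objectclass", []).append(objectclass)
    return fixed


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("default map (posixGroup), gid 10000:", resolve_gid(entries, 10000))
    # Fix 2: change the map to search for objectClass group instead of posixGroup.
    print("remapped to group, gid 10000:", resolve_gid(entries, 10000, "group"))
    # Fix 1: give the AD group the posixGroup objectClass, keeping the default map.
    print("posixGroup added, default map:", resolve_gid(add_objectclass(entries, "Domain Users", "posixGroup"), 10000))
```

Either fix makes the lookup succeed for the group it is applied to; the remap (fix 2) covers every group that already has a gidNumber, whereas fix 1 has to be repeated for each group, which the last assertion in the simulation illustrates.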