ldap:ad_rfc2307

Authentication for UNIX users in Active Directory (AD)
get Active Directory (AD) certificate

# echo | openssl s_client -showcerts -servername server.mycompany.local -connect server.mycompany.local:636 2>/dev/null | openssl x509 -inform pem -noout -text | grep "Subject:"

(-servername sends the SNI host name and must be the DC name the clients will use, not a name copied from some other example; -showcerts prints the whole chain, and openssl x509 reads only the first certificate, which is the server's.)

Or

# openssl s_client -connect server.mycompany.local:636

Copy out the Server certificate section, between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and save the copied text to a file (for example server.mycompany.local.pem) on the Linux client. Check the Subject, Issuer and expiry date of what you copied before trusting it; a certificate taken from the wire this way is only as trustworthy as the connection it came over, so compare it with what the CA that issued it (see the link below) says it should be.
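The same retrieval done in PowerShell, as an added example that is not part of the wiki page or the linked guide: it fetches the LDAPS certificate, checks whether it chains to a CA trusted on the machine running the script and whether the DC name is in the Subject Alternative Name, and writes the PEM file that the copy-and-paste above produces by hand. It runs in Windows PowerShell on the DC or in pwsh on the Linux client; the server name and output path are assumptions.

```powershell
# Added example: fetch a domain controller's LDAPS certificate, check it, export it as PEM.
# Server name, port and output path below are assumptions for illustration.
param(
    [string]$Server  = 'server.mycompany.local',   # assumed DC name; must match what clients use
    [int]   $Port    = 636,
    [string]$OutFile = "$Server.pem"
)

# Accept whatever the server presents during the handshake; trust is evaluated explicitly
# further down, otherwise an untrusted certificate would abort the handshake before we see it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)     # sends SNI = $Server, like openssl -servername
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Protocol : $($ssl.SslProtocol)"
}
finally {
    $tcp.Close()
}

# Does it chain to a CA this machine trusts? If not, the Linux client will need the
# issuing CA (not just this leaf certificate, which rotates) in its trust store.
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$trusted = $chain.Build($cert)

"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Valid to : $($cert.NotAfter)"
"SHA-256  : $((Get-FileHash -InputStream ([IO.MemoryStream]::new($cert.RawData)) -Algorithm SHA256).Hash)"
"Trusted  : $trusted" + $(if (-not $trusted) { ' (' + (($chain.ChainStatus | ForEach-Object Status) -join ', ') + ')' })

# The name used in -connect / ldap_uri must appear in the Subject Alternative Name,
# or the client's host name check fails even when the CA is trusted.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN      : $($san.Format($false))" }
else      { Write-Warning 'No Subject Alternative Name extension; current clients ignore the CN' }

# PEM is exactly the text between the BEGIN/END CERTIFICATE markers of the openssl output
# (64-character lines with LF endings, as openssl writes them).
$b64 = [Convert]::ToBase64String($cert.RawData)
$body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
$pem = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n"
Set-Content -LiteralPath $OutFile -Value $pem -NoNewline
"Written  : $OutFile"
```

If "Trusted" is False with a status such as UntrustedRoot, install the issuing CA's certificate on the Linux client rather than the DC's own certificate; the latter expires and is reissued, at which point every client that pinned it stops working.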

https://www.altaro.com/hyper-v/request-ssl-windows-certificate-server/

Windows

First things first, on each of the Active Directory Domain Controllers, install the “Identity Management for UNIX”. This can be found under:

Control Panel → Add / Remove Programs → Add / Remove Windows Components → Active Directory Services → Identity Management for UNIX

On Windows Server 2003 this extends the Active Directory LDAP schema with the UNIX attributes (UID, GID, home directory and so on). From Windows Server 2003 R2 onward those RFC 2307 attributes are already part of the base schema, so the component is only needed for its management UI and NIS server.

Windows 2012 R2 Active Directory for Linux

This entry was tagged Linux Microsoft Powershell Red Hat RHEL Windows Server 2012 R2 and posted on February 17, 2014

This is the second of a few loosely coupled posts on installing and testing an NFSv4 environment with Linux. The first post covered the steps to install a Windows 2012 R2 Active Directory server; this post presents the steps to prepare the Active Directory for Linux clients. The next post covers the steps required to join an RHEL host to the domain and use Kerberized NFS.

Windows uses SIDs (security identifiers) to uniquely identify users and groups. They look like “S-1-5-32-544” (the well-known SID of the built-in Administrators group). Linux, in contrast, uses a UID (user identifier) and a GID (group identifier) to identify a user or group; these are plain integers such as 65534 (nobody on most current distributions).

Because we want Active Directory not only to authenticate a Linux host or user but also to resolve user and group names to UIDs and GIDs, these IDs have to be stored in the directory. Windows already supports RFC 2307 (An Approach for Using LDAP as a Network Information Service); its attributes have been part of the default AD schema since Windows Server 2003 R2, so no change to the schema itself is necessary.

The LDAP attributes for groups are:

msSFU30NisDomain
gidNumber

and for users:

uidNumber
gidNumber
unixHomeDirectory
loginShell
msSFU30NisDomain

Note that, since the Linux system resolves UIDs and GIDs through AD/LDAP, you do not need to install the Microsoft Identity Management for UNIX services. This is especially welcome because Windows Server Core does not support these services. You only need them if you want to manage the UID/GID through the Active Directory Users and Computers MMC snap-in. They can be installed on Windows Server 2012 R2 with the following command:

Dism.exe /online /enable-feature /featurename:adminui /featurename:nis /all

To add the required attributes to an existing or new user/group you can use the following powershell cmdlets:

New-ADGroup
Set-ADGroup
New-ADUser
Set-ADUser

If the ActiveDirectory PowerShell module is missing, install the RSAT capability (Windows 10/11 client; on Windows Server use Install-WindowsFeature RSAT-AD-PowerShell instead):

Get-WindowsCapability -Name RSAT.ActiveDirectory* -Online | Add-WindowsCapability -Online

Here is an example that creates an AD group “linux_user” with a GID of 20000 and the NIS domain “emc” (-GroupScope 1 means Global):

$ New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000}

If you have an existing group, use the following cmdlet to add the attributes. Set-ADGroup takes the group name via -Identity (-Instance expects an ADGroup object and cannot be combined with -Add). Because these attributes are single-valued, use -Replace instead of -Add if they are already set:

$ Set-ADGroup -Identity linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000}

Next we create a user “user1” with a UID of 10000, primary group 20000 and NIS domain “emc”. The user will use “/bin/bash” as the login shell and a home directory of “/home/EMC/user1”:

$ New-ADUser -name user1 -OtherAttributes @{uidNumber=10000;gidNumber=20000;unixHomeDirectory='/home/EMC/user1';loginShell='/bin/bash';msSFU30NisDomain='emc'}

Note that New-ADUser without -AccountPassword and -Enabled creates a disabled account without a password; the lab loop further down shows both parameters.

And again for adding the attributes to an existing user (-Identity, not -Instance; -Replace if the attributes are already set):

$ Set-ADUser -Identity user1 -Add @{uidNumber=10000;gidNumber=20000;unixHomeDirectory='/home/EMC/user1';loginShell='/bin/bash';msSFU30NisDomain='emc'}

Now you are able to query Active Directory over LDAP from your Linux client system to resolve user and group attributes. Furthermore you have a mapping between Windows and Linux users, which is necessary for multiprotocol access to a NAS.

For testing in my lab I used the following PowerShell command to quickly create 5 users with the appropriate Linux attributes and the password “Passw0rd”, and to add each user to the AD group “linux_user”:

$ for ($i=1; $i -le 5; $i++){New-ADUser -name ('user' + $i) -PasswordNeverExpires:$true -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) -Enabled:$true -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}; Add-ADGroupMember -Identity linux_user -Members ('user'+$i)}
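The lab loop above hard-codes a password and hands out UIDs by counting, which works once on an empty directory. The following script is an added example, not from the post, that does the same job the way it would be done on a shared domain: it creates the group if missing, allocates each new uidNumber above the highest one already in AD (the schema does not enforce uniqueness on uidNumber, and two accounts sharing a UID are the same user on every NFS export), reads the initial password from the console and forces a change at first logon, and finally reads back what the Linux client will see. Group name, GID, NIS domain, home directory prefix and user names are assumptions.

```powershell
# Added example: populate AD with RFC 2307 attributes with collision-safe UIDs.
# Assumed values: group linux_user / gid 20000, NIS domain emc, homes under /home/EMC.
#Requires -Modules ActiveDirectory
param(
    [string]  $GroupName = 'linux_user',
    [int]     $Gid       = 20000,
    [string]  $NisDomain = 'emc',
    [int]     $UidFloor  = 10000,                    # first UID to hand out if none are in use yet
    [string[]]$Users     = @('user1', 'user2', 'user3')
)

$unixProps = 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell', 'msSFU30NisDomain'

# 1. Group: create it with the UNIX attributes, or set them on an existing group that lacks them.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties gidNumber
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -PassThru `
        -OtherAttributes @{ msSFU30NisDomain = $NisDomain; gidNumber = $Gid }
} elseif (-not $group.gidNumber) {
    Set-ADGroup -Identity $group -Replace @{ msSFU30NisDomain = $NisDomain; gidNumber = $Gid }
}

# 2. Next free UID: one above the largest uidNumber currently set on any user in the domain.
$inUse = @(Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber | ForEach-Object { [int]$_.uidNumber })
$nextUid = if ($inUse.Count) {
    [Math]::Max($UidFloor, ($inUse | Measure-Object -Maximum).Maximum + 1)
} else {
    $UidFloor
}

# 3. One initial password for the batch, typed at the console, never stored in the script.
$password = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

foreach ($name in $Users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }
    $uid = $nextUid++
    New-ADUser -Name $name -SamAccountName $name -AccountPassword $password `
        -Enabled $true -ChangePasswordAtLogon $true `
        -OtherAttributes @{
            uidNumber         = $uid
            gidNumber         = $Gid
            unixHomeDirectory = "/home/EMC/$name"     # assumed home directory layout
            loginShell        = '/bin/bash'
            msSFU30NisDomain  = $NisDomain
        }
    Add-ADGroupMember -Identity $group -Members $name
}

# 4. Read back what SSSD/LDAP on the Linux client will resolve for the group's members.
Get-ADGroupMember -Identity $group |
    Get-ADUser -Properties $unixProps |
    Select-Object SamAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell |
    Format-Table -AutoSize

# 5. Flag any UID that is now shared by more than one account anywhere in the domain.
Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
    Group-Object uidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "uidNumber $($_.Name) is shared by: $($_.Group.SamAccountName -join ', ')" }
```

Run it from a host with the RSAT ActiveDirectory module as an account allowed to create users in the target OU (add -Path to New-ADUser if the default Users container is not wanted). The duplicate check at the end is worth running on its own from time to time: nothing in AD stops a second admin from reusing a uidNumber by hand in the MMC.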

The last steps are configuring and joining the linux host to our active directory. This will be covered in one of the next posts.

https://banck.net/2014/02/preparing-windows-2012-r2-active-directory-for-linux/

https://banck.net/2014/03/configuring-rhel-for-kerberized-nfsv4/

http://www.oracle.com/technetwork/server-storage/sun-unified-storage/documentation/activedir-ldap-source-1124-2372474.pdf

Windows Server 2016: removal of the IDMU/NIS Server role

https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

IDMU/NIS Server has been removed; specifically, the following components are no longer included with Windows Server 2016:

  • Network Information Service (NIS) Windows Server role
  • The Unix Attributes plug-in for the Active Directory Users and Computers Management Console (MMC) snap-in

Note: RFC2307 attributes (e.g. GID/UID etc.) in Active Directory continue to exist.

ldap/ad_rfc2307.txt · Last modified: 2022/03/28 21:11 by manu