Home / server / Questions / 87840
Accepted
Chad P
Asked: 2009-11-25 08:41:14 +0800 CST

Linux Directory Server with existing local accounts

  • 772

I've got about 50 servers running a mix of RHEL and CentOS, and they all use local authentication. We are about to get these finally under a single unit's control, and we have a slew of local accounts all across these systems. I'm not sure if I want to authenticate off of LDAP from our existing Active Directory or use something like CentOS Directory Server, but either way.. Can I map a central account to different local accounts on these systems? I don't really want to have to worry about changing any existing permissions or anything.

Let's say I have joeuser1 on 3 different systems, and he has a different UID and his group has a different GID on each one. Is there a way to tie them all together with central authentication?

linux

4 Answers

  1. Best Answer

    It would do yourself much good if you decide to synchronize uids/gids in your whole organization, the overall maintenance effort would be much easier.

    And it can be achieved in a relatively painless way:

    • create or configure your central directory
    • decide on uid/gid space you would like to use (make sure it does not overlap anything you're using now and do not remap uids that will be local to the hosts only - system and daemon accounts etc.)
    • schedule maintenance break for every of your machines
    • prepare a script to reset the ownership after remapping users; something like this worked once for me:
      • find /path/to/what/has/to/be/preserved -printf "chown -c %u:%g \"%h/%f\"\n" > preserve
    • switch to your new directory service
    • remove or remap the non-system part of your /etc/passwd and /etc/group
    • restore the file/directory ownership by running the generated script (sh preserve will do)
    • rinse, repeat, profit!

    Notes:

    • the generated script is not efficient at all, as it's changing back ownership one file by one; but it should be a good demonstration of the general idea.
    • if you have any suid/sgid binaries and directories there, record them in the script as well, for example by changing the printf clause to "chown -c %u:%g \"%h/%f\"\nchmod -c %m \"%h/%f\"\n"
    • 3

  2. Most authentication systems use UID and GID's to map users around. So it is important that they match if they are going to be present in multiple places. And the point of having a central directory service is to avoid multiple locations.

    UID remapping is one of those things which isn't too painful to do on small sites, and becomes mandatory if you are dealing with larger sites as the rewards (in avoiding multiple places to manage things) scale faster than the pain (of making things right).

    • 2

  3. Yes, you can. It's pretty easy to configure and fairly non-problematic (as long as you keep your clocks synchronized!).

    The instructions to do so are in the RHEL deployment guide.

    If you have AD, I suggest you use that, as I believe synching Linux to AD might be easier than synching Windows to anything else than AD.

    • 1

  4. I've recommended this product dozens of times, but it saved me entirely. It's called Likewise Open, it's free and open source, and it exists to make your machines authenticate against Active Directory.

    The UID/GIDs are a hash, which makes them universal across your entire infrastructure. By implementing it, I have unified almost every authentication mechanism in my company. Shell access, apache auth, samba, etc. And since I'm using Active Directory, everything that can use LDAP can auth against it as well, so now my users' accounts are identical on the machines, their desktops, our internal jabber server, our SSL VPN concentrators, etc etc etc.

    I can't recommend it enough.

    • 1