We've been experimenting with integrating Linux systems into what is largely a Windows domain, with a Windows-based Active Directory server. After considerable trial and error, we have successfully configured sssd (on RHEL, CentOS, and Ubuntu) to allow AD user logins bound by AD security groups. We solved the problem of allowing AD logins long ago; it was a bit trickier to restrict access to only particular AD domain users, as was necessary in our use case.

The last hurdle involves the experiment of trying to "automount" home directories from a Windows storage server, with something like pam_mkhomedir creating these home directories if they don't exist already. I say experiment because we can always fall back to using a Linux storage server. The optimal system would have users with some level of Linux home directory / Windows user profile unification (similar to what Samba gives you with NT domain profiles), but at the moment we can't get this working for Linux clients at all. Using a command like this:
mount.cifs //cnsdisk/Home/pgoetz /home/pgoetz -o username=pgoetz,sec=krb5,vers=3.0,uid=pgoetz,cruid=pgoetz
will work for exactly one user that already has a Kerberos TGT to mount a Windows share, but a second user is then locked out. My thought is that if we can't even get manual mounts to work, there's no hope of constructing an automated solution.
I'm not expecting anyone to be able to answer this (a RHEL knowledge base article professed to solve this; didn't work for us); just frustrated that these kinds of problems haven't already been thoroughly worked out and documented.
Edit: I'm pretty sure the multiuser option provided above is obsolete, but RHEL tech support included it in their solution, so I left it in. Don't think that helps, though.
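The following is an added example, not code from the question or from any vendor knowledge base article. It shows the shape of a multi-user setup for the problem described above: instead of one mount per user pinned with username=/uid=/cruid= (which is why the second user is locked out), a single root-owned mount of the share is made with the cifs "multiuser" option, so the kernel opens a separate SMB session for each uid that touches the mount and cifs.upcall supplies that uid's own Kerberos ticket. The server (cnsdisk) and share (Home) are taken from the question; the realm EXAMPLE.COM, the host keytab path, and mounting the whole Home share at /home are assumptions. Run it as root with `sh multiuser-home.sh apply user1 user2` to mount and then check each listed user; with no arguments it only defines the helper functions.

```shell
#!/bin/sh
# Added example (not from the post or any vendor KB): one root-owned CIFS
# mount with the "multiuser" option instead of a per-user mount pinned to
# a single account. Assumed: realm EXAMPLE.COM, keytab /etc/krb5.keytab,
# the whole Home share mounted at /home. Server/share come from the post.
set -eu

SERVER=cnsdisk
SHARE=Home
MOUNTPOINT=/home
REALM=EXAMPLE.COM              # assumption
KEYTAB=/etc/krb5.keytab        # written by "realm join" / adcli / net ads join

# Option string for the shared mount. Note what is absent: no username=,
# uid= or cruid=, which would tie the whole mount to one user's session.
cifs_mount_opts() {
    printf '%s' "sec=krb5,multiuser,vers=3.0"
}

# Full mount command for a manual test (returned as a string, not executed).
mount_command() {
    printf 'mount -t cifs //%s/%s %s -o %s' \
        "$SERVER" "$SHARE" "$MOUNTPOINT" "$(cifs_mount_opts)"
}

# The same mount as an autofs direct-map entry (e.g. /etc/auto.home, listed in
# auto.master as "/- /etc/auto.home"), for the automount variant in the post.
autofs_map_entry() {
    printf '%s -fstype=cifs,%s ://%s/%s' \
        "$MOUNTPOINT" "$(cifs_mount_opts)" "$SERVER" "$SHARE"
}

# The initial mount is made with root's credentials, so root needs a ticket
# too; the machine account MACHINENAME$@REALM placed in the keytab by the
# domain join is the natural one to use.
root_kinit() {
    princ="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@$REALM"
    kinit -k -t "$KEYTAB" "$princ"
}

# The kernel asks userspace for Kerberos material through request-key; this
# file is what makes cifs.upcall answer. cifs-utils normally installs it.
ensure_upcall() {
    conf=/etc/request-key.d/cifs.spnego.conf
    [ -f "$conf" ] || printf 'create cifs.spnego * * /usr/sbin/cifs.upcall %%k\n' > "$conf"
}

# Check that an AD user (logged in through sssd, so holding a TGT) reaches
# their own directory through the shared mount with their own credentials.
verify_user() {
    u=$1
    # klist -s fails if the user has no valid ticket, which is the usual
    # cause of "permission denied" on a multiuser mount.
    su -l "$u" -c "klist -s && ls -ld $MOUNTPOINT/$u"
}

if [ "${1:-}" = "apply" ]; then
    ensure_upcall
    root_kinit
    eval "$(mount_command)"
    shift
    for u in "$@"; do verify_user "$u"; done
fi
```

Two things to check if a user still gets "permission denied": the user's ticket must live in a credential cache that cifs.upcall can locate for that uid (sssd's ccache location setting decides this), and root's own ticket from the keytab expires like any other, so an automounted variant needs that kinit renewed. Note also that pam_mkhomedir creates the directory as root, which on a multiuser mount means with the machine account's credentials, so that account needs create rights on the share or the directories have to exist server-side already.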
0 Answers