Excerpt: Tips and tools, including PowerBroker (PBIS).
Summary table of options
Method | Pros | Cons | How-to summary | Notes |
---|---|---|---|---|
PBIS Open (free app) | Automatic configuration. No CU AD change required. | Rare NetID name conflicts visible in the UI (does not affect operational use). | Use the app's GUI; easy! (Is this correct?!) | Method preferred by Chemistry IT |
SSSD - System Security Services Daemon | The CIT-approved method. No NetID name conflicts. | Manual configuration. A CU AD change requires coordinating with CIT to make changes within AD. Q: What about a person using Linux accounts within two departments, with only one NetID and thus only one CU AD entry? | (need this!) | Method preferred by CIT and Biotech IT. |
winbind | No CU AD change required. No NetID name conflicts. | Manual configuration. | (need this!) | Anyone prefer this method? |
PowerBroker (PBIS)
12/3/13:
- The educational server pricing for the "Enterprise" version is $239 and $47.80 for the annual support.
- The "Open" version is free.
- PBIS Open/Enterprise comparison document.
Oliver's understanding of this software: The free ("Open", vs. "Enterprise") version of BeyondTrust's PowerBroker (PBIS = PowerBroker Identity Services) tool is apparently easy to use, but presents some "name collision" issues here at Cornell for reasons the vendor couldn't explain fully. Perhaps just cripple-ware, even though their tech staff and comparison documentation (linked above) say otherwise? Their fee-based "Enterprise" software doesn't have this behavior, I understand.
Error, and thus limitation, in source code within "Open" found
1/23/17: Chemistry IT reviewed the source code and found the source of the rare but very real NetID collisions. Instead of 20 bits being stored for the user ID, only the first 19 bits are stored. Attempts have been made to contact the vendor. Also, we're testing out a recompiled version we hand-corrected. (Hard and uncertain outcomes, since this limitation has been hard-coded in multiple locations within the code and not abstracted to just one location.)
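To make the 19-bit vs. 20-bit point concrete, here is an added Python model. It is not PBIS source code, and the page does not give PBIS's actual UID derivation, so the `derive_uid` mapping, the `UID_BASE` offset and the account list are constructed stand-ins. It shows two accounts whose identifiers differ only in the 20th bit collapsing onto one UID once only 19 bits are kept, and a check an administrator could run over an export of (name, identifier) pairs to find such collisions before they bite.

```python
"""Model of UID collisions caused by keeping 19 of 20 identifier bits.

Added example; not PBIS code. The real PBIS derivation is not described
on this page, so this uses a simplified stand-in: uid = UID_BASE + (rid & mask).
All account data below is constructed.
"""

FULL_BITS = 20    # what the identifier is supposed to carry
TRUNC_BITS = 19   # what the "Open" build was found to store
UID_BASE = 100000  # hypothetical offset to keep UIDs out of the system range


def mask(bits):
    """Bit mask keeping the low `bits` bits."""
    return (1 << bits) - 1


def derive_uid(rid, bits):
    """Map an AD relative identifier (RID) to a Unix UID, keeping only the
    low `bits` bits. Any higher bit is silently dropped, so two RIDs that
    differ only above `bits` map to the same UID."""
    return UID_BASE + (rid & mask(bits))


def find_collisions(accounts, bits):
    """accounts: iterable of (name, rid). Returns {uid: [names, ...]} for
    every UID that more than one account maps to under a `bits`-wide store."""
    by_uid = {}
    for name, rid in accounts:
        by_uid.setdefault(derive_uid(rid, bits), []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


# Constructed sample: pairs of RIDs that differ only in bit 19 (the 20th bit),
# plus one account whose RID has no partner.
SAMPLE_ACCOUNTS = [
    ("alice01", 0x12345),
    ("bob02", 0x12345 | (1 << 19)),   # same low 19 bits as alice01
    ("carol03", 0x0ABCD),
    ("dave04", 0x0ABCD | (1 << 19)),  # same low 19 bits as carol03
    ("erin05", 0x54321),
]


def collision_report(accounts=SAMPLE_ACCOUNTS):
    """Compare the collision sets for a correct 20-bit store and the
    truncated 19-bit store over the same accounts."""
    return {
        "with_20_bits": find_collisions(accounts, FULL_BITS),
        "with_19_bits": find_collisions(accounts, TRUNC_BITS),
    }


if __name__ == "__main__":
    report = collision_report()
    for label, collisions in report.items():
        print(label, "->", collisions or "no collisions")
```

Under the correct 20-bit store the five constructed accounts get five distinct UIDs; under the 19-bit store alice01/bob02 and carol03/dave04 each share a UID, which is the symptom the text describes. Only the mapping width is modelled here; the actual PBIS code paths are not reproduced.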
Chemistry IT's notes regarding alternatives we've heard about in use at Cornell
1/23/17: Some folks on campus have the Boolean CU AD attribute "edsvaOIT-IsUnixEnabled" set to "Yes".
Question: What happens if that person has a *nix system in more than one department? Won't that create a collision regarding home directory storage, etc.?
Other resources Oliver has found or heard about
Integrating RHEL With Active Directory
Getting Control of Linux/Unix with Sudo and AD Integration
Free relevant training is offered by Randy Franklin Smith, whom I trust. Examples:
Webinar: "Configuring Linux and Macs to Use Active Directory for Users, Groups, Kerberos Authentication and even Group Policy", Tuesday, January 24, 2017, 1:00 - 2:30 PM ET.
Webinar: "Getting Control of Linux/Unix with Sudo and AD Integration", 5/15/2014 11:00:00 AM [(GMT-05:00) Eastern Time (US & Canada)].
Tip: Randy encourages registering for an event even if one can't make the live event in order to receive a link to the recording.
Experiences from others on campus:
Original Message:
From: Martin Berggren [mjb43]
Sent: Friday, April 25, 2014 4:35 PM
To: Oliver B. Habicht; gaarder@math---; Martin J. Berggren
Subject: Re: FW: Getting Control of Linux/Unix with Sudo and AD Integration
...