views: 682

answers: 4

I am trying to help maintain a few dozen Ubuntu servers and am looking for a way to maintain accounts on all the machines.

I tried using likewise-open but found it to be unstable. I would constantly have to log in to a local account and rejoin it to the domain. Had it proved to be stable it would have been great for my needs.

There are plenty of questions on how to force Linux to play in an Active Directory world, but what I am looking for is the proper Linux way to maintain shell accounts on servers. It just feels like everything with a Samba approach is a square peg, and it can work, but you gotta want it.

It did seem like NIS was the right way to do this, but upon more research it seems that it has become outdated legacy stuff.

What do you use that has been reliable and otherwise good? Is setting up OpenLDAP/ApacheDS going to be better than trying to use Active Directory as our LDAP server? Or will it be all the same problems again?

This is one of those cases where in Windows it just works, and the choice has been made for us -- you'd think there would be a right way to do this on the *inx side.

+5  A: 

Use PAM and LDAP or PAM and Kerberos authentication. This will get rid of most of the headaches.

Rob Elsner
+4  A: 

Assuming that PAM and LDAP / Kerberos is not a desirable option, you might want to look at Puppet. In addition to the account management, it'll help ease a ton of other system administration headaches. There's also commercial support available.

Robert Simmons
We are currently deciding between puppet and chef -- but thanks for pointing me in the right direction.
csexton
A: 

If you can handle the packaging issue (it's not available packaged for Ubuntu), you might want to consider FreeIPA. FreeIPA is an integrated, easily manageable Kerberos / LDAP solution.

Personally, I work with pam_krb5 to authenticate against AD. You will have some issues to work around there too: assuming you do not want to have anonymous lookups, system LDAP lookups must be authenticated / secured somehow. This means you must either use a system account over an LDAPS connection to do account lookups from the Linux machine, which means having the password of that account in /etc/ldap.conf.

Or you can set things up so the Linux machines authenticate via Kerberos themselves to do LDAP account lookups on the DC. This last option means joining them to the AD domain though, so you must log into the machines again and join them.

Likewise works pretty well for me in other setups btw: I haven't done a rejoin ever, but apparently you are not that lucky.

wzzrd
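The two lookup designs in the answer above (a dedicated lookup account whose password sits in /etc/ldap.conf, versus the machine authenticating its own lookups with Kerberos) differ mainly in what an attacker with a local shell can read. The script below is an added example written for this page, not code from the thread or from any of the projects named in it: it builds two constructed ldap.conf samples and audits them for the points that matter (cleartext `bindpw`, world-readable file, plain `ldap://` without STARTTLS, disabled certificate checking). The keys it understands (`uri`, `base`, `binddn`, `bindpw`, `ssl`, `tls_checkpeer`, `tls_cacertfile`, `use_sasl`, `sasl_mech`, `krb5_ccname`) are the classic nss_ldap/pam_ldap ldap.conf keys; every host name, DN, path and password in it is made up.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nss_ldap/pam_ldap style
# /etc/ldap.conf for the two lookup designs described above. All host
# names, DNs, paths and passwords below are constructed for the example.

# Constructed sample 1: dedicated lookup account with a cleartext bindpw.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
uri ldap://dc1.example.internal
base dc=example,dc=internal
binddn cn=linux-lookup,cn=Users,dc=example,dc=internal
bindpw NotARealPassword
ssl start_tls
tls_checkpeer no
EOF
chmod 644 "$WEAK_CONF"

# Constructed sample 2: the machine authenticates its own lookups with
# Kerberos (SASL/GSSAPI), so no password has to live in the file at all.
STRONG_CONF=$(mktemp)
cat >"$STRONG_CONF" <<'EOF'
uri ldap://dc1.example.internal
base dc=example,dc=internal
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/ldap_host.ccache
EOF
chmod 644 "$STRONG_CONF"
trap 'rm -f "$WEAK_CONF" "$STRONG_CONF"' EXIT

# conf_get FILE KEY: print the value of the first KEY line, nothing if absent.
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# world_readable FILE: succeed if the "other" read bit is set (read via ls -l,
# which is portable where stat's format flags are not).
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in r) return 0 ;; *) return 1 ;; esac
}

# audit_ldap_conf FILE: print one line per finding; print nothing when clean.
audit_ldap_conf() {
    f="$1"
    if [ -n "$(conf_get "$f" bindpw)" ]; then
        echo "cleartext bindpw in $f"
        if world_readable "$f"; then
            echo "$f is world-readable: any local user can read the lookup password"
        fi
    fi
    case "$(conf_get "$f" uri)" in
        ldap://*)
            [ "$(conf_get "$f" ssl)" = "start_tls" ] ||
                echo "ldap:// uri without 'ssl start_tls': lookups travel in the clear"
            ;;
    esac
    [ "$(conf_get "$f" tls_checkpeer)" != "no" ] ||
        echo "tls_checkpeer no: the directory server's certificate is never verified"
    if [ "$(conf_get "$f" use_sasl)" = "on" ] && [ -z "$(conf_get "$f" sasl_mech)" ]; then
        echo "use_sasl on without a sasl_mech"
    fi
}

# finding_count FILE: number of findings (0 means clean), handy for scripting.
finding_count() {
    audit_ldap_conf "$1" | wc -l | tr -d ' '
}

for c in "$WEAK_CONF" "$STRONG_CONF"; do
    echo "== $c: $(finding_count "$c") finding(s)"
    audit_ldap_conf "$c"
done
```

Run against the two samples, the first file produces three findings and the second none. The world-readable check is the one that decides the real risk of option one: NSS lookups run as whatever user triggered them, so the file cannot simply be made root-only (nss_ldap's `rootbinddn` plus a mode-600 /etc/ldap.secret only covers lookups made by root), which is why the answer's second design, a Kerberos-authenticated machine identity, removes the shared secret instead of hiding it. Even then the host keytab and the credential cache named by `krb5_ccname` need root-only permissions, which this script does not check.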
A: 

I'm not sure if you've found the answer, but this came out recently. It's a free tool for joining Linux & Mac systems to AD and doesn't require the finagling of your systems.

http://www.centrify.com/express/download-centrify-express.asp

ryan