Passing AD attributes to Realm Joined RHEL 7 box - active-directory

I have realm joined a rhel7 machine to my Windows AD environment. I was pleased to see that groups were mapped successfully within the rhel7 instance. I was able to see them via the id command.
I have additional AD attributes that I utilize for NTFS file permissions. In this case, I use an AD extension "caveat" to control some folders on an SMB share.
I want to mount the SMB share and have all user attributes working on my already configured Windows Access Controls.
Is this possible?
Thank you

Related

Replace AD with Azure AD

We are using a third-party IT provider that handles our network administration and domain accounts, but as part of moving to a different office and setting up new infrastructure, we are considering dropping that and using Azure Active Directory only.
Researching the topic online seems to indicate that Azure AD is not a complete replacement for on-premises Active Directory, as things like local resource access and group policies outside of Azure would be missing. However, we are moving towards using Azure for most things (file storage, etc), so that should be fine if we still have that functionality there.
Before finalizing the decision to go in that direction, we just need to be certain of a few things:
1) Is there a way to create a new account in Azure AD so that it can be used to login from any machine in the office, without having to create it locally first and then connect the two?
2) Is there a way to sync user data, such as user/desktop files, across any devices the account is used to log into?
3) Is it possible to have an office printer configured in Azure so that it can be used with an Azure AD login, completely independent of any on-premises setup (i.e., not Hybrid Cloud Print, which seems to require an on-premises network/AD to be joined with Azure AD)?
The goal is to be able to log in and work from any internet-connected device, whether in the office or at home, without needing to use a VPN and/or remote desktop, and forego on-premises AD administration.
This is possible as long as the device is joined to Azure AD. Once the device is joined to Azure AD, newly created cloud-only users can also log in to the devices.
Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
Enterprise state roaming should help in this aspect. It might not cover everything you are looking for but the important app-specific data and user settings are synced.
Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-overview
There is no direct solution from Microsoft for pure cloud scenarios. There are few 3rd party services offered for this.
Ref: https://appsource.microsoft.com/en-us/product/azure/printix.64182edf-4951-40d5-91c8-733e1c896b70
Hope this helps.

May I sync users/groups from Active Directory through SCIM (or any protocol)

I found it's possible to sync users/groups from Azure AD to a local app through SCIM. But it seems not to be available in local AD, and seems not to be available in ADFS.
How can I sync from local AD, or are there any tools I can use?
You would need a SCIM product, which you can create yourself or purchase from several vendors.
Assuming you wish to take entries out of your local Microsoft Active Directory and "SCIM Them" into something else, you would probably want a SCIM Client and then put them into your SCIM Service Provider.
You would need to use something to get the entries out of Microsoft Active Directory and then use SCIM to put them into ???.
You could also use the Microsoft DirSync Control using LDAP.
There are many IDM vendors that create products with this functionality.
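
The flow these answers describe (take entries out of Active Directory, then use SCIM to put them into a service provider), sketched as an added example that is not part of the original answers. It maps an AD user entry to a SCIM 2.0 User resource and builds the create request; the sample entries, the base URL and the function names are hypothetical, and the LDAP search and HTTP send are assumed to happen elsewhere.

```python
import json
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl flag for a disabled account


def ad_entry_to_scim_user(entry):
    """Map one AD user entry (attribute name -> value) to a SCIM 2.0 User."""
    # objectGUID stores its first three fields little-endian, hence bytes_le.
    guid = str(uuid.UUID(bytes_le=entry["objectGUID"]))
    uac = int(entry.get("userAccountControl", 0))
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": guid,  # stable across renames, unlike sAMAccountName
        "userName": entry.get("userPrincipalName") or entry["sAMAccountName"],
        "name": {
            "givenName": entry.get("givenName", ""),
            "familyName": entry.get("sn", ""),
        },
        "displayName": entry.get("displayName", ""),
        # A disabled AD account must arrive as inactive, or access outlives it.
        "active": not (uac & UAC_ACCOUNTDISABLE),
    }
    if entry.get("mail"):
        user["emails"] = [{"value": entry["mail"], "type": "work", "primary": True}]
    return user


def scim_create_request(entry, base_url="https://scim.example.test/v2"):
    """Build (method, url, headers, body) for the SCIM create-user call."""
    body = json.dumps(ad_entry_to_scim_user(entry), sort_keys=True)
    headers = {"Content-Type": "application/scim+json"}  # auth header omitted
    return "POST", base_url + "/Users", headers, body


# Constructed sample entries, shaped like the result of an LDAP search.
SAMPLE_ENTRIES = [
    {"objectGUID": bytes(range(16)), "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.test", "givenName": "Jane",
     "sn": "Doe", "displayName": "Jane Doe", "mail": "jdoe@example.test",
     "userAccountControl": "512"},   # 512 = normal, enabled account
    {"objectGUID": bytes(range(16, 32)), "sAMAccountName": "old.temp",
     "userAccountControl": "514"},   # 514 = 512 | ACCOUNTDISABLE
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(*scim_create_request(e), sep="\n")
```

Keying the remote record on `externalId` rather than the login name lets a later sync run update or deactivate the same account after a rename in AD.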

How to automatically authenticate with Hadoop using Active Directory?

We have an application that accesses Hadoop via HDFS, YARN, and Hive interfaces. This application works fine against Kerberos-secured clusters if kinit has been run. It also works fine if we call UserGroupInformation.loginUserFromKeytab(). We are able to delegate the HDFS and Hive tokens to YARN applications. The thing we cannot figure out is the following scenario:
1) The Hadoop cluster is secured using Kerberos.
2) The Hadoop cluster either uses Active Directory as its KDC, or has established a one-way trust between its KDC and the AD controller.
3) Our software is running in a session that has been authenticated using AD directly on Windows, or via PAM or LDAP (or some other mechanism) on Linux.
4) Our software queries the active AD session to extract a TGT or equivalent, and relays that information to the Hadoop APIs (via UserGroupInformation, presumably).
5) Hadoop authentication is thus achieved without the need for the user to enter a principal, password, or keytab.
We know this is possible in theory, because there are two examples of software that achieve this. The first is HDFS Explorer from RedGate. The second is Hue. However, we just can't seem to figure out the right incantation, and even Hortonworks support can't seem to help.
Hue comes with an LDAP backend that can transparently authenticate users against your company directory.
Hue also comes with a KT renewer command for keeping its Kerberos ticket up to date. It is even run automatically when using CM.

IBM WebSphere Portal & multiple Active Directories with trusted relationship

There are two Active Directory user registries with a trusted relationship, where users of one directory are included in the groups of another directory. I need to configure IBM WebSphere Portal 6.1 on WAS7 so that it uses those related directories. But when a federated repository is configured and I try to find users via a group, there are only those users who are in the same directory as the group. It works as if they were independent registries without a trusted relationship.
Is it possible to configure the portal server so that it understands the trusted relationship of the user registries?
The solution was the usage of Global LDAP search port 3268 (3269) instead of the default LDAP ports 389 (636) and a standalone repository.
Enable following referrals for both WAS security settings and WIM. You will have to edit security.xml and wimconfig.xml manually to accomplish all required changes.

Linking an LDAP server to Windows AD as an ACL solution

We are trying to develop an ACL solution that would cater for both internal users (currently managed through Windows AD which is outside of the scope of the project) and external users. The idea is to have a new LDAP server, another Windows AD or non-AD server such as openldap, that will be used to manage external users and all groups that are to be used for the ACL.
A referral to the internal Windows AD would then be set up so that authentication would work for both internal and external accounts, and group membership in the groups defined in the new LDAP server would be open to both internal and external accounts.
The problem is to get the referral working. First, following this document http://technet.microsoft.com/en-us/library/cc978014.aspx (under "Creating an External Cross-Reference for an Internal Location"), it seems you need to have the external LDAP server in the same domain as the internal one. This seems to be a problem, at least when using Windows AD as the external server as well.
Also, due to security restrictions in place, trust relationships cannot be created such that internal users can be added as members of groups created in the external server. So is there a way around this? Is it better to use openldap rather than Windows AD for the external server?
Any pointers would be much appreciated.
Cheers
#Haddad, the example you pointed out never mentioned that the external server has to be in the same domain. The requirement is that the dnsRoot should be resolvable by your DNS.
Have a look at this http://support.microsoft.com/kb/241737
Where the AD runs yourdomain.msft and the referral server runs in mydomain.msft
