Joining Linux servers to an AD domain

Verge

Is there any real advantage of doing this? All you really get is login credentials, correct?
 
From Red Hat: "Windows integration can mean very different things, depending on the desired interaction between the Linux environment and the Windows environment. It could mean that individual Linux systems are enrolled into a Windows domain, it could mean that a Linux domain is configured to be a peer to the Windows domain, or it could simply mean that information is copied between environments."

https://access.redhat.com/documenta...l/Windows_Integration_Guide/introduction.html
https://access.redhat.com/documenta...e_Linux-7-Windows_Integration_Guide-en-US.pdf
https://www.suse.com/documentation/sles11/book_security/data/cha_ad.html
 
One of the main things I use it for is authentication and authorization - leverage AD groups/users in Linux.
Ex. Allow only certain groups of users to log in. That could free up administration tasks so that you don't have to log into the machine, make a user, add them to a group, blah blah blah. You could delegate it to your helpdesk to just add them to the LinuxDevelopers group in ADUC and they'll be good. Things like that.

You can also use them on the filesystem for ownership/permissions like you would normally use Linux groups.

It also becomes useful if you set up a Samba share.
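As an added example (not part of the post above), here is one way to check that a joined host actually restricts logins to an AD group such as LinuxDevelopers. It assumes SSSD is the client doing the join, which the thread does not state; the domain names and the sample config are constructed.

```python
import configparser

# Constructed sample sssd.conf (domain names are placeholders).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example.com, lab.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = LinuxDevelopers, LinuxAdmins

[domain/lab.example.com]
id_provider = ad
"""

def _split(value):
    """Split a comma-separated sssd.conf list into clean items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_login_access(conf_text):
    """Map each [domain/...] section to (status, detail).

    status is 'restricted' (allow list present), 'open' (everyone the
    domain resolves can log in) or 'review' (provider-specific rules).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        # SSSD treats a missing access_provider as "permit".
        provider = opts.get("access_provider", "permit").strip().lower()
        allowed = (_split(opts.get("simple_allow_groups", ""))
                   + _split(opts.get("simple_allow_users", "")))
        if provider == "permit":
            result = ("open", "access_provider is permit")
        elif provider == "simple":
            # The simple provider with no allow list grants access to all.
            result = ("restricted", allowed) if allowed else ("open", "no allow list")
        else:
            result = ("review", f"access_provider = {provider}")
        findings[section[len("domain/"):]] = result
    return findings

if __name__ == "__main__":
    for domain, (status, detail) in audit_login_access(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {status} ({detail})")
```

On a real host the input would be the contents of /etc/sssd/sssd.conf, which is readable only by root.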
 
So, this thread actually brings up something I've been curious about. If I were to have a mixed environment of Windows and Linux workstations, what is the best way to implement group policies? Now, I'm certain Linux calls them something other than this, but at the server level what would be the best way to deploy a domain controller that can issue group policies to Windows clients, and then the equivalent to Linux clients? I've honestly never administered a Linux DC before, and my only experience in that area is with Windows Server based DCs.
 
I haven't really seen anything attempting to read GPOs and translate them into some sort of Linux configuration. Usually you'll use a separate configuration management system or approach like Puppet, SaltStack, The Foreman/Katello, Spacewalk, or Ansible (certainly forgetting a few).

They're not all comparable and have different features/roles on their brochure. Some focus on lifecycle management, some configuration management, others task automation.
 
Is there any real advantage of doing this? All you really get is login credentials, correct?
My team uses Linux with AD auth and fs permissions on the file servers (as well as many other backend places). Have for over 15 years, and have never had cause to regret it (although we have had cause to regret using QuickBooks... but then I imagine most administrators feel the same).
 
I think the main benefit is one account to rule them all. But from a sysadmin's perspective that provides many benefits. You can integrate the AD credentials with 2-factor auth, email, login, administration, many enterprise integrated apps (Skype, Slack, Git, etc.), software deployment/upgrades. It also helps a lot for replicating environments if you or your users are maintaining or working on multiple servers, all with dev, test, stage, prod instances. Don't get me wrong, you can do all of that without AD, but administration from one centralized location is so much easier and cleaner.
 
Thanks for the input, time to learn some Ansible.
 