Re: [Veritas-bu] NBAC with AD-originated UNIXPWD Groups (RHEL Master Server)
2011-08-18 07:59:53
We use Quest Authentication Services, and
it has the ability to put a dummy entry in the passwd and group files for
the AD-enabled users and groups. This has a tendency to create havoc
with other things, but for something like this, it may work. In QAS,
it's called merging. In LikeWise, you may have to talk to them and
see if they do something similar.
From: thjones2 <nbu-forum AT backupcentral DOT com>
To: VERITAS-BU AT MAILMAN.ENG.AUBURN DOT EDU
Date: 08/17/2011 10:01 PM
Subject: [Veritas-bu] NBAC with AD-originated UNIXPWD Groups (RHEL Master Server)
Sent by: veritas-bu-bounces AT mailman.eng.auburn DOT edu
I'm attempting to get NBAC configured as part of a
large NBU 7.x rollout. I'm running my NBU master on RHEL 5.6 server. The
RHEL server is configured, via LikeWise, to do central user authentication/management
through Active Directory. As far as getting NBAC to use AD-managed users
through the UNIXPWD entry point (such that NBAC calls the OS native authentication
system, which, by way of PAM and LikeWise pulls user/authentication data
from Active Directory), everything works. I can add my AD userid into NBAC.
However, if I try to use the "O.S. Group" option, while NBAC
seems happy to use users that show up in /etc/group, it's being pissy about
the AD-managed groups: it allowed me to add the "wheel" group
(GID 10 in /etc/passwd) to the NBAC group using the "O.S. Group"
method; however, when I tried to add "san^admins" or "netbackup-tier3"
(AD-managed groups) I get the error message saying it's not a valid group.
I used getent() to verify that I wasn't fat-fingering the groups
or otherwise passing them incorrectly to NBAC.
This would be a lot less confusing if NBAC was refusing non-locally managed
users through the UNIXPWD module, but, that's not the case. It seems to
only be a groups issue (and only non-local groups). While I could do my
NBAC role-management via individually enumerated users, it makes it a HUGE
pain in the ass to do so, particularly if I've got more than one
NBU master per network. Being able to create an AD-managed group and then
map NBAC roles/groups to those (now) OS-level groups would make NBAC a
lot less onerous to manage.
Any suggestions or such would be greatly appreciated. Even if it's something
as simple as "NBAC doesn't support groupnames longer than X characters",
I could shoehorn my AD groupnames into compliant name-lengths, I just need
to know what the maximum is.
+----------------------------------------------------------------------
|This was sent by backupcentral AT xanthia DOT com via Backup Central.
|Forward SPAM to abuse AT backupcentral DOT com.
+----------------------------------------------------------------------
_______________________________________________
Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
"PLEASE NOTE: The preceding information may be confidential or
privileged. It only should be used or disseminated for the purpose
of conducting business with Parker. If you are not an intended
recipient, please notify the sender by replying to this message and
then delete the information from your system. Thank you for your
cooperation."
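The poster's diagnosis step (checking with getent that the AD groups resolve) and the reply's point about "merging" directory groups into the passwd/group files both come down to one distinction: a group that exists only in NSS versus one that is physically present in /etc/group. The script below is an added example and is not from either message or from Veritas, Quest or Likewise; it takes /etc/group-style text plus a resolver (defaulting to the running system's NSS stack, the same path getent uses) and reports, per group, whether it is local, NSS-only, or unresolvable, and whether the name would pass the default portable-name pattern that shadow-utils' groupadd enforces. That last check is an assumption on my part about what a strict consumer might reject; the thread does not say what NBAC actually validates. The sample group file and the SAMPLE_NSS table are constructed for the example.

```python
"""Added example: tell "defined in /etc/group" apart from "resolvable only
through NSS" and flag naming properties worth checking when a tool rejects
a directory-sourced group. Not code from the thread or from any vendor."""
import grp
import re
from typing import Callable, Dict, Optional

# Constructed sample of /etc/group. Only local groups live here; groups that
# Likewise/QAS serve from Active Directory are absent unless the product
# "merges" them in, as the reply describes for QAS.
SAMPLE_ETC_GROUP = """\
root:x:0:
wheel:x:10:admin
"""

# Constructed stand-in for what NSS (getent group / getgrnam) would return
# on a host like the poster's: local groups plus two AD-served groups.
SAMPLE_NSS: Dict[str, int] = {
    "root": 0,
    "wheel": 10,
    "san^admins": 50001,
    "netbackup-tier3": 50002,
}

# Default name pattern accepted by shadow-utils' groupadd (assumption: a strict
# consumer might apply something similar; the page does not say NBAC does).
PORTABLE_GROUP_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def parse_group_file(text: str) -> Dict[str, int]:
    """Map group name -> GID from /etc/group-style text; skip blanks, comments, junk."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: ignore rather than abort the whole check
        groups[fields[0]] = int(fields[2])
    return groups


def nss_lookup(name: str) -> Optional[int]:
    """Resolve a group through the live NSS stack (same path as `getent group`)."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def diagnose(name: str, group_text: str,
             resolver: Callable[[str], Optional[int]] = nss_lookup) -> dict:
    """Collect the facts that distinguish local, NSS-only and missing groups."""
    local = parse_group_file(group_text)
    return {
        "name": name,
        "local_gid": local.get(name),
        "nss_gid": resolver(name),
        "portable_name": bool(PORTABLE_GROUP_NAME.match(name)),
        "length": len(name),
    }


def classify(d: dict) -> str:
    """'local' (in the file), 'nss-only' (directory-sourced) or 'unresolvable'."""
    if d["nss_gid"] is None and d["local_gid"] is None:
        return "unresolvable"
    if d["local_gid"] is None:
        return "nss-only"
    return "local"


def explain(d: dict) -> str:
    """Human-readable line for one group, with the naming caveats appended."""
    kind = classify(d)
    text = {
        "unresolvable": "not resolvable at all (typo, or NSS not serving it)",
        "nss-only": "resolvable only via NSS (directory-sourced); anything that "
                    "reads /etc/group directly will not see it",
        "local": "present in /etc/group (gid %s)" % d["local_gid"],
    }[kind]
    notes = []
    if not d["portable_name"]:
        notes.append("name has characters outside [a-z0-9_-]")
    if d["length"] > 32:
        notes.append("name longer than 32 chars")
    return "%s: %s%s" % (d["name"], text, ("; " + ", ".join(notes)) if notes else "")


if __name__ == "__main__":
    # Offline run against the constructed data; swap in nss_lookup and the
    # real file contents to check a live host.
    for g in ("wheel", "san^admins", "netbackup-tier3", "nosuchgroup"):
        print(explain(diagnose(g, SAMPLE_ETC_GROUP, SAMPLE_NSS.get)))
```

On a live host, replace SAMPLE_NSS.get with the default nss_lookup and feed it the real /etc/group; a group that comes back "nss-only" is exactly the case the reply's "merging" feature addresses, because merging turns it into a "local" one without changing how users authenticate.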