NIS to Active Directory

Last Post: 30 June 2017
BrianB posted this 29 June 2017

I have some Unix folks that want to start using AD for authentication and SSSD. They were previously using a NIS server and want to migrate that information over to AD. The NIS server for AD is deprecated and we are unlikely to install it for the migration because of that. I was told by the UNIX admin that all they want is for the available NIS attributes to be modified on the objects in AD, and that we don't need to install the NIS server for AD.

However, we can see that the schema contains the NIS* object classes since we installed the support for Unix in our AD. I still cannot see those NIS* attributes on any object in AD. If I look at the User object class, I can add NISMap and NisNetgroup as possible Superior object classes. But I am not sure that is the correct approach to make these attributes available for user objects, as not all users will require the NIS mapping attributes. I don't want to affect an entire class for one department. Could someone offer me advice on how to expose the NISMap and NISNetGroup attributes for AD objects? I have never really worked with NIS before.

Thanks,

Brian Britt, CISSP, MCSE, MCSA, CompTIA Security+ CE

jeremyts posted this 29 June 2017

Hi Brian,

It's probably best to get them to clarify the integration they want.

NIS integration is not used, needed, or recommended. But when it comes to Active Directory you do need to initiate it to "complete" the UNIX integration for the POSIX attributes. This is due to legacy code from Microsoft.

Red Hat have the SSSD integration options nicely documented here:

https://access.redhat.com/documentation/en-US/RedHatEnterpriseLinux/7/html/WindowsIntegrationGuide/sssd-ad-integration.html

The full guide is here:

https://access.redhat.com/documentation/en-US/RedHatEnterpriseLinux/7/html/WindowsIntegrationGuide/index.html

https://access.redhat.com/documentation/en-US/RedHatEnterpriseLinux/7/pdf/WindowsIntegrationGuide/RedHatEnterpriseLinux-7-WindowsIntegrationGuide-en-US.pdf

Generally speaking, in the corporate world most integrations that I see and get involved in nowadays tend to be Winbind. However, when it comes to a University this may not provide the outcome required for those that teach Computer Science, etc., so SSSD with the POSIX attributes may be the way to go.

Ultimately, they need to understand all integration methods and the pros and cons of each. If they want the POSIX integration, I can provide information to assist, but will wait for your response.

Cheers,

Jeremy

BrianB posted this 29 June 2017

Just got out of a meeting with the Unix folks that are requesting the below. They have been using a NIS server in their environment for many years and are stating that they really want to do things more securely and stop being that one-off group running something that Central DS can do for them. They just need to map the NIS to AD.

1. They agree that we will not install NIS Server for AD.

2. They want to be able to create NISMap, NISNetgroup, and NISObjects in their own OU in AD.

I can see these object classes in the schema by way of installing the Services for Unix. Additionally, I can grant the rights to create / delete NIS objects in their OU to a security group. I can't, however, figure out how these objects are created, unless it still requires the NIS server for AD. I discussed the option of using some sort of LDIF import but I just don't think that is the correct path to make this work.

Since I have never had to do this before, I did some research and everything I find requires or relates to installing NIS for AD. So, how are these objects created and maintained?

Brian Britt

jeremyts posted this 30 June 2017

They are still focused on NIS and I think this is unnecessary. And NIS has been dead and buried for years. All the necessary classes and attributes are already present in the Windows Server 2003 R2 and later

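An added example, not code from Jeremy's or Brian's posts, showing how the RFC 2307 attributes and NIS object classes that ship in the Windows Server 2003 R2 and later schema can be populated directly with the ActiveDirectory PowerShell module, with no NIS Server for AD role installed. The OU `OU=Unix,DC=example,DC=com`, the user `jdoe`, the group `unix-users`, the netgroup `cs-lab`, the map `auto.home` and the NFS server name are all made-up values; placing the `nisObject` under its `nisMap` container is an assumption about the schema's allowed superiors, so check it against your own forest before relying on it.

```powershell
# Added example, not from the thread. Everything below is hypothetical:
# the OU, user, group, netgroup, map name and NFS server are made up.
# Requires the RSAT ActiveDirectory module and create/write rights on the OU.
Import-Module ActiveDirectory

$unixOU = 'OU=Unix,DC=example,DC=com'   # hypothetical OU delegated to the Unix team

# 1. POSIX identity on an existing user. uidNumber, gidNumber, unixHomeDirectory,
#    loginShell and gecos are already optional attributes of the user class in
#    the 2003 R2+ schema, so no superior-class or schema change is needed.
Set-ADUser -Identity 'jdoe' -Replace @{
    uidNumber         = 10001
    gidNumber         = 10001
    unixHomeDirectory = '/home/jdoe'
    loginShell        = '/bin/bash'
    gecos             = 'Jane Doe'
}

# 2. POSIX primary group: the group class carries gidNumber the same way.
Set-ADGroup -Identity 'unix-users' -Replace @{ gidNumber = 10001 }

# 3. A netgroup. nisNetgroup is a structural class, so it is created as an
#    ordinary object in the OU; each triple is (host,user,domain).
New-ADObject -Name 'cs-lab' -Type 'nisNetgroup' -Path $unixOU -OtherAttributes @{
    nisNetgroupTriple = @('(lab01,jdoe,example.com)', '(lab02,jdoe,example.com)')
}

# 4. A NIS map with one entry (an automount map here). Assumption: nisObject
#    entries are created under the nisMap container they belong to.
New-ADObject -Name 'auto.home' -Type 'nisMap' -Path $unixOU -OtherAttributes @{
    nisMapName = 'auto.home'
}
New-ADObject -Name 'jdoe' -Type 'nisObject' -Path "CN=auto.home,$unixOU" -OtherAttributes @{
    nisMapName  = 'auto.home'
    nisMapEntry = '-rw,soft nfs01.example.com:/export/home/jdoe'
}

# 5. Read back what an SSSD client with ldap_id_mapping = False will see.
Get-ADUser -Identity 'jdoe' -Properties uidNumber, gidNumber, unixHomeDirectory, loginShell |
    Select-Object SamAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell

Get-ADObject -Filter 'objectClass -eq "nisNetgroup"' -SearchBase $unixOU -Properties nisNetgroupTriple |
    Select-Object Name, nisNetgroupTriple

# 6. AD does not enforce uniqueness of uidNumber/gidNumber. Two accounts sharing
#    a uidNumber are the same Unix user on every client, so check before go-live.
Get-ADUser -Filter 'uidNumber -like "*"' -Properties uidNumber |
    Group-Object uidNumber | Where-Object Count -gt 1 |
    Select-Object Name, Count
```

Two practitioner notes. First, for SSSD to use these values rather than synthesising IDs from the SID, the `[domain/...]` section of `sssd.conf` needs `ldap_id_mapping = False`; the Red Hat guide linked above covers the rest of that configuration. Second, the create/delete rights Brian mentions can be delegated for the `nisNetgroup`, `nisMap` and `nisObject` child classes on that one OU only, which keeps the Unix team's authority scoped without touching any class definition in the schema.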

BrianB posted this 30 June 2017

Jeremy,

This is great information. Thank you! I will try this out in my isolated environment.

Thank you again,

Brian Britt