What's new in authentication and authorization management in RHEL 6.4
Andrey Markelov
RHCA
Red Hat, Presales Solution Architect
Slide 2: Integration
• Authentication
  • Who handles authentication?
• User information
  • How does the system know which user to take?
  • How are AD accounts mapped to POSIX?
• Name resolution and service discovery
  • How does the system find the authentication servers and the user database?
• Policy management
  • How are policies applied to users and systems?
Slide 3: Problem statement
• Most companies run AD
• One way or another, access to AD is needed
• AD is often the corporate standard
• DNS is often integrated into AD
Slide 4: Integration using third-party solutions
[Diagram: AD (KDC, LDAP, DNS) and a Linux system running a 3rd-party client for Authentication and a 3rd-party plugin that delivers Policies via GPO; the Linux side needs Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: authentication can use LDAP or Kerberos; ID mapping is implementation specific or uses SFU/IMU extensions in AD; the client may also use native AD protocols.]
Slide 5: Third-party solutions: pros and cons
• Pros
  • All management from a single console
• Cons
  • Requires yet another vendor
  • Additional cost for every system
  • Limits the independence of the UNIX/Linux environment
  • Requires installing additional software on the AD side
Slide 6: The legacy integration variant
[Diagram: AD (KDC, LDAP, DNS) and a Linux system talking LDAP/KRB directly for Authentication; the Linux side needs Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: authentication can use LDAP or Kerberos; ID mapping uses SFU/IMU extensions in AD; policies are delivered via configuration files managed locally or via a config server like Puppet; AD can be extended to serve basic sudo and automount.]
Slide 7: The legacy variant: pros and cons
• Pros:
  • Free
  • No third-party vendor needed
  • Intuitive and "transparent"
• Cons:
  • Requires SFU/IMU
  • No centralized policy management
  • Hard to configure
Slide 8: The traditional variant
[Diagram: AD (KDC, LDAP, DNS) and a Linux system using Winbind for Authentication; the Linux side needs Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: authentication can use LDAP or Kerberos; maps AD SIDs to POSIX attributes; joins the system into the AD domain; uses native AD protocols; policies are delivered via configuration files managed locally or via a config server like Puppet; AD can be extended to serve basic sudo and automount.]
Slide 9: The traditional variant: pros and cons
• Pros:
  • Widely known
  • No third-party vendor required
  • Does not require SFU/IMU
  • Trust relationships between domains
• Cons:
  • Can only connect to AD
  • There may be stability problems
Slide 10: The modern variant (RHEL 6.4)
[Diagram: AD (KDC, LDAP, DNS) and a Linux system using SSSD for Authentication; the Linux side needs Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: authentication can use LDAP or Kerberos; can map AD SIDs to POSIX attributes; can join the system into the AD domain; policies are delivered via configuration files managed locally or via a config server like Puppet; AD can be extended to serve basic sudo and automount.]
Slide 11: The modern variant: pros and cons
• Pros:
  • No third-party vendor required
  • Does not require SFU/IMU (RHEL 6.4)
  • Trust relationships between domains in IPA (RHEL 6.4)
  • Looks more stable than Winbind
• Cons:
  • Does not support trust relationships in AD (1.10)
  • Does not support some advanced AD functionality (1.10)
Slide 12: Comparison

| Feature                             | LDAP/KRB | Winbind           | SSSD                                                                    |
|-------------------------------------|----------|-------------------|-------------------------------------------------------------------------|
| Authenticate using Kerberos or LDAP | Yes      | Yes               | Yes                                                                     |
| Identities are looked up in AD      | Yes      | Yes               | Yes                                                                     |
| Requires SFU/IMU                    | Yes      | No                | Yes until SSSD 1.9                                                      |
| ID mapping                          | None     | Multiple ways     | One way starting SSSD 1.9 (RHEL 6.4)                                    |
| System is joined into AD            | Manual   | Has join utility  | Samba join utility needs to be used (realmd project makes it easy)      |
| Supports multiple AD domains        | No       | Yes               | Will in SSSD 1.10                                                       |
| Supports heterogeneous domains      | No       | No                | Yes                                                                     |
| Support advanced AD features        | No       | Yes               | Some                                                                    |
| Reliability                         | High     | Medium            | High                                                                    |
| Community                           | N/A      | Hard to deal with | Friendly                                                                |
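The "one way" of ID mapping that the table credits to SSSD 1.9 is algorithmic: the domain part of the SID is hashed to pick a slice of a large ID range and the RID becomes the offset inside that slice, which is why SFU/IMU attributes are no longer needed. The Python below is an added model of that scheme, not SSSD's own code; it assumes the defaults I understand sss_idmap to use (range 200000 to 2000200000, slice size 200000, MurmurHash3 x86_32 with seed 0xdeadbeef), omits SSSD's slice-collision handling, and the SIDs are constructed.

```python
# Added model of SSSD-style algorithmic SID -> POSIX ID mapping; not SSSD's own code.
# Assumed defaults (as I understand sss_idmap): ID range 200000..2000200000, slice
# size 200000, MurmurHash3 x86_32 of the domain SID string with seed 0xdeadbeef.
MASK32 = 0xFFFFFFFF

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Reference MurmurHash3 x86_32 (public-domain algorithm by Austin Appleby)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # body: 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        k = (k * c2) & MASK32
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK32
        h = (h * 5 + 0xE6546B64) & MASK32
    tail, k = data[4 * nblocks:], 0               # remaining 1..3 bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = ((k << 15) | (k >> 17)) & MASK32
        h ^= (k * c2) & MASK32
    h ^= len(data)                                # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)

def sid_to_posix_id(sid: str, range_min: int = 200000,
                    range_max: int = 2000200000, range_size: int = 200000) -> int:
    """Domain SID hash picks a slice of the range; the RID is the offset inside it."""
    if not sid.startswith("S-1-5-21-"):           # only domain object SIDs are mapped
        raise ValueError("not a domain object SID")
    domain_sid, rid_str = sid.rsplit("-", 1)
    rid = int(rid_str)
    if rid >= range_size:
        raise ValueError("RID does not fit in one slice")
    max_slices = (range_max - range_min) // range_size
    slice_num = murmur3_32(domain_sid.encode(), 0xDEADBEEF) % max_slices
    return range_min + slice_num * range_size + rid

# Constructed sample SIDs (not a real domain): same domain, user RID 1105, group RID 513.
USER_SID, GROUP_SID = ("S-1-5-21-1234567890-987654321-1122334455-1105",
                       "S-1-5-21-1234567890-987654321-1122334455-513")
```

Because the result depends only on the domain SID and the range parameters, hosts with different ldap_idmap_range_min/ldap_idmap_range_max/ldap_idmap_range_size settings assign different IDs to the same user; keep them identical across the fleet or file ownership on shared storage and access decisions become inconsistent.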
Slide 13: Limitations of direct integration with AD
• No policy management
• CALs remain
• Linux/UNIX administrators lose control over the environment
Slide 14: IdM
[Diagram: IdM Core (Directory Server, Kerberos KDC, NTP, DNS, CA, Management framework, WEBUI); Managed host (client) with ipa-client, SSSD, Certmonger and nss_ldap; Management Station with CLI and Browser. Labelled links: Configures (ipa-client to the client components); Authentication; Name lookups and service discovery; Cert tracking & provisioning; Other maps; Enrollment & un-enrollment; Management of Users, Groups, Netgroups, HBAC.]
Slide 15: IdM-based integration (recommended)
[Diagram: AD (KDC, LDAP, DNS), IdM (KDC, LDAP, DNS) and a Linux system using SSSD for Authentication, Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: policies are centrally managed over LDAP; a DNS zone is delegated by AD to IdM to manage the Linux environment; name resolution and service discovery queries are resolved against IdM; users are synchronized from AD to IdM.]
Slide 16: Integration through IdM: pros and cons
• Pros:
  • No third-party vendor
  • Centralized policy management
  • Control stays with the Linux administrators
• Cons:
  • Requires synchronization of users and passwords
  • Authentication does not happen in AD
  • Requires additional, correct DNS configuration
Slide 17: IdM-based integration (split brain)
[Diagram: AD (KDC, LDAP, DNS), IdM (KDC, LDAP, DNS) and a Linux system using SSSD for Authentication, Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: policies are centrally managed over LDAP; a DNS zone is delegated by AD to IdM to manage the Linux environment; name resolution and service discovery queries are resolved against IdM; users are synchronized from AD to IdM; requires changes to config files after installation and initial client enrollment.]
Slide 18: "Split Brain": pros and cons
• Pros:
  • All authentication happens in AD
• Cons:
  • Manual configuration
Slide 19: IdM: trust relationships (RHEL 6.4)
[Diagram: AD (KDC, LDAP, DNS), IdM (KDC, LDAP, DNS) and a Linux system using SSSD for Authentication, Identities, Name resolution and Policies (sudo, hbac, automount, selinux). Callouts: policies are centrally managed over LDAP; the domains trust each other, users stay where they are, no synchronization needed; a DNS zone is delegated by AD to IdM to manage Linux systems, or IdM has an independent namespace; client software connects to the right server depending on the information it needs.]
Slide 20: Trust relationships: pros and cons
• Pros:
  • Cost: no CALs and no third-party vendor
  • Centralized policy management
  • Control stays with the Linux administrators
  • No synchronization needed
  • Authentication happens in AD
• Cons:
  • Requires correct DNS configuration
  • Requires the latest version of SSSD
Thank you!
Andrey Markelov
andrey@redhat.com
twitter.com/amarkelov
