Active Directory Accounts
Active Directory accounts are managed by the AD server. The host maintains no local entries for them.
System Security Services Daemon (SSSD) is generally used by RHEL for AD-based authentication.
SSSD is not limited to AD; the following combinations are supported [1].
Identity Provider | Authentication Provider |
---|---|
Identity Management | Identity Management |
Active Directory | Active Directory |
LDAP | LDAP |
LDAP | Kerberos |
Proxy | Proxy |
Proxy | LDAP |
Proxy | Kerberos |
SSSD does not create user accounts on the local system. However, SSSD can be configured to create home directories for IdM users. Once created, an IdM user's home directory and its contents on the client are not deleted when the user logs out [1].
SSSD maintains a local cache of the users that have attempted to log on to the local system.
UID/GID for AD Users
Windows identifies accounts by security identifiers (SIDs), which are incompatible with Linux UIDs and GIDs. SSSD autogenerates the UID and GID from the SID when the user logs on to a Linux host for the first time. This information is cached as mentioned above. Note that the UID generated from a SID is always the same.
ID mapping can be disabled. Disable it when the POSIX attributes defined in AD are to be used instead.
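Why the same SID always yields the same UID, shown as an added example (not SSSD's own code and not from the original page): it models the algorithmic mapping described in sssd-ldap(5), where the domain SID is hashed to pick an ID slice and the RID is the offset inside it. The default `ldap_idmap_range_*` values and the hash seed `0xdeadbeef` are assumptions, and the SIDs are constructed.

```python
# Model of SSSD's algorithmic SID -> UID mapping (added example, not SSSD code).
# Assumed: default ldap_idmap_range_* values and the 0xdeadbeef hash seed.
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200_000, 2_000_200_000, 200_000
SEED = 0xDEADBEEF
M32 = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & M32


def _mix_k(k):
    return _rotl(k * 0xCC9E2D51 & M32, 15) * 0x1B873593 & M32


def murmur3_32(data: bytes, seed: int) -> int:
    """MurmurHash3, x86 32-bit variant."""
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        h = (_rotl(h ^ _mix_k(k), 13) * 5 + 0xE6546B64) & M32
    tail = data[4 * nblocks:]
    if tail:
        h ^= _mix_k(int.from_bytes(tail, "little"))
    h ^= len(data)
    h ^= h >> 16
    h = h * 0x85EBCA6B & M32
    h ^= h >> 13
    h = h * 0xC2B2AE35 & M32
    return h ^ (h >> 16)


def sid_to_uid(sid: str) -> int:
    """Map a user SID to a UID using the domain's primary slice only."""
    domain_sid, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)                      # ValueError on a malformed SID
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} does not fit in the primary slice")
    slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE   # 10000 with the defaults
    slice_no = murmur3_32(domain_sid.encode(), SEED) % slices
    return RANGE_MIN + slice_no * RANGE_SIZE + rid


if __name__ == "__main__":
    # Constructed SIDs: two users in one domain, one user in another domain.
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1104",
                "S-1-5-21-1111111111-2222222222-3333333333-1105",
                "S-1-5-21-1234567890-1234567890-1234567890-1104"):
        print(sid, "->", sid_to_uid(sid))
```

The result is reproducible across hosts only when they share the same range settings. If two domains hash to the same slice, SSSD takes the next free slice, so the mapping then depends on the order in which the domains are encountered, which this example does not model.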