Active Directory Migration

We are making changes to our authentication scheme in an effort to further simplify our computing environment. This will make things easier for users on our systems, and easier to maintain both now and in the future.

Up until now our Linux and Windows domains have been separate. Despite the fact that your accounts share file storage, these identities don't share any real information. This means that if you change your password in Windows, your Linux password has not changed. Similarly, if you are added to a Unix/Linux group, there is no corresponding Windows group. This can make file permissions difficult to manage.

If you are exclusively a Windows/macOS user, this should not affect you.

We have been working on converting our Linux systems to authenticate against our Active Directory servers. Active Directory (AD) is a widely used Microsoft product for identity management. Thanks to software from open source projects like Samba and FreeIPA, as well as Red Hat, Linux now has reliable, enterprise-ready support for Active Directory.

We have determined what is needed to accomplish this goal and already have a number of Linux systems configured under this new model. We are working on testing these systems to be sure that the new system does everything we need without causing issues elsewhere. After testing is complete, we will begin to roll out the migration in stages, working through groups of servers and desktops one step at a time.

Do you know your “Windows” password?

Our hope is that this move will have little effect on our users. However, there is one thing you need to be aware of: after these changes go live, the password that you use to log into Linux systems will no longer work. When you first received your CS account, your “packet” came with your username and password. At first this password worked on both the Windows and Linux domains; however, most people have since changed their password(s).

If you have not changed both Windows and Linux passwords at the same time then they are out of sync, which means you may not know your Windows password. This means you will not be able to log in after we have moved to AD on our Linux systems.

This will not affect your file storage/home directories. After the change you will still have the same numerical user id (uid) and group id (gid) in Linux. This is important so that you still “own” your files after the migration.

We have already changed power4.cs.virginia.edu to authenticate against AD. This means you can try logging in (via ssh) to power4 and test your password. If you are unable to log in, you will need to submit a ticket to cshelpdesk@virginia.edu asking to have your password reset. We will then give you a temporary password. The first time you log in with this password, you will be asked to set a new password.

After you are logged in to power4, feel free to run programs, submit jobs to SLURM, edit files in your home directory, etc. You can help us test by trying out tasks that you would typically perform on a day-to-day basis. If you encounter any issues, please let us know so we can fix any bugs before moving forward.

  • ad_migration.txt
  • Last modified: 2018/08/16 13:53
  • by ktm5j