Active Directory Migration

We are making changes to our authentication scheme in an effort to further simplify our computing environment. This will make things easier for users on our systems, and easier to maintain both now and in the future.

Up until now our Linux and Windows domains have been separate. Despite the fact that your accounts share file storage, these identities don't share any real information. This means that if you change your password in Windows, your Linux password has not changed. Similarly, if you are added to a Unix/Linux group, there is no corresponding Windows group. This makes file permissions difficult to manage.

We have been working on converting our Linux systems to authenticate against our Active Directory servers. Active Directory (AD) is a widely used Microsoft product for identity management. Thanks to software from open source projects like Samba and FreeIPA, as well as Red Hat, Linux now has reliable, enterprise-ready support for Active Directory.

Do you know your “Windows” password?

Our hope is that this move will have little effect on our users. However, there is one thing you need to be aware of: after these changes go live, the password that you use to log into Linux systems will no longer work. When you first received your CS account, your “packet” came with your username and password. At first this password worked on both Windows and Linux domains; however, most people have since changed their password(s).

If you have not changed both Windows and Linux passwords at the same time, then they are out of sync, which means you may not know your Windows password. In that case you will not be able to log in after we have moved to AD on our Linux systems.

We have already changed to authenticate against AD. This means you can try logging in (via ssh) to power4 and test your password. If you are unable to log in, you will need to submit a ticket to asking to have your password reset. We will then give you a temporary password. The first time you log in with this password, you will be asked to set a new password.

After you are logged in to power4, feel free to run programs, submit jobs to SLURM, edit files in your home directory, etc. You can help us test by trying out tasks that you would typically perform on a day-to-day basis. If you encounter any issues, please let us know so we can fix any bugs before moving forward. The one thing to note is that we are not finished re-creating Linux groups in AD. This means that you may not have permissions to edit/view files owned by a group that you are a member of. However, this is only temporary and will be fixed soon.

