AD Bridge Enterprise Operations Best Practices

SSH Logons

Because AD Bridge Enterprise canonicalizes NT4-style and UPN-style logon names to the chosen display method (alias, short, or long name), users should be encouraged to use the same username on Windows and Unix systems. This keeps the logon name simple for the end user, and gives anyone troubleshooting a clear indication of the specific AD user in question, as well as confirmation that the account is an AD user. Users will still be presented with their alias name once logged into the server.

Lookups and Configuration

Many Unix applications, such as sudo and chown, look up AD users through the AD Bridge-provided interfaces. Wherever possible, best practice is to configure these applications to use the canonical (displayed or alias) name for all lookups, rather than the NT4-style or UPN-style names that AD Bridge also understands.

Operating System Patching and Upgrades

When any Unix operating system is upgraded or patched, it is highly likely that AD Bridge-related files will be changed. For example, RPM-based Linux systems overwrite the PAM configuration of any package that uses PAM when that package is upgraded.

We recommend that the computer be fully rejoined to the domain after each OS upgrade. Minor patches that only affect the PAM or nsswitch.conf configuration can be followed with the domainjoin-cli configure command. In all cases, OS upgrades and patches should be tested for compatibility with the AD Bridge configuration changes before company-wide rollout.
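The following script is an added example, not part of the AD Bridge documentation or product, showing one way to verify after a patch cycle that the PAM and nsswitch hooks described above are still in place and, if not, which domainjoin-cli configure subcommand to re-run. It assumes that AD Bridge registers its NSS module as "lsass" in nsswitch.conf and its PAM module as pam_lsass.so, and that "domainjoin-cli configure --enable nsswitch" and "--enable pam" re-apply those settings; it exercises the check against constructed sample files in a temporary directory rather than the live system.

```shell
#!/bin/sh
# Post-patch check for AD Bridge hooks. Added example, not AD Bridge tooling.
# Assumptions: NSS module name "lsass" in nsswitch.conf, PAM module
# pam_lsass.so, and domainjoin-cli configure --enable {nsswitch|pam} as the
# repair step. Paths are passed in so the check can run against samples.

# Returns 0 if both the passwd and group databases list lsass.
nss_intact() {
  _nss="$1"
  for _db in passwd group; do
    grep -Eq "^[[:space:]]*${_db}:.*(^|[[:space:]])lsass([[:space:]]|$)" "$_nss" \
      || return 1
  done
  return 0
}

# Returns 0 if any PAM service file in the given directory loads pam_lsass.so.
pam_intact() {
  _pamdir="$1"
  grep -lq 'pam_lsass\.so' "$_pamdir"/* 2>/dev/null
}

# Reports each hook and prints the repair command for any that is missing.
# Returns 1 if either hook is gone, so it can gate a rollout script.
adbridge_check() {
  _nss="$1"; _pamdir="$2"; _rc=0
  if nss_intact "$_nss"; then
    echo "OK   nsswitch: lsass present for passwd and group"
  else
    echo "FAIL nsswitch: lsass missing -> domainjoin-cli configure --enable nsswitch"
    _rc=1
  fi
  if pam_intact "$_pamdir"; then
    echo "OK   pam: pam_lsass.so referenced"
  else
    echo "FAIL pam: pam_lsass.so missing -> domainjoin-cli configure --enable pam"
    _rc=1
  fi
  return $_rc
}

# Constructed sample configurations so the check runs offline.
# "good" is a joined host; "bad" mimics a package upgrade that rewrote
# both files and dropped the AD Bridge entries.
make_samples() {
  SAMPLE=$(mktemp -d)
  mkdir -p "$SAMPLE/good/pam.d" "$SAMPLE/bad/pam.d"
  printf 'passwd: files lsass\ngroup:  files lsass\n' > "$SAMPLE/good/nsswitch.conf"
  printf 'auth required pam_lsass.so\n' > "$SAMPLE/good/pam.d/sshd"
  printf 'passwd: files\ngroup:  files\n' > "$SAMPLE/bad/nsswitch.conf"
  printf 'auth required pam_unix.so\n' > "$SAMPLE/bad/pam.d/sshd"
}

make_samples
trap 'rm -rf "$SAMPLE"' EXIT

echo "== joined host =="
adbridge_check "$SAMPLE/good/nsswitch.conf" "$SAMPLE/good/pam.d"
echo "== after a PAM/nsswitch-rewriting upgrade =="
adbridge_check "$SAMPLE/bad/nsswitch.conf" "$SAMPLE/bad/pam.d" || true
```

On a real host the same functions would be called with /etc/nsswitch.conf and /etc/pam.d; a non-zero exit from adbridge_check is the signal to run the printed domainjoin-cli configure command, or to rejoin the domain outright after a full OS upgrade as recommended above.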