AD Bridge Operations Best Practices

Before taking any actions with AD Bridge Operations, review these best practices carefully.


The Name Service Cache Daemon (NSCD) cache must be disabled, because it conflicts with AD Bridge.

Uninstall SSSD and Centrify

AD Bridge is not compatible with System Security Services Daemon (SSSD) or Centrify. Uninstall SSSD and Centrify from any Linux computers where you want to deploy the AD Bridge agent.
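The two prerequisites above (no nscd, no SSSD or Centrify) are easy to check before the agent is deployed. The following pre-deployment check is an added example, not part of the AD Bridge documentation or product; the package-name prefixes it matches (sssd*, centrify*) are assumptions based on common distribution naming, and the nscd check relies on systemctl or pgrep being present.

```shell
#!/bin/sh
# Added pre-deployment check (not AD Bridge's own tooling): flags a running nscd
# and any installed SSSD or Centrify packages on a Linux host before the AD
# Bridge agent is installed. Package-name prefixes are assumptions.

# Print installed package names, one per line (empty output if no rpm/dpkg).
list_installed_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME}\n' 2>/dev/null
    elif command -v dpkg-query >/dev/null 2>&1; then
        # ${Status} is "install ok installed" for packages that are really present
        dpkg-query -W -f '${Status} ${Package}\n' 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    fi
}

# Read package names on stdin; print those that conflict with AD Bridge.
# Exit status 0 when at least one conflict was found, 1 when none.
conflicts_in() {
    grep -i -E '^(sssd|centrify)'
}

# Exit status 0 if nscd is running (systemd unit or bare process), 1 otherwise.
nscd_is_active() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet nscd 2>/dev/null; then
        return 0
    fi
    pgrep -x nscd >/dev/null 2>&1
}

# Run all checks on this host, print findings, return 1 if anything blocks deployment.
preflight() {
    status=0
    if nscd_is_active; then
        echo "BLOCK: nscd is running; disable it before joining (conflicts with AD Bridge)"
        status=1
    fi
    # "|| true": grep exits 1 when nothing matches, which must not abort a set -e shell
    found=$(list_installed_packages | conflicts_in || true)
    if [ -n "$found" ]; then
        echo "BLOCK: conflicting packages installed, uninstall them first:"
        echo "$found" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no nscd / SSSD / Centrify conflicts detected"
    return "$status"
}

# Run the check only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

A non-zero exit from preflight is meant to gate the agent install in a deployment script; the findings it prints name the package or service to remove.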

SSH Logons

Because AD Bridge canonicalizes NT4-style and UPN-style logon names to the chosen display method (alias, short, or long name), users should be encouraged to use the same username on Windows and Unix systems. This keeps logon names simple for end users, and gives anyone troubleshooting clear knowledge of which specific AD user is involved and that the account is an AD user. Users are still presented with their alias name once logged in to the server.

Lookups and Configuration

Many Unix applications, such as sudo and chown, look up AD users through the interfaces that AD Bridge provides. Wherever possible, configure these applications to use the canonical (displayed or alias) name for all lookups, rather than the NT4-style or UPN-style names that AD Bridge also understands.
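Before writing the canonical name into sudoers or using it with chown, it is worth confirming on the host that the NT4-style, UPN-style, and short forms all resolve to the same account and seeing which login name the lookup actually returns. The helper below is an added example, not part of the AD Bridge documentation; the domain and user it queries are parameters you supply, and it assumes getent is the resolver front end on the host.

```shell
#!/bin/sh
# Added example (not AD Bridge's own tooling): verify that the NT4, UPN and short
# forms of a user name resolve to one account, and report the canonical login
# field that should be used in sudoers / chown. Domain and user are caller-supplied.

# Field helpers for a passwd(5) line "name:x:uid:gid:gecos:home:shell".
login_of() { printf '%s' "$1" | cut -d: -f1; }
uid_of()   { printf '%s' "$1" | cut -d: -f3; }

# same_account LINE...: exit 0 if every passwd line carries the same uid.
same_account() {
    first=$(uid_of "$1"); shift
    for line in "$@"; do
        [ "$(uid_of "$line")" = "$first" ] || return 1
    done
    return 0
}

# check_name_forms DNS_DOMAIN USER: look up all three name forms via getent and
# print the canonical login to use in configuration. Exit 1 on any mismatch.
check_name_forms() {
    domain=$1; user=$2
    netbios=${domain%%.*}                      # assumption: NetBIOS name is the first DNS label
    # getent exits 2 when a name is unknown; "|| true" keeps set -e shells alive
    nt4=$(getent passwd "$netbios\\$user" || true)
    upn=$(getent passwd "$user@$domain" || true)
    short=$(getent passwd "$user" || true)
    for pair in "NT4:$nt4" "UPN:$upn" "short:$short"; do
        [ -n "${pair#*:}" ] || { echo "FAIL: ${pair%%:*} form did not resolve"; return 1; }
    done
    if ! same_account "$nt4" "$upn" "$short"; then
        echo "FAIL: name forms resolve to different uids"
        return 1
    fi
    echo "OK: uid $(uid_of "$short"); use canonical login '$(login_of "$short")' in sudoers/chown"
}

# Usage: sh check_names.sh example.com jdoe
if [ "$#" -eq 2 ]; then
    check_name_forms "$1" "$2"
fi
```

If the three forms resolve but the reported login differs from what users type at the SSH prompt, the display method (alias, short, or long) on that host is not the one the configuration was written for.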

Operating System Patching and Upgrades

When a Unix operating system is upgraded or patched, AD Bridge-related files are very likely to be changed. For example, RPM-based Linux systems overwrite the PAM configuration of any package that uses PAM when that package is upgraded.

We recommend fully rejoining the computer to the domain after each OS upgrade. Minor patches that affect only the PAM or nsswitch configuration can be followed with the domainjoin-cli configure command. In all cases, test OS upgrades and patches for compatibility with the AD Bridge configuration changes before wide company adoption.


Before any Unix operating system upgrade or patch is applied, you must back up all PAM files to a different location (outside the PAM directory) to mitigate module errors during domain join.
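The backup above is only half the job; after the patch you also want to know which PAM files the package manager actually overwrote, so you can decide between domainjoin-cli configure and a full rejoin. The script below is an added example, not part of the AD Bridge documentation: it snapshots a PAM directory with a SHA-256 manifest into a location you choose, then reports modified, new, and removed files against that manifest. Source and destination paths are parameters so it can be exercised on a scratch tree; the default /var/backups/pam location is an assumption.

```shell
#!/bin/sh
# Added example (not AD Bridge's own tooling): snapshot /etc/pam.d before an OS
# patch and detect which files the patch changed afterwards.

# pam_backup SRC DEST: copy SRC into a fresh DEST/pam.d-<timestamp>.XXXXXX
# directory, write a sorted SHA-256 manifest beside it, print the backup path.
pam_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    target=$(mktemp -d "$dest/pam.d-$(date +%Y%m%d%H%M%S).XXXXXX")
    cp -pR "$src/." "$target/"                 # -p keeps modes and timestamps
    # LC_ALL=C so that comm in pam_drift sees the same collation order
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$target.sha256"
    echo "$target"
}

# pam_drift MANIFEST SRC: compare SRC against MANIFEST; print one line per
# "modified|new|removed <file>"; exit 0 if nothing changed, 1 otherwise.
# (Filenames are word-split below; PAM service files never contain spaces.)
pam_drift() {
    manifest=$1; src=$2
    now=$(mktemp)
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$now"
    # comm -3 keeps lines unique to either side; a modified file appears twice,
    # hence sort -u on the path (last field of "hash  ./path")
    changed=$(LC_ALL=C comm -3 "$manifest" "$now" | awk '{ print $NF }' | LC_ALL=C sort -u)
    rm -f "$now"
    for f in $changed; do
        if [ ! -e "$src/$f" ]; then
            kind=removed
        elif awk -v p="$f" '$NF == p { found = 1 } END { exit !found }' "$manifest"; then
            kind=modified
        else
            kind=new
        fi
        echo "$kind $f"
    done
    [ -z "$changed" ]
}

# Usage:  sh pam_guard.sh backup [/etc/pam.d] [/var/backups/pam]
#         sh pam_guard.sh check <manifest.sha256> [/etc/pam.d]
case "${1:-}" in
    backup) pam_backup "${2:-/etc/pam.d}" "${3:-/var/backups/pam}" ;;
    check)  pam_drift "$2" "${3:-/etc/pam.d}" ;;
esac
```

Run the backup step before the patch, and the check step after it: a non-zero exit with only "modified" lines for a couple of services suggests a domainjoin-cli configure pass, while wholesale changes or removed files are the case for the full rejoin the text recommends.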

Operations Best Practices Summary

  • Uninstall SSSD and Centrify from Linux computers where you want to deploy the AD Bridge agent.
  • The NSCD cache must be disabled.
  • Encourage users to use the same username on Windows and Unix systems.
  • Configure applications like sudo and chown to use the canonical (displayed or alias) name for all lookups.
  • All OS upgrades and patches should be tested for compatibility with the AD Bridge configuration changes.
  • After each OS upgrade, fully rejoining the computer to the domain is recommended.