LinuxQuestions.org > Linux - Networking
Old 02-16-2006, 09:39 AM   #1
macusr
LQ Newbie
 
Registered: Feb 2006
Posts: 1

Active Directory Kerberos


Hi all,
I am trying to get my unix machines, starting with a Fedora Core 4 machine, to authenticate to my Windows 2003 server domain. I have the unix tools installed on the server, and kinit authenticates; however, I can't get it so that ldap/login works.

Any help would be greatly appreciated.

Thanks,
andrew
 
Old 02-21-2006, 05:53 PM   #2
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Okay, there are two paths you can take: either get your *nix boxes to auth via LDAP or via winbind. I've got a how-to written for both; check out my website listed below.

ldap - http://www.yourhowto.org/content/view/34/9/

winbind - http://www.yourhowto.org/content/view/31/9/ (just change it from /etc/pam.d/pop3 to /etc/pam.d/login)

serversetup - http://www.geocities.com/evilperson85/serversetup/
 
Old 03-10-2006, 11:26 AM   #3
bret
Member
 
Registered: Apr 2005
Location: SLC, Utah
Distribution: RHEL 4, RHEL 5
Posts: 59

Hi Macusr,

I ran into similar issues trying to authenticate users defined on my SuSE server via my AD server. I finally got it to work, and it was really quite simple. Winbind was not even required, nor was LDAP. They were much too involved. A Kerberos client is all you need installed. Here's what I did. These instructions are based on using userids that are all numeric; your ids may vary. These instructions also assume that you have YaST; if not, you must install the Kerberos client manually.

How to setup SuSE Linux authentication to use Active Directory

1) From the linux desktop, start YaST
2) Select [Networking Services]
a. Select [Kerberos Client]
i. Select radio button [Use Kerberos]
ii. Basic Kerberos Settings
1. Default Domain: YOURDOMAIN.COM
2. Default Realm: YOURDOMAIN.COM
3. KDC Server Address: windowsdc.yourdomain.com
4. CLICK [Finish]
(this dialog will modify /etc/krb5.conf)

3) From a command prompt
a. kinit userid (where userid is your 5 digit network id)
You will be prompted for your password
e.g. 12345@YOURDOMAIN.COM's Password:

your response will be:
kinit: NOTICE: ticket renewable lifetime is 1 week

4) Once you have verified the Kerberos client set-up is working, you will need to tie the linux login screen to Kerberos.
a. Edit the /etc/security/pam_unix2.conf file. Add the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

5) Add user manually to /etc/passwd (make sure you use a unique uid!!!!)

12345:x:1002:100:Joe Geeko:/home/12345:/bin/bash

6) Create users home directory

cp -R /etc/skel /home/12345

7) Change ownership to new user

chown -R 12345. /home/12345

8) you can now logout and login with your new Active Directory credentials.

note: the userids I use are numeric, and must be added manually to /etc/passwd. If you have userids that don't start with a numeric, you will be able to use YaST or useradd.

I did not need to install winbind or samba. I also didn't need to do a net ads join.

These instructions are simply designed to allow you to use your AD user id to authenticate to linux.

HOPE THIS HELPS!

Bret
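The manual part of the procedure above (steps 5 to 7) as a script, added here as an example and not code from the post: it picks a UID that is not already in /etc/passwd, writes the entry by hand because useradd rejects an all-numeric name, copies /etc/skel into the new home and hands it to the user, and also writes the three values the YaST dialog in step 2 asks for into a krb5.conf. It runs inside a scratch directory so it can be tried without root; ROOT, PASSWD, SKEL, HOMEBASE, KRB5CONF and the function names are this example's own assumptions, and the sample passwd file is constructed. One caveat to weigh before copying step 4: `nullok` on the auth and password lines tells pam_unix2 to accept an empty password, which is rarely what you want on a login path.

```shell
#!/bin/sh
# Added example, not from the post: steps 5-7 scripted, with the unique-UID
# check the post warns about, plus the krb5.conf that step 2 produces.
# Runs in a scratch ROOT so it needs no privileges; the commands inside
# add_ad_user are the ones you would run against the live files.
# ROOT/PASSWD/SKEL/HOMEBASE/KRB5CONF are this script's own variables.

set -u

ROOT="${ROOT:-$(mktemp -d)}"
PASSWD="$ROOT/etc/passwd"
SKEL="$ROOT/etc/skel"
HOMEBASE="$ROOT/home"
KRB5CONF="$ROOT/etc/krb5.conf"

# write_krb5_conf REALM KDC: minimal krb5.conf for one AD realm.
write_krb5_conf() {
    realm="$1"; kdc="$2"
    lower=$(echo "$realm" | tr 'A-Z' 'a-z')
    mkdir -p "$(dirname "$KRB5CONF")"
    cat > "$KRB5CONF" <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# Lowest UID >= 1000 that no line of PASSWD already uses.
next_free_uid() {
    uid=1000
    while cut -d: -f3 "$PASSWD" | grep -qx "$uid"; do
        uid=$((uid + 1))
    done
    echo "$uid"
}

user_exists() {
    cut -d: -f1 "$PASSWD" | grep -qx "$1"
}

# add_ad_user NAME GECOS: append the passwd entry, copy the skeleton into
# the new home and hand it to the user. useradd refuses names that start
# with a digit, which is why the entry is written directly. Prints the UID.
add_ad_user() {
    name="$1"; gecos="$2"
    case "$name" in ''|*:*|*/*) echo "bad user name: '$name'" >&2; return 1;; esac
    if user_exists "$name"; then
        echo "user $name already in $PASSWD" >&2; return 1
    fi
    uid=$(next_free_uid)
    printf '%s:x:%s:100:%s:/home/%s:/bin/bash\n' "$name" "$uid" "$gecos" "$name" >> "$PASSWD"
    cp -R "$SKEL" "$HOMEBASE/$name"
    chmod 700 "$HOMEBASE/$name"          # not in the post; keeps the home private
    if [ "$(id -u)" -eq 0 ]; then        # chown only works as root
        chown -R "$uid:100" "$HOMEBASE/$name"
    fi
    echo "$uid"
}

# Constructed scratch tree for a stand-alone run: UIDs 1000 and 1001 taken.
setup_sample() {
    mkdir -p "$ROOT/etc" "$SKEL" "$HOMEBASE"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:1000:100:Bob:/home/bob:/bin/bash' \
        'ann:x:1001:100:Ann:/home/ann:/bin/bash' > "$PASSWD"
    printf 'export PATH="$PATH:$HOME/bin"\n' > "$SKEL/.bashrc"
}

if [ "${1:-}" = "--demo" ]; then
    setup_sample
    write_krb5_conf YOURDOMAIN.COM windowsdc.yourdomain.com
    add_ad_user 12345 "Joe Geeko"
    cat "$PASSWD"
fi
```

Run it as `sh add_ad_user.sh --demo` to see the generated entry; with the constructed sample it assigns UID 1002, the same line the post shows.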
 
Old 03-10-2006, 11:49 AM   #4
BigGeek
LQ Newbie
 
Registered: Jan 2006
Posts: 2

AD authentication

That's interesting, since I did use winbind and use the AD usernames.

I didn't have to use the id#, which just seemed like a pain.
Then configured pam.d files and I was good to go.

Also I just had to make a /home/DOMAIN dir and not add users.
The entries I made in the pam.d files automatically made the user's home dirs when they logged in.
 
Old 03-10-2006, 12:51 PM   #5
bret
Member
 
Registered: Apr 2005
Location: SLC, Utah
Distribution: RHEL 4, RHEL 5
Posts: 59

Hi BigGeek,

What you did with winbind sounds great, especially not having to define the user's home dir. With my company, all users are identified with a 5 digit userid. Unfortunately, Linux will not let you do a useradd on an id that begins with a number ... ugh. It took me a while to figure this out, including going to Novell support. You just can't have an id that begins with a numeric. My instructions take this into account. If we'd picked ids that were anything else, life would have been much simpler. Oh well.

Bret
SLC, UT
 
Old 03-24-2006, 03:36 PM   #6
darogers
LQ Newbie
 
Registered: Mar 2006
Posts: 1

I've been trying to get winbind working for the last week or so. I've tried many different step-by-step web sites and I keep having similar results.

I'm running RHEL4 and a Windows 2003 R2 server. If I log on as root I can successfully view the users and groups on the Windows domain using wbinfo -u and wbinfo -g. getent passwd works fine and the users have ID ranges that are declared in my /etc/samba/smb.conf file.

When I try to logon as a domain user (after a reboot) using the Windows username and credentials I receive the following error in the syslog:

gdm-binary[2365]: pam_succeed_if: error retrieving information about user DOMAIN\Username

Now, if I logon as root and do a kinit and check out the wbinfo queries and logoff root and log back on as the domain users it works. If I open a terminal with the 'authenticated' domain user I see the following:

id: cannot find name for group ID [ID]
id: cannot find name for user ID [ID]
[I have no name!@host ~]$

I'm very very new to Linux so if you can tell me what I've done wrong and in specifics that would be really great!
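A check script for the winbind path discussed in the last three posts, added as an example and not from the thread. The `I have no name!` prompt and `id: cannot find name for user ID` are what a shell prints when glibc's NSS lookup for the process's own UID returns nothing, so the script inspects the two files that lookup depends on once wbinfo already answers: nsswitch.conf must list winbind for passwd and group, and smb.conf must give winbind an idmap range (the /home/DOMAIN layout mentioned above is winbind's `template homedir = /home/%D/%U`). It takes file paths as arguments so it can be run on copies; the four sample files are constructed for this example and the function names are its own. Whether winbindd is actually running before gdm starts is a separate check (`wbinfo -p` pings it) that this script does not make.

```shell
#!/bin/sh
# Added example, not from the thread: static checks on nsswitch.conf and
# smb.conf for a winbind login that fails with "I have no name!" even
# though wbinfo -u/-g work. Paths are arguments; samples are constructed.

set -u

# Print each database from the argument list whose nsswitch.conf line does
# not include winbind (comments stripped first). Prints nothing if all do.
nss_missing_winbind() {
    conf="$1"; shift
    for db in "$@"; do
        if ! sed 's/#.*//' "$conf" | grep -E "^[[:space:]]*$db:" | grep -qw winbind; then
            printf '%s\n' "$db"
        fi
    done
}

# 0 if smb.conf declares an idmap range, in the Samba 3 form
# (idmap uid/gid = low-high) or the newer "idmap config <dom> : range".
smb_has_idmap() {
    grep -Eiq '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=|^[[:space:]]*idmap[[:space:]]+config[[:space:]].*:[[:space:]]*range' "$1"
}

# 0 if "winbind use default domain = yes" is set: users then log in as
# "Username"; otherwise the login name must be "DOMAIN\Username".
smb_default_domain() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+use[[:space:]]+default[[:space:]]+domain[[:space:]]*=[[:space:]]*(yes|true|1)' "$1"
}

# check_winbind_login NSSWITCH SMBCONF: print findings, return the number
# of hard problems (the default-domain note is advisory only).
check_winbind_login() {
    nss="$1"; smb="$2"; problems=0
    for db in $(nss_missing_winbind "$nss" passwd group); do
        echo "nsswitch.conf: '$db' does not list winbind"
        problems=$((problems + 1))
    done
    if ! smb_has_idmap "$smb"; then
        echo "smb.conf: no idmap range; winbind cannot map SIDs to UIDs/GIDs"
        problems=$((problems + 1))
    fi
    if ! smb_default_domain "$smb"; then
        echo "smb.conf: 'winbind use default domain' is off; log in as DOMAIN\\Username"
    fi
    return $problems
}

# Constructed sample files (not from any real host); prints their directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/nsswitch.bad" <<'EOF'
# passwd still goes to files only, group is already routed
passwd:     files
shadow:     files
group:      files winbind
hosts:      files dns
EOF
    cat > "$dir/nsswitch.good" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF
    cat > "$dir/smb.bad" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = YOURDOMAIN.COM
   security = ads
EOF
    cat > "$dir/smb.good" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = YOURDOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    D=$(write_samples)
    check_winbind_login "$D/nsswitch.bad" "$D/smb.bad"
    echo "problems found: $?"
fi
```

On a live box run `check_winbind_login /etc/nsswitch.conf /etc/samba/smb.conf`; `sh winbind_check.sh --demo` shows the two findings the bad samples produce.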
 
  

