Single Sign-On to Active Directory
I'm looking to get my Ubuntu(Breezy) and SUSE(9.3+) boxes to a point where single sign-on is possible from my windows boxes and all user authentication takes place via a combination of ldap and kerberos. I would like to do this without using Samba's winbind.
At the moment I have my ubuntu boxes authenticating to a 2003 AD box using ldap simple bind for user attributes and the 2003 KDC for password authentication. So I can log onto the unbuntu box using my AD credentials and can perform a kinit on my user to retrieve a TGT from the KDC but I'm having some issues getting the rest of the shooting match together.
I'm looking firstly, to have the pam.d setup configured so that su and ssh etc automatically retrieve TGTs from the KDC when logging in or switching users (needs to be done manually with kinit at the moment)
Then I need to configure SASL/GSSAPI and the ssh client/server to allow authentication via the kerberos credentials - I've installed the ssh_krb5 package and enable the kerberos options, and i'm using the vintella patched version of putty from my windows box - but it still complains about issues with the service_principal in kerberos. I'm assuming this is because Vintella putty leverages GSSAPI to pass credentials, and i haven't figure out how to configure it yet.
Can anyone give me a run down on these issues? I've read plenty on the net and some are semi-complete but usually don't deal with single sign-on, either that or they just suggest windbind. I'd like to get it running and try my hand at creating some more in-depth documentation.
Can no one offer any pointers here?
You might want to look at PAM.
A quick google search found articals like these. They might help, I just glanced at them.
Here's my notes from the conference this past weekend. the guy giving the 'single sign-on' integration talk made it look easy.. I haven't tried yet so I can't confirm :)
Setup Active Directory (err of course) he works for an oakland university so that's the example used..
realm = ldap.secs.oakland.edu
binddn cn=LDAP Query user, cn=users, dc=secs, dc=oakland, dc=edu
default_realm = secs.oakland.edu
He also commented that when using the kerberized putty, once you had authenticated on the machine you could ssh to any of hte related boxes using putty and not have to authenticate since that was taken care of by Kerberos at this point..
Google for "Morons Guide to Kerberos" - he said this short article will give you a quick grasp of kerberos..
And that's pretty much all of the config he shared.. makes it look really simple. :/
Hope something here helps you out.. I'll be trying this out in a couple days myself..
If I actually manage to get this working I'm going to have to constuct a pretty in depth how-to, it seems there aren't many people out there that have managed to get this running.
Again, thanks for your efforts anyway, you're the first person from any forum to actually respond!
How's the progress on this project.
I'm just now tackling the same issue.
Do you have any documentation to share?
thanks in advance!!!!!
|All times are GMT -5. The time now is 09:50 PM.|