LinuxQuestions.org, Linux - Software forum
#1 camshere (LQ Newbie), 10-02-2006, 03:32 AM
Single Sign-On to Active Directory


Hi,

I'm looking to get my Ubuntu (Breezy) and SUSE (9.3+) boxes to a point where single sign-on is possible from my Windows boxes and all user authentication takes place via a combination of LDAP and Kerberos. I would like to do this without using Samba's winbind.

At the moment I have my Ubuntu boxes authenticating to a 2003 AD box using LDAP simple bind for user attributes and the 2003 KDC for password authentication. So I can log onto the Ubuntu box using my AD credentials and can perform a kinit on my user to retrieve a TGT from the KDC, but I'm having some issues getting the rest of the shooting match together.

I'm looking, firstly, to have pam.d configured so that su, ssh, etc. automatically retrieve TGTs from the KDC when logging in or switching users (this needs to be done manually with kinit at the moment).

Then I need to configure SASL/GSSAPI and the ssh client/server to allow authentication via the Kerberos credentials. I've installed the ssh_krb5 package and enabled the Kerberos options, and I'm using the Vintela-patched version of PuTTY from my Windows box, but it still complains about issues with the service_principal in Kerberos. I'm assuming this is because Vintela PuTTY leverages GSSAPI to pass credentials, and I haven't figured out how to configure it yet.

Can anyone give me a run-down on these issues? I've read plenty on the net and some are semi-complete, but they usually don't deal with single sign-on; either that or they just suggest winbind. I'd like to get it running and try my hand at creating some more in-depth documentation.

Cheers

Cam Marshall
Perth WA

Last edited by camshere; 10-02-2006 at 03:41 AM.
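The two things asked for above (a TGT obtained automatically at password login, and an SSH server that a GSSAPI-capable client can authenticate to without a "service principal" complaint) fail for a small set of reasons that can be checked before touching the Windows side. The script below is an added example, not code from this post or from the ssh_krb5/pam_krb5 packages: it checks, against constructed sample data with assumed names (ubuntu1.example.com, realm EXAMPLE.COM, the sshd_config and common-auth contents embedded in it), whether the host keytab holds the principal a client will request, whether sshd has GSSAPI and PAM enabled, and whether pam_krb5 runs ahead of pam_unix. Point the same functions at real `klist -k`, sshd_config and PAM output to use it on a live box.

```shell
#!/bin/sh
# sso_precheck.sh -- added example, not code from the thread. Checks, offline
# against constructed sample data, the three things that most often stop a
# Kerberized SSH client (a GSSAPI-capable PuTTY, or OpenSSH "ssh -K") from
# getting single sign-on to a Linux box that authenticates against an AD KDC:
#   1. the keytab holds host/<fqdn>@REALM, the service principal the client
#      asks the KDC for (missing or mis-cased => "service principal" errors);
#   2. sshd accepts GSSAPI and runs the PAM stack (UsePAM) for password logins;
#   3. pam_krb5 precedes pam_unix in the auth stack, so a password login
#      obtains a TGT instead of needing a manual kinit.
# Host name, realm and file contents below are assumed/constructed values.

# expected_spn FQDN REALM -> the principal a client will request. Kerberos
# realm names are case sensitive; an AD realm is the upper-cased DNS domain.
expected_spn() {
  printf 'host/%s@%s\n' \
    "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
    "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# keytab_has_spn SPN "<klist -k output>" -> true if some key slot holds SPN
# (klist -k prints "KVNO Principal" rows; the principal is the second field).
keytab_has_spn() {
  printf '%s\n' "$2" | awk -v spn="$1" '$2 == spn { found = 1 } END { exit !found }'
}

# sshd_option "<sshd_config contents>" KEYWORD -> prints the effective value.
# sshd honours the first occurrence of a keyword and ignores later ones, so a
# stray "GSSAPIAuthentication no" near the end of the file is harmless while
# one near the top silently wins.
sshd_option() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# pam_krb5_before_unix "<auth stack>" -> true if an "auth ... pam_krb5.so"
# line comes before any "auth ... pam_unix.so" line.
pam_krb5_before_unix() {
  printf '%s\n' "$1" | awk '
    $1 == "auth" && /pam_krb5\.so/ && !seen_unix { krb = 1 }
    $1 == "auth" && /pam_unix\.so/ { seen_unix = 1 }
    END { exit !krb }'
}

# ---- constructed sample data (assumed names) --------------------------------
SAMPLE_FQDN='ubuntu1.example.com'
SAMPLE_REALM='example.com'      # lower case on purpose: expected_spn fixes it
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/ubuntu1.example.com@EXAMPLE.COM'
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed)
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIAuthentication no'
SAMPLE_PAM_AUTH='# /etc/pam.d/common-auth (constructed)
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so nullok_secure use_first_pass'

# run_checks -> 0 when every prerequisite holds, 1 otherwise (one line each)
run_checks() {
  rc=0
  spn=$(expected_spn "$SAMPLE_FQDN" "$SAMPLE_REALM")
  if keytab_has_spn "$spn" "$SAMPLE_KEYTAB_LISTING"; then
    echo "ok:   keytab holds $spn"
  else
    echo "FAIL: keytab lacks $spn; clients will report an unknown service principal"; rc=1
  fi
  for opt in UsePAM GSSAPIAuthentication; do
    if [ "$(sshd_option "$SAMPLE_SSHD_CONFIG" "$opt")" = "yes" ]; then
      echo "ok:   sshd $opt yes"
    else
      echo "FAIL: sshd $opt is not yes"; rc=1
    fi
  done
  if pam_krb5_before_unix "$SAMPLE_PAM_AUTH"; then
    echo "ok:   pam_krb5 runs before pam_unix; a password login yields a TGT"
  else
    echo "FAIL: pam_krb5 missing from, or after pam_unix in, the auth stack"; rc=1
  fi
  return $rc
}

run_checks
```

Two caveats go with the checks. First, an SSH login that authenticates with GSSAPI never runs the PAM auth stack, so such a session only has a ticket if the client forwards its TGT (`GSSAPIDelegateCredentials yes` in OpenSSH, or the equivalent delegation option in a GSSAPI-capable PuTTY); the `pam_krb5` line only helps password logins and `su`. Second, the host keytab is not just for sshd: with `/etc/krb5.keytab` present, the common pam_krb5 implementations verify the TGT they obtained against the host's own key, so a host that can spoof the KDC cannot log an attacker in as an arbitrary user; without it that verification is impossible, so treat the keytab as a prerequisite for the PAM setup too.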
 
#2 camshere (original poster), 10-02-2006, 09:40 PM
Bump...

Can no one offer any pointers here?
 
#3 tangle (Senior Member, Slackware), 10-02-2006, 10:02 PM
You might want to look at PAM.
 
#4 tangle (Senior Member, Slackware), 10-02-2006, 10:08 PM
A quick Google search found articles like these. They might help; I just glanced at them.

http://www.redmondmag.com/columns/ar...itorialsID=858
http://reverendted.wordpress.com/?p=314
http://www.windowsnetworking.com/art...Directory.html
 
#5 farslayer (Guru, Debian), 10-02-2006, 10:30 PM
Here are my notes from the conference this past weekend. The guy giving the 'single sign-on' integration talk made it look easy. I haven't tried it yet, so I can't confirm.


Set up Active Directory (err, of course). He works for an Oakland university, so that's the example used.

realm = ldap.secs.oakland.edu

/etc/ldap/ldap.conf
host ldap.secs.oakland.edu
binddn cn=LDAP Query user, cn=users, dc=secs, dc=oakland, dc=edu

/etc/krb5.conf
default_realm = secs.oakland.edu


/etc/nsswitch.conf
Code:
# /etc/nsswitch.conf (ldap listed first, as the speaker specified; there is
# no "ldap:" database in nsswitch, ldap is a source on each lookup line)
passwd:   ldap compat
group:    ldap compat
shadow:   ldap compat
I do recall he specified here that ldap needs to be first in this list.


He also commented that when using the Kerberized PuTTY, once you had authenticated on the machine you could ssh to any of the related boxes using PuTTY and not have to authenticate, since that was taken care of by Kerberos at this point.


Google for "Moron's Guide to Kerberos"; he said this short article will give you a quick grasp of Kerberos.
http://www.isi.edu/~brian/security/kerberos.html

And that's pretty much all of the config he shared. Makes it look really simple. :/
Hope something here helps you out. I'll be trying this out in a couple of days myself.

Last edited by farslayer; 10-02-2006 at 10:33 PM.
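The notes above name the three client-side files but leave out the details that usually bite: the Kerberos realm must be spelled in upper case (realm names are case sensitive, and an AD realm is the upper-cased DNS domain), host principals need a domain_realm mapping, and an LDAP simple bind with a `binddn`/`bindpw` in ldap.conf puts the password on disk and, without TLS, on the wire. The script below is an added example, not the speaker's or the original poster's configuration: it renders a krb5.conf, an nss_ldap/pam_ldap style ldap.conf that binds with SASL/GSSAPI from a keytab-backed credential cache instead of a bindpw, and an nsswitch.conf with ldap first. The domain (example.com), DC host name (dc1.example.com), CA file path and cache path are assumed values, and the attribute mappings are for the R2 schema; adjust them to your forest.

```shell
#!/bin/sh
# render_ad_client_conf.sh -- added example; not the speaker's or the OP's
# files. Writes the three client-side files sketched in the notes above for an
# AD realm, with the details that commonly go wrong spelled out:
#   * krb5.conf: realm in upper case plus a domain_realm map so host/<fqdn>
#     principals resolve to that realm.
#   * ldap.conf for nss_ldap/pam_ldap: TLS on, and the directory bind done
#     with SASL/GSSAPI from a keytab-backed credential cache instead of a
#     simple bind whose bindpw sits in the clear on disk and on the wire.
#   * nsswitch.conf: ldap consulted before the local files.
# Domain, realm, DC host and file paths are assumed values.

# render_krb5_conf DOMAIN DC_HOST
render_krb5_conf() {
  realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  dnsdom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    forwardable = true
    ticket_lifetime = 10h

[realms]
    $realm = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$dnsdom = $realm
    $dnsdom = $realm
EOF
}

# render_ldap_conf BASE_DN DC_HOST   (nss_ldap / pam_ldap style ldap.conf)
render_ldap_conf() {
  cat <<EOF
host $2
base $1
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem

# Bind as the host's own Kerberos identity. The cache is kept fresh by a
# periodic "kinit -k -c FILE:/var/run/ldap-nss.ccache host/<fqdn>" from
# /etc/krb5.keytab (assumed cron job); there is no bindpw to protect.
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/ldap-nss.ccache

# Weak alternative shown for contrast, not enabled:
#   binddn cn=LDAP Query user,cn=users,$1
#   bindpw S3cret      <- placeholder; readable by every local user, and
#                         cleartext on the wire without TLS

# Map AD attributes onto POSIX fields (names for the R2 schema; SFU differs).
nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
EOF
}

# render_nsswitch_conf  (ldap first, as the talk recommended)
render_nsswitch_conf() {
  cat <<'EOF'
passwd:   ldap compat
group:    ldap compat
shadow:   ldap compat
hosts:    files dns
EOF
}

# dn_from_domain DOMAIN -> dc=... form, e.g. example.com -> dc=example,dc=com
dn_from_domain() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# write_all OUTDIR DOMAIN DC_HOST -> writes krb5.conf, ldap.conf, nsswitch.conf
write_all() {
  mkdir -p "$1"
  render_krb5_conf "$2" "$3" > "$1/krb5.conf"
  render_ldap_conf "$(dn_from_domain "$2")" "$3" > "$1/ldap.conf"
  render_nsswitch_conf > "$1/nsswitch.conf"
  chmod 0644 "$1/krb5.conf" "$1/ldap.conf" "$1/nsswitch.conf"
}

# Stand-alone run: render into a scratch directory with assumed names.
write_all "${1:-$(mktemp -d)}" "${2:-example.com}" "${3:-dc1.example.com}"
```

Run it as `sh render_ad_client_conf.sh /tmp/adconf corp.example.org dc1.corp.example.org` and copy the results into place. The GSSAPI bind only works once the host has a keytab and a principal in AD, which is the same prerequisite the SSH side needs, so it is worth getting that right first; until then a simple bind over TLS, with ldap.conf readable only by root and a dedicated low-privilege query account, is the fallback.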
 
#6 camshere (original poster), 10-02-2006, 10:33 PM
Thanks, but they all just deal with Samba/winbind or KRB configuration up to the point I am at now; I'm really trying to get the SASL auth/GSSAPI and automatic retrieval of Kerberos tickets. Using winbind completely defeats the purpose of this setup. As it stands now I have simple authentication and Kerberos functionality; the hard part seems to be getting the whole shooting match together for single sign-on.

If I actually manage to get this working I'm going to have to construct a pretty in-depth how-to; it seems there aren't many people out there who have managed to get this running.

Again, thanks for your efforts anyway, you're the first person from any forum to actually respond!
 
#7 DotHQ (Member), 12-11-2006, 06:46 AM
How's the progress on this project?
I'm just now tackling the same issue.
Do you have any documentation to share?

Thanks in advance!
 
Tags
kerberos, ldap, sasl