Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 10-02-2006, 03:32 AM   #1
LQ Newbie
Registered: Jul 2006
Posts: 4

Rep: Reputation: 0
Single Sign-On to Active Directory


I'm looking to get my Ubuntu(Breezy) and SUSE(9.3+) boxes to a point where single sign-on is possible from my windows boxes and all user authentication takes place via a combination of ldap and kerberos. I would like to do this without using Samba's winbind.

At the moment I have my ubuntu boxes authenticating to a 2003 AD box using ldap simple bind for user attributes and the 2003 KDC for password authentication. So I can log onto the unbuntu box using my AD credentials and can perform a kinit on my user to retrieve a TGT from the KDC but I'm having some issues getting the rest of the shooting match together.

I'm looking firstly, to have the pam.d setup configured so that su and ssh etc automatically retrieve TGTs from the KDC when logging in or switching users (needs to be done manually with kinit at the moment)

Then I need to configure SASL/GSSAPI and the ssh client/server to allow authentication via the kerberos credentials - I've installed the ssh_krb5 package and enable the kerberos options, and i'm using the vintella patched version of putty from my windows box - but it still complains about issues with the service_principal in kerberos. I'm assuming this is because Vintella putty leverages GSSAPI to pass credentials, and i haven't figure out how to configure it yet.

Can anyone give me a run down on these issues? I've read plenty on the net and some are semi-complete but usually don't deal with single sign-on, either that or they just suggest windbind. I'd like to get it running and try my hand at creating some more in-depth documentation.


Cam Marshall
Perth WA

Last edited by camshere; 10-02-2006 at 03:41 AM.
Old 10-02-2006, 09:40 PM   #2
LQ Newbie
Registered: Jul 2006
Posts: 4

Original Poster
Rep: Reputation: 0

Can no one offer any pointers here?
Old 10-02-2006, 10:02 PM   #3
Senior Member
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
You might want to look at PAM.
Old 10-02-2006, 10:08 PM   #4
Senior Member
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
A quick google search found articals like these. They might help, I just glanced at them.
Old 10-02-2006, 10:30 PM   #5
LQ Guru
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 190Reputation: 190
Here's my notes from the conference this past weekend. the guy giving the 'single sign-on' integration talk made it look easy.. I haven't tried yet so I can't confirm

Setup Active Directory (err of course) he works for an oakland university so that's the example used..

realm =

binddn cn=LDAP Query user, cn=users, dc=secs, dc=oakland, dc=edu

default_realm =

ldap:     compat
passwd:   compat
group:    compat
shadow:   compat
I do recall he specified here that ldap needs to be first in this list..

He also commented that when using the kerberized putty, once you had authenticated on the machine you could ssh to any of hte related boxes using putty and not have to authenticate since that was taken care of by Kerberos at this point..

Google for "Morons Guide to Kerberos" - he said this short article will give you a quick grasp of kerberos..

And that's pretty much all of the config he shared.. makes it look really simple. :/
Hope something here helps you out.. I'll be trying this out in a couple days myself..

Last edited by farslayer; 10-02-2006 at 10:33 PM.
Old 10-02-2006, 10:33 PM   #6
LQ Newbie
Registered: Jul 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks, but they all just deal with Samba/Winbind or KRB configuration up to the point i am now, i'm really trying to get the SASL auth/GSSAPI and automatic retrieval of Kerberos tickets. Using winbind completely defeats the purpose of this setup. As it stands now i have simple authentication and kerberos functionality - the hard part seems to be getting the whole shooting match together for single sign-on

If I actually manage to get this working I'm going to have to constuct a pretty in depth how-to, it seems there aren't many people out there that have managed to get this running.

Again, thanks for your efforts anyway, you're the first person from any forum to actually respond!
Old 12-11-2006, 06:46 AM   #7
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 542

Rep: Reputation: 33
How's the progress on this project.
I'm just now tackling the same issue.
Do you have any documentation to share?

thanks in advance!!!!!


kerberos, ldap, sasl

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Single Sign-on Solution sunhui Linux - Software 1 07-14-2006 10:46 PM
Ideas for best Single Sign-on solution? humbletech99 Linux - Networking 4 02-02-2006 04:43 AM
Setting single Sign on using openLDAP kghoshal Linux - Security 1 12-07-2004 12:50 PM
Single Sign-On help vvandam Linux - Security 6 07-21-2003 05:23 AM
AFS Config. Using single sign on fenriswolf Linux - Security 0 07-20-2001 10:09 AM

All times are GMT -5. The time now is 06:41 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration