LinuxQuestions.org


zenix 09-15-2005 05:34 PM

Active Directory Authentication
 
Looking for some help here. Is there a recommended procedure for this? I was able to join the Active Directory domain and checked the box to use it for authentication, but it doesn't seem to be working.

I've read a bunch of information on how to get this all working manually, but I don't want to mangle my 9.3 setup any more than needed. It seems like they tried to build the functionality into Suse 9.3, but I'm not sure if it's incomplete or if there are just additional steps that I need to take.

Thanks!

Daniel

dexteroo 09-18-2005 02:14 PM

Try going through the documentation on www.samba.org, they have some very useful documentation in the form of a howto collection as well as a guide by example book.

Micro420 09-18-2005 10:27 PM

I'm not a Windows 2003 server pro, but I do have a Windows 2003 server running with Active Directory under a domain. Is that the same thing? Assuming you installed the SAMBA service for SuSE, you can just use Konqueror to access the files and directories. You will need your username/password of the domain (obviously).

Maybe I'm way off (lol) but this is what I do:

1) open konqueror
2) address is: smb://ipaddress I believe.
3) input username/password when prompted.
4) the files and folders will be available.

Hope this helps? :confused:

zenix 09-20-2005 04:50 PM

The good news is... we got this to work.

Me and my partner spent almost 20 hours straight getting there, but we did. As it turns out (I know no one else has had this happen) it took several pieces of incomplete documentation to get it to work, but it does. The even better news is that this has been deployed as a production server for one of our remote offices. Since this environment requires Active Directory, it was nice to finally find a way of integrating Linux (more specifically, Suse) where it fits. This server build will become our template for deploying new remote offices... very cool!!! This setup works sooo well. Complete, seamless integration with the AD environment (a member of the AD domain, fully capable of using AD usernames/passwords and security). The user at the desktop doesn't have any way of telling it's a Linux box in the back, it behaves exactly the same. We even left it running headless (no keyboard, monitor or mouse). Doing all administration via ssh.

If there's enough interest, I will take the time to write a real how-to specifically for Suse. So, let me know in this thread if you would be interested in seeing this documentation brought to life.

Thanks to those who offered their help.

My new motto: Moving Linux from the edge to the heart of the enterprise.

~Daniel

Micro420 09-20-2005 05:11 PM

Quote:

Originally posted by zenix
The good news is... we got this to work.

Me and my partner spent almost 20 hours straight getting there, but we did. As it turns out (I know no one else has had this happen) it took several pieces of incomplete documentation to get it to work, but it does. The even better news is that this has been deployed as a production server for one of our remote offices. Since this environment requires Active Directory, it was nice to finally find a way of integrating Linux (more specifically, Suse) where it fits. This server build will become our template for deploying new remote offices... very cool!!! This setup works sooo well. Complete, seamless integration with the AD environment (a member of the AD domain, fully capable of using AD usernames/passwords and security). The user at the desktop doesn't have any way of telling it's a Linux box in the back, it behaves exactly the same. We even left it running headless (no keyboard, monitor or mouse). Doing all administration via ssh.

If there's enough interest, I will take the time to write a real how-to specifically for Suse. So, let me know in this thread if you would be interested in seeing this documentation brought to life.

Thanks to those who offered their help.

My new motto: Moving Linux from the edge to the heart of the enterprise.

~Daniel

You should DEFINITELY write documentation for this. I guarantee you that this will help others. You can even post the 1-2-3's of it here on Linuxquestions.org in the tutorial section and the mods will definitely approve it.

I know that when I google linux problems, I usually get back Linuxquestions.org somewhere. This is a really good resourceful place to get help.

And out of curiosity, can you quickly put the 1-2-3's of how you got it to work? I am curious!

zenix 09-20-2005 07:06 PM

If there were a quick 1-2-3, I would certainly post it here. Here's the 1,000 view:

1. Configure Suse 9.3 with Samba (don't even think about using the Yast samba server tool)

2. Configure Samba and test

3. Configure Winbind/Kerberos and test

4. Configure nsswitch

5. Configure PAM

As you can imagine each of these pieces has several steps. If you decide to venture down the road of actually trying it, let me know. I would be happy to assist you with any help you may need.

Thakowbbery 09-21-2005 08:45 AM

I also managed to do that, first for Fedora (but for some strange reasons, some bugs started appearing with Fedora after some time :confused: ), but adapting it to Suse was quite easy (which turned Suse into my second favorite distribution :D).

Another cool thing that I discovered in some old archives of samba lists was a patch that allowed kerberized printing to windows printers through CUPS (patch applied to smbspool.c at SAMBA compiling. Sadly, it seems to work only till samba-3.0.14, I tried applying it to samba-3.0.20 and got an error :( ).
Try googling for "samba3-smbspool-krb.bin".

gblanton 10-28-2005 03:39 PM

zenix

you posted:

"If there were a quick 1-2-3, I would certainly post it here. Here's the 1,000 view:

1. Configure Suse 9.3 with Samba (don't even think about using the Yast samba server tool)

2. Configure Samba and test

3. Configure Winbind/Kerberos and test

4. Configure nsswitch

5. Configure PAM

As you can imagine each of these pieces has several steps. If you decide to venture down the road of actually trying it, let me know. I would be happy to assist you with any help you may need."

I am using SuSE 9.3 also. I got as far as step 4. What did you do to configure PAM?

EclipseAgent 10-28-2005 04:32 PM

When you say configure Samba and Test, what are you configuring really?

Should you not use YaST and configure smb.conf? When you are testing Samba, what are you testing?

I can get onto my file servers no problem using smb://fileservername

And who is PAM? Is she fat? Cute? Hot? jk.

EclipseAgent 10-28-2005 05:50 PM

I dunno about you and PAM and all that stuff, but I was able to get it working pretty easily by these steps

Open YaST
Configure Kerberos to an AD DC
Close YaST
Open Control Center (I am using KDE, and yes, they do seem to be different).
Click on Internet & Network thing
Click Samba
Click Administrative Mode
Change Security Level to ADS
Enter in Server Addy + Realm
Click Apply
Open Terminal
SU - SU Password
net ads join

I see my computer in the Domain, although I am not sure if the log on sequence (When I log onto the computer, is using the local passwd file or authenticating against the domain), but when I log in I am able to open domain resources etc without a hitch it seems.

I will try to check the authentication and report back.

EclipseAgent 10-28-2005 06:40 PM

I am authenticating using the local /etc/passwd and not the domain logon (I tried to log in as someone else with their domain account on the linux machine).

Did you install the NIS server from NFS3.5? For the Schema extension in AD?

I am sure it is pretty simple to do.. I am still trying to figure it out though..

So can anyone in your domain, walk up to the linux machine and login authenticating to their domain account?

yiannos 11-14-2005 08:50 AM

Yes. I can. And without any SAMBA settings

All I need is Kerberos in order to auth. But the user must be locally known in linux. If I want to lookup the user in AD I suspect I need some kind of directory lookup protocol. This would probably be LDAP right?

So I setup LDAP. I did not go into the advanced screens at all and the result was the following message in /var/log/messages: "nscd: nss_ldap: could not search LDAP server - Operations error"

Any ideas?

zenix 11-17-2005 04:19 PM

You already have all the tools you need. The authentication portion is handled by winbind and kerberos. You will need to edit your PAM files to get linux to use Active Directory for authentication. I don't have time to list all the steps now, but maybe this will get you on the right track.

Daniel
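
The thread shows a host that is joined to the domain yet still logs users in from the local /etc/passwd; the check below, an added example that is not part of any post here, tests whether NSS and a PAM service file actually route through winbind. The sample file contents and the `pam_unix2.so` stack are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check that name lookups and logins are
# actually routed through winbind, not only that the machine is joined.

# nss_uses_winbind FILE DB: succeeds if database DB (passwd, group) lists winbind
nss_uses_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# pam_uses_winbind FILE TYPE: succeeds if a TYPE (auth, account) line loads pam_winbind.so
pam_uses_winbind() {
    awk -v t="$2" '
        { sub(/#.*/, "") }
        $1 == t && /pam_winbind\.so/ { found = 1 }
        END { exit !found }' "$1"
}

# audit NSSFILE PAMFILE: prints one line per check, returns the number of failures
audit() {
    fails=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then echo "ok   nss $db"
        else echo "FAIL nss $db: winbind not listed"; fails=$((fails + 1)); fi
    done
    for t in auth account; do
        if pam_uses_winbind "$2" "$t"; then echo "ok   pam $t"
        else echo "FAIL pam $t: pam_winbind.so not loaded"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample files: "local" is a joined host still using only local
# accounts, "ad" has winbind added to NSS and to the PAM stack.
demo=$(mktemp -d)
printf 'passwd: compat\ngroup:  compat\n' > "$demo/nss.local"
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$demo/nss.ad"
printf 'auth required pam_unix2.so\naccount required pam_unix2.so\n' > "$demo/pam.local"
printf '%s\n' 'auth sufficient pam_winbind.so' 'auth required pam_unix2.so use_first_pass' \
    'account sufficient pam_winbind.so' 'account required pam_unix2.so' > "$demo/pam.ad"

audit "$demo/nss.local" "$demo/pam.local" || echo "$? check(s) failed"
audit "$demo/nss.ad" "$demo/pam.ad" && echo "all checks passed"
```

On a real host, pass /etc/nsswitch.conf and the PAM file of the service being tested; a stack that pulls in other files needs each of those files checked as well.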

gblanton 11-17-2005 05:33 PM

Thanks for your response. I figured it out. Everything was already setup correctly. I did not realize that I had to have Domain\username instead of just the username in the read and write lists in Samba.

tcaleb 12-06-2005 03:41 PM

I am just starting to use SUSE Linux, and have had this question brought up to see if it is possible. I have a Windows AD (2003) and I can get the computer object into AD, but I cannot authenticate with an AD account only. I have followed a lot of the steps outlined here, but I am getting an error:

Kerberos_kinit_password host hostname failed. Client not found in Kerberos database.

Any ideas?

Thanks

