See if the info here helps: http://www.enterprisenetworkingplane...le.php/3487081
Quote:
I am in the process of reloading SUSE Pro 9.3, so I cannot try things right now. One question I have for you about the Active Directory domain name: we used an XXXXX.LOCAL domain name, does it matter? I know with Macs it did. Also, I went to a terminal window and issued a kinit with a username that is in the domain and not on the Linux box, and it appended the domain name correctly and authorized me correctly, so I am assuming that the .conf file is correct.
Thanks
I am not sure about the .LOCAL domain name. However, I don't think that would be a problem if the DNS is working correctly. Did you modify PAM to use winbind for authentication? I used SuSE 9.3 Pro. I set up the Samba server as a domain member and was able to authenticate via the domain. I installed the winbind library from Samba, set up Kerberos, modified the PAM files, and joined the domain. After that a user could access shared files and use the dialup server while being authenticated via the domain. Just a note that may save you some time: I used all of the pre-installed packages. I did not have to rebuild anything.
Hey Zenix, do you still offer your help? Please let me know.
Thanks heaps
Hi,
I have SUSE 9.3, integrated with AD. All wbinfo commands work, all getent commands work, the net join worked, ticket refreshes work, mapping a drive from XP to the SUSE box using a domain account works, but I cannot get ssh or normal logins to work. I can't seem to find the right combination for the pam.d configuration. I have set this up successfully before on RHEL, but as there is no system-auth file in SUSE, I tried putting equivalent entries into the pam.d/common* files. This hasn't worked. Do I need to load winbind in PAM at all, because the pam_unix2.conf file has use_krb5 statements? Can anyone advise?
I've run through several problems with this situation in SUSE 10.0 and would also like to know how this is done. I've been able to join the workstation to the domain, but that effectively does absolutely nothing if I can't plug the Windows domain username and password into an init 5 type screen and get it to assign privileges and the sort. My woes also come by way of PAM.
Something tells me that I would be able to do this in Fedora 4, but since I can't get Fedora to install without complaining about 5 different hardware scenarios only to botch my Windows partition, I'll pass. I may be required to fall back on Fedora though. We'll see. I recommend http://weblog.bignerdranch.com/?p=6 to get you started. If you are using SUSE however, there will come a point where you will not be able to execute the directions as they are written. I am attempting to find out what these instructions should be for SUSE 10.
Thanks for the link but it didn't help.
The link info uses the pam.d/system-auth file, which is not present in SUSE (hence my original question/issue). I can su to the domain user, so I know authentication from the box can work. It is just that I can't find the right combination for the PAM files, as everything else works without issue. I have several RHEL3 boxes set up that work perfectly (including console login & ssh as a domain user with the associated permissions), but this SUSE box is impossible.
I have read all of the info here and perhaps I am trying to do something a bit different, but I am having issues. I am not a Linux guru or anything, but I built a SUSE Linux 10 box and am trying to get it to join our Active Directory 2003 domain and act as a simple file server for internal use, to let me back up files to it from an XP or Server 2003 machine.
Nobody is really going to sit at this machine and do any work, but we have a bunch of big drives in there and want to be able to copy files from a Windows domain to the SUSE Linux box for short-term backup purposes. So I wanted to join it to our domain in order to share out a folder and have an Active Directory user be able to communicate with this box without being prompted to re-authenticate with a local SUSE username/password. Is this possible, and do I follow the same procedures as above? Zenix, I am in the exact same boat as you in terms of attempting various things. I tried the Samba Server and Samba Client via YaST as well as the LDAP client and various other methods, but I am sure that I am missing something. Most of the documentation out there appears to describe how users can sit locally at a SUSE Linux box and log in, but I am attempting the opposite: just to have a folder shared to a certain user or group that exists in our domain. Anyone with any pointers or suggestions would be really helpful and appreciated.
Hi,
Use YaST to install Kerberos, then make the following file edits, restart winbind & samba, then do the kinit & net join. Following are file extracts of a working SUSE 9.3/Win2k3 AD integration. Make sure you keep the time running, and I run a ticket renewal script every 8 hrs. Have fun.

Dump of SUSE 9.3/AD Files Mon Mar 27 11:34:04 EST 2006

************************************
common-account
*----------------------------------*
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account sufficient pam_winbind.so
account required   pam_unix2.so
************************************

************************************
common-auth
*----------------------------------*
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required   pam_env.so
auth sufficient pam_winbind.so
auth required   pam_unix2.so
************************************

************************************
common-password
*----------------------------------*
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so nullok
password required pam_unix2.so   nullok use_first_pass use_authtok
#password required pam_make.so /var/yp
************************************

************************************
common-session
*----------------------------------*
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix2.
#
session required   pam_limits.so
session sufficient pam_winbind.so
session required   pam_unix2.so
************************************

************************************
krb5.conf
*----------------------------------*
# WARNING: this configuration file was automatically converted from Heimdal to MIT kerberos.
# It is possible that this configuration file does not work
# Please check the values.
[libdefaults]
    default_realm = DOMAINNAME.COM.AU
    clockskew = 300
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
# Set this to false to disable MIT krb5 compatibility
# in GSSAPI get_mic/verify_mic, and become compatible
# with older Heimdal releases instead.
    gss_mit_compat = true
[realms]
    DOMAINNAME.COM.AU = {
        kdc = ourdc1.domainname.com.au:88
        default_domain = domainname.com.au
        admin_server = ourdc1.domainname.com.au:749
    }
    MY.REALM = {
        kdc = MY.COMPUTER
    }
    OTHER.REALM = {
        v4_instance_convert = {
            kerberos = kerberos
            computer = computer.some.other.domain
        }
    }
[domain_realm]
    .my.domain = MY.REALM
# Note: Kerberos realm names are case-sensitive; the realm defined above is DOMAINNAME.COM.AU.
    .domainname.com.au = domainname.com.au
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
    }
************************************

************************************
login
*----------------------------------*
#%PAM-1.0
auth     required pam_securetty.so
auth     include  common-auth
auth     required pam_nologin.so
auth     required pam_mail.so
account  include  common-account
password include  common-password
session  include  common-session
session  required pam_resmgr.so
************************************

************************************
nsswitch.conf
*----------------------------------*
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   compat            Use compatibility setup
#   nisplus           Use NIS+ (NIS version 3)
#   nis               Use NIS (NIS version 2), also called YP
#   dns               Use DNS (Domain Name Service)
#   files             Use the local files
#   db                Use the /var/db databases
#   [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
passwd:     files winbind
group:      files winbind
hosts:      files lwres dns
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files
bootparams: files
automount:  files nis
aliases:    files
************************************

************************************
passwd
*----------------------------------*
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
************************************

************************************
samba
*----------------------------------*
#%PAM-1.0
auth     sufficient pam_winbind.so
auth     include    common-auth
account  sufficient pam_winbind.so
account  include    common-account
password include    common-password
session  include    common-session
************************************

************************************
smb.conf
*----------------------------------*
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2005-04-04
[global]
    # level 10 is full debug output; lower it once the join and logins work
    log level = 10
    # workgroup is normally the short NetBIOS domain name; the DNS name belongs in "realm"
    workgroup = domainname.com.au
    load printers = no
    username map = /etc/samba/smbusers
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    domain master = no
    local master = no
    ldap ssl = No
    server signing = Auto
    security = ads
    password server = 10.10.10.01
    realm = domainname.com.au
    server string = Samba-SUSE
    netbios name = SYSTEMNAME
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    # turns off the Netlogon secure channel (schannel) to the DC; the Samba default is auto
    client schannel = no
    winbind cache time = 10
    winbind enable local accounts = yes
[homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    read only = No
    inherit acls = Yes
[tmp]
    path = /tmp
    valid users = DOMAIN\%U
    read only = no
    case sensitive = no
    msdfs proxy = no
************************************

************************************
ssh_config
*----------------------------------*
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
#   ForwardAgent no
#   ForwardX11 no
# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentication data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentication data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
SendEnv LC_IDENTIFICATION LC_ALL
Protocol 2
GSSAPIAuthentication yes
# forwards the user's Kerberos TGT to every host connected to; only needed
# where the remote host must obtain further tickets on the user's behalf
GSSAPIDelegateCredentials yes
************************************

************************************
sshd
*----------------------------------*
#%PAM-1.0
# pam_rootok.so succeeds whenever the calling process runs as root. It is
# normally used in the su and passwd stacks; sshd performs PAM authentication
# from its root process, so verify this line does not let keyboard-interactive
# logins skip the password check.
auth     sufficient pam_rootok.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session
session  optional   pam_xauth.so
************************************

************************************
sshd_config
*----------------------------------*
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=yes
UsePAM yes
X11Forwarding yes
************************************
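As an added example (not code from the thread or from SUSE/Samba), this POSIX shell script checks PAM stacks shaped like the common-* files above, plus nsswitch.conf, for the pam_winbind and winbind entries a domain login needs; it addresses the earlier question of a domain user who can su but not log in. The sample files, their contents and the path under $TMPDIR are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: verify the PAM stack order and the
# nsswitch.conf entries that a winbind-backed domain login depends on.
# Print "ok" if FILE ($1) has an active "<TYPE> sufficient pam_winbind.so"
# line before "<TYPE> required pam_unix2.so" (TYPE is $2); else say why not.
check_pam_stack() {
    lines=$(sed -e 's/#.*//' "$1" | awk -v t="$2" '$1 == t { n++; print n, $2, $3 }')
    wb=$(printf '%s\n' "$lines" | awk '$2 == "sufficient" && $3 == "pam_winbind.so" { print $1; exit }')
    ux=$(printf '%s\n' "$lines" | awk '$2 == "required" && $3 == "pam_unix2.so" { print $1; exit }')
    [ -n "$wb" ] || { echo "missing: $2 sufficient pam_winbind.so"; return 1; }
    if [ -n "$ux" ] && [ "$wb" -gt "$ux" ]; then
        echo "misordered: pam_unix2.so (required) fails a domain user before pam_winbind.so runs"
        return 1
    fi
    echo ok
}
# Print "ok" if both passwd and group lookups in FILE ($1) include winbind.
check_nsswitch() {
    for db in passwd group; do
        sed -e 's/#.*//' "$1" | awk -v d="$db:" '$1 == d' | grep -qw winbind ||
            { echo "missing: $db does not list winbind"; return 1; }
    done
    echo ok
}
# Constructed sample files: one mirrors the working common-auth above, the
# other is the misordered variant; hypothetical path, removed on exit.
TMP=${TMPDIR:-/tmp}/adcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/common-auth" <<'EOF'
auth required pam_env.so
auth sufficient pam_winbind.so
auth required pam_unix2.so
EOF
cat >"$TMP/common-auth.broken" <<'EOF'
auth required pam_env.so
auth required pam_unix2.so
auth sufficient pam_winbind.so
EOF
cat >"$TMP/nsswitch.conf" <<'EOF'
passwd: files winbind
group:  files winbind
hosts:  files lwres dns
EOF
for f in common-auth common-auth.broken; do
    printf '%s: %s\n' "$f" "$(check_pam_stack "$TMP/$f" auth)"
done
printf 'nsswitch.conf: %s\n' "$(check_nsswitch "$TMP/nsswitch.conf")"
```

Run it against the real files (for example `check_pam_stack /etc/pam.d/common-auth auth`) after sourcing the functions; the same check applies to the account and session stacks.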
I would be interested in the documentation as well. I'm a very new Linux user. I have a Windows 2003 server/domain and I would like to add my SUSE 10.2 box to it as well as use AD for authentication. So if someone can tell me the link to the documentation (assuming it's completed) or point me in the right direction, I'd very much appreciate it. Thanks in advance.
I would also LOVE to get some how-to on the working scenario.
I have been working (well, pulling out all of my hair) for the past weeks, and I stopped counting the hours trying to get some sort of authentication from my SUSE 10 Ent. Server to the Win2003 AD. I only want to share folders, get a backup folder to dump backup files and get a SINGLE user/admin authentication for local users.... Why is it so complicated? Being stuck with 2 OSs is hell, and I cannot change the Windows, because some applications are stored there and are Windows only (DOS). Thanks for your great help.
Authentication on a Windows 2003 Domain
Daniel,
Can you point me to your directions or e-mail me the steps.... I've been looking all around and I'd like to see if your installation guide will work for me. Thanks, Cordt
----------------
Quote:
I have found this small X application to help configure all files to connect to AD.
It is called SADMS (http://sadms.sourceforge.net/). It works! But for my part I see the Samba inside the AD and network browser, but I still need to enter user/pass and it does not give me the OK to enter. So there is still a bug somewhere in my files. The good thing is that SADMS configures all files, then you can tweak them as you wish. Like Cordt, I would like some new pointers.
Looks like this topic is dead...
Am I the only one out there trying to make this Samba/AD combo work? Anyone got up-to-date info? Many thanks. P.S.: still would love to get the "promised" how-to guide :D