Old 09-15-2005, 05:34 PM   #1
zenix
LQ Newbie
 
Registered: Dec 2002
Location: Portland, OR
Distribution: CentOS
Posts: 23

Rep: Reputation: 15
Active Directory Authentication


Looking for some help here. Is there a recommended procedure for this? I was able to join the Active Directory domain and checked the box to use it for authentication, but it doesn't seem to be working.

I've read a bunch of information on how to get this all working manually, but I don't want to mangle my 9.3 setup any more than needed. It seems like they tried to build the functionality into Suse 9.3, but I'm not sure if it's incomplete or if there are just additional steps that I need to take.

Thanks!

Daniel
 
Old 09-18-2005, 02:14 PM   #2
dexteroo
Member
 
Registered: Sep 2003
Location: Nigeria
Distribution: CentOS 4.3
Posts: 37

Rep: Reputation: 15
Try going through the documentation on www.samba.org; they have some very useful documentation in the form of a howto collection as well as a guide-by-example book.
 
Old 09-18-2005, 10:27 PM   #3
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
I'm not a Windows 2003 server pro, but I do have a Windows 2003 server running with Active Directory under a domain. Is that the same thing? Assuming you installed the SAMBA service for SuSE, you can just use Konqueror to access the files and directories. You will need your username/password of the domain (obviously).

Maybe I'm way off (lol) but this is what I do:

1) open konqueror
2) address is: smb://ipaddress I believe.
3) input username/password when prompted.
4) the files and folders will be available.

Hope this helps?

Last edited by Micro420; 09-18-2005 at 10:41 PM.
 
Old 09-20-2005, 04:50 PM   #4
zenix
LQ Newbie
 
Registered: Dec 2002
Location: Portland, OR
Distribution: CentOS
Posts: 23

Original Poster
Rep: Reputation: 15
The good news is... we got this to work.

Me and my partner spent almost 20 hours straight getting there, but we did. As it turns out (I know no one else has had this happen) it took several pieces of incomplete documentation to get it to work, but it does. The even better news is that this has been deployed as a production server for one of our remote offices. Since this environment requires Active Directory, it was nice to finally find a way of integrating Linux (more specifically, Suse) where it fits. This server build will become our template for deploying new remote offices... very cool!!! This setup works sooo well. Complete, seamless integration with the AD environment (a member of the AD domain, fully capable of using AD usernames/passwords and security). The user at the desktop doesn't have any way of telling it's a Linux box in the back, it behaves exactly the same. We even left it running headless (no keyboard, monitor or mouse). Doing all administration via ssh.

If there's enough interest, I will take the time to write a real how-to specifically for Suse. So, let me know in this thread if you would be interested in seeing this documentation brought to life.

Thanks to those who offered their help.

My new motto: Moving Linux from the edge to the heart of the enterprise.

~Daniel
 
Old 09-20-2005, 05:11 PM   #5
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
Quote:
Originally posted by zenix
The good news is... we got this to work.

Me and my partner spent almost 20 hours straight getting there, but we did. As it turns out (I know no one else has had this happen) it took several pieces of incomplete documentation to get it to work, but it does. The even better news is that this has been deployed as a production server for one of our remote offices. Since this environment requires Active Directory, it was nice to finally find a way of integrating Linux (more specifically, Suse) where it fits. This server build will become our template for deploying new remote offices... very cool!!! This setup works sooo well. Complete, seamless integration with the AD environment (a member of the AD domain, fully capable of using AD usernames/passwords and security). The user at the desktop doesn't have any way of telling it's a Linux box in the back, it behaves exactly the same. We even left it running headless (no keyboard, monitor or mouse). Doing all administration via ssh.

If there's enough interest, I will take the time to write a real how-to specifically for Suse. So, let me know in this thread if you would be interested in seeing this documentation brought to life.

Thanks to those who offered their help.

My new motto: Moving Linux from the edge to the heart of the enterprise.

~Daniel
You should DEFINITELY write documentation for this. I guarantee you that this will help others. You can even post the 1-2-3's of it here on Linuxquestions.org in the tutorial section and the mods will definitely approve it.

I know that when I google linux problems, I usually get back Linuxquestions.org somewhere. This is a really good resourceful place to get help.

And out of curiosity, can you quickly put the 1-2-3's of how you got it to work? I am curious!
 
Old 09-20-2005, 07:06 PM   #6
zenix
LQ Newbie
 
Registered: Dec 2002
Location: Portland, OR
Distribution: CentOS
Posts: 23

Original Poster
Rep: Reputation: 15
If there were a quick 1-2-3, I would certainly post it here. Here's the 1,000 view:

1. Configure Suse 9.3 with Samba (don't even think about using the Yast samba server tool)

2. Configure Samba and test

3. Configure Winbind/Kerberos and test

4. Configure nsswitch

5. Configure PAM

As you can imagine each of these pieces has several steps. If you decide to venture down the road of actually trying it, let me know. I would be happy to assist you with any help you may need.
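
As an added example (not part of the original posts, and not zenix's actual procedure): a shell check of the four configuration layers named in the list above, useful when a host has joined the domain but logins still resolve against local accounts. The file locations, the `EXAMPLE.LOCAL` realm and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree containing etc/ for the Samba/Kerberos/nsswitch/PAM chain.
# File locations are the conventional ones and are an assumption about the host.
smb_global() {          # $1 = smb.conf, $2 = parameter -> its [global] value, lowercased
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    g && (i = index($0, "=")) {
      k = tolower(substr($0, 1, i - 1)); v = tolower(substr($0, i + 1))
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1" 2>/dev/null
}
krb_default_realm() {   # $1 = krb5.conf -> default_realm, lowercased
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
    head -n 1 | tr -d ' \t\r' | tr 'A-Z' 'a-z'
}
nss_uses_winbind() {    # $1 = nsswitch.conf, $2 = database (passwd, group)
  grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|\$)" "$1" 2>/dev/null
}
pam_uses_winbind() {    # $1 = pam.d directory, $2 = type; "include" lines are not followed
  cat "$1"/* 2>/dev/null | grep -Eq "^[[:space:]]*$2[[:space:]].*pam_winbind\.so"
}
audit_ad_auth() {       # $1 = root holding etc/; prints each gap, returns the gap count
  etc="$1/etc"; gaps=0
  note() { echo "GAP: $*"; gaps=$((gaps + 1)); }
  [ "$(smb_global "$etc/samba/smb.conf" security)" = ads ] || note "smb.conf: security is not ads"
  realm=$(smb_global "$etc/samba/smb.conf" realm)
  { [ -n "$realm" ] && [ "$realm" = "$(krb_default_realm "$etc/krb5.conf")" ]; } ||
    note "krb5.conf: default_realm does not match the smb.conf realm"
  for db in passwd group; do nss_uses_winbind "$etc/nsswitch.conf" "$db" || note "nsswitch.conf: $db lacks winbind"; done
  for t in auth account; do pam_uses_winbind "$etc/pam.d" "$t" || note "pam.d: no $t line uses pam_winbind.so"; done
  return "$gaps"
}
sample_root() {         # constructed sample: domain join done, nsswitch and PAM untouched
  r=$(mktemp -d) && mkdir -p "$r/etc/samba" "$r/etc/pam.d" || return 1
  printf '[global]\n  security = ADS\n  realm = EXAMPLE.LOCAL\n' > "$r/etc/samba/smb.conf"
  printf '[libdefaults]\n  default_realm = EXAMPLE.LOCAL\n' > "$r/etc/krb5.conf"
  printf 'passwd: compat\ngroup:  compat\n' > "$r/etc/nsswitch.conf"
  printf 'auth     required pam_unix.so\naccount  required pam_unix.so\n' > "$r/etc/pam.d/login"
  echo "$r"
}
audit_ad_auth "$(sample_root)" || echo "$? gap(s): logins still use local accounts only"
```

On a live host, call `audit_ad_auth /`; once it reports no gaps, `wbinfo -u` and `getent passwd` confirm that winbind actually returns domain accounts.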
 
Old 09-21-2005, 08:45 AM   #7
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 135

Rep: Reputation: 17
I also managed to do that, first for Fedora (but for some strange reasons, some bugs started appearing with Fedora after some time), but adapting it to Suse was quite easy (what turned Suse into my second favorite distribution).

Other cool thing that I discovered in some old archives of samba lists was a patch that allowed a kerberized printing to windows printers through CUPS (patch applied to smbspool.c at SAMBA compiling. Sadly, it seems to work only till samba-3.0.14, I tried applying it to samba-3.0.20 and got an error).
Try googling for "samba3-smbspool-krb.bin".
 
Old 10-28-2005, 03:39 PM   #8
gblanton
LQ Newbie
 
Registered: Oct 2005
Location: Charlotte, NC
Distribution: SuSE 9.3 Pro
Posts: 4

Rep: Reputation: 0
zenix

you posted:

"If there were a quick 1-2-3, I would certainly post it here. Here's the 1,000 view:

1. Configure Suse 9.3 with Samba (don't even think about using the Yast samba server tool)

2. Configure Samba and test

3. Configure Winbind/Kerberos and test

4. Configure nsswitch

5. Configure PAM

As you can imagine each of these pieces has several steps. If you decide to venture down the road of actually trying it, let me know. I would be happy to assist you with any help you may need."

I am using SuSE 9.3 also. I got as far as step 4. What did you do to configure PAM?
 
Old 10-28-2005, 04:32 PM   #9
EclipseAgent
Member
 
Registered: Oct 2005
Location: California
Distribution: SLED 10, openSuSE 10.2, Ubuntu Drapper
Posts: 713

Rep: Reputation: 30
When you say configure Samba and Test, what are you configuring really?

Should you not use YaST and configure smb.conf? When you are testing Samba, what are you testing?

I can get onto my file servers no problem using smb://fileservername

And who is PAM? Is she fat? Cute? Hot? jk.

Last edited by EclipseAgent; 10-28-2005 at 04:39 PM.
 
Old 10-28-2005, 05:50 PM   #10
EclipseAgent
Member
 
Registered: Oct 2005
Location: California
Distribution: SLED 10, openSuSE 10.2, Ubuntu Drapper
Posts: 713

Rep: Reputation: 30
I dunno about you and PAM and all that stuff, but I was able to get it working pretty easily by these steps

Open YaST
Configure Kerberos to an AD DC
Close YaST
Open Control Center (I am using KDE, and yes, they do seem to be different).
Click on Internet & Network thing
Click Samba
Click Administrative Mode
Change Security Level to ADS
Enter in Server Addy + Realm
Click Apply
Open Terminal
SU - SU Password
net ads join

I see my computer in the Domain, although I am not sure if the log on sequence (When I log onto the computer, is using the local passwd file or authenticating against the domain), but when I log in I am able to open domain resources etc without a hitch it seems.

I will try to check the authentication and report back.

Last edited by EclipseAgent; 10-28-2005 at 05:52 PM.
 
Old 10-28-2005, 06:40 PM   #11
EclipseAgent
Member
 
Registered: Oct 2005
Location: California
Distribution: SLED 10, openSuSE 10.2, Ubuntu Drapper
Posts: 713

Rep: Reputation: 30
I am authenticating using the local /etc/passwd and not the domain logon (I tried to log in as someone else with their domain account on the linux machine).

Did you install the NIS server from NFS3.5? For the Schema extension in AD?

I am sure it is pretty simple to do.. I am still trying to figure it out though..

So can anyone in your domain, walk up to the linux machine and login authenticating to their domain account?
 
Old 11-14-2005, 08:50 AM   #12
yiannos
LQ Newbie
 
Registered: Oct 2003
Posts: 1

Rep: Reputation: 0
Yes. I can. And without any SAMBA settings

All I need is Kerberos in order to auth. But the user must be locally known in linux. If I want to lookup the user in AD I suspect I need some kind of directory lookup protocol. This would probably be LDAP right?

So I setup LDAP. I did not go into the advanced screens at all and the result was the following message in /var/log/messages: "nscd: nss_ldap: could not search LDAP server - Operations error"

Any ideas?
 
Old 11-17-2005, 04:19 PM   #13
zenix
LQ Newbie
 
Registered: Dec 2002
Location: Portland, OR
Distribution: CentOS
Posts: 23

Original Poster
Rep: Reputation: 15
You already have all the tools you need. The authentication portion is handled by winbind and kerberos. You will need to edit your PAM files to get linux to use Active Directory for authentication. I don't have time to list all the steps now, but maybe this will get you on the right track.

Daniel
 
Old 11-17-2005, 05:33 PM   #14
gblanton
LQ Newbie
 
Registered: Oct 2005
Location: Charlotte, NC
Distribution: SuSE 9.3 Pro
Posts: 4

Rep: Reputation: 0
Thanks for your response. I figured it out. Everything was already setup correctly. I did not realize that I had to have Domain\username instead of just the username in the read and write lists in Samba.
 
Old 12-06-2005, 03:41 PM   #15
tcaleb
LQ Newbie
 
Registered: Dec 2005
Distribution: SUSE 9.3, Fedora Core 4
Posts: 2

Rep: Reputation: 0
I am just starting to use SUSE Linux, and have had this question brought up to see if it is possible. I have a Windows AD (2003) and I can get the computer object into AD, but I cannot authenticate with an AD account only. I have followed a lot of the steps outlined here, but I am getting an error:

Kerberos_kinit_password host hostname failed. Client not found in Kerberos database.

Any ideas?

Thanks
 
  

