LinuxQuestions.org

Thread: Active Directory Kerberos (https://www.linuxquestions.org/questions/linux-networking-3/active-directory-kerberos-416072/), in Linux - Networking

macusr 02-16-2006 09:39 AM

Active Directory Kerberos
 
Hi all,
I am trying to get my unix machines, starting with a fedora core 4 machine, to authenticate to my windows 2003 server domain. I have the unix tools installed on the server, and kinit authenticates, however I can't get it so that ldap/login works.

Any help would be greatly appreciated.

Thanks,
andrew

paul_mat 02-21-2006 05:53 PM

Okay, there are two paths you can take: either get your *nix boxes to auth via LDAP or via winbind. I've got a how-to written for both; check out my website listed below.

ldap - http://www.yourhowto.org/content/view/34/9/

winbind - http://www.yourhowto.org/content/view/31/9/ (just change it from /etc/pam.d/pop3 to /etc/pam.d/login)

serversetup - http://www.geocities.com/evilperson85/serversetup/

bret 03-10-2006 11:26 AM

Hi Macusr,

I ran into similar issues trying to authenticate users defined on my SuSE server via my AD Server. I finally got it to work, and it was really quite simple. Winbind was not even required, nor was LDAP. They were much too involved. A kerberos client is all you need installed. Here's what I did. These instructions are based on using userids that are all numerics; your ids may vary. These instructions also assume that you have YaST; if not, you must install the Kerberos client manually.

How to setup SuSE Linux authentication to use Active Directory

1) From the linux desktop, start YaST
2) Select [Networking Services]
a. Select [Kerberos Client]
i. Select radio button [Use Kerberos]
ii. Basic Kerberos Settings
1. Default Domain: YOURDOMAIN.COM
2. Default Realm: YOURDOMAIN.COM
3. KDC Server Address: windowsdc.yourdomain.com
4. CLICK [Finish]
(this dialog will modify /etc/krb5.conf)

3) From a command prompt
a. kinit userid (where userid is your 5 digit network id)
You will be prompted for your password
eg. 12345@YOURDOMAIN.COM’s Password:

your response will be:
kinit: NOTICE: ticket renewable lifetime is 1 week

4) Once you have verified the Kerberos client set-up is working, you will need to tie the linux login screen to Kerberos.
a. Edit the /etc/security/pam_unix2.conf file. Add the following lines:

auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none

5) Add user manually to /etc/passwd (make sure you use a unique uid!!!!)

12345:x:1002:100:Joe Geeko:/home/12345:/bin/bash

6) Create user’s home directory

cp -R /etc/skel /home/12345

7) Change ownership to new user

chown -R 12345. /home/12345

8) you can now logout and login with your new Active Directory credentials.

note: the userids I use are numeric, and must be added manually to /etc/passwd. If you have userids that don't start with a numeric, you will be able to use YaST or useradd.

I did not need to install winbind or samba. I also didn't need to do a net ads join.

These instructions are simply designed to allow you to use your AD user id to authenticate to linux.

HOPE THIS HELPS!

Bret
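The file-editing half of the recipe above (the krb5.conf that step 2 writes, and the manual passwd entry, skel copy and chown of steps 5-7) as shell functions, written here as an added example; it is not Bret's code or anything from SuSE/YaST. The variables PASSWD_FILE, SKEL_DIR and HOME_ROOT and the function names are my own, chosen so the whole procedure can be rehearsed against a scratch directory (constructed inside `rehearse`) before it touches /etc. The krb5.conf layout is a minimal client config with realm, KDC and domain-to-realm mapping, not necessarily byte-for-byte what the YaST dialog produces. The UID/login uniqueness check is the "make sure you use a unique uid" warning made mechanical.

```shell
#!/bin/sh
# Added example, not from the thread: steps 2 and 5-7 of the recipe as functions.
# PASSWD_FILE, SKEL_DIR and HOME_ROOT are assumed variables so everything can be
# rehearsed against a scratch tree first; the defaults are the real locations.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SKEL_DIR="${SKEL_DIR:-/etc/skel}"
HOME_ROOT="${HOME_ROOT:-/home}"

# render_krb5_conf REALM DOMAIN KDC: minimal client krb5.conf (step 2):
# default realm, the realm's KDC, and the DNS-domain-to-realm mapping.
render_krb5_conf() {
    printf '[libdefaults]\n    default_realm = %s\n\n' "$1"
    printf '[realms]\n    %s = {\n        kdc = %s\n    }\n\n' "$1" "$3"
    printf '[domain_realm]\n    .%s = %s\n    %s = %s\n' "$2" "$1" "$2" "$1"
}

# field_in_use FILE N VALUE: succeed if VALUE already occupies field N
# (1 = login name, 3 = uid) of a passwd-format file.
field_in_use() {
    awk -F: -v n="$2" -v v="$3" '$n == v { found = 1 } END { exit !found }' "$1"
}

# add_ad_user USERID UID GID "Full Name": steps 5-7 for an all-numeric AD
# userid that useradd refuses. Refuses to reuse a login name or a UID.
add_ad_user() {
    userid=$1; uid=$2; gid=$3; gecos=$4
    home="$HOME_ROOT/$userid"
    if field_in_use "$PASSWD_FILE" 1 "$userid"; then
        echo "refusing: login $userid already in $PASSWD_FILE" >&2
        return 1
    fi
    if field_in_use "$PASSWD_FILE" 3 "$uid"; then
        echo "refusing: uid $uid already in $PASSWD_FILE" >&2
        return 1
    fi
    # step 5: the passwd line, same shape as "12345:x:1002:100:Joe Geeko:..."
    printf '%s:x:%s:%s:%s:%s:/bin/bash\n' "$userid" "$uid" "$gid" "$gecos" "$home" >> "$PASSWD_FILE"
    cp -R "$SKEL_DIR" "$home"          # step 6: home directory from skel
    if [ "$(id -u)" -eq 0 ]; then      # step 7 needs root; otherwise say so
        chown -R "$uid:$gid" "$home"
    else
        echo "not root: run  chown -R $uid:$gid $home  as root" >&2
    fi
}

# rehearse: run the above against a constructed scratch passwd/skel/home tree
# and leave it in REHEARSAL_DIR for inspection.
rehearse() {
    REHEARSAL_DIR=$(mktemp -d)
    PASSWD_FILE="$REHEARSAL_DIR/passwd"
    SKEL_DIR="$REHEARSAL_DIR/skel"
    HOME_ROOT="$REHEARSAL_DIR/home"
    # constructed sample passwd file; bob already holds uid 1001
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1001:100:Bob:/home/bob:/bin/bash\n' > "$PASSWD_FILE"
    mkdir -p "$SKEL_DIR" "$HOME_ROOT"
    printf 'export PATH\n' > "$SKEL_DIR/.profile"
    render_krb5_conf YOURDOMAIN.COM yourdomain.com windowsdc.yourdomain.com > "$REHEARSAL_DIR/krb5.conf"
    add_ad_user 12345 1002 100 "Joe Geeko"
}

# "sh thisfile rehearse" runs the rehearsal and shows the resulting passwd file
if [ "${1:-}" = rehearse ]; then
    rehearse && cat "$REHEARSAL_DIR/passwd"
fi
```

Run it with `rehearse` first and inspect REHEARSAL_DIR; only then point PASSWD_FILE at /etc/passwd. The refusal on a duplicate UID is the important part: two passwd entries sharing a UID are the same user to the kernel, so a copy-paste slip on step 5 would hand the new AD account another user's files.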

BigGeek 03-10-2006 11:49 AM

AD authentication
 
That's interesting, since I did use winbind and use the AD usernames.

I didn't have to use the id#, which just seemed like a pain.
Then configured pam.d files and I was good to go.

Also I just had to make a /home/DOMAIN dir and not add users.
The entries I made in the pam.d files automatically made the user's home dirs when they logged in.

bret 03-10-2006 12:51 PM

Hi BigGeek,

What you did with winbind sounds great, especially not having to define the user's home dir. With my company, all users are identified with a 5 digit userid. Unfortunately, Linux will not let you do a useradd on an id that begins with a number ... ugh. It took me a while to figure this out, including going to Novell support. You just can't have an id that begins with a numeric. My instructions take this into account. If we'd picked ids that were anything else, life would have been much simpler. Oh well.

Bret
SLC, UT

darogers 03-24-2006 03:36 PM

I've been trying to get winbind working for the last week or so. I've tried many different step-by-step web sites and I keep having similar results.

I'm running RHEL4 and a Windows 2003 R2 server. If I logon as root I can successfully view the users and groups on the Windows domain using wbinfo -u and wbinfo -g. getent passwd works fine and the users have ID ranges that are declared in my /etc/samba/smb.conf file.

When I try to logon as a domain user (after a reboot) using the Windows username and credentials I receive the following error in the syslog:

gdm-binary[2365]: pam_succeed_if: error retrieving information about user DOMAIN\Username

Now, if I logon as root and do a kinit and check out the wbinfo queries and logoff root and log back on as the domain users it works. If I open a terminal with the 'authenticated' domain user I see the following:

id: cannot find name for group ID [ID]
id: cannot find name for user ID [ID]
[I have no name!@host ~]$

I'm very very new to Linux so if you can tell me what I've done wrong and in specifics that would be really great!
