Hi,

I'm looking to get my Ubuntu(Breezy) and SUSE(9.3+) boxes to a point where single sign-on is possible from my windows boxes and all user authentication takes place via a combination of ldap and kerberos. I would like to do this without using Samba's winbind.

At the moment I have my ubuntu boxes authenticating to a 2003 AD box using ldap simple bind for user attributes and the 2003 KDC for password authentication. So I can log onto the unbuntu box using my AD credentials and can perform a kinit on my user to retrieve a TGT from the KDC but I'm having some issues getting the rest of the shooting match together.

I'm looking firstly, to have the pam.d setup configured so that su and ssh etc automatically retrieve TGTs from the KDC when logging in or switching users (needs to be done manually with kinit at the moment)

Then I need to configure SASL/GSSAPI and the ssh client/server to allow authentication via the kerberos credentials - I've installed the ssh_krb5 package and enable the kerberos options, and i'm using the vintella patched version of putty from my windows box - but it still complains about issues with the service_principal in kerberos. I'm assuming this is because Vintella putty leverages GSSAPI to pass credentials, and i haven't figure out how to configure it yet.

Can anyone give me a run down on these issues? I've read plenty on the net and some are semi-complete but usually don't deal with single sign-on, either that or they just suggest windbind. I'd like to get it running and try my hand at creating some more in-depth documentation.

Cheers

Cam Marshall
Perth WA

Bump...

Can no one offer any pointers here?

You might want to look at PAM.

A quick google search found articals like these. They might help, I just glanced at them.

http://www.redmondmag.com/columns/ar...itorialsID=858
http://reverendted.wordpress.com/?p=314
http://www.windowsnetworking.com/art...Directory.html

Here's my notes from the conference this past weekend. the guy giving the 'single sign-on' integration talk made it look easy.. I haven't tried yet so I can't confirm


Setup Active Directory (err of course) he works for an oakland university so that's the example used..

realm = ldap.secs.oakland.edu

/etc/ldap/ldap.conf
host ldap.secs.oakland.edu
binddn cn=LDAP Query user, cn=users, dc=secs, dc=oakland, dc=edu

/etc/krb5.conf
default_realm = secs.oakland.edu


/etc/nsswitch.conf
I do recall he specified here that ldap needs to be first in this list..


He also commented that when using the kerberized putty, once you had authenticated on the machine you could ssh to any of hte related boxes using putty and not have to authenticate since that was taken care of by Kerberos at this point..


Google for "Morons Guide to Kerberos" - he said this short article will give you a quick grasp of kerberos..
http://www.isi.edu/~brian/security/kerberos.html

And that's pretty much all of the config he shared.. makes it look really simple. :/
Hope something here helps you out.. I'll be trying this out in a couple days myself..

Thanks, but they all just deal with Samba/Winbind or KRB configuration up to the point i am now, i'm really trying to get the SASL auth/GSSAPI and automatic retrieval of Kerberos tickets. Using winbind completely defeats the purpose of this setup. As it stands now i have simple authentication and kerberos functionality - the hard part seems to be getting the whole shooting match together for single sign-on

If I actually manage to get this working I'm going to have to constuct a pretty in depth how-to, it seems there aren't many people out there that have managed to get this running.

Again, thanks for your efforts anyway, you're the first person from any forum to actually respond!

How's the progress on this project.
I'm just now tackling the same issue.
Do you have any documentation to share?

thanks in advance!!!!!