Pam + krb5 + samba
All --
I am hoping to replace CentOS 6.x with Slackware sometime this fall. One thing I must have is Active Directory integration for Single Sign-On ( Linux logins as well as file/printer sharing ). Windows users need to log into the Linux machine via ssh ( PuTTY ) to run our terminal-based app and they need to be able to access file shares, all using their Windows logins. This is extremely simple in CentOS 6.x via KRB5 + PAM + WINBIND. Seems like VBatt's PAM + KRB5 from SlackBuilds would be a good place to start. Has anyone tried VBatt's PAM package for Slackware on 14.2 ? Other hints ? Thanks in advance. -- kjh |
Check ivandi's implementation here: http://www.linuxquestions.org/questi...te-4175544114/
|
I'm pretty sure ivandi's SlackMATE would do it as well.
Forum Thread on it EDIT: Slax-Dude beat me to it |
Thanks Y'All !
I'll check it out ( ivandi's implementation ). -- kjh EDIT: Marked SOLVED |
This post was marked as solved - does that mean it worked? Could use a little more feedback on the results.
I am facing a similar issue: moving an Ubuntu domain member to Slackware. The setup needs PAM, which shipped with Ubuntu but is nowhere to be found in Slackware (see post http://www.linuxquestions.org/questi...am-4175483168/). I've looked at the ivandi post referenced in this link, but it appears to install MATE, which I don't want, and a different cron. Is there a way to just get PAM? |
mfoley --
I probably should not have marked the thread 'solved' but my question was most definitely answered well enough that the next steps are all on me. I don't want Mate either, only ( samba + winbind + pam ) for AD Authentication / Single Sign-on. I built and installed PAM in a VM instance of Slackware64 14.2 as ivandi describes here: _README ; Linux-PAM/ ; shadow/ and I got as far as logging in to the VM with local accounts ( they still work :) ) To continue with the experiment, I need to either set up a Windows AD Domain in my 'lab' or ship a test appliance to one of our more adventurous Customers for testing. But things are looking VERY promising up to this point. HTH. -- kjh |
kjhambrick: I've successfully set up AD/single-sign-on for Ubuntu, including redirected folders, which use the same desktop as the Windows workstations. I am now migrating that to Slackware because of systemd issues (see thread http://www.linuxquestions.org/questi...st-4175588181/). If you need help, let me know. I interacted for months with Rowland Penny on the Samba mailing list. In particular I have a module to permit AD password changing -- not possible with passwd.
Also, this link https://wiki.samba.org/index.php/Set..._Domain_Member has much of what needs to be done. Anyway, I tried downloading Ivandi's PAM-1.3.0 sources from http://www.linuxquestions.org/questi...st-4175588181/, did the ./configure and make and during make got this: Code:
/usr/bin/xsltproc --stringparam generate.toc "book toc" \ |
links complains about the unknown option '-no-numbering'. links is used to generate the documentation.
As I can see, the options are probably:
-- patch the Makefile to remove '-no-numbering', or
-- disable making the documentation, or
-- install and use elinks as /usr/bin/links (it has '-no-numbering') |
Your url points to some systemd related thread. Before bashing these "private" repositories that are made public for your convenience you could simply look at Linux-PAM.SlackBuild and see the easiest workaround "--disable-regenerate-docu". You could also look at DEPENDENCIES.SlackMATE and edit sync-SlackMATE.sh to download only what you need. There is also a bunch of config files in /extra/setup/SAMBA_AD_DC to setup an AD/DC domain and client. You can easily create a simple host-only network on your workstation by placing something like this in your rc.local: Code:
brctl addbr br0
There are tagfiles in /extra/tags/server/ for a minimal server setup. You can also use mkiso.sh to create a Slackware install iso with added SlackMATE. And a simple install.sh. Slackware is not yet another Ubuntu derivative. Cheers |
I'll keep looking at pam.d configs and see if I can get something working. And, thanks for at least plugging the PAM hole that Slackware needs to eventually bite the bullet and support! |
mfoley --
Sorry, I should have pointed you at ivandi's SlackBuild scripts instead of simply dropping you in his pam directory ... This: Do check out ivandi's SlackBuild scripts ! His SlackBuilds are some of the cleanest scripts of any type that I've seen anywhere. I used ivandi's SlackBuilds to build the few packages that I installed and played with back in July on that VMware instance of Slackware64 14.2 .

Anyhow, like I said in my earlier post, all I've done is the PAM section of his README file. I was able to log into the console as a local user ( i.e. I got logged in and nothing seemed broken :) ).

Eventually what I have in mind is this ... Our customers need samba for file and printer sharing and sshd to log in via an ssh client ( usually PuTTY-on-Windows ). So samba and sshd ( and the prerequisites ) will need to be 'pam-enabled' so users can authenticate using their AD credentials. That's about all we will need. Except ( :) beware of the exceptions :) ) occasionally, a few Windows admin-type users ( :) the ones that I can't wean away from the clicky-clicky configuration methodology :) ) will use a GUI desktop to add or modify system configs. On our CentOS 6.x boxes, those users wanting access to a GUI presently connect to an NXServer on CentOS via a Windows-based NXClient for the GUI ( again, this is ssh-based ).

My boss is in town this week for meetings and I've got some prep-work to do so I don't have a lot of time to boot the VM and dig thru my notes and SlackBuild tree where I built the packages ... But before you start, you might want to take a look at ivandi's DEPENDENCIES.SlackMATE file ( watch for circular-refs -- there is a file somewhere in the tree that recommends rebuilding certain packages to resolve the circular deps ). And I don't recall where I found it but there is also a 'build-order' file ( something like that ) in the SlackMATE tree. These two files could be huge time-savers for building packages in a piece-meal fashion.
Once you have 'your list' and 'the build order' his SlackBuilds are easily wrapped in a wrapper + logger script to automate the builds and eventually the installs / upgrades. Finally, HUGE thanks go to ivandi for sharing his excellent work ! HTH. -- kjh |
kjhambrick: I may have some disappointing news for you ... I was able to build ivandi's PAM successfully. That tip he gave me on using the "--disable-regenerate-docu" parameter on ./configure did work (though it was not obvious to me), and the system-auth file I downloaded from http://www.bisdesign.ca/ivandi/slack....d/system-auth passed the `make check` if I first renamed it to 'other'.
I have successfully joined this Slackware computer to my AD domain and can do `wbinfo -u` and `getent passwd userid` successfully. HOWEVER!!! I cannot authenticate when logging in as an AD user. Like you, I can log in as a local user (user in /etc/passwd). The problem, I believe, is that PAM is *NOT* being used in Slackware, regardless of it being successfully downloaded and installed. This excellent site: http://www.tuxradar.com/content/how-pam-works, says, Quote:
So, the bottom line is that no matter how good Ivandi's PAM collection is, or how well it works, it's not going to help us AD authenticate with Slackware if the various programs needing PAM for authentication are not PAM-enabled. Perhaps there is some way to make Slackware work anyway -- one possibility is recompiling login etc from sources with PAM enabled. For me, however, such exercises are beyond my job description, if not my skill level. So, despite my affection for Slackware and my irritations with Ubuntu and systemd, I will return to that platform for my domain member and user workstations since it works just fine for AD authentication. As an editorial comment, I think it's about time that Slackware reconsider the whole PAM issue. Like you, I am looking for office-environment alternatives to Windows. Our office has secure and private data and this alternative idea is driven by Microsoft's desire to push everything to the Cloud and intrinsic lack of privacy on Windows 10. I believe more and more businesses are going to look for MS alternatives and Linux Samba4 is the only AD/DC alternative out there (that I know of). Slackware is a great server and I will continue to use it as such, but Samba uses PAM to authenticate from Linux workstations and Samba rules at the moment. If Slackware doesn't get on the ball with respect to its future use as an AD workstation it's going to lose out. |
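The post above turns on two things that are easy to check before blaming the PAM configuration: whether the binaries on the login path (login, su, passwd, sshd, smbd) are actually linked against libpam, and which file under /etc/pam.d would govern each of them (the service's own file, or the "other" fallback that the renamed system-auth became). The script below is an added example written for this thread; it is not code from ivandi's SlackMATE tree or from any post here. It assumes the usual Slackware binary paths, that smbd authenticates under the PAM service name "samba", and that sshd only consults /etc/pam.d/sshd when sshd_config carries "UsePAM yes".

```shell
#!/bin/sh
# pam_audit.sh -- added example for this thread (not ivandi's code).
# Reports, for each login-path binary, whether it is linked against
# libpam and which /etc/pam.d file Linux-PAM would read for it.

# 0 if the given ldd(1) output names libpam, 1 otherwise.  Takes the
# text as an argument so captured output can be checked without ldd.
ldd_output_links_pam() {
    printf '%s\n' "$1" | grep -q 'libpam\.so'
}

# 0 if the binary at $1 is dynamically linked against libpam.
# A PAM-less build (stock Slackware login/sshd/smbd) fails this even
# with Linux-PAM installed, which is why AD logins fail there.
binary_links_pam() {
    [ -x "$1" ] || return 1
    ldd_output_links_pam "$(ldd "$1" 2>/dev/null)"
}

# Print the file Linux-PAM reads for service $1 under directory $2:
# $2/$1 if present, else the $2/other fallback; return 1 if neither.
pam_service_file() {
    if [ -f "$2/$1" ]; then
        printf '%s\n' "$2/$1"
    elif [ -f "$2/other" ]; then
        printf '%s\n' "$2/other"
    else
        return 1
    fi
}

# 0 if the sshd_config at $1 has an uncommented "UsePAM yes".
sshd_uses_pam() {
    grep -Eqi '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" 2>/dev/null
}

# Walk the usual login-path binaries (Slackware paths assumed) and
# report each one; the PAM service name is the binary name except
# for smbd, which uses "samba".
audit_host() {
    pamdir=${1:-/etc/pam.d}
    for bin in /bin/login /bin/su /usr/bin/passwd /usr/sbin/sshd /usr/sbin/smbd; do
        case $bin in
            */smbd) svc=samba ;;
            *)      svc=$(basename "$bin") ;;
        esac
        if binary_links_pam "$bin"; then link=linked; else link=NOT-linked; fi
        cfg=$(pam_service_file "$svc" "$pamdir") || cfg=none
        printf '%-16s libpam: %-11s pam.d rules: %s\n' "$bin" "$link" "$cfg"
    done
    if sshd_uses_pam /etc/ssh/sshd_config; then
        echo "sshd_config: UsePAM yes"
    else
        echo "sshd_config: UsePAM not enabled (the sshd PAM stack is ignored)"
    fi
    return 0
}

audit_host "$@"
```

Run it as root on the rebuilt box; a line reading "NOT-linked" for sshd or smbd means the package was built without PAM support and no amount of /etc/pam.d editing will route AD users through pam_winbind for that service.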
You have to recompile a lot of system packages to fully enable PAM. It would probably be best to build his whole SlackMATE system and then just choose your preferred WM/DE. That should allow you to log in using AD credentials.
|
mfoley --
Thanks a million for the feedback. One followup Q is: Did you also rebuild and install the pam-enabled shadow package ( and each of the prerequisites for the shadow package )? If so, another Q would be: Did you check that the accompanying rules are installed in /etc/pam.d/ ? Nevertheless, I imagine this will come up again someday so I am unsetting the [SOLVED] tag for this thread so I don't mislead anyone else. I do plan on playing with this some more later down the road and maybe like bassmadrigal said, the best route may be via the full SlackMATE install ... Thanks again ! -- kjh |
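For the "rules in /etc/pam.d/" question above, here is the shape those rules take once sshd and samba are PAM-enabled and winbind is joined. This is an added illustration, not a file from ivandi's tree or from either poster: it is the usual winbind stack (pam_unix first for local accounts, then pam_winbind, with pam_mkhomedir creating the home directory on first login), plus the nsswitch, sshd_config and smb.conf lines that the stack depends on. EXAMPLE / EXAMPLE.COM and the idmap ranges are placeholders; the password section is left out on purpose, since the thread notes that AD password changes through passwd are a separate problem.

```text
# /etc/pam.d/sshd  (added example; assumes pam_winbind.so from a PAM-enabled samba build)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so

# /etc/nsswitch.conf  (so getent passwd / the session see domain users)
passwd:     files winbind
group:      files winbind

# /etc/ssh/sshd_config  (without this sshd never calls the stack above)
UsePAM yes

# /etc/samba/smb.conf  [global] fragment for the domain member (placeholders)
   security = ADS
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U
```

Order matters in the auth section: pam_unix before pam_winbind keeps root and local rescue accounts working even when the domain controller is unreachable, and the final pam_deny means a user unknown to both sources is refused rather than falling through. The krb5_auth option is what turns a successful login into a Kerberos ticket for the session, which is the single-sign-on piece the first post asks for.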
I did not install the entire SlackMATE system. I'll check into that, but this being a production environment, I'd rather stick with a standard distro. I don't mind downloading a package or two, but I'm not as comfortable with much more than that. But like I said, I'll check into the SlackMATE thing on my own time.
|