[Klug-general] Kerberos and AD authentication

Karl Lattimer karl at nncc.info
Fri Nov 18 16:47:38 GMT 2005


winbind!

On Red Hat, using authconfig, you get something like this inserted into
your /etc/samba/smb.conf

   [global]
   # bind to the DC by DNS name; the realm is given in upper case
   password server = ads.password-server.my-domain.com
   security = ads
   # uid/gid range winbind allocates to domain accounts; keep it clear of local ids
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   # AD carries no login shell, so winbind supplies this one
   template shell = /bin/bash
   # log in as "user" rather than "DOMAIN+user"
   winbind use default domain = yes
   winbind separator = +
   realm = MY-DOMAIN.COM

and into /etc/pam_smb.conf something like
-----------------
my-workgroup
ads.password-server.my-domain.com
-----------------

There may be something you need to add for PAM, but a lot of the stuff
Red Hat authconfig does is useless to know unless you have a certain
penchant for getting your teeth into something that just works!

Start winbind (which I don't know how to do on other systems; 'service
winbind start'?), make sure it starts on boot, and voila! You'll be
authenticating with the Windows domain!

I use this on Red Hat/Fedora daily, and it works great! It uses smb/ads
security, completely ignoring Kerberos. Kerberos is possible-ish, but
is way too much of a pain to even bother yourself with on a Linux
machine. I also use the same method (using smb auth instead) to
authenticate with a Samba PDC. Apparently ads auth works with a
Samba/LDAP PDC, but seriously, WHY BOTHER, when PAM has a native LDAP
auth plugin.

The problem with Kerberos and Windows <-> Heimdal/MIT implementations is
that Windows is broken. Keytabs aren't generated correctly, realms work
in a seriously screwed way, and getting a decent working SPNEGO is
impossible! You can coerce Kerberos to auth with Apache with great
difficulty, but client negotiation is ruled out and verify KDC is an
impossibility.

winbind works fine though, so use that.

Karl,

On Fri, 2005-11-18 at 16:26 +0000, David Halliday wrote:
> This has been something I have looked at a number of times and had
> little success with. I am fine installing Linux and doing a number of
> administrative jobs within Linux. However, where I work we use M$
> Winblows Server 2003 on both our servers and have Win2k or XP on the
> clients. I'm interested in using Linux (I don't feel I need to go into
> the reasons) on some of the clients.
> 
> My difficulty is this, getting the Linux boxes to authenticate with
> the active directory on the servers allowing the users to type in a
> user name and password to use the workstations.
> 
> Using logon scripts I can map network directories and other things;
> it's just authentication and making a home directory that has had me
> completely stumped. I had a go a while ago without much success. Does
> anyone here have experience with this and any hints, tips or knowledge
> of guides that helped?
> 
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/kent
> 
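The procedure Karl describes (write the winbind settings into smb.conf, start winbind, make it start on boot) and David's question about home directories, pulled together into one script. This is an added example, not code from the original post or from Samba/authconfig: the realm, workgroup and DC name are placeholders, the idmap-overlap check and `template homedir` are additions of mine, and the home directory is created with `pam_mkhomedir.so`, which authconfig in the post is not shown configuring. The join itself only runs when invoked as root with `--apply`; the generator and the range check run anywhere.

```shell
#!/bin/bash
# Added example, not code from the original post: build the smb.conf [global]
# fragment the post describes, check the winbind idmap range against local
# accounts before joining, and run the join/verify steps only on request.
# REALM, WORKGROUP and PASSWORD_SERVER are placeholders, not real hosts.
set -eu

REALM="my-domain.com"
WORKGROUP="MY-WORKGROUP"
PASSWORD_SERVER="ads.password-server.my-domain.com"
IDMAP_LOW=16777216
IDMAP_HIGH=33554431

# Print a [global] section carrying the winbind settings from the post.
# The realm is forced to upper case, as Kerberos realm names are by convention.
# 'template homedir' is an addition so every domain user gets a predictable
# home path; it is not in the post's fragment.
gen_smb_global() {
    local realm=$1 workgroup=$2 server=$3 low=$4 high=$5
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
   security = ads
   password server = $server
   idmap uid = $low-$high
   idmap gid = $low-$high
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = yes
   winbind separator = +
EOF
}

# Succeed only if no uid or gid in a passwd-format file lies inside the idmap
# range. An overlap would let a mapped domain account share an id, and thus
# file ownership, with a local account.
idmap_range_is_clear() {
    local low=$1 high=$2 file=$3
    awk -F: -v lo="$low" -v hi="$high" '
        ($3 >= lo && $3 <= hi) || ($4 >= lo && $4 <= hi) { clash = 1; exit }
        END { exit (clash ? 1 : 0) }' "$file"
}

# The join and verification steps, Red Hat style service management as in the
# post. Run as root with --apply; nothing here executes otherwise. The clock
# must be within the DC's skew tolerance (5 minutes by default) or the join fails.
join_and_verify() {
    idmap_range_is_clear "$IDMAP_LOW" "$IDMAP_HIGH" /etc/passwd ||
        { echo "idmap range overlaps a local account; pick another range" >&2; return 1; }
    gen_smb_global "$REALM" "$WORKGROUP" "$PASSWORD_SERVER" "$IDMAP_LOW" "$IDMAP_HIGH" \
        > /etc/samba/smb.conf
    net ads join -U Administrator          # prompts for the domain admin password
    service winbind start
    chkconfig winbind on
    # Create the home directory at first login (the question in the quoted
    # message); appended only if not already present.
    grep -q pam_mkhomedir /etc/pam.d/system-auth ||
        echo 'session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077' \
            >> /etc/pam.d/system-auth
    wbinfo -t                              # machine trust account check against the DC
    wbinfo -u | head -n 5                  # a few domain users, as winbind resolves them
}

if [ "${1:-}" = "--apply" ]; then
    join_and_verify
fi
```

The range check is the part worth keeping even if you let authconfig write the rest: a domain account mapped onto a uid that a local account already owns inherits that account's files, so the idmap range must sit above every local id. Note that `idmap uid`/`idmap gid` are the Samba 3.0-era names used in the post; later Samba releases express the same range as `idmap config * : range`.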