Thanks for your help, I'll try to explain a little better what I already
have and what I want to do :-)

> 
> On 6 Jan 2006, at 12:32, brunogola wrote:
> >
> > I have a machine running linux, and I'm authenticating in a  
> > windows 2000 domain (Active directory) using
> > samba, winbind and kerberos.
> 
> Hi there,
> 
> I've done some of this recently, and I don't think you need active  
> directory, winbind AND kerberos. My understanding is that all three  
> are separate mechanisms for authenticating *nix users against a  
> Windows domain.
> 
> Active directory is MS's name for LDAP, so if you use that then your  
> applications would be compiled using the LDAP USE flag & would treat  
> the MS server as an LDAP server. I don't believe its schemas are  
> terribly good for *nix users - I use Winbind, which uses PAM to  
> appear part of the local authentication process and pass these on to  
> the Windows DC.
> 

My notebook running linux is already authenticating against the win. domain 
(AD). I've done this using samba,
kerberos5 and winbind (pam modules etc), that's working perfectly :-)

Now, what I need: my desktop (which is another linux machine) authenticating 
against my notebook, using samba,
but the problem is that samba is already configured on the notebook as an AD 
domain member :S. 

> > What I need to know is if there is a way of making some other machines
> > authenticate in this machine, and this machine will ask the  
> > password for the windows 2000 domain (only for some
> > users, and the user needs to be in the /etc/passwd).
> 
> It would be helpful if you gave an example of which programs /  
> services on which machines (A, B and C??) you need to be able to  
> authenticate in this way.
> 

Well, the principal service is a VMware GSX Server running on my notebook; I 
need to be able to authenticate
(using the vmware-console) from any machine in my network (windows or linux). I 
think the vmware thing is the
less important part, because it should be easy to edit pam.d/vmware-authd after 
everything is configured.

> > Let me explain: I have a user 'bob' who is not a user in
> > the domain, but he has his username and password on my linux  
> > machine, so he can authenticate. I have a user
> > bgola who has the username on the AD and on the linux machine, but  
> > the password isn't on the linux machine, only
> > on the AD. He can authenticate too.
> > Summing up: my linux machine will use the username database from its  
> > own but the password database from its own
> > AND from the AD.
> 
> I believe that in this situation it would be unusual to give  
> bgola a username on the Linux machine - he has one on the AD, so if  
> you use Winbind then he doesn't need one on the Linux box. He can  
> have a homedir, since he may need to store files on the Linux box,  
> but that's not the same, I think, as having an account.
> 

I want to have bgola on the linux machine for control purposes, i.e. only 
authenticate if the user exists on
the machine. This is already working for console/ssh/etc on the notebook. 

> For instance on my Linux/Winbind machine on an AD:
> 
>       $ getent passwd | grep -e stroller -e ned
>       stroller:x:1000:100::/home/stroller:/bin/bash
>       ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
>       $ grep -e stroller -e ned /etc/passwd
>       stroller:x:1000:100::/home/stroller:/bin/bash
>       $ ls -ld ~stroller ~ned
>       drwxr-xr-x  3 ned domain users 160 Jan  6 06:32 /home/DOMAIN/ned
>       drwxr-xr-x  5 stroller   users        272 Jan  6 03:58 /home/stroller
> 
> Both users can authenticate, depending on how  
> /etc/pam.d/the_authenticating_service is set up. I use pam_mkhomedir.so to  
> create a home directory for any users authenticating via Winbind, but  
> beware this only works for services which call PAM "session" directives.
> 
> I used this guide to set it all up:  
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482
> 
> Please CC me should you reply to the list with further questions,
> 
> Stroller.

Summary: I need to transform my notebook (which is an AD domain member) into an auth 
server, but without leaving the
AD domain member status, because it will need to get the password for some 
accounts from the AD server.


Thanks for your help,
Bruno Gola 
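An added example, not from either poster, of the kind of PAM stack this thread is circling around: a hypothetical /etc/pam.d/vmware-authd on the notebook that first requires the user to exist in /etc/passwd, then accepts either the local password or, for accounts with no local password, the AD password via winbind. The module names are the standard Linux-PAM and Samba ones; the service file name, module order and options are assumptions.

```text
# /etc/pam.d/vmware-authd  (hypothetical example stack, not from the thread)
#
# auth: the user must have an /etc/passwd entry (bob and bgola do, an
# AD-only account does not), then the password may come from either source.
auth     requisite   pam_localuser.so
auth     sufficient  pam_unix.so
auth     sufficient  pam_winbind.so use_first_pass
auth     required    pam_deny.so

# account: bob is only known to pam_unix, bgola to both, so either source
# passing is enough; pam_deny catches the case where neither does.
account  sufficient  pam_unix.so
account  sufficient  pam_winbind.so
account  required    pam_deny.so

# session: pam_mkhomedir creates a missing home directory, but only for
# services that actually run the "session" stack (Stroller's caveat).
session  required    pam_unix.so
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0022
```

For bgola the local shadow entry should hold a locked password (for example `!`), so pam_unix fails and the check falls through to winbind; the local UID should also match the one winbind maps for the domain account, otherwise files end up owned by two different identities.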


-- 
gentoo-user@gentoo.org mailing list
