On Tue, 21 Jun 2005, Ira Abramov wrote:
I wondered once or twice if people united their Linux machine to
authenticate against an existing Active Directory. Today I had the
chance to do it for a client. First we tried the old-fashioned way:
install SFU (Services for Unix) on the 2000/2003 machine, and bind to
it with LDAP. This proved to be a trial-and-error process; sadly enough,
most of the time we could not ever see the logs indicate that PAM was
even logging into the LDAP.
We quickly ditched it for winbind, a daemon bundled with Samba. The Red
Hat RHEL workstation (and apparently Fedora since at least RH9) comes
with a script called authconfig that takes care of editing your
smb.conf, your nsswitch.conf and PAM's system-auth files, and helps you
join the domain almost automatically (needs Kerberos). It was a bit
confusing to discover one can authenticate only some 50-60 seconds after
winbindd fires up, but we did manage to get to the AD and authenticate
users. At last we could not log in with them though, since winbindd kept
complaining about not being able to translate the users' SIDs to the
local UIDs, but that too was solved with a reboot (Tomer Perry suggested
it was a restart of nscd that released that final hurdle; I did not go
back to figure it out for sure).
I hope this helps people out there, enjoy :)
Those who are not using RHEL (and thus not using the authconfig
script) should read this:
http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm
and remember two important lessons:
1. when requesting a Kerberos key with kinit the domain name is case
sensitive
2. make sure to update your machine's clock to the NTP server running on
the KDC; any time skew of more than a few minutes will cause problems.
--
- Josh
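The steps the two postings above describe, as one script: derive the upper-case realm for kinit (lesson 1), check the clock against the KDC before joining (lesson 2), emit the smb.conf/krb5.conf settings authconfig would write, join with a Kerberos ticket, wait for winbindd to become responsive rather than assuming it is, and verify the SID-to-UID mapping that was the final hurdle. This is an added example, not code from either poster or from Samba. It assumes Samba's `net` and `wbinfo`, MIT `kinit`, `ntpdate` and an RHEL-style `service` command are installed; the domain, KDC, admin and user names are caller-supplied placeholders, and the idmap ranges are illustrative choices.

```shell
#!/bin/sh
# Added example: pre-flight checks and a winbind-based AD join matching the
# lessons in the thread above. Not the original posters' code. Assumes Samba's
# `net`/`wbinfo`, MIT `kinit`, `ntpdate` and RHEL-style `service` exist;
# domain, KDC, admin and user names are placeholders supplied by the caller.
set -u

# Lesson 1: Kerberos realm names are case sensitive and AD realms are the
# DNS domain in upper case, so derive the realm instead of typing it.
ad_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Lesson 2: read `ntpdate -q <kdc>` output on stdin and fail if any reported
# offset exceeds $1 seconds. Kerberos' default clockskew tolerance is 300s;
# a smaller limit here leaves headroom.
skew_ok() {
    awk -v max="$1" '
        /offset/ {
            for (i = 1; i < NF; i++) {
                if ($i == "offset") {
                    v = $(i + 1); sub(/,$/, "", v); off = v + 0
                    if (off < 0) off = -off
                    if (off > max) bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

check_clock() {
    kdc=$1; max=${2:-120}
    if ntpdate -q "$kdc" 2>&1 | skew_ok "$max"; then
        echo "clock is within ${max}s of $kdc"
    else
        echo "clock skew vs $kdc exceeds ${max}s; fix with: ntpdate -u $kdc" >&2
        return 1
    fi
}

# The smb.conf [global] settings authconfig writes for an ADS member.
smb_conf_fragment() {
    domain=$1; workgroup=$2
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $(ad_realm "$domain")
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
EOF
}

# Matching krb5.conf: realm in upper case, KDC pointed at a domain controller.
krb5_conf_fragment() {
    domain=$1; kdc=$2; realm=$(ad_realm "$domain")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    clockskew = 300
[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }
[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Join with a Kerberos ticket for the domain admin, then restart winbind.
join_domain() {
    domain=$1; admin=$2
    kinit "$admin@$(ad_realm "$domain")" || return 1
    net ads join -k || return 1
    service winbind restart
}

# winbindd only answered ~50-60s after start in the posting, so poll the
# trust secret check instead of assuming it is ready.
wait_for_winbind() {
    i=0
    while [ "$i" -lt "${1:-90}" ]; do
        wbinfo -t >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    echo "winbindd not answering after ${1:-90}s" >&2
    return 1
}

# The final hurdle in the posting: the user resolves but SID -> UID fails.
check_idmap() {
    sid=$(wbinfo -n "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$sid" ] || { echo "no SID for $1" >&2; return 1; }
    wbinfo -S "$sid" >/dev/null 2>&1 ||
        { echo "no UID for $sid; try: service nscd restart" >&2; return 1; }
    getent passwd "$1" >/dev/null
}

# Whole sequence (review the config fragments and install them first):
#   AD_JOIN_RUN=1 ./adjoin.sh example.com dc1.example.com Administrator someuser
if [ "${AD_JOIN_RUN:-0}" = 1 ]; then
    check_clock "$2" && join_domain "$1" "$3" && wait_for_winbind 90 && check_idmap "$4"
fi
```

The config fragments are written to stdout so they can be reviewed and merged into the files authconfig would otherwise edit; the join itself only runs when AD_JOIN_RUN=1 is set, so sourcing the file just defines the helpers.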