On 7/6/2004 at 4:55 AM, Kanwar Lal Guriro ([EMAIL PROTECTED]) wrote:

KLG> Hello Dennis, Anthony and all other friends,
KLG> Has any one of you had any experience connecting a Linux machine to a
KLG> Microsoft Active Directory domain (i.e. Linux as an Active Directory
KLG> client)? Does any one of you have any idea about krb5.conf? It is the
KLG> Kerberos configuration file. I have installed Samba, but I am unable to
KLG> find kinit to communicate with and verify my domain.
KLG> Thanks for your cooperation
KLG> KL

It should be in a separate RPM package, named krb5-client or krb5-tools or
something similar.

I have set up Linux as an active directory client before, and while the
details are fuzzy, it is possible with the following steps:

1. Install Samba and Winbindd (part of Samba)
2. Add winbind to nsswitch
3. Add winbind.so to the Pluggable Authentication Module (PAM) config files for
   whatever application(s) you want to use it for (or just put it into
   system-auth for everything). You may come across a double-login problem for
   the console. There is a way around this but I don't have a specific link :(.
   Check Google Groups and you're bound to find it. Also, SSH had a login
   problem which can be fixed by loosening up the security just a teeny bit.
4. Set up Samba in AD mode using Kerberos
5. Use kinit to make sure that pre-auth keys are being received
6. Use wbinfo -u (I think is the command) to see if Winbindd is getting users
   correctly. It should list every user in Active Directory.
7. ...
8. Profit! :)

Samba will maintain an AD->UID mapping file that will map active directory
users to Unix UIDs. BACKUP THIS FILE REGULARLY!!!!!!!!! That enough
exclamations? I just say that because if you make heavy use of assigning
active directory user and group rights to your linux box (as opposed to just
accessing Windows machines), if you lose this file, you have to re-ACL the
entire server or otherwise rebuild this file from scratch.

Once you get all the little kinks and chkconfig startup order annoyances taken
care of, it runs like a dream. I still prefer Novell eDirectory (among *many*
other reasons, you can use LDAP and keep the Unix UIDs globally unique for each
user), but if you have to deal with an Active Directory environment this will
work great.
______________________________
Justin Grote
Network Architect, CCNA
JWG Networks
Email: [EMAIL PROTECTED] (remove nospam-)
SMS: [EMAIL PROTECTED] (remove nospam-)
Phone: (208) 631-5440
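Added example, not from either message in this thread: a POSIX shell script that checks, against constructed sample files, the configuration pieces Justin's steps 2 and 4 call for (winbind in nsswitch.conf, smb.conf in ADS mode with a realm that matches the default realm in krb5.conf), confirms the kinit and wbinfo tools from steps 5 and 6 are installed, and makes a timestamped backup of the winbind idmap database he says to back up. Everything under $WORK is constructed for the demo; on a real host the files are /etc/nsswitch.conf, /etc/samba/smb.conf and /etc/krb5.conf, and the idmap database is usually /var/lib/samba/winbindd_idmap.tdb, though that location varies by distribution and Samba version, so treat it as an assumption. The realm EXAMPLE.LOCAL and the hostname dc1.example.local are made up.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Checks the pieces of an
# AD-client setup that the reply's steps describe (nsswitch -> winbind,
# smb.conf in ADS mode, krb5.conf realm agreement) and backs up the winbind
# idmap database.  Sample config files are constructed below so the script
# runs offline; point the functions at the /etc/... paths on a real host.

WORK="${TMPDIR:-/tmp}/ad-client-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample files (realm and hostnames are made up) ---
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files winbind
group:  files winbind
shadow: files
EOF

cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
EOF

cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
   default_realm = EXAMPLE.LOCAL
[realms]
   EXAMPLE.LOCAL = {
      kdc = dc1.example.local
   }
EOF

# Stand-in for winbindd_idmap.tdb (the real path is an assumption; it varies
# by distribution and Samba version).
printf 'constructed idmap contents\n' > "$WORK/winbindd_idmap.tdb"

# Step 2: passwd and group lookups must both consult winbind.
check_nsswitch() {
    grep -Eq '^passwd:[^#]*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:[^#]*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Step 4: smb.conf must run in ADS mode and name a realm.
check_smb_ads() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[A-Za-z0-9.-]+' "$1"
}

# The realm Samba joins must be the default realm that kinit will use.
realm_match() {
    smb_realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]')
    krb_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1 | tr -d '[:space:]')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# Timestamped copy of the idmap database.  Losing it means rebuilding the
# SID->UID mapping from scratch, which is why the reply shouts about it.
backup_idmap() {
    [ -f "$1" ] || return 1
    mkdir -p "$2" || return 1
    cp "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
}

# Steps 5 and 6 need the real tools; here we only confirm they are installed.
tools_present() {
    command -v kinit >/dev/null 2>&1 && command -v wbinfo >/dev/null 2>&1
}

# Human-readable summary; the functions' return codes are what scripts use.
report() {
    check_nsswitch "$WORK/nsswitch.conf" && echo "nsswitch: winbind present" || echo "nsswitch: winbind MISSING"
    check_smb_ads "$WORK/smb.conf" && echo "smb.conf: ADS mode with realm" || echo "smb.conf: not in ADS mode"
    realm_match "$WORK/smb.conf" "$WORK/krb5.conf" && echo "realm: smb.conf and krb5.conf agree" || echo "realm: MISMATCH"
    tools_present && echo "tools: kinit and wbinfo found" || echo "tools: install the Kerberos client and samba-winbind packages"
    backup_idmap "$WORK/winbindd_idmap.tdb" "$WORK/backup" && echo "idmap: backed up under $WORK/backup"
}
report
```

To use it on a real host, call check_nsswitch, check_smb_ads and realm_match with the /etc paths and drop backup_idmap into a cron job pointed at the idmap database; a non-zero exit from any check tells you which of Justin's steps is still missing before you spend time on kinit or wbinfo.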