[opensuse] list recursive package dependencies

2005-12-06 Thread Roman Sommer
hi,

I need all the dependencies (all the rpm files) of a KDE installation... how
would I get that listing?
(substitute KDE with any other application; I know apt-get (-s) install
'application' would give me that list quite easily)

and what's the corresponding command to dpkg -l? (show all installed
packages) :)
probably there's a tool out there for .rpms I don't know of yet, right?


-- Roman
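An added example, not part of the thread, answering both questions with plain rpm(8) queries: rpm -qa is the dpkg -l equivalent, rpm -q --requires lists what a package needs and rpm -q --whatprovides maps each capability back to the package that provides it. The awk closure then walks those requirements recursively (there is no single rpm switch for that). The package names and edges in the sample map are made up so the closure can run offline; the rpm-backed helpers only do something on a host with an RPM database, and kdebase3 is an assumed package name:

```shell
#!/bin/sh
# Added example (not from the thread). Installed-package listing and recursive
# requirement closure with plain rpm(8) queries plus awk.

# dpkg -l equivalent: every installed package, one per line.
list_installed() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort
}

# One map line "pkg: provider provider ..." for an installed package: each
# required capability (minus rpmlib() pseudo-deps) is resolved to the package
# that provides it. Only the first provider rpm reports is kept, so a capability
# with several providers is attributed to one of them.
requires_line() {
    printf '%s:' "$1"
    rpm -q --requires "$1" | awk '{ print $1 }' | grep -v '^rpmlib(' | LC_ALL=C sort -u |
    while IFS= read -r cap; do
        prov=$(rpm -q --whatprovides --qf '%{NAME}\n' "$cap" 2>/dev/null | head -n 1)
        [ -n "$prov" ] && printf ' %s' "$prov"
    done
    printf '\n'
}

# Transitive closure over "pkg: dep dep ..." lines on stdin, starting at $1.
# Breadth-first walk; each package is queued once, so dependency cycles
# (A needs B, B needs A) terminate. Output: every package $1 pulls in, sorted.
resolve_deps() {
    awk -v root="$1" '
    {
        pkg = $1; sub(/:$/, "", pkg)
        for (i = 2; i <= NF; i++) deps[pkg] = deps[pkg] " " $i
    }
    END {
        n = 1; queue[1] = root; seen[root] = 1
        for (h = 1; h <= n; h++) {
            m = split(deps[queue[h]], d, " ")
            for (k = 1; k <= m; k++)
                if (!(d[k] in seen)) { seen[d[k]] = 1; queue[++n] = d[k] }
        }
        for (p in seen) if (p != root) print p
    }' | LC_ALL=C sort
}

# On a live system (not run here), e.g. for a KDE install (kdebase3 is an
# assumed package name):
#   for p in $(rpm -qa --qf '%{NAME}\n'); do requires_line "$p"; done > /tmp/deps.map
#   resolve_deps kdebase3 < /tmp/deps.map
# For .rpm files that are not installed yet, rpm -qp --requires FILE.rpm gives
# the requirement list of the file itself.

# Constructed sample map (names and edges made up) so the closure runs offline.
SAMPLE_MAP='kdebase3: kdelibs3 qt3 glibc
kdelibs3: qt3 glibc openssl
qt3: glibc libpng
openssl: glibc
libpng: glibc
glibc:'

printf '%s\n' "$SAMPLE_MAP" | resolve_deps kdebase3
```

The map is built once for the whole database and queried as often as needed; building it per query would call rpm once per capability and is slow on a full desktop install.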


Re: [opensuse] suse in a windows network (authentication)

2005-11-08 Thread Roman Sommer
hi,

first of all thanks for your reply. Of course I did have a look at sadms.
I have it up and running and it is working quite reliably. Anyway, there's
something that keeps me worried. I tried analyzing the network traffic
and figured out it's a big mess :) Hard to trace, hard to follow, hard
to understand. A timeline schematic showing the complete login process
would be superb. Unfortunately all the documentation consists of some
poorly described screenshots. Maybe the winbind/samba documentation
has more information to offer, I'll check that asap. As far as I could
see it is using GSSAPI/SPNEGO as security layer, which is okay. I just
can't tell for sure if all communication is secured :-/
And still the kerberos/ldap solution seems to be a much cleaner way to
go. If it just worked... :)

--
Roman Sommer
"The value of an idea lies in the using of it." (Thomas Edison)


2005/11/5, Richard Bos <[EMAIL PROTECTED]>:
> On Monday 31 October 2005 12:23, Roman Sommer wrote:
> > might anyone please help?
>
> This http://sadms.sourceforge.net was just announced on freshmeat...
>
> SADMS takes care of handling configuration
>  to achieve the integration of
>  Linux hosts to an Active Directory domain,
>  to the effect that::
>  Linux hosts become Windows domain hosts
>  (and act either as station or server)
>  Windows domain users become Linux users
>  (authentication is offloaded to the domain
>
> But suse is not supported.
>
> --
> Richard Bos
> Without a home the journey is endless
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [opensuse] Re: suse in a windows network (authentication)

2005-11-04 Thread Roman Sommer
that is great news :)
I know the microsoft guide linked in the wiki. It contains a lot of
useful information but it has one major drawback.

---snip ---
Security Configuration

By default, Active Directory on Windows Server 2003 does not permit
anonymous operations on the LDAP directory other than rootDSE
searches. UNIX and Linux computers must be capable of browsing Active
Directory to access UNIX Authentication and Authorization data. This
data is required before a user logs in to the system. Therefore, the
credentials of a domain user cannot be used to bind to Active
Directory for searching.
There are two main solutions to this problem:
•   Configure Active Directory to allow anonymous browsing.
•   Create a special Windows user account that is authorized to browse
the Active Directory and then configure the UNIX and Linux operating
systems to authenticate to Active Directory as this user.
--- snip ---

the first "solution" is unacceptable. The second solution requires a
locally stored plaintext password file (ldap.secret). A more
desirable solution would be to take the user's kerberos credentials
to access the ldap service on the domain controller. Unfortunately this
approach is not covered in the guide as far as I can remember :-/

/R.

2005/11/2, Peter Flodin <[EMAIL PROTECTED]>:
> I just recently created the SUSE Interoperability Project (sounds
> fancy, but at this point it is a wiki page at
> http://www.opensuse.org/SINTEROP), it is not linked to from anywhere
> yet. The project goals are to provide tested and documented solutions
> for SUSE to interoperate in an IT environment dominated by other
> vendors. Initially focused on SUSE Linux 10.0 in a Microsoft
> environment.
>
> Needless to say, anybody and everybody is not just welcomed but
> encouraged to contribute, both in terms of howtos but also feedback
> from using the information in your environment.
>
> Peter 'Pflodo' Flodin


Re: [opensuse] suse in a windows network (authentication)

2005-11-02 Thread Roman Sommer
further investigations showed ldap is not using gssapi on login
because it doesn't see a credentials cache file.

/var/log/messages:
Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:56:27 playground login[7478]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:56:27 playground login[7478]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:56:27 playground login[7478]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:27 playground login[7478]: pam_krb5[7478]: error
resolving user name 'testuser' to uid/gid pair
Nov  2 08:56:27 playground login[7478]: pam_krb5[7478]: error getting
information about 'testuser'
Nov  2 08:56:29 playground login[7478]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:56:29 playground login[7478]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:29 playground login[7478]: FAILED LOGIN 2 FROM /dev/tty2
FOR UNKNOWN, User not known to the underlying authentication module

the error can partially be avoided by specifying a kerberos
credentials cache file in /etc/ldap.conf (krb5_ccname FILE:/tmp/.ldapcc)

/var/log/messages
Nov  2 08:57:22 playground login[7529]: pam_krb5[7529]: authentication
succeeds for 'testuser' ([EMAIL PROTECTED]) // **1
Nov  2 08:57:22 playground login[7529]: pam_ldap: ldap_search_s
Operations error / **2
Nov  2 08:57:22 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success) / **3
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous
failure (No credentials cache found) / **4
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous
failure (No credentials cache found)
Nov  2 08:57:23 playground login[7529]: nss_ldap:
ldap_sasl_interactive_bind_s returned -2 (Local error)

** 1: kerberos authentication succeeded.
** 2: simple bind, search of course fails..
** 3: actually the value returned is 0x0E (saslBindInProgress)
** 4: still something can't find my credentials cache file although
it's statically specified. Something is not playing by the rules.

and it is not doing _any_ ldapsearches at all.. just a dozen bind
requests :-/

any hints?

thanks in advance
Roman
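The two /var/log/messages excerpts above are easier to read as per-PID counts than as repeated lines. The helper below is an added example, not part of the thread: it groups the syslog lines by the login[PID] tag, counts the pam_krb5 result, the "No credentials cache found" errors, successful and failed nss_ldap SASL binds and the pam_ldap search error, and then states what the pattern means. The sample input is a subset of the lines quoted in the post, re-joined to one syslog line each (the mail wrapped them) with the principal suffix left out. Reading those counts as an outside editor: nss_ldap is called by login to resolve 'testuser' before pam_krb5 has run, so at that moment no user ticket can exist; a cache named by krb5_ccname therefore has to be populated by the host itself (normally from its keytab) if lookups are to bind with GSSAPI. That interpretation is the editor's, not something the thread settles.

```shell
#!/bin/sh
# Added example (not from the thread). Summarises the login-time nss_ldap /
# pam_krb5 syslog chatter per login PID so the failure pattern is visible at
# a glance instead of in a wall of repeated lines.

# Reads syslog lines on stdin; prints one summary line per login[PID].
summarize_login() {
    awk '
    match($0, /login\[[0-9]+\]/) {
        pid = substr($0, RSTART + 6, RLENGTH - 7)
        pids[pid] = 1
        if ($0 ~ /pam_krb5.*authentication succeeds/)        krb_ok[pid]++
        if ($0 ~ /No credentials cache found/)               nocc[pid]++
        if ($0 ~ /ldap_sasl_interactive_bind_s returned 0/)  bind_ok[pid]++
        if ($0 ~ /ldap_sasl_interactive_bind_s returned -2/) bind_err[pid]++
        if ($0 ~ /ldap_search_s .*error/)                    search_err[pid]++
        if ($0 ~ /FAILED LOGIN/)                             failed[pid]++
    }
    END {
        for (p in pids)
            printf "%s krb5_ok=%d ccache_missing=%d bind_ok=%d bind_err=%d search_err=%d failed_login=%d\n",
                   p, krb_ok[p], nocc[p], bind_ok[p], bind_err[p], search_err[p], failed[p]
    }' | LC_ALL=C sort -n
}

# Reads one summary line ($1) and says what it means for the GSSAPI bind.
verdict() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 2; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] + 0 }
        if (v["bind_ok"] == 0 && v["ccache_missing"] > 0)
            print $1 ": no SASL bind succeeded; nss_ldap found no credentials cache"
        else if (v["bind_ok"] > 0 && v["ccache_missing"] > 0)
            print $1 ": SASL binds succeed intermittently; some lookups run without a credentials cache"
        else if (v["bind_ok"] > 0)
            print $1 ": SASL binds succeed"
        else
            print $1 ": no LDAP bind activity"
    }'
}

# Constructed sample: a subset of the lines quoted in the post, re-joined to
# one syslog line each (the mail client wrapped them). Principal suffix omitted.
SAMPLE_LOG=$(cat <<'EOF'
Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov  2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:27 playground login[7478]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov  2 08:56:27 playground login[7478]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:56:27 playground login[7478]: pam_krb5[7478]: error resolving user name 'testuser' to uid/gid pair
Nov  2 08:56:29 playground login[7478]: FAILED LOGIN 2 FROM /dev/tty2 FOR UNKNOWN, User not known to the underlying authentication module
Nov  2 08:57:22 playground login[7529]: pam_krb5[7529]: authentication succeeds for 'testuser'
Nov  2 08:57:22 playground login[7529]: pam_ldap: ldap_search_s Operations error
Nov  2 08:57:22 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
Nov  2 08:57:23 playground login[7529]: GSSAPI Error: Miscellaneous failure (No credentials cache found)
Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned -2 (Local error)
Nov  2 08:57:23 playground login[7529]: nss_ldap: ldap_sasl_interactive_bind_s returned 0 (Success)
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_login | while IFS= read -r line; do verdict "$line"; done
```

On a real box run it as `grep 'login\[' /var/log/messages | summarize_login`; a PID that shows bind_ok greater than zero next to ccache_missing greater than zero is the "partially avoided" case from the post, where some lookups happen with a cache and some without.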




Re: [opensuse] suse in a windows network (authentication)

2005-11-01 Thread Roman Sommer
2005/10/31, Daniel Hatfield <[EMAIL PROTECTED]>:
> I don't know about using doing this with ldap directly, but if you have
> Kerberos working and you've successfully joined your computer to the
> domain.  You're really close.  Let's test to make sure.
> Do the following as root from the command line:
>
> To test Kerberos:
>
> kinit administrator
>
> The above command will prompt for a password.  Enter the password of
> your
> 2K3 domain administrator.  If you have renamed your domain administrator
> account use the name instead with the kinit command.  If you receive no
> errors Kerberos is working.
>
> To test winbind:
>
> wbinfo -g
>
> The above command should give you a list of groups in you Active
> directory.  Try it with the -u switch to see a list of users.
>
> Let us know what your results are and we can help you further.
>
> Cheers,
> Daniel


first of all thank you for your replies, I really appreciate that.
As I said before the kerberos part is pretty straight forward.. I
never encountered any serious problems on this side.

Packetyzer Trace:
Kerberos AS-REP
 Pvno: 5
 MSG Type: AS-REP (11)
 Client Realm: LINUX.LOCAL
 Client Name (Principal): Administrator
  Name-type: Principal (1)
  Name: Administrator
 Ticket
  Tkt-vno: 5
  Realm: LINUX.LOCAL
  Server Name (Unknown): krbtgt/LINUX.LOCAL
   Name-type: Unknown (0)
   Name: krbtgt
   Name: LINUX.LOCAL
  enc-part rc4-hmac
   Encryption type: rc4-hmac (23)
   Kvno: 2
   enc-part: 08561DE7EE73917EAB22B1B3E1DC1FE4E24F14BD18E39CF3...
 enc-part rc4-hmac
  Encryption type: rc4-hmac (23)
  Kvno: 1
  enc-part: 2E1EDFF75F9DB3CA00736E7B3A4DE074E6A398E0810B415E...


playground:~ # klist -e -5:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

A packet sniffer proved to be quite helpful here. If I try to log in
as a domain user it first does the kerberos authentication (PAM: auth)
and then tries to get account information via ldap (PAM: account). The
problem is, ldapsearch tries to bind using the "simple" method (-x
parameter). Some windows registry hacking would allow Active Directory
to allow anonymous searches but that's not in my interest. Neither is
a dedicated user with a locally stored plaintext password in
ldap.secret.

If I issue a ldapsearch with a tgt (ticket) present I get quite
reasonable results:

playground:/etc # ldapsearch
"(&(objectclass=User)(msSFU30Name=testuser))"  |head -20
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=User)(msSFU30Name=testuser))
# requesting: ALL
#

# testuser, Users, linux.local
dn: CN=testuser,CN=Users,DC=linux,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testuser
givenName: testuser
distinguishedName: CN=testuser,CN=Users,DC=linux,DC=local
instanceType: 4
whenCreated: 20051020072831.0Z
whenChanged: 20051031100055.0Z
...

and once again: playground:/etc # klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/02/05 07:44:54  11/02/05 17:22:15  ldap/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

now I do have a service ticket for the ldap service as well (good!).

I didn't test the winbind stuff as I do not want to use samba but ldap
(natively supported by Active Directory). Does anyone know how I can
tell ldap to use GSSAPI instead of simple auth while logging in?
"use_sasl on" and "sasl_mech gssapi" didn't turn out to be
helpful at all :-(

Thanks in advance
Roman
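Before blaming nss_ldap, the first thing a practitioner checks is what the credentials cache it will read actually contains. The helper below is an added example, not part of the thread: it parses `klist -e` output in the layout shown above and reports the cache name, the principal, whether a TGT (krbtgt/) and an ldap/ service ticket are present, and how many tickets use a weak enctype. The constructed sample copies the post's layout with the realm from the trace; the DC hostname dc1.linux.local is assumed. The enctype in the trace, rc4-hmac (etype 23, printed as "ArcFour with HMAC/md5"), was the strongest type a Windows Server 2003 DC offered; on a current domain one would expect AES and should treat RC4-only tickets as a finding. probe_live collects the live commands (klist -s, ldapsearch -Y GSSAPI) and is not run offline.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `klist -e` output and reports
# whether the cache nss_ldap/pam_ldap will consult holds what a SASL/GSSAPI bind
# needs: a TGT (krbtgt/), ideally an ldap/ service ticket, and which enctypes.

ccache_report() {
    awk '
    /^Ticket cache:/        { cache = $3 }
    /^Default principal:/   { princ = $3 }
    $5 ~ /^krbtgt\//        { tgt = 1 }        # "start  expires  krbtgt/REALM@REALM"
    $5 ~ /^ldap\//          { ldap = 1 }       # service ticket for the DC
    /Etype \(skey, tkt\):/  { n++; if ($0 ~ /ArcFour|arcfour|rc4-hmac|des-cbc/) weak++ }
    END {
        printf "cache=%s principal=%s tgt=%s ldap_ticket=%s tickets=%d weak_etype=%d\n",
               cache, princ, (tgt ? "yes" : "no"), (ldap ? "yes" : "no"), n, weak
    }'
}

# Exit status 0 only when a TGT is present: the precondition for the
# SASL/GSSAPI bind that ldapsearch performed successfully in the post.
ccache_has_tgt() {
    ccache_report | grep -q ' tgt=yes '
}

# Live checks on a real client (not run offline). klist -s exits non-zero when
# the cache named by KRB5CCNAME is missing or expired; ldapsearch -Y GSSAPI
# forces the SASL mechanism instead of the simple (-x) bind. Server and base DN
# come from the OpenLDAP ldap.conf, as in the post.
probe_live() {
    KRB5CCNAME=${1:-FILE:/tmp/krb5cc_0}; export KRB5CCNAME
    klist -s || { echo "no usable ticket cache at $KRB5CCNAME" >&2; return 1; }
    klist -e | ccache_report
    ldapsearch -Y GSSAPI -LLL "(&(objectclass=User)(msSFU30Name=testuser))" cn uidNumber
}

# Constructed sample in the `klist -e -5` layout of the post. Realm is the one
# in the trace; the DC hostname dc1.linux.local is assumed.
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LINUX.LOCAL

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/LINUX.LOCAL@LINUX.LOCAL
    renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/02/05 07:44:54  11/02/05 17:22:15  ldap/dc1.linux.local@LINUX.LOCAL
    renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
EOF
)

printf '%s\n' "$SAMPLE_KLIST" | ccache_report
```

Run `klist -e | ccache_report` as the user whose login fails and again with KRB5CCNAME set to the file named by krb5_ccname in /etc/ldap.conf; if the second report says tgt=no, nss_ldap has nothing to bind with no matter what sasl_mech is set to.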




[opensuse] suse in a windows network (authentication)

2005-10-31 Thread Roman Sommer
hi list

i was wondering if I could somehow make my suse (10) authenticate
against my windows 2003 domain controller. I configured both ldap
client and kerberos client in Yast2. Authentication works (the
kerberos part).. but I still cannot log in because ldap isn't able to
fetch user account information from my active directory, which is
because it's not using the kerberos credentials to establish a
gssapi connection.

So I set up shell/home information in /etc/passwd. No password.
Passwords are still being retrieved from the domain controller via
kerberos. Big surprise -> login works. If I now issue a ldapsearch
with the filter it already tried before (but with no valid bind)
"(&(objectclass=User)(msSFU30Name=testuser))" it starts a SASL/GSSAPI
authentication and successfully fetches the needed information. Why
doesn't ldap use gssapi on logins then.. or where can I tell it to use
it? Couldn't find any suitable option in Yast nor the config files
themselves.
Oh, and no, I don't want to use a dedicated user with a locally stored
plaintext password to search active directory :)

might anyone please help?

best regards
Roman Sommer
