Re: [suse-security] Kerberos & M$ AD

On Fri, 9 Jan 2004, Adrian Bellini wrote:

> Hi Good peoples
> I'm at a customer's site who has already implemented a M$ AD system.
> They now though are starting to implement SuSE clients & I now need to
> integrate these clients into the M$ kerberos realm.

I share your pain.  Literally. :-/

> I have (at great personal pain :-)) read the M$ link
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> But would like to know/hear of any experience any of you guys have in this area.
> 1 thing I have noticed is the M$ handling of user names.
> Active Directory, by default, creates the X.500 standard cn parameter as
> firstname lastname rather than the user id that is used to login into
> the domain ( sAMAccountName attribute in the Active Directory).

Before you do anything else: get "The Official Samba-3 HOWTO and Reference
Guide" by John H. Terpstra and Jelmer R. Vernooij from the Samba team.  The
info will appear online sometime this spring, but the book is truly good.

You need to install the full Samba 3, in particular including the Winbind
libraries.  You need to make sure you're NOT running nscd.  You obviously 
need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0 are fine).  And you 
need to fiddle with configuration quite a bit.  There are bits and pieces
all over the net, the above book covers it all rather neatly.

What you get then are random uid and gid for each user, changing when you
reboot and varying between clients.  Can be hacked, but it ain't easy.
I'm still trying to solve it on a large scale student domain, for a smaller
system where people use the same machine every time it shouldn't be as
much of a problem.
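An added check for the uid/gid drift described in the reply above (example code written for this page, not from the thread, the Samba book, or the Samba project): given `getent passwd` output collected from several clients, it reports the winbind-mapped domain accounts whose uid or gid differ between hosts, which is what breaks file ownership on shared storage. It assumes the winbind separator is `+` and that the per-host dumps are collected out of band; the sample data is constructed.

```python
"""Audit winbind-assigned uid/gid consistency across SuSE clients."""
from collections import defaultdict


def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-style lines.

    Malformed or non-numeric lines are skipped rather than aborting the audit.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not a passwd record
        name, _pw, uid, gid = fields[:4]
        try:
            users[name] = (int(uid), int(gid))
        except ValueError:
            continue  # uid/gid not numeric, ignore
    return users


def find_id_mismatches(host_dumps, domain_sep="+"):
    """host_dumps: {hostname: passwd_text}.

    Returns {user: {host: (uid, gid)}} for domain accounts (names containing
    the assumed winbind separator) whose ids are not identical on every host.
    """
    per_user = defaultdict(dict)
    for host, text in host_dumps.items():
        for name, ids in parse_passwd(text).items():
            if domain_sep in name:  # only winbind-mapped accounts matter here
                per_user[name][host] = ids
    return {u: h for u, h in per_user.items() if len(set(h.values())) > 1}


# Constructed sample dumps, as if taken from two clients after a reboot.
HOST_A = """root:x:0:0:root:/root:/bin/bash
CORP+alice:x:10000:10000:Alice:/home/CORP/alice:/bin/bash
CORP+bob:x:10001:10000:Bob:/home/CORP/bob:/bin/bash
"""
HOST_B = """root:x:0:0:root:/root:/bin/bash
CORP+alice:x:10003:10000:Alice:/home/CORP/alice:/bin/bash
CORP+bob:x:10001:10000:Bob:/home/CORP/bob:/bin/bash
"""

if __name__ == "__main__":
    for user, hosts in find_id_mismatches({"client-a": HOST_A, "client-b": HOST_B}).items():
        print(user, hosts)
```

Run it against real dumps by replacing the two constructed strings with the output of `getent passwd` from each client; an empty result means the mapping is consistent across the hosts you compared.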

