[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Kerberos & M$ AD

Hi Bjorn
Thanks very much for your answer - looks like there is going to be many long nights and valium ! involved here !.
Interesting that the M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how they "did it" then ?

I'll be sure to keep you informed as/when I get anything - if nothing else a pain shared :-)
Best regards

On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjornts@xxxxxxxxx> wrote:

> On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > Hi Good peoples
> > I'm at a customers site who has already implimented a M$ AD system.
> > They now though are starting to impliment SuSE clients & I now need to
> > intergrate these clients into the M$ kerberos realm.
> I share your pain.  Literally. :-/
> > I have (at great personal pain :-)) read the M$ link
> > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > But would like to know/hear of any experence any of you guys have in this area. 
> > 1 thing I have noticed is that the M$ handling os user names.
> > Active Directory, by default, creates the X.500 standard cn parameter as
> > firstname lastname rather than the user id that is used to login into
> > the domain ( sAMAccountName attribute in the Active Directory).
> Before you do anything else: get "The Official Samba-3 HOWTO and Referance
> Guide" by John H. Terpstra and Jelmer R. Venooij from the Samba team.  The
> info will appear online sometime this spring, but the book is truly good.
> You need to install the full Samba 3, in particular including the Winbind
> libraries.  You need to make sure you're NOT running nscd.  You obviously 
> need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0 are fine).  And you 
> need to fiddle with configuration quite a bit.  There are bits and pieces
> all over the net, the above book covers it all rather neatly.
> What you get then are random uid and gid for each user, changing when you
> reboots and varying between clients.  Can be hacked, but it ain't easy.
> I'm still trying to solve in on a large scale student domain, for a smaller
> system where people use the same machine every time it shouldn't be as 
> much of a problem.
> Bjørn
> -- 
> Bjørn Tore Sund         Phone:  (+47) 555-84894      Stupidity is like a
> System administrator    Fax:    (+47) 555-89672      fractal; universal and
> Math. Department        Mobile: (+47) 918 68075      infinitely repetitive.
> University of Bergen    VIP:    81724                
> teknisk@xxxxxxxxx       Email:  bjornts@xxxxxxxxx    http://www.mi.uib.no/

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here