Re: [suse-security] Kerberos & M$ AD
On Friday, 9 January 2004 at 14:40, Adrian Bellini wrote:
> Hi Bjorn
> Thanks very much for your answer - looks like there are going to be
> many long nights and valium involved here! Interesting that the
> M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how
> they "did it" then?
> I'll be sure to keep you informed as/when I get anything - if nothing
> else, a pain shared :-) Best regards
It's not that many nights... to get it running, but some to fix it for
- Install Kerberos (SuSE supplies Heimdal; even though some don't like
or trust it, it works)
- Get and install the newest SuSE Samba 3 RPMs from the SuSE people.
Try them. Check them. For my purposes they work. Tell me about
- Change /etc/krb5.conf and smb.conf for your realm (both) and ADS
support (Samba only)
- Use "kinit" to get tickets from your ADS,
"net" to join the domain.
"klist" lists your tickets.
Obviously, you only need a ticket for joining the domain; afterwards
user/password data are supplied without an active ticket.
Is that true? I found two ADSes behaving that way...
Then the real work starts: changing smb.conf to fit your needs ... and
PAM and winbind and LDAP and and and
> On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjornts@xxxxxxxxx> wrote:
> > On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > > Hi Good peoples
> > > I'm at a customers site who has already implimented a M$ AD
> > > system. They now though are starting to impliment SuSE clients &
> > > I now need to intergrate these clients into the M$ kerberos
> > > realm.
> > I share your pain. Literally. :-/
> > > I have (at great personal pain :-)) read the M$ link
> > > http://www.microsoft.com/windows2000/techinfo/planning/security/k
> > >erbsteps.asp But would like to know/hear of any experence any of
> > > you guys have in this area. 1 thing I have noticed is that the M$
> > > handling os user names. Active Directory, by default, creates the
> > > X.500 standard cn parameter as firstname lastname rather than the
> > > user id that is used to login into the domain ( sAMAccountName
> > > attribute in the Active Directory).
> > Before you do anything else: get "The Official Samba-3 HOWTO and
> > Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the
> > Samba team. The info will appear online sometime this spring, but
> > the book is truly good.
> > You need to install the full Samba 3, in particular including the
> > Winbind libraries. You need to make sure you're NOT running nscd.
> > You obviously need Kerberos (the Heimdal RPMs from SuSE 8.2 or 9.0
> > are fine). And you need to fiddle with the configuration quite a bit.
> > There are bits and pieces all over the net; the above book covers
> > it all rather neatly.
> > What you get then are random uid and gid for each user, changing
> > when you reboot and varying between clients. It can be hacked, but
> > it ain't easy. I'm still trying to solve it on a large-scale
> > student domain; for a smaller system where people use the same
> > machine every time it shouldn't be as much of a problem.
> > Bjørn
> > --
> > Bjørn Tore Sund        Phone:  (+47) 555-84894    Stupidity is
> > System administrator   Fax:    (+47) 555-89672    like a
> > Math. Department       Mobile: (+47) 918 68075    fractal; universal and
> > University of Bergen   VIP:    81724              infinitely repetitive.
> > teknisk@xxxxxxxxx      Email:  bjornts@xxxxxxxxx
> > http://www.mi.uib.no/
Kind regards
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
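The steps listed above (Kerberos, Samba 3, krb5.conf and smb.conf for the realm, then kinit / net / klist), written out as an added example. This is not code from the thread or from the Samba project: the krb5.conf and smb.conf fragments are generated from a few variables, and the realm EXAMPLE.COM, workgroup EXAMPLE, controller dc1.example.com and the 10000-20000 id range are hypothetical values you must replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values below; edit them.
REALM=example.com            # assumed AD DNS domain; the Kerberos realm is its upper case
WORKGROUP=EXAMPLE            # assumed NetBIOS domain name
KDC=dc1.example.com          # assumed domain controller (KDC and LDAP live there)

# Kerberos realm names are case-sensitive and AD realms are upper case. A lower-case
# realm in krb5.conf or smb.conf is the classic reason kinit and net ads join fail.
upper_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Minimal /etc/krb5.conf; the syntax is shared by Heimdal and MIT Kerberos.
# Usage: gen_krb5_conf DOMAIN KDC
gen_krb5_conf() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(upper_realm "$1")
    kdc=$2
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    clockskew = 300

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Minimal [global] section of smb.conf for Samba 3 ADS membership.
# Usage: gen_smb_conf WORKGROUP DOMAIN KDC
gen_smb_conf() {
    workgroup=$1
    realm=$(upper_realm "$2")
    kdc=$3
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads
    password server = $kdc
    encrypt passwords = yes

    # winbind maps SIDs to uid/gid inside this range. With the default tdb
    # backend the mapping is allocated per host, which is why the numbers
    # differ between clients; a shared backend (e.g. idmap backend = ldap:ldap://host)
    # keeps them stable across machines.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# The join itself. Needs root, the two files above in place, and an account that may
# add machines to the domain. Only the join needs the user's ticket: afterwards Samba
# authenticates with the machine account it stored in secrets.tdb.
# Usage: join_domain ADMINUSER DOMAIN
join_domain() {
    admin=$1
    realm=$(upper_realm "$2")
    # AD refuses Kerberos when the clock is more than clockskew seconds off the DC;
    # run "net time set -S $KDC" (or ntpdate) first if kinit complains about skew.
    kinit "$admin@$realm" || return 1      # asks for the password, fetches a TGT
    net ads join -k || return 1            # -k: join using the TGT, not a typed password
    klist                                  # show what is in the credential cache
    net ads testjoin                       # reports "Join is OK" once the machine account works
}

# Run as:  sh ads-join.sh show   (print the fragments)
#          sh ads-join.sh join   (write them and join; root and the admin password needed)
case "${1:-}" in
  show) gen_krb5_conf "$REALM" "$KDC"; echo; gen_smb_conf "$WORKGROUP" "$REALM" "$KDC" ;;
  join) gen_krb5_conf "$REALM" "$KDC" > /etc/krb5.conf
        gen_smb_conf "$WORKGROUP" "$REALM" "$KDC" > /etc/samba/smb.conf
        join_domain Administrator "$REALM" ;;
esac
```

Check with `show` first; if `kinit` works but `net ads join -k` does not, the realm in smb.conf and the clock against the DC are the two things to compare before touching anything else.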