
Re: [suse-security] Kerberos & M$ AD



On Friday, 9 January 2004 14:40, Adrian Bellini wrote:
> Hi Bjorn
> Thanks very much for your answer - looks like there are going to be
> many long nights and valium involved here! Interesting that the
> M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how
> they "did it" then?
>
> I'll be sure to keep you informed as/when I get anything - if nothing
> else a pain shared :-) Best regards
> Ade

It's not that many nights... to get it running, but some to fix it for 
your needs...
Four steps:
- Install Kerberos (SuSE supplies Heimdal, even though some don't like 
or trust that - it works)
- Get and install the newest SuSE Samba 3 RPMs from the SuSE people 
(ftp://ftp.suse.com/pub/people/gd/samba3)
Try them. Check them. For my purposes they work. Tell me about 
problems... ;-)

- Change /etc/krb5.conf and smb.conf for your realm (both) and ADS 
support (Samba only)

- Use "kinit" to get tickets from your ADS, 
"net" to join the domain.
"klist" lists your tickets.

Obviously, you only need a ticket for joining the domain; afterwards 
user/password data are supplied without an active ticket.
Is that true? I found two ADS behaving that way..

Then the real work starts: Changing smb.conf to fit your needs ... and 
pam and winbind and ldap and and and 
Enjoy!
;-)

>
> On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjornts@xxxxxxxxx> wrote:
> > On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > > Hi Good peoples
> > > I'm at a customer's site which has already implemented a M$ AD
> > > system. They now though are starting to implement SuSE clients &
> > > I now need to integrate these clients into the M$ Kerberos
> > > realm.
> >
> > I share your pain.  Literally. :-/
> >
> > > I have (at great personal pain :-)) read the M$ link
> > > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > > But would like to know/hear of any experience any of
> > > you guys have in this area. 1 thing I have noticed is the M$
> > > handling of user names. Active Directory, by default, creates the
> > > X.500 standard cn parameter as firstname lastname rather than the
> > > user id that is used to log in to the domain (sAMAccountName
> > > attribute in the Active Directory).
> >
> > Before you do anything else: get "The Official Samba-3 HOWTO and
> > Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the
> > Samba team.  The info will appear online sometime this spring, but
> > the book is truly good.
> >
> > You need to install the full Samba 3, in particular including the
> > Winbind libraries.  You need to make sure you're NOT running nscd. 
> > You obviously need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0
> > are fine).  And you need to fiddle with configuration quite a bit. 
> > There are bits and pieces all over the net, the above book covers
> > it all rather neatly.
> >
> > What you get then are random uid and gid for each user, changing
> > when you reboot and varying between clients.  Can be hacked, but
> > it ain't easy. I'm still trying to solve it on a large scale
> > student domain; for a smaller system where people use the same
> > machine every time it shouldn't be as much of a problem.
> >
> > Bjørn
> > --
> > Bjørn Tore Sund         Phone:  (+47) 555-84894
> > System administrator    Fax:    (+47) 555-89672
> > Math. Department        Mobile: (+47) 918 68075
> > University of Bergen    VIP:    81724
> > teknisk@xxxxxxxxx       Email:  bjornts@xxxxxxxxx
> > http://www.mi.uib.no/
> >
> > Stupidity is like a fractal; universal and infinitely repetitive.

-- 
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23  - mobile: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
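The four steps in Markus's reply above, as an added shell example that is not code from the thread or from the Samba/SuSE projects: it renders the realm-related parts of krb5.conf and smb.conf from one set of values, checks that the two files agree (same realm, upper-case realm, security = ads) before you run kinit/net/klist, and wraps that join sequence in a function. EXAMPLE.TEST, EXAMPLE and kdc.example.test are constructed placeholders; the join function assumes a reachable KDC and an admin account, so the demo does not call it.

```shell
#!/bin/sh
# Added example, not from the thread. Realm, workgroup and KDC values are
# constructed placeholders; output goes to temp files so this runs offline.

# Write the realm part of krb5.conf: $1=REALM $2=KDC host $3=output file.
write_krb5_conf() {
    printf '[libdefaults]\n\tdefault_realm = %s\n\n[realms]\n' "$1" > "$3"
    printf '\t%s = {\n\t\tkdc = %s\n\t\tadmin_server = %s\n\t}\n' "$1" "$2" "$2" >> "$3"
}

# Write the [global] part of smb.conf with ADS support: $1=REALM $2=WORKGROUP $3=file.
write_smb_conf() {
    printf '[global]\n\tworkgroup = %s\n\trealm = %s\n' "$2" "$1" > "$3"
    printf '\tsecurity = ads\n\tencrypt passwords = yes\n' >> "$3"
}

# Read the value of "key = value" from a krb5.conf/smb.conf style file: $1=key $2=file.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Succeed only when both files name the same realm, the realm is upper-case
# (Kerberos realm names are case-sensitive) and smb.conf uses security = ads.
# $1=krb5.conf $2=smb.conf. Catches the mismatches that make "net ads join" fail.
check_ads_config() {
    krb_realm=$(conf_value default_realm "$1")
    smb_realm=$(conf_value realm "$2")
    smb_sec=$(conf_value security "$2")
    [ -n "$krb_realm" ] || { echo "no default_realm in $1"; return 1; }
    [ "$krb_realm" = "$smb_realm" ] || { echo "realm mismatch: $krb_realm vs $smb_realm"; return 1; }
    [ "$krb_realm" = "$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm must be upper-case: $krb_realm"; return 1; }
    [ "$smb_sec" = "ads" ] || { echo "security = '$smb_sec', expected ads"; return 1; }
}

# The join sequence from the mail (kinit, net, klist): $1=REALM $2=admin account.
# Needs a reachable KDC, so the demo below does not call it.
join_ads_domain() {
    kinit "$2@$1" && net ads join -U "$2" && klist
}

# Stand-alone demo with constructed values.
main() {
    dir=$(mktemp -d)
    write_krb5_conf EXAMPLE.TEST kdc.example.test "$dir/krb5.conf"
    write_smb_conf EXAMPLE.TEST EXAMPLE "$dir/smb.conf"
    check_ads_config "$dir/krb5.conf" "$dir/smb.conf" && echo "krb5.conf and smb.conf agree"
}
main
```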

