
Re: [suse-security] Kerberos & M$ AD



:-)
It's the " and " " and "" and "" and " part that "worries" me :-)...
This looks like it's going to be loads of fun ... :-)
Thanks very much - I have the feeling this "thread" could get like "War & Peace" ..
Best regards  & have a nice weekend gents..
Ade


On Jan 09, 2004 03:04 PM, Markus Feilner <lists@xxxxxxxxxxxxxx> wrote:

> On Friday, 9 January 2004 14:40, Adrian Bellini wrote:
> > Hi Bjorn
> > Thanks very much for your answer - looks like there is going to be
> > many long nights and valium ! involved here !. Interesting that the
> > M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how
> > they "did it" then ?
> >
> > I'll be sure to keep you informed as/when I get anything - if nothing
> > else a pain shared :-) Best regards
> > Ade
> 
> It's not that many nights... to get it running, but some to fix it for 
> your needs...
> Four steps:
> - Install kerberos (suse supplies heimdal, even though some don't like 
> or trust that - it works)
> - Get and Install the newest suse samba 3 rpms from suse people 
> (ftp://ftp.suse.com/pub/people/gd/samba3)
> Try them. Check Them. For my purposes they work. Tell me about 
> problems... ;-)
> 
> - Change /etc/krb5.conf and smb.conf for your realm (both) and ads 
> support (samba only)
> 
> - Use "kinit" to get tickets from your ADS 
> "net" to join the domain.
> "klist" lists your tickets.
> 
> Obviously, you only need a ticket for joining the domain, afterwards 
> user/password data are supplied without active ticket.
> Is that true? I found two ADS behaving that way..
> 
> Then the real work starts: Changing smb.conf to fit your needs ... and 
> pam and winbind and ldap and and and 
> Enjoy!
> ;-)
> 
> >
> > On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjornts@xxxxxxxxx> wrote:
> > > On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > > > Hi Good peoples
> > > > I'm at a customer's site who has already implemented a M$ AD
> > > > system. They now though are starting to implement SuSE clients &
> > > > I now need to integrate these clients into the M$ kerberos
> > > > realm.
> > >
> > > I share your pain.  Literally. :-/
> > >
> > > > I have (at great personal pain :-)) read the M$ link
> > > > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > > > But would like to know/hear of any experience any of
> > > > you guys have in this area. 1 thing I have noticed is the M$
> > > > handling of user names. Active Directory, by default, creates the
> > > > X.500 standard cn parameter as firstname lastname rather than the
> > > > user id that is used to login into the domain ( sAMAccountName
> > > > attribute in the Active Directory).
> > >
> > > Before you do anything else: get "The Official Samba-3 HOWTO and
> > > Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the
> > > Samba team.  The info will appear online sometime this spring, but
> > > the book is truly good.
> > >
> > > You need to install the full Samba 3, in particular including the
> > > Winbind libraries.  You need to make sure you're NOT running nscd. 
> > > You obviously need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0
> > > are fine).  And you need to fiddle with configuration quite a bit. 
> > > There are bits and pieces all over the net, the above book covers
> > > it all rather neatly.
> > >
> > > What you get then are random uid and gid for each user, changing
> > > when you reboot and varying between clients.  Can be hacked, but
> > > it ain't easy. I'm still trying to solve it on a large scale
> > > student domain, for a smaller system where people use the same
> > > machine every time it shouldn't be as much of a problem.
> > >
> > > Bjørn
> > > --
> > > Bjørn Tore Sund         Phone:  (+47) 555-84894      Stupidity is like a
> > > System administrator    Fax:    (+47) 555-89672      fractal; universal and
> > > Math. Department        Mobile: (+47) 918 68075      infinitely repetitive.
> > > University of Bergen    VIP:    81724
> > > teknisk@xxxxxxxxx       Email:  bjornts@xxxxxxxxx    http://www.mi.uib.no/
> 
> -- 
> Best regards
> Markus Feilner
> --
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
> fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
> web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
> 
> 
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 
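
A pre-join sanity check for the "change /etc/krb5.conf and smb.conf for your realm (both) and ads support (samba only)" step quoted above. This is an added example, not code from anyone in the thread; `conf_value`, `check_ads_config` and `write_samples` are hypothetical helper names and EXAMPLE.COM is a placeholder realm. It relies only on the `default_realm` setting of krb5.conf and the `security` and `realm` parameters of smb.conf.

```shell
#!/bin/sh
# Added example (not from the thread): check that krb5.conf and smb.conf agree.
# conf_value, check_ads_config and write_samples are hypothetical helper names.

# Print the value of the first "key = value" line in an ini-style file.
conf_value() {  # $1 = file, $2 = key (lower case)
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }   # skip comments and lines without "="
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 only when both files name the same realm and Samba is in ADS mode.
check_ads_config() {  # $1 = krb5.conf, $2 = smb.conf
    krb_realm=$(conf_value "$1" default_realm)
    smb_realm=$(conf_value "$2" realm)
    smb_sec=$(conf_value "$2" security | tr 'A-Z' 'a-z')
    rc=0
    [ -n "$krb_realm" ] || { echo "krb5.conf: default_realm not set"; rc=1; }
    [ "$smb_sec" = "ads" ] || { echo "smb.conf: security is '$smb_sec', expected ads"; rc=1; }
    [ "$krb_realm" = "$smb_realm" ] || { echo "realm mismatch: krb5='$krb_realm' smb='$smb_realm'"; rc=1; }
    # Kerberos realm names are case-sensitive; an AD realm is the upper-case DNS domain.
    case "$krb_realm" in *[a-z]*) echo "krb5.conf: realm should be upper case"; rc=1 ;; esac
    return $rc
}

# Constructed sample files; EXAMPLE.COM is a placeholder realm.
write_samples() {  # $1 = directory
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n' > "$1/krb5.conf"
    printf '[global]\n    security = ads\n    realm = EXAMPLE.COM\n' > "$1/smb.conf"
    printf '[global]\n    security = domain\n    realm = example.com\n' > "$1/smb-bad.conf"
}

d=$(mktemp -d) && write_samples "$d"
check_ads_config "$d/krb5.conf" "$d/smb.conf" && echo "consistent"
check_ads_config "$d/krb5.conf" "$d/smb-bad.conf" || echo "needs fixing"
rm -rf "$d"
```

On a real client the call would be `check_ads_config /etc/krb5.conf` followed by the path of the active smb.conf, run before `kinit` and the `net` join.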



