That's not completely true. He can set up cross-realm authentication in Kerberos to have AD accept the TGTs and vice-versa. This way, people can use their Unix credentials to access AD resources. There is plenty of documentation on the Microsoft site and on the Internet about setting it up.
On 8/23/07, Sean OMeara <[EMAIL PROTECTED]> wrote: > > Scott: > > If you want TRUE single sign on capabilities and you intend to involve > Windows in any way, you absolutely have to use an Active Directory as > your kerberos KDC. There is ABSOLUTELY NO WAY around it. (unless of > course you're adventurous enough to use samba4) > > By TRUE sigle sign on I mean: > passwordless authentication to network resources (ssh, samba shares/ > NFSv4 servers, (homedirs!) apache/mod_spnego, jabber/sasl, ssh/gssapi, > ldap/sasl, AFS, the works) from both the XP clients and the linux/unix > clients. > > The only way to do it is: > authentication > *Active Directory KDC + LDAP + RPC for windows > authentication/authorization > *Active Directory KDC for unixland kerberos authentication > > authorization > * Active Directory ldap server schema extensions (ms SFUv3.5) to house > the unix posix data (uid, gid, homedir, shell, supplemental gids > ((/etc/group)) > > or > * seperate ldap resource (openldap, fedoraDS) dedicated to housing the > unix posix data > * scripting fun to keep your groups in order > > The reason for this lies in the way Windows handles the authorization > part of the sign on process. ( unix clients dig their authorization > data out of ldap, windows clients have it returned in the PAC field > within their kerberos ticket) > > It's actually not that bad really.... AD can be manipulated from the > linux command line via samba tools (net ads user add, net ads group > delete, etc) > > ...... > > now barring all that... if what you meant by "single sign on" is > actually "unified passwords", then you can do it without AD using > samba and ldap no problem. (well, only small problems anyway) > > > No matter what you'll have to maintain TWO password databases, one for > windows, and one for everyone else. > > The standard configuration for this is one of the two of these: > > a) > authentication > * Windows NT4 style NTLMv2 Samba v3 authentication > * Samba looks at an ldap backend for: > sambaLMPassword: > sambaNTPassword: > > * unixland clients attempt a bind to the ldap server, testing against the > field: > userPassword > > authorization: > Samba looks at an ldap backend for, and then returns to the windows > machine via rpc: > sambaAcctFlags > sambaPrimaryGroupSID: > sambaLogonTime: > sambaPasswordHistory > sambaSID > sambaPwdCanChange: > sambaAcctFlags: > sambaPwdLastSet: > sambaPwdMustChange > > b) > authentication: > samba stuff for windows > unixland looks to an MIT or Heimdal KDC for authentication > > authorization: > same stuff for windows > unixland looks in the ldap directory for: > uidNumber > gidNumber > homeDirectory > groups information > > The consequences of the dual password sources will boil down to this: > > When a user changes his password via the unix passwd utility, it will > only change: > the userPassword field in the ldap record or the password on the > kerberos principal. > > Windows users change it via samba, which can call a script to change > both the sambaNTPassword fields and the userPassword fields in the > ldap record. > > I'm not sure if its possible to have samba call a script to set the > sambaNTPassword and change the kerberos princ. > > PS if you're going to get kerberos involved in any way, every machine > needs to be able to resolve their FQDN, both forward and reverse. This > means you either need to maintain lots of /etc/hosts entries in the > form: > > 127.0.0.1 localhost localhost.localdomain > 127.0.0.1 somebox.mit.edu sombox > > or proper 1 to 1 mapped forward and reverse DNS. > > If your machine can't correctly do > hostname and hostname -f, kerberos will NOT WORK. > > ..... > > To answer your questions about the homedirs: > > You want a fileserver running both samba and NFS. > Windows clients will use roaming profiles to mount their homedirs via > SMB, linux will use NFS. > > Your error messages look like your ldap server isnt running. > > -s > > > > PS I live around the corner from MIT and I'm much better at explaining > things when people buy me ronnie burgers ;) > > -s > > > On 8/23/07, Scott Ehrlich <[EMAIL PROTECTED]> wrote: > > I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux > systems all > > 64-bit). All Linux is out-of-box, with all packages, minus > international > > languages, installed. No patching has been done. > > > > On the server, I selected system-config-authentication and enabled LDAP > for > > User Information, Kerberos, LDAP, and SMB for Authentication, and Shadow > and > > MD5 Passwords, along with Authenticate system accounts by network > services for > > Options. > > > > All machines are on an isolated LAN, with no DNS server (I could always > enable > > and configure DNS on the server if it helps the cause). > > > > I also don't know if it matters, but the server is running the > virtualization > > kernel (xen), but the clients are not. > > > > I only have LDAP service enabled on the server. Kerberos services are > enabled > > on both client and server. > > > > I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and > have the > > clients looking to the RH box for authentication. > > > > I also have the firewall enabled, but am letting kerberos and ldap ports > > through as tcp. > > > > During a login test, /var/log/messages on the client showed: > > > > lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server > ldap://192.168.1.100: > > Can't contact LDAP server > > > > lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32 > seconds)... > > > > lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server > ldap://192.168.1.100: > > Can't contact LDAP server > > > > lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server... > > > > lin1 xfs: ... > > > > > > During boot time, Starting system message bus: [long pause] then error > messages > > about DB_CONFIG and /var/lib/ldap, the usual cannot find DB_CONFIG in > > /var/lib/ldap, showing the example.com instead of my customized ldap > settings, > > etc. > > > > I've checked openldap.org, but I figured if the configuration appears to > be > > simplified via an included GUI, I shouldn't have much trouble gettigns > things > > going. > > > > Anyway, what am I missing? Anything special RH 5 is doing compared to > the > > openldap docs? > > > > Both servers have been rebooted since adding the respective ports in the > > firewall. > > > > The goal is a to permit my test user, created on the server, to sit at a > > workstation, boot into either Linux or XP, and get their home directory. > > > > Ideally, the server only needs to consist of one account for them, which > they > > get upon login on the workstation. > > > > I want to highly restrict _any_ third-party tools/apps/etc. I will be > happy > > to take suggestions and leads, but I want to try and rely on what RH has > > provided. > > > > Thanks for any insight/help. > > > > Scott > > > > _______________________________________________ > > bblisa mailing list > > [email protected] > > http://www.bblisa.org/mailman/listinfo/bblisa > > > > _______________________________________________ > bblisa mailing list > [email protected] > http://www.bblisa.org/mailman/listinfo/bblisa >
_______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
