On Wed, Feb 13, 2013 at 9:28 AM, Ken D'Ambrosio <[email protected]> wrote:
> *sigh* Yeah, I realized (much) later that I wasn't descriptive enough.
> That's *exactly* what I'm looking to do -- basically, I see it like
> this: if they can bind to the AD server with the credentials (via LDAP,
> which is woo feasible), then I want to let them in. And, yes, all via
> ssh.
Okay, there are two ways to approach this. One is to have Linux speak LDAP to Windows, and do the auth via LDAP. It should basically be a pure LDAP scenario, with no knowledge of Windows-ese stuff involved. I don't know much about LDAP auth, but we do have people here who do.

The other way is to have Linux speak Windows-ese to Windows, and do the auth via Windows-ese. This I know (far too much) about. There are two ways to have Samba do Windows-ese authentication. One is to have Samba join the domain. The other is to have Samba do pass-along server authentication against a Domain Controller server. Joining the domain is the preferred method.

Is the situation truly hopeless? If you have a valid set of domain credentials, by default that will have permission to join up to 10 members to the domain, so we could try that and you could plead ignorance later. OTOH, that may be politically bad (i.e., a Career Limiting Move). On the third hand, can you have a dialog with the Windows admin team? If they're letting a Linux box on your network in the first place, one hopes they'd want it to be subject to corporate security and all that. (Or are you firewalled?)

The other method is to configure Samba with "security = server". This basically passes credentials (username/password/hash) unprocessed to a named Windows server, and gets the auth that way. The problem here is that, AFAIK, this excludes winbind, which is the mechanism Samba uses to provide a NSS/PAM compatible interface to the host OS.

I guess this prolly doesn't help you much. Sorry.

-- Ben

_______________________________________________
gnhlug-discuss mailing list
[email protected]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
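An added example of the "join the domain" approach Ben recommends, so that winbind can supply NSS/PAM to the host for ssh logins. This is not configuration from either poster; the realm `EXAMPLE.LOCAL`, NetBIOS domain `EXAMPLE` and the idmap range are placeholders chosen for illustration.

```ini
# /etc/samba/smb.conf -- domain-member setup (added example, not from the thread)
# Placeholders: realm EXAMPLE.LOCAL, NetBIOS domain EXAMPLE, idmap range 10000-19999
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL

    # "ads" makes this host a proper domain member: credentials are checked
    # against a DC using the machine account created by "net ads join".
    # "server" (pass-along to a named server) is the mode the message warns
    # does not work with winbind; it was deprecated and later removed.
    security = ads

    # winbind needs an idmap range to map domain SIDs onto local UIDs/GIDs
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999

    # let users log in as "alice" rather than "EXAMPLE\alice"
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # attributes winbind supplies to NSS for domain accounts
    template shell = /bin/bash
    template homedir = /home/%U
```

With this in place the host is joined with `net ads join -U <domain-account>` (the account needs the join right Ben mentions), `winbind` is added to the `passwd:` and `group:` lines of `/etc/nsswitch.conf`, and `pam_winbind.so` is enabled in the sshd PAM stack. `wbinfo -t` verifies the machine trust account and `getent passwd` should then list domain users; sshd never sees a password hash itself, winbind forwards the authentication to the DC. Note this is a tighter coupling than the LDAP-bind approach in the quoted question: the box holds a machine account and Kerberos keytab, so the Windows admin team will see it as a domain member.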
