Hi Syan, it's not exactly on topic, but when I tried really hard to get Active Directory authentication and single sign-on happening on my network and have Linux boxes authenticate against the Active Directory Win2k3 domain, there was tinkering with Kerberos involved.
http://windows.ittoolbox.com/documents/tutorials/integrating-samba-3-in-to-a-windows-2003-domain-1893
http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html
http://www.debian-administration.org/articles/340
-----------------------------------------------------------------
We will have to configure Kerberos (or you could avoid this by setting the password server in /etc/samba/smb.conf to the PDC emulator, but then you would be talking old-school NTLM with the domain controller).

To get real AD working add the following lines to /etc/krb5.conf:

[realms]
TESTDOMAIN.LOCAL = {
    kdc = win2003test.testdomain.local
    admin_server = win2003test.testdomain.local
}

Then do:

kinit [EMAIL PROTECTED]

The syntax is kinit [EMAIL PROTECTED], where REALM is your Active Directory domain name and must be all uppercase. If you do not use all uppercase for the realm, you'll either receive this error:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials

or this error:

kinit(v5): KDC reply did not match expectations while getting initial credentials

You can test your Kerberos setup by issuing:

klist

If it reports that you have no keys in the cache then something is wrong. In the event that you receive:

kinit(v5): Clock skew too great while getting initial credentials

then make sure that the clock synchronisation between your Windows server and your Linux server is within five minutes. If the time is off by more than that, the two servers will be unable to send ticket information to each other.
-------------------------------------------------------------------------------
I don't know if this gives you much help/insight or not. The Kerberos bit wasn't the show stopper for me in fact. It was the PAM issues that prevented me completing the task. (Basically I couldn't get the PAM config correct for Gnome on Debian.) One day Real Soon Now I might revisit this.
Regards
JD

[EMAIL PROTECTED] wrote:
> Question for the IT and hobbyist people - has anyone set up Kerberos working
> on one computer running Linux?
> I've been using Ethereal to sniff the packets, and it's looking for SRV
> _kerberos_udp (or _tcp).localdomain, and I've put something like
>
> $ORIGIN LOCALDOMAIN
> _kerberos TXT "LOCALHOST.LOCALDOMAIN"
> kerberos CNAME LOCALHOST
> _kerberos._udp SRV 0 0 88 localhost
> _kerberos-master._udp SRV 0 0 88 localhost
> _kerberos-adm._tcp SRV 0 0 749 localhost
> _kpasswd._udp SRV 0 0 464 localhost
>
> in /etc/bind/db.local, hoping that my named server will serve out the
> localhost:88 as the DNS lookup.
>
> I've changed /etc/resolv.conf to point nameserver to the IP address of my
> computer on the network (192.168.1.6).
> The lookup is failing. Am I putting the DNS information in the wrong
> place?

--
=================================================
dr john dooley mbbs frcpa aka "ron"
_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
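Added example, written for this archive and not posted by either participant: a small POSIX sh pre-flight script for the three failure modes the thread touches on (realm not uppercase, no usable _kerberos._udp SRV record, clock skew over five minutes). The SRV answer text is a constructed sample in the shape `dig +short` prints; hostnames and priorities in it are assumed, not captured from the thread.

```shell
#!/bin/sh
# Kerberos client pre-flight checks (added example). Only POSIX sh, tr,
# sort and awk are used so it runs on a bare Linux box with no KDC reachable.

# kinit needs the realm in uppercase; otherwise it fails with "Cannot find
# KDC for requested realm" or "KDC reply did not match expectations".
realm_is_uppercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Kerberos rejects tickets when client and KDC clocks differ by more than
# five minutes (300 s). $1 = Linux clock, $2 = KDC clock, both epoch seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le 300 ]
}

# Read SRV answer lines ("priority weight port target.") from stdin, as
# `dig +short _kerberos._udp.REALM SRV` prints them, and emit "host port"
# for the lowest-priority record (the one a client tries first).
kdc_from_srv() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Constructed sample answer (assumed names): a backup KDC at priority 10 and
# the thread's win2003test host at priority 0, which must win.
SAMPLE_SRV='10 0 88 backup.testdomain.local.
0 0 88 win2003test.testdomain.local.'

# Stand-alone demonstration on the sample data (no network access needed).
realm_is_uppercase TESTDOMAIN.LOCAL && echo "realm case: ok"
clock_skew_ok 1138800000 1138800120 && echo "clock skew: ok (120 s)"
printf '%s\n' "$SAMPLE_SRV" | kdc_from_srv      # win2003test.testdomain.local 88
```

On a real host, replace SAMPLE_SRV with the output of `dig +short _kerberos._udp.YOURREALM SRV` and compare the printed host against the kdc line in /etc/krb5.conf.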
