In the redbook Linux for s/390 and zSeries: distributions there is a
chapter that shows how to set up LDAP for authentication. Authenticating
against RACF has limitations because you can only have one RACF user
profile with a specific name. In other words, one ROOT user only. So if you
are doing a bunch of Linux images you would have to do something in RACF to
manipulate the names of the root userids. We tested using LDAP-DB2 on
OS/390 and it worked fine. You need to get some missing schemas (at that
time), so if you are looking for more info let me know.

Carlos :-)

Saying goes: Great minds think alike - I say: Great minds think for
themselves!
Carlos A. Ordonez
IBM Corporation
Server Consolidation

From: "Tim-Chr. Hanschen" <Tim-Christian.Hansc[EMAIL PROTECTED]>
Sent by: Linux on 390 Port
Date: 05/16/2002 02:10 AM
Please respond to: Linux on 390 Port
To: [EMAIL PROTECTED]
Subject: Reply: Re: synchronize passwords

Do you have something like a cookbook for configuring PAM to authenticate
user logins and samba access to a RACF database?
I do not know how to set it up.
Well, via Perl-LDAP I get a connection to RACF... so far so good, but do I
have to set up ldap.conf, slapd.conf, ....?
TIA,
- Tim -

Carlos Ordonez <[EMAIL PROTECTED]>@VM.MARIST.EDU> on 15.05.2002 20:21:33
Please respond to: Linux on 390 Port <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc:
Subject: Re: synchronize passwords

We have also tested using the pam winbind to authenticate users logging into
Linux.
Carlos A. Ordonez
IBM Corporation
Server Consolidation

From: Tim Verhoeven <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port
Date: 05/15/2002 02:06 PM
Please respond to: Linux on 390 Port
To: [EMAIL PROTECTED]
Subject: Re: synchronize passwords

On Wed, 15 May 2002, Philip J. Tully wrote:
> Is this using the winbind portion of Samba? Has anyone used Winbind?

See below for answer.

>
> Tim Verhoeven wrote:
> >
> > On Mon, 13 May 2002, John Summerfield wrote:
> >
> > > > in our company our passwords are synchronized with a tool called pass-go.
> > > > My idea is to also synchronize the linux passwords with our RACF or
> > > > lan-passwords.
> > > >
> > > > Pass-Go is not available for L/390.. bad luck. Our domain controller is
> > > > OS/2, so it is unfortunately not possible to synchronize via samba.
> > >
> > > Have you actually tried? Linux can authenticate against an NT server, though I
> > > don't know how it's done.
> >
> > You can do this with PAM, there is a module called pam_smb_auth that lets
> > you authenticate against domain controllers.
> >
> > Basic setup is just adding this module to the auth section of the pam
> > config files.

It depends on how tight an integration you want.

With pam_smb_auth you can only authenticate to a domain. In short, use the
passwords that are stored in the domain.
The users still have to be present in the /etc/passwd file.

The winbind daemon uses nss to import the domain users and groups into the
UNIX/Linux environment. This means that all domain users appear to be
added to the /etc/passwd file. This is done by a library that is the link
between the winbind daemon and nss.

Winbind also includes a pam module that also allows you to authenticate
users that are in the domain, so this pam module is similar to
pam_auth_smb.

So the choice is :
- only passwd integration : pam_smb_auth
- user integration : winbindd + winbind nss library
- complete : winbindd + winbind nss lib + winbind pam module

I'm using the second to import users for a Samba file and print server.

Regards,
Tim
--
===========================================================================
Tim Verhoeven
Linux & Open Source Specialist
GSM : 0496 / 693 453 + e-business solutions
Email : [EMAIL PROTECTED] + consulting
URL : www.sin.khk.be/~dj/ + Server consolidation
===========================================================================
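
The three integration levels listed in Tim Verhoeven's message above, as an added example that is not part of the original thread: a small Python audit that reads nsswitch.conf and a PAM service file and reports which level a host is configured for, plus which users a password-only setup would lock out because they have no /etc/passwd entry. The function names, the /etc/pam.d-style line format, the sample inputs, and treating either pam_smb_auth or pam_winbind as "domain authentication" are assumptions of this example.

```python
import re

DOMAIN_AUTH = {"pam_smb_auth", "pam_winbind"}  # PAM modules named in the thread

def nss_sources(nsswitch_text, database="passwd"):
    """Ordered lookup sources for one database in nsswitch.conf text."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return] before splitting.
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return []

def pam_auth_modules(pam_text):
    """Module names (no path, no .so) on the 'auth' lines of a PAM service file."""
    found = []
    for raw in pam_text.splitlines():
        # Fields: type, control (possibly a bracketed list), module path.
        m = re.match(r"\s*-?auth\s+(?:\[[^\]]*\]|\S+)\s+(\S+)", raw.split("#", 1)[0])
        if m:
            found.append(re.sub(r"\.so$", "", m.group(1).rsplit("/", 1)[-1]))
    return found

def classify(nsswitch_text, pam_text):
    """Map a host's configuration onto the integration levels from the post."""
    users_from_domain = "winbind" in nss_sources(nsswitch_text)
    domain_auth = bool(DOMAIN_AUTH & set(pam_auth_modules(pam_text)))
    if users_from_domain and domain_auth:
        return "complete"
    if users_from_domain:
        return "user integration"
    if domain_auth:
        return "password integration only"
    return "local only"

def missing_local_accounts(passwd_text, domain_users):
    """Password-only setups need a passwd entry per user; list who lacks one."""
    local = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}
    return sorted(set(domain_users) - local)

# Constructed sample inputs (not taken from the thread).
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\nhosts: files dns\n"
PAM_SMB = "auth required /lib/security/pam_smb_auth.so\naccount required pam_unix.so\n"
PAM_WINBIND = "auth sufficient pam_winbind.so\nauth required pam_unix.so\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n"

if __name__ == "__main__":
    print(classify("passwd: files\n", PAM_SMB))
    print(classify(NSSWITCH, "auth required pam_unix.so\n"))
    print(classify(NSSWITCH, PAM_WINBIND))
    print(missing_local_accounts(PASSWD, ["alice", "bob"]))
```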