On Feb 23, 2007, at 9:40 AM, McKown, John wrote:
> Assuming that I can overcome the Windows people's disinclination to want
> any non-Microsoft software around, has anybody here integrated Linux
> (zSeries or other) into an Active Directory setup? Yes, I have found
> some documentation on this on the Web. But given that I know nothing
> about Samba and Kerberos and the like, how difficult would it be for me
> to get this accomplished? And the biggest question is: If I make a
> mistake, can it cause a problem with the AD systems or other clients? If
> yes, then it is unlikely that I will get permission to even try.
If you're setting yourself up purely as a client, I don't see any way
for you to break anything for anyone else. That said, this is not
legal advice, etc.
We've done it; the quickest route is to use winbind (from Samba) to
authenticate, which is suboptimal (in that it relies on Samba rather
than just Kerberos plus LDAP) but very easy.
The "right" way to do it internally is with a pure Kerberos/LDAP
setup, but in order to get credentials onto the machines you need to
use ktpass.exe on the Windows side, and if your Windows admins are
already hostile they may not be willing to do this for you.
Using winbind with the idmap_rid backend allows you to get consistent
Linux UIDs/GIDs across your hosts, which is what you probably care
about. In almost all cases, it works well enough. It should only be
a few lines changed in smb.conf, something like:
# realm = Kerberos realm (upper case; the AD domain's DNS name)
realm = ADS.EXAMPLE.COM
# workgroup = NT-Domain-Name or Workgroup-Name (the short NetBIOS domain name)
workgroup = ADS
# Security mode: ADS joins the domain and authenticates via Kerberos against AD
security = ADS
# Optional: without this line winbind locates DCs through DNS SRV records
password server = 192.168.101.140 192.168.101.143
# RID to UID map. The domain name given here must match the workgroup above,
# or the rid backend will not apply to the joined domain.
# Samba 3.0.25 and later spell this as:
#   idmap config ADS : backend = rid
#   idmap config ADS : range = 10000-60000
idmap backend = idmap_rid:ADS=10000-60000
# RID idmap does not work with trusted domains (two domains can share a RID,
# which would collide in the same UID range)
allow trusted domains = no
# Domain user id range
idmap uid = 10000-60000
# Domain group id range
idmap gid = 10000-60000
# Allow enumeration of domain users and groups (only needed for "getent passwd"
# style listings; logins work without it and it is slow on large domains)
winbind enum users = yes
winbind enum groups = yes
# Shell and home directory handed out for domain accounts. The default shell
# is /bin/false, so authentication succeeds but interactive login fails without this.
template shell = /bin/bash
template homedir = /home/%D/%U
Then you'd want to change pam.d--add something like:
auth sufficient pam_winbind.so use_authtok
at the top of your authentication stack (use_authtok may not even be
required if it's the first thing; I remember there was some reason I
had it in there, but I don't remember exactly what it was)
Adam
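The property Adam is relying on, that idmap_rid gives the same UID for the same account on every host, comes from the mapping being arithmetic rather than allocated: with base_rid at its default of 0, UID = low_range + RID, and anything that lands outside the configured range or comes from another domain's SID is refused. The script below reimplements that rule so the behaviour (including the reason for allow trusted domains = no and the silent cut-off for RIDs above the range) can be seen offline. It is an added example, not code from the original post or from Samba; the domain SID and the example RIDs are constructed, and the range matches the smb.conf above.

```shell
#!/bin/sh
# Offline model of Samba's idmap_rid mapping: UID = LOW + RID (base_rid = 0).
# Constructed domain SID for the joined domain "ADS"; real value from
# "wbinfo -D ADS" (or "net getdomainsid") on a joined host.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"
LOW=10000          # matches "idmap uid = 10000-60000"
HIGH=60000

# sid_rid SID  -> prints the RID (last sub-authority)
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# sid_domain SID -> prints the domain part (everything before the last '-')
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# rid_to_uid SID -> prints the UID winbind would assign, or returns 1
# when the SID is from another domain (the "allow trusted domains = no"
# case) or the RID falls outside the configured range.
rid_to_uid() {
    sid=$1
    if [ "$(sid_domain "$sid")" != "$DOMAIN_SID" ]; then
        echo "refusing SID from another domain: $sid" >&2
        return 1
    fi
    rid=$(sid_rid "$sid")
    case $rid in
        ''|*[!0-9]*) echo "malformed SID: $sid" >&2; return 1 ;;
    esac
    uid=$((LOW + rid))
    if [ "$uid" -gt "$HIGH" ]; then
        echo "RID $rid maps to $uid, above the range end $HIGH" >&2
        return 1
    fi
    printf '%s\n' "$uid"
}

# uid_to_sid UID -> inverse mapping; returns 1 for UIDs outside the range
uid_to_sid() {
    uid=$1
    if [ "$uid" -lt "$LOW" ] || [ "$uid" -gt "$HIGH" ]; then
        echo "UID $uid is not in the winbind range $LOW-$HIGH" >&2
        return 1
    fi
    printf '%s-%s\n' "$DOMAIN_SID" $((uid - LOW))
}

# Usage: ./idmap_rid_demo.sh S-1-5-21-...-1105   (prints the UID)
if [ $# -gt 0 ]; then
    rid_to_uid "$1"
fi
```

To check the model against a live host, resolve a user's SID with wbinfo -n 'ADS\someuser' and feed it to wbinfo -S; the result should equal LOW + RID on every host that shares this smb.conf. Note the cut-off: with a 10000-60000 range, accounts whose RID exceeds 50000 get no UID at all, so size the range to the domain's RID counter rather than to the number of users.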
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390