-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Leafey
Sent: Thursday, June 05, 2008 4:35 PM
To: CentOS mailing list
Subject: [SPAM]Re: [CentOS] using windows ad accounts for centos 5

Isaac Gonzalez wrote:
> Hi I read and used the article
> http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2 to authenticate my
> ad accounts when logging on to cent 5…however, once I edit the
> nsswitch.conf file, I can’t even log on as root or any local users
> anymore. Kinit seems to initialize fine doing a kinit
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> , however doing a
> getent passwd adusername ….it just sits there in the shell and does
> nothing. I actually had to put all files back to where they were
> before the change to even be able to login locally or use sudo.
>
> I followed the steps line by line on this article but get stuck
> every time….anyone has an idea or a better documented way of achieving
> what I am trying to do , please let me know.
>
> Thanks,
> Isaac
>

>I'm using AD-via-Kerberos to authenticate users on several CentOS 5.1 systems.
>Setting it up was as easy as a single command line:
>
>authconfig \
>    --usemd5 --useshadow --enablelocauthorize \
>    --enablekrb5 \
>    --krb5realm={AD Domain Name} \
>    --enablekrb5kdcdns --enablekrb5realmdns --update
>
>This makes the necessary changes to /etc/krb5.conf, /etc/ and
>/etc/nsswitch.conf. I am NOT using this for user information, just
>password authentication, so I add user accounts for each authorized user.
>
>You can also consider using the --disablesysnetauth flag, which disables
>authenticating "system" accounts via the network services and forces them
>to use local authorization. This should prevent entries in the AD for
>"root" and other system accounts from being used.
>
>Hope that helps!
>--
>Jay Leafey - Memphis, TN
>[EMAIL PROTECTED]

Ok no more errors with the pam file...guess my repos was out of sync. Jay, did you have to put in the hostname of the dc that actually performs the Kerberos auth? I am wondering if I need to specify this in the command or the krb5.conf file... It is not working for me. I am using MYDOMAINNAME.COM as the AD domain name with and without brackets around it.

Time is synced to dc.

Thanks,
Isaac

_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
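
Added example, not part of either poster's messages: a shell sketch that reads copies of the two files the authconfig command above modifies and reports how a KDC for a given realm would be located (--enablekrb5kdcdns corresponds to dns_lookup_kdc = true in [libdefaults]; the alternative is a kdc entry under that realm in [realms]) and whether nsswitch.conf still consults local files first. The function names, the EXAMPLE.COM realm and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks on copies of krb5.conf and nsswitch.conf.

# kdc_source KRB5_CONF REALM
# Prints "static" if [realms] has a kdc entry for REALM (exact, case-sensitive
# match), "dns" if [libdefaults] enables dns_lookup_kdc, otherwise "none".
kdc_source() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        { gsub(/=/, " = ") }                         # tolerate key=value
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); cur = ""; next }
        sec == "realms" && /=[ \t]*[{]/ { cur = $1; next }
        sec == "realms" && /[}]/        { cur = ""; next }
        sec == "realms" && cur == realm && $1 == "kdc" { fixed = 1 }
        sec == "libdefaults" && $1 == "dns_lookup_kdc" &&
            tolower($3) ~ /^(true|yes|on|1)$/ { dns = 1 }
        END { print (fixed ? "static" : (dns ? "dns" : "none")) }
    ' "$1"
}

# nss_local_first NSSWITCH_CONF
# Succeeds only if passwd, shadow and group each list "files" as the first
# source, so local accounts are looked up before any network service.
nss_local_first() {
    awk '
        { sub(/#.*/, ""); gsub(/:/, " : ") }
        $1 == "passwd" || $1 == "shadow" || $1 == "group" {
            seen[$1] = 1
            if ($3 != "files") bad = 1
        }
        END { exit (bad || !seen["passwd"] || !seen["shadow"] || !seen["group"]) }
    ' "$1"
}

# Constructed sample input: a DNS-discovery setup with no static KDC entry.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 OTHER.EXAMPLE = {
  kdc = kdc1.other.example
 }
EOF
printf 'passwd: files\nshadow: files\ngroup: files\n' > "$tmp/nsswitch.conf"
echo "EXAMPLE.COM KDC source: $(kdc_source "$tmp/krb5.conf" EXAMPLE.COM)"
nss_local_first "$tmp/nsswitch.conf" && echo "local files are consulted first"
rm -rf "$tmp"
```

A result of "none" means the configuration gives the Kerberos library no way to find a KDC for that realm; "dns" means it depends on the resolver returning the realm's Kerberos SRV records.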