Re: Authenticating users against AD *without* joining the domain?
On Tue, Feb 12, 2013 at 8:55 PM, Ken D'Ambrosio wrote:
> I'd be just plain happy if I could use an AD server to let
> users authenticate against LDAP, and then log in.

  Can you explain what you're after in a little more detail, please?

  E.g., are you wanting users to be able to SSH in, type a username and
password for an AD account, and have those checked against a Domain
Controller?  Or... what?  :)

-- Ben
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: Authenticating users against AD *without* joining the domain?
Ben said:
> Can you explain what you're after in a little more detail, please?
>
> E.g., are you wanting users to be able to SSH in, type a username
> and password for an AD account, and have those checked against a
> Domain Controller?

*sigh* Yeah, I realized (much) later that I wasn't descriptive enough.
That's *exactly* what I'm looking to do -- basically, I see it like
this: if they can bind to the AD server with the credentials (via LDAP,
which is woo feasible), then I want to let them in.  And, yes, all via
ssh.

-Ken

> Or... what?  :)
>
> -- Ben

--
This mail was scanned by BitDefender
For more information please visit http://www.bitdefender.com/links/en/frams.html
RE: Authenticating users against AD *without* joining the domain?
I have struggled with this problem for years.  We came to a solution a
long time ago that works 100% of the time but keeps the Linux servers
somewhat on the sidelines.

The solution is very simple, really.  We have all our Linux boxes (we
have about 50 of them connected together under the umbrella of a MS
Exchange Server) using a really stripped down Samba (excUUUse me, I mean
CIFS) configuration.  I have attached the smb.conf file.  It provides a
completely open share.  We rely on the firewall of the Exchange Server
and have the Linux firewall turned completely off.

Put the smb.conf file in /etc/samba and do this: 'service smb restart'
or whatever your distro requires equivalent to that.

Here was the most important piece: We DO NOT REFER TO THE LINUX SERVERS
BY THEIR NETWORK NAMES.  For some reason, using the workgroup name and
the Linux netbios name causes Active Directory to get really
constipated.  It works but sometimes it just doesn't, and other times it
takes minutes or hours to resolve the Linux netbios names.  Instead, we
simply refer to the Linux CIFS server by its Ethernet address and it
always works, and works very efficiently with no complaints from the
Windows domain server.

It works in both directions.  We can access file shares through Windows
Explorer and we can mount Windows shares on our Linux boxes.

Let's say I want to get at /var/log/messages on Linux Server XYZ1 at IP
address 192.168.101.195.  I simply refer to it as
\\192.168.101.195\sysroot\var\log\messages from Windows and all is well
(sysroot is the name of the Linux share that gives me access to "/").

We use the "porta putty" SSH client and simply use the IP address to
login to Linux and the whole package is rather seamless.

On the rare occasions we need to get at the Xwindows desktop, we use VNC
and it simply works, and we have no issues as long as we do not make the
mistake of trying to access a Linux box as, e.g.,
\\XYZ1\sysroot\var\ instead of \\192.168.101.195\sysroot\var\

Later - Frank

-----Original Message-----
From: gnhlug-discuss-boun...@mail.gnhlug.org
[mailto:gnhlug-discuss-boun...@mail.gnhlug.org] On Behalf Of Ken D'Ambrosio
Sent: Tuesday, February 12, 2013 8:55 PM
To: GNHLUG
Subject: Authenticating users against AD *without* joining the domain?

> Hey, all.  At my new employer, it basically takes an act of God to get a
> Linux box to join the domain.  I'd be just plain happy if I could use an
> AD server to let users authenticate against LDAP, and then log in.  Any
> idea how to make that happen?  Worst-case, I'm thinking of doing some
> sort of Apache/LDAP thing, but if anyone's got any bright ideas, I'm all
> ears.
>
> Thanks,
>
> -Ken

Attachment: smb.conf
Re: Authenticating users against AD *without* joining the domain?
On Wed, Feb 13, 2013 at 11:03 AM, Rudolph, Frank wrote:
> We have all our Linux boxes (we have about 50 of them connected
> together under the umbrella of a MS Exchange Server)

  Uh... just FYI, Exchange has nothing to do with SMB/CIFS/NetBIOS/etc.
That might be your problem right there.  :-)

> We rely on the firewall of the Exchange Server ...

  Nor is Exchange a firewall.  Exchange is a mail server.  :-)

> Here was the most important piece: We DO NOT REFER TO
> THE LINUX SERVERS BY THEIR NETWORK NAMES.

  You have no name resolution configured in the provided Samba config
file; I suspect that's part of your problem.  The defaults use
broadcasts, which are unreliable at best, and often don't work at all.
If you're in a good-sized Microsoft shop, and there is a need or desire
to support NetBIOS (very common), the Windows admins are very likely
using WINS (NBNS), and you're going to need to configure that.  The
Windows people may also have disabled broadcast name resolution
entirely.  Alternatively, the Windows admins may have gone entirely to
using DNS names, and you're going to need to configure Samba to know
that.

-- Ben
RE: Authenticating users against AD *without* joining the domain?
Sorry, you are correct.  Not being a Windows expert, I tend to
oversimplify.  I keep referring to our Windows Server as an Exchange
server.  I realize that is incorrect.  We are an engineering house with
negligible IT support and I touch Windows only when I have to.

Let me clarify...

We have a Windows Server (2008 or 2010, not sure which).  On that
server, we have all our umbrella of security running for the entire
domain, firewalls included.  On that server we have an Exchange server
running to support email.  We also have Active Directory running there
and the entire enterprise uses that as our in-house support.

Our IT manager is quite knowledgeable about Windows ONLY and knows
nothing about Linux.  I on the other hand try to stay entirely in the
Linux world and use Windows only as a way to edit documents, send email,
etc.

What I discovered is that, since we have limited support for the
interface between Windows and Linux and no time at all to figure out
why, I learned from another Linux user back in 2005 that if I just used
the stripped down smb.conf file, all the issues I was having with
Windows constantly barfing every time I tried to do anything that
involved talking to Linux, my problems would go away.  So I did that and
the problem immediately ceased to be a problem.

We have a software staff of 1, an IT staff of 1 and we use a few
contractors to help out.  For us this has been a completely sufficient,
cheap, easy, long-term solution for an undermanned staff and I just
passed it on.

But thanks for your corrections.

- Frank

-----Original Message-----
From: gnhlug-discuss-boun...@mail.gnhlug.org
[mailto:gnhlug-discuss-boun...@mail.gnhlug.org] On Behalf Of Ben Scott
Sent: Wednesday, February 13, 2013 11:53 AM
To: Greater NH Linux User Group
Subject: Re: Authenticating users against AD *without* joining the domain?
Re: Authenticating users against AD *without* joining the domain?
On Wed, Feb 13, 2013 at 9:28 AM, Ken D'Ambrosio wrote:
> *sigh* Yeah, I realized (much) later that I wasn't descriptive enough.
> That's *exactly* what I'm looking to do -- basically, I see it like
> this: if they can bind to the AD server with the credentials (via LDAP,
> which is woo feasible), then I want to let them in.  And, yes, all via
> ssh.

  Okay, there are two ways to approach this.

  One is to have Linux speak LDAP to Windows, and do the auth via LDAP.
It should basically be a pure LDAP scenario, with no knowledge of
Windows-ese stuff involved.  I don't know much about LDAP auth, but we
do have people here who do.

  The other way is to have Linux speak Windows-ese to Windows, and do
the auth via Windows-ese.  This I know (far too much) about.

  There are two ways to have Samba do Windows-ese authentication.  One
is to have Samba join the domain.  The other is to have Samba do
pass-along server authentication against a Domain Controller server.

  Joining the domain is the preferred method.  Is the situation truly
hopeless?  If you have a valid set of domain credentials, by default
that will have permission to join up to 10 members to the domain, so we
could try that and you could plead ignorance later.  OTOH, that may be
politically bad (i.e., a Career Limiting Move).  On the third hand, can
you have a dialog with the Windows admin team?  If they're letting a
Linux box on your network in the first place, one hopes they'd want it
to be subject to corporate security and all that.  (Or are you
firewalled?)

  The other method is to configure Samba with "security = server".  This
basically passes credentials (username/password/hash) unprocessed to a
named Windows server, and gets the auth that way.  The problem here is
that AFAIK this excludes winbind, which is the mechanism Samba uses to
provide a NSS/PAM compatible interface to the host OS.

  I guess this prolly doesn't help you much.  Sorry.

-- Ben
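The "pure LDAP" route Ben describes above, and the "if they can bind, let them in" rule Ken gave earlier in the thread, come down to one LDAP simple bind against a domain controller. The script below is an added example, written for this thread and not code from any poster or from Samba; it uses only the Python standard library, encodes the BindRequest itself (RFC 4511 BER), and builds in the two checks a practitioner wants before trusting such a bind: the password must not be empty (RFC 4513 calls a bind with a name and an empty password an *unauthenticated* bind, and AD answers it with success, so the rule "bind succeeded" would admit anyone), and the connection must be LDAPS with a verified certificate, since a simple bind sends the password in the clear inside the TLS tunnel. The host name `dc1.corp.example`, the UPN `alice@corp.example`, port 636 and the CA file are placeholders; AD accepts either a full DN or a `user@realm` name for simple bind.

```python
"""LDAP simple-bind credential check, standard library only (added example)."""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # resultCode AD returns for a bad password


def ber_len(n):
    """BER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One BER TLV: tag octet, length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_bind_request(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] with simple auth [0] }."""
    if not password:
        # RFC 4513 sec. 5.1.2: name plus empty password is an unauthenticated
        # bind, which AD accepts, so it must never count as a credential check.
        raise ValueError("empty password would be an unauthenticated bind")
    if not 0 < msg_id < 0x80:
        raise ValueError("msg_id outside the single-octet INTEGER range used here")
    bind = ber(0x60, ber(0x02, b"\x03")              # version 3
                     + ber(0x04, name.encode())      # LDAPDN, or user@realm on AD
                     + ber(0x80, password.encode()))  # AuthenticationChoice.simple
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (msg_id, resultCode, diagnosticMessage) of a BindResponse [APPLICATION 1]."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:                       # ENUMERATED resultCode
        raise ValueError("resultCode missing")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        more = _recv_exact(sock, length & 0x7F)
        head, length = head + more, int.from_bytes(more, "big")
    return head + _recv_exact(sock, length)


def check_credentials(host, name, password, port=636, cafile=None):
    """True iff the DC accepts a simple bind as `name`/`password` over verified TLS."""
    request = encode_bind_request(1, name, password)   # rejects empty passwords
    ctx = ssl.create_default_context(cafile=cafile)      # chain and host name verified
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request)
        msg_id, code, _diag = parse_bind_response(_recv_message(tls))
        tls.sendall(ber(0x42, b""))                      # UnbindRequest [APPLICATION 2]
    if msg_id != 1:
        raise ValueError("response does not answer our request")
    return code == LDAP_SUCCESS


if __name__ == "__main__":
    import getpass
    # Placeholder domain controller and account; replace with your own.
    ok = check_credentials("dc1.corp.example", "alice@corp.example",
                           getpass.getpass("AD password: "))
    print("accepted" if ok else "rejected")
```

Wired into a PAM module or an Apache auth handler this gives exactly the check Ken asked for, with the host never joined to the domain; what it does not give is the NSS side (UIDs, groups, home directories), which is the gap Ben's remark about winbind points at, so a real deployment pairs the bind check with a separate source of account attributes.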