Actually, we didn't give the AD domain any control over the box itself. PAM and NSS were set up to authenticate local machine users (ssh) from our Unix (Sun) LDAP. Samba was only set up for use with the RADIUS authentication process. You *can* give AD accounts control over the machine, but you have to specifically set up PAM and NSS for that. When everything Samba-wise was configured and set, the only process we actually ran was winbindd, which is required for ntlm_auth to work, which is what FreeRADIUS uses for PEAP-to-AD authentication. smbd, nmbd, etc. were not running.

--Mike
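A pre-flight check for the layout Mike describes (winbindd up, smbd/nmbd down, FreeRADIUS calling ntlm_auth), written as an added example and not taken from the thread. It assumes ntlm_auth at /usr/bin/ntlm_auth, wbinfo in PATH, and the environment variables AD_DOMAIN and TEST_USER for the live run; all of those are assumptions, not details from the messages.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the setup Mike
# describes. Only winbindd needs to run, smbd/nmbd stay down, and FreeRADIUS's
# mschap module shells out to ntlm_auth, which talks to winbindd.
# Assumed (not from the thread): ntlm_auth at /usr/bin/ntlm_auth, wbinfo in
# PATH, and environment variables AD_DOMAIN and TEST_USER for the live run.

# Given a newline-separated list of process names, succeed only when winbindd
# is running and neither smbd nor nmbd is.
samba_daemon_state() {
    procs="$1"
    winbind=$(printf '%s\n' "$procs" | grep -c -x 'winbindd') || true
    others=$(printf '%s\n' "$procs" | grep -c -x -E 'smbd|nmbd') || true
    [ "$winbind" -gt 0 ] && [ "$others" -eq 0 ]
}

# The command line FreeRADIUS's mschap module runs per MS-CHAPv2 request; it
# belongs in the ntlm_auth = "..." setting of the mschap stanza. The %{...}
# references are FreeRADIUS attribute expansions filled in at request time.
ntlm_auth_cmdline() {
    domain="$1"
    printf '%s' "/usr/bin/ntlm_auth --request-nt-key --domain=$domain" \
        " --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}" \
        " --challenge=%{%{mschap:Challenge}:-00}" \
        " --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Live checks run only with --live, so the functions above can be sourced or
# tested on a box that is not joined to any domain.
if [ "${1:-}" = "--live" ]; then
    if samba_daemon_state "$(ps -eo comm=)"; then
        echo "daemons: OK (winbindd up, smbd/nmbd down)"
    else
        echo "daemons: WRONG (expect winbindd only)"
    fi
    # Verifies the machine trust account secret with the DC; this is the
    # account Mike mentions having to create by hand.
    wbinfo -t
    # Same call path as the RADIUS server, minus the per-request attributes.
    # ntlm_auth prompts for the password when it is not given on the command
    # line, so the password does not appear in ps output.
    ntlm_auth --request-nt-key --domain="$AD_DOMAIN" --username="$TEST_USER"
    echo "mschap ntlm_auth line: $(ntlm_auth_cmdline "$AD_DOMAIN")"
fi
```

Run it as `sh check.sh --live` on the RADIUS host after joining the domain; the RADIUS service user must also be able to read the winbindd privileged pipe directory or ntlm_auth will be refused the NT key.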


On Aug 26, 2008, at 11:20 AM, Philippe Hanset wrote:

Michael,

Thanks.
How much control do you have to give to the domain controller
to have that scheme working?
(Somehow having AD, and the AD guys, controlling our UNIX box gives me
the chills... ;-)

Philippe


----------------------------------
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
----------------------------------

On Tue, 26 Aug 2008, Michael Griego wrote:

Philippe,

At UTD, we used FreeRADIUS to authenticate against Active Directory.
It required that you set up Samba and join it to the domain, but it
wasn't that difficult to get set up and running.  I do remember that
sometimes Samba would have a hard time *creating* the machine trust
account, so, to get around that, we'd usually create the trust account
manually, then join Samba to it.

--Mike

On Aug 26, 2008, at 9:06 AM, Philippe Hanset wrote:

All,

We want to move to EAP-PEAP instead of EAP-TTLS (secure W2),
and try to use the built-in client in Vista and XP.
We use RADIATOR for RADIUS and have two identical back end
directories:
LDAP and Active Directory.

Considering the hashing issue that MSchapV2 introduces we want to
authenticate against AD. But our AD admin is giving us a hard time.
He wants us to join his domain and do NTSM/Kerberos.
This involves a lot of SAMBA and I'm more of a Tango guy!

Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?

Thank you in advance,

Philippe

----------------------------------
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
----------------------------------

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.