Hi, I read and used the article http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2 to authenticate my AD accounts when logging on to CentOS 5... however, once I edit the nsswitch.conf file, I can't even log on as root or any local users anymore. Kinit seems to initialize fine doing a kinit username at MYDOMAIN.COM, however doing a getent passwd adusername... it just sits there in the shell and does nothing. I actually had to put all files back to where they were before the change to even be able to log in locally or use sudo.

I followed the steps line by line on this article but get stuck every time... If anyone has an idea or a better documented way of achieving what I am trying to do, please let me know.

Thanks,
Isaac

Isaac Gonzalez wrote:
> Hi, I read and used the article
> http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2 to authenticate my AD
> accounts when logging on to CentOS 5... however, once I edit the
> nsswitch.conf file, I can't even log on as root or any local users
> anymore. Kinit seems to initialize fine doing a kinit
> username at MYDOMAIN.COM, however doing a
> getent passwd adusername... it just sits there in the shell and does
> nothing. I actually had to put all files back to where they were before
> the change to even be able to log in locally or use sudo.
>
> I followed the steps line by line on this article but get stuck
> every time... If anyone has an idea or a better documented way of achieving
> what I am trying to do, please let me know.
>
> Thanks,
> Isaac

I'm using AD-via-Kerberos to authenticate users on several CentOS 5.1 systems. Setting it up was as easy as a single command line:

    authconfig \
        --usemd5 --useshadow --enablelocauthorize \
        --enablekrb5 \
        --krb5realm={AD Domain Name} \
        --enablekrb5kdcdns --enablekrb5realmdns --update

This makes the necessary changes to /etc/krb5.conf, /etc/ and /etc/nsswitch.conf. I am NOT using this for user information, just password authentication, so I add user accounts for each authorized user.

You can also consider using the --disablesysnetauth flag, which disables authenticating "system" accounts via the network services and forces them to use local authorization. This should prevent entries in the AD for "root" and other system accounts from being used.

Hope that helps!
--
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
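
A check for the failure described in this thread, where local logins stopped working after nsswitch.conf was edited: this added example (not code from the thread or from authconfig) verifies that passwd, shadow and group still list files as their first source, so root and other local accounts never wait on a network lookup. The sample files and the winbind source name in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# first_source DB FILE: print the first lookup source configured for DB.
first_source() {
    awk -v db="$1" '
        { sub(/#.*/, "") }                      # ignore comments
        match($0, "^[ \t]*" db "[ \t]*:") {     # e.g. "passwd:"
            split(substr($0, RLENGTH + 1), src, " ")
            print src[1]
            exit
        }' "$2"
}

# check_nsswitch FILE: return 0 only if passwd, shadow and group all
# consult local files before any network source.
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        first=$(first_source "$db" "$1")
        if [ "$first" = "files" ]; then
            echo "ok:   $db resolves from files first"
        else
            echo "FAIL: $db first source is '${first:-none}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: a network-first layout and a files-first layout.
write_nss_samples() {
    printf '%s\n' 'passwd: winbind files' 'shadow: files' \
        'group:  winbind files' > "$1/nsswitch.network-first"
    printf '%s\n' '# local accounts first' 'passwd: files winbind' \
        'shadow: files' 'group:  files winbind' > "$1/nsswitch.files-first"
}

# Usage: sh check_nsswitch.sh /etc/nsswitch.conf
if [ -r "${1:-}" ]; then
    check_nsswitch "$1"
fi
```

Running it against a copy of the edited file before installing that copy keeps a working root login available if the check fails.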

That was exactly what I was looking for, thanks for taking the time to reply... I'll reply back with my results.

-Isaac

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jay Leafey
Sent: Thursday, June 05, 2008 4:35 PM
To: CentOS mailing list
Subject: [SPAM]Re: [CentOS] using windows ad accounts for centos 5

Hmmm... I get

    authconfig: Authentication module /lib/security/pam_krb5.so is missing. Authentication process will not work correctly.

when running this command... I tried to use yum whatprovides pam_krb5.so ... to no avail. Any suggestions?

Isaac Gonzalez
2008-Jun-18 18:22 UTC
[SPAM]Re: [CentOS] using windows ad accounts for centos 5
Ok, no more errors with the pam file... guess my repos were out of sync.

Jay, did you have to put in the hostname of the DC that actually performs the Kerberos auth? I am wondering if I need to specify this in the command or the krb5.conf file... It is not working for me. I am using MYDOMAINNAME.COM as the AD domain name with and without brackets around it. Time is synced to the DC.

Thanks,
Isaac
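
On the question of where the KDC host name goes: krb5.conf either lists kdc entries under the realm or sets dns_lookup_kdc so the Kerberos library finds KDCs through _kerberos SRV records in DNS. This added example (not from the thread) reports which of the two a given krb5.conf uses; the sample files and the host name dc1.mydomainname.com are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The sample krb5.conf text is constructed;
# dc1.mydomainname.com is a hypothetical host name.

# kdc_mode FILE REALM: print "explicit <kdc>..." if the realm lists kdc
# entries, "dns" if dns_lookup_kdc is enabled, otherwise "unset" (the
# library's built-in default then applies).
kdc_mode() {
    awk -v realm="$2" '
        { sub(/^[ \t]*[#;].*/, ""); gsub(/=/, " = ") }   # drop comments, space out "="
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "libdefaults" && $1 == "dns_lookup_kdc" { dns = tolower($3) }
        section == "realms" && $1 == realm && /[{]/ { inrealm = 1; next }
        inrealm && /[}]/ { inrealm = 0 }
        inrealm && $1 == "kdc" { kdcs = kdcs " " $3 }
        END {
            if (kdcs != "") print "explicit" kdcs
            else if (dns ~ /^(true|yes|on|1)$/) print "dns"
            else print "unset"
        }' "$1"
}

# srv_names REALM: the SRV records consulted when KDCs are found through DNS.
# Query them with, for example: host -t SRV _kerberos._udp.REALM
srv_names() {
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# Constructed samples: one DNS-discovery file, one with an explicit KDC.
write_krb5_samples() {
    cat > "$1/krb5.dns" <<'EOF'
[libdefaults]
 default_realm = MYDOMAINNAME.COM
 dns_lookup_kdc = true
EOF
    cat > "$1/krb5.explicit" <<'EOF'
[libdefaults]
 default_realm = MYDOMAINNAME.COM
 dns_lookup_kdc = false
[realms]
 MYDOMAINNAME.COM = {
  kdc = dc1.mydomainname.com:88
 }
EOF
}

# Usage: sh kdc_mode.sh /etc/krb5.conf MYDOMAINNAME.COM
if [ -r "${1:-}" ] && [ -n "${2:-}" ]; then kdc_mode "$1" "$2"; fi
```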