----- Original Message -----
From: "Jason Pyeron" <jpyeron@pdinc.us>
To: "CentOS mailing list" <centos@centos.org>
Sent: Wednesday, November 14, 2007 12:23:17 PM (GMT+1000) Australia/Brisbane
Subject: [CentOS] SSO the Linux way?
So I was googling around about this over the last week and here is what I
found:
NIS/YP is for some reason bad.
Kerberos is holy, but there are no how-tos that don't involve Windows and Active
Directory.
What is the recommended SSO approach for CentOS? Where are there examples /
docs to follow?
Jason
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us      -
- Sr. Consultant                10 West 24th Street #100         -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218        -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately. Any other use of the email by you
is prohibited.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Jason,
I've just finished writing up the Solaris 9/10 version of what you are
looking for; it amounted to about 10 pages! As an exercise in illustrating (to
management, with a view to ditching Solaris and moving to RHEL) how much easier
this sort of thing is in Linux (RHEL/CentOS), I have taken some notes on how to
do it:
I can't remember if authconfig updates the /etc/krb5.conf file automatically
(I think it does), but it should look similar to this or you will not be able to
join your server to the domain:
[libdefaults]
 # realm names are case sensitive; AD realms are the DNS domain in upper case
 default_realm = MYCORP.NET.AU
[realms]
 MYCORP.NET.AU = {
  # the domain controllers act as KDCs; list more than one for failover
  kdc = dc1.mycorp.net.au
  kdc = dc2.mycorp.net.au
 }
# section name is domain_realm (singular); libkrb5 silently ignores unknown sections
[domain_realm]
 # map hostnames in the DNS domain onto the realm
 .mycorp.net.au = MYCORP.NET.AU
 mycorp.net.au = MYCORP.NET.AU
You can test the Kerberos stuff is working by doing:
kinit user@MYCORP.NET.AU
then
klist
and finally to destroy the ticket:
kdestroy
Don't even bother going any further if this does not work.
1. Ensure Samba server packages are installed.
2. Ensure DNS forward and reverse entries are accurate.
3. Ensure your server is time synced accurately (the Kerberos steps above will
fail if not).
4. Run authconfig or the 'tui' version.
5. Tick/Star both the 'winbind' options for user and authentication.
6. Next page - choose 'ads' as security model and fill in the rest of
the details, e.g. DOMAIN and DC; ensure that the 'ADS Realm' is your
FQDN from the krb5.conf file, e.g. MYCORP.NET.AU in uppercase.
7. Click join domain and enter your AD user/password.
8. Check your /etc/samba/smb.conf; it should have all the necessary bits set
appropriately.
If you successfully joined the domain then domain users should now be able to
access any defined shares and even ssh onto the box, provided you chose a valid
login shell, created the necessary 'template homedir' and updated your PAM
system-auth to add the following:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
You can also limit who can log in with ssh by editing /etc/pam.d/sshd and
adding something like:
auth required pam_succeed_if.so user ingroup unix-admins
where 'unix-admins' is an AD group.
Authconfig will automatically update /etc/nsswitch.conf and add the
'winbind' entry for passwd, shadow and group.
Let us know if this works for you.
Cheers.
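The reply's steps 1-3 and its kinit/klist/kdestroy smoke test are the part people skip and then spend a day debugging. The script below is an added example, not code from either message or from authconfig/Samba: it checks, in the reply's order, that /etc/krb5.conf has the pieces the reply calls mandatory (upper-case realm, a kdc under [realms], a [domain_realm] section rather than the easy typo [domain_realms]), that the clock offset to the KDC is inside MIT Kerberos's default 300 second clockskew, that forward and reverse DNS for the host agree, and only then runs the kinit round trip and, after the join, net ads testjoin / wbinfo -t. The file name ad_preflight.sh is hypothetical; the realm and DC names are the reply's own; the ntpdate output format is the one `ntpdate -q` prints, and the sample line used to exercise the parser is constructed.

```shell
#!/bin/sh
# ad_preflight.sh (hypothetical name): pre-join checks for a CentOS box about
# to go through authconfig + winbind, in the order the reply gives: krb5.conf
# shape, clock skew, forward/reverse DNS, then the kinit round trip.
# Added example, not from the thread. Realm and DC names are the reply's own;
# the 300 s limit is MIT Kerberos's default clockskew.

REALM="${REALM:-MYCORP.NET.AU}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
MAX_SKEW=300   # seconds; libdefaults clockskew default in MIT krb5

# check_krb5_conf FILE REALM -> 0 when the file has what the reply calls mandatory:
#  - default_realm is REALM and REALM is upper case (realm names are case sensitive)
#  - a [realms] block for REALM that names at least one kdc
#  - a [domain_realm] section; the typo [domain_realms] is an unknown section
#    that libkrb5 silently ignores, so the host -> realm mapping is lost
check_krb5_conf() {
    f="$1"; realm="$2"
    [ -r "$f" ] || { echo "krb5.conf: cannot read $f"; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "krb5.conf: realm $realm must be upper case"; return 1; }
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$f" \
        || { echo "krb5.conf: default_realm is not $realm"; return 1; }
    # print the "REALM = { ... }" block and look for a kdc line inside it
    sed -n "/^[[:space:]]*${realm}[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/p" "$f" \
        | grep -Eq "^[[:space:]]*kdc[[:space:]]*=" \
        || { echo "krb5.conf: no kdc under [realms] $realm"; return 1; }
    grep -Eq "^[[:space:]]*\[domain_realms\]" "$f" \
        && { echo "krb5.conf: section [domain_realms] should be [domain_realm]"; return 1; }
    grep -Eq "^[[:space:]]*\[domain_realm\]" "$f" \
        || { echo "krb5.conf: missing [domain_realm] section"; return 1; }
    return 0
}

# ntpdate_offset OUTPUT -> offset in seconds (may be negative) taken from the
# first "server ..., stratum N, offset X, delay Y" line of `ntpdate -q <kdc>`
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# check_skew OFFSET -> 0 when |OFFSET| <= MAX_SKEW (step 3 of the reply: the
# KDC rejects requests outside this window, which is why kinit fails on an
# unsynced host). Empty input is a failure, not a pass.
check_skew() {
    off="$1"
    [ -n "$off" ] || return 1
    abs=$(awk -v o="$off" 'BEGIN { if (o < 0) o = -o; printf "%d", o }')
    [ "$abs" -le "$MAX_SKEW" ]
}

# resolve_host NAME_OR_IP -> "ADDRESS CANONICAL_NAME" via getent, so that
# /etc/hosts and nsswitch are honoured, which is what krb5 and winbind see
resolve_host() { getent hosts "$1" | head -n 1; }

# dns_roundtrip HOST IP -> 0 when HOST -> IP and IP -> HOST agree (step 2).
# MIT krb5 with its default rdns setting canonicalises a service hostname via
# the reverse lookup, so a stale PTR yields a principal that is not in AD.
dns_roundtrip() {
    host="$1"; ip="$2"
    fwd=$(resolve_host "$host" | awk '{print $1}')
    rev=$(resolve_host "$ip" | awk '{print $2}')
    [ "$fwd" = "$ip" ] && [ "$rev" = "$host" ]
}

# Live run on the target box: ./ad_preflight.sh --run [AD_USER]
run_live() {
    user="${1:-$USER}"
    check_krb5_conf "$KRB5_CONF" "$REALM" || return 1
    kdc=$(sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$KRB5_CONF" | head -n 1)
    off=$(ntpdate_offset "$(ntpdate -q "$kdc" 2>/dev/null)")
    check_skew "$off" || { echo "clock offset to $kdc is '$off' s, limit $MAX_SKEW"; return 1; }
    me=$(hostname -f)
    dns_roundtrip "$me" "$(resolve_host "$me" | awk '{print $1}')" \
        || { echo "forward/reverse DNS disagree for $me"; return 1; }
    # the reply's own test; do not go any further if this fails
    kinit "${user}@${REALM}" && klist && kdestroy || return 1
    # only meaningful once authconfig has done 'join domain'
    net ads testjoin && wbinfo -t && getent passwd "$user"
}

if [ "${1:-}" = "--run" ]; then run_live "$2"; fi
```

Each check is a function that returns 0 or 1 and prints one line on failure, so the same file can be sourced to run individual checks from a ticket or wired into a kickstart %post; nothing network-facing runs unless --run is given.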