King, John (Greg) (LMIT-HOU)
2006-Jul-05 14:01 UTC
[CentOS] Linux kerberos to Windows AD 2000/2003
I have spent the last 4-5 hours scrounging Google articles on this and have found 2 solutions. The problem is one of them is something that we will not do (as MS will not support extending AD with Services For Unix (SFU)).

The other is simply configuring Kerberos and PAM on the Linux system. No problem there from what I can tell:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: userid at dom.ain

    Valid starting     Expires            Service principal
    07/05/06 07:23:03  07/05/06 17:23:47  krbtgt/DOM.AIN at DOM.AIN
            renew until 07/06/06 07:23:03


    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

The problem though is configuring winbind from the console (all of the Linux systems are nothing more than the kernel, ssh and the few apps necessary for the system to do its job). All the online examples I have been able to find use the Linux GUI.

Does anyone know of a document (or mind sharing) how they installed and configured the Samba 3 winbind daemon to map SIDs to Unix uids/gids? That would eliminate the need to extend the Active Directory schema.

thanks,

Greg
King, John (Greg) (LMIT-HOU)
2006-Jul-05 14:05 UTC
[CentOS] Linux kerberos to Windows AD 2000/2003
blah hit next on my Google search and got this link hehe go figure it is the first link AFTER I finally ask for help

http://windows.ittoolbox.com/documents/tutorials/integrating-samba-3-in-to-a-windows-2003-domain-1893

but if anyone has more links to share please do
Hi Greg,

I remember doing it, and I remember starting from the official Samba HOWTO:

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

or

http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

(at least I remember following it and getting it working). I should have some more documentation, if I can find it I will let you know.

Cheers,
Simone

King, John (Greg) (LMIT-HOU) wrote:
> blah hit next on my Google search and got this link hehe go figure it
> is the first link AFTER I finally ask for help
>
> http://windows.ittoolbox.com/documents/tutorials/integrating-samba-3-in-to-a-windows-2003-domain-1893
>
> but if anyone has more links to share please do
Greg,

The latest release of Windows AD (ADR2) integrates a newer version of SFU into the AD schema. We have tested it very successfully using our CentOS boxes to authenticate and authorize access to our machines, using Kerberos and LDAP.

We tried the winbind/smb approach, and the way it handles UIDs and GIDs is less than desirable in our case. It might work for small offices/networks with 50 users or so, but for us, in the case of spreading it campuswide to 1000s of users, it would never do. Also, the degree of UID/GID management is less than stellar since they are enumerated as people log on, and if the machine housing the UID/GID database crashes or you lose the database, getting the exact same mappings upon rebuild may not work - even with backups.

Ian
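Added example (not from this thread) contrasting the allocate-on-first-logon behaviour Ian describes with an arithmetic SID-to-uid mapping; the formula used is the one Samba's idmap_rid documentation gives (ID = RID - BASE_RID + LOW_RANGE_ID), while the domain SID, the id range and the logon orders are constructed assumptions.

```python
# Added illustration: why an allocation-based SID->uid table cannot be
# rebuilt identically from AD alone, while a RID-based mapping can.
# The RID formula follows Samba's idmap_rid man page:
#   ID = RID - BASE_RID + LOW_RANGE_ID
# Domain SID, range and logon orders below are constructed samples.
import re

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_of(sid: str, domain_sid: str = DOMAIN_SID) -> int:
    """Return the RID of a SID, rejecting SIDs from other domains."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} is not in domain {domain_sid}")
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid}")
    return int(m.group(1))


def rid_map(sid: str, low: int = 10000, high: int = 19999,
            base_rid: int = 0) -> int:
    """Deterministic mapping: the same SID always yields the same uid,
    so a rebuilt host computes the same ids without any saved database."""
    uid = rid_of(sid) - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"uid {uid} for {sid} is outside {low}-{high}")
    return uid


def alloc_map(logon_order, low: int = 10000) -> dict:
    """Allocation-style mapping: each SID seen for the first time gets
    the next free uid. The result depends on who logged on first, so
    losing the table means the rebuilt ids may not match file ownership."""
    table = {}
    for sid in logon_order:
        if sid not in table:
            table[sid] = low + len(table)
    return table


def mappings_stable(order_a, order_b) -> tuple:
    """Return (allocation_stable, rid_stable) across two logon orders."""
    alloc_same = alloc_map(order_a) == alloc_map(order_b)
    rid_same = {s: rid_map(s) for s in order_a} == {s: rid_map(s) for s in order_b}
    return alloc_same, rid_same
```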