Joseph L. Casale
2007-Dec-18 19:45 UTC
[CentOS] Logging into Windows 2003 Active Directory
I have been searching the net for directions on rhel and centos 5(1) to log in to a windows domain and have found many examples, all different and none work for me.

Is there a hint to some documentation anyone here knows of that actually works?

Thanks!
jlc
On Tue, 2007-12-18 at 12:45 -0700, Joseph L. Casale wrote:
> I have been searching the net for directions on rhel and centos 5(1)
> to log in to a windows domain and have found many examples, all
> different and none work for me.
>
> Is there a hint to some documentation anyone here knows of that
> actually works?
----
I would use the official samba documentation...

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Craig
Michael Semcheski
2007-Dec-18 20:20 UTC
[CentOS] Logging into Windows 2003 Active Directory
There are really two parts to what you are trying to do.

Part 1: Get the user information out of the AD LDAP schema. As I understand it, this requires modifying the Active Directory first. I haven't been able to get this to work, but don't control my active directory either.

Part 2: Authenticate the user via Kerberos. This is not too bad, as long as you don't care if your desktop can't grant tickets.

Two things you need to do:

Modify /etc/krb5.conf:

* Set the default realm to your AD Domain. e.g.:

    default_realm = MY.ACTIVEDIRECTORY.COM

* Define as a domain_realm your default realm. e.g.:

    .my.activedirectory.com = MY.ACTIVEDIRECTORY.COM

* Define the realm. e.g.:

    MY.ACTIVEDIRECTORY.COM = {
        kdc = dc1.my.activedirectory.com
        kdc = dc2.my.activedirectory.com
        default_domain = my.activedirectory.com
        admin_server = dc1.my.activedirectory.com
    }

Modify /etc/pam.d/system-auth -- not something I understand real well, so don't treat this as definitive information. Try:

    auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass

If you use that setup, and keep the username entries in /etc/passwd consistent with the names of users in your active directory, you can require the user to present their AD password in order to login.

On Dec 18, 2007 2:45 PM, Joseph L. Casale <jcasale at activenetwerx.com> wrote:
> I have been searching the net for directions on rhel and centos 5(1) to log
> in to a windows domain and have found many examples, all different and none
> work for me.
>
> Is there a hint to some documentation anyone here knows of that actually
> works?
>
> Thanks!
> jlc
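As an added example (not from Michael's post or from any CentOS or Samba tool), the following Python check parses a constructed krb5.conf and confirms that the three settings listed above all refer to the same realm; the realm and KDC host names are the post's placeholders, not a real domain.

```python
import re
# Constructed /etc/krb5.conf with the three settings the post lists (placeholder names).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MY.ACTIVEDIRECTORY.COM
[realms]
 MY.ACTIVEDIRECTORY.COM = {
  kdc = dc1.my.activedirectory.com
  kdc = dc2.my.activedirectory.com
  default_domain = my.activedirectory.com
  admin_server = dc1.my.activedirectory.com
 }
[domain_realm]
 .my.activedirectory.com = MY.ACTIVEDIRECTORY.COM
"""

def parse_krb5_conf(text: str) -> dict:
    """Section -> key -> list of values (kdc may repeat); 'NAME = {' nests."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":  # start of a realm block
            conf[section][key], block = {}, key
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(key, []).append(value)
    return conf

def check_ad_realm_setup(conf: dict) -> list:
    """Return what is missing; [] means all three settings name one realm."""
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if not realm:
        return ["libdefaults: default_realm is not set"]
    problems = []
    if not conf.get("realms", {}).get(realm, {}).get("kdc"):
        problems.append(f"realms: no kdc listed for {realm}")
    if realm not in {v for vs in conf.get("domain_realm", {}).values() for v in vs}:
        problems.append(f"domain_realm: nothing maps to {realm}")
    return problems
```

A real client would also need the realm section's KDC names to resolve; this check only validates that the file is internally consistent.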
Joseph L. Casale wrote:
> I have been searching the net for directions on rhel and centos 5(1)
> to log in to a windows domain and have found many examples, all
> different and none work for me.
>
> Is there a hint to some documentation anyone here knows of that
> actually works?

That's a SAMBA issue, really, not a RHEL/CentOS issue, except in that RHEL/CentOS 5 has a particular version of SAMBA. It works somewhat differently in each version of samba, and yes, ADS integration is often a major pain. Look for directions on Samba 3.0 and Active Directory.
redhat at mckerrs.net
2007-Dec-18 22:46 UTC
[CentOS] Logging into Windows 2003 Active Directory
----- Original Message -----
From: "Joseph L. Casale" <jcasale at ActiveNetwerx.com>
To: "centos at centos.org" <centos at centos.org>
Sent: Wednesday, December 19, 2007 5:45:13 AM (GMT+1000) Australia/Brisbane
Subject: [CentOS] Logging into Windows 2003 Active Directory

I have been searching the net for directions on rhel and centos 5(1) to log in to a windows domain and have found many examples, all different and none work for me.

Is there a hint to some documentation anyone here knows of that actually works?

Thanks!
jlc

Check out this mailing list's archives, I posted a rough guide that works well.
On Dec 18, 2007 1:45 PM, Joseph L. Casale <jcasale at activenetwerx.com> wrote:
> I have been searching the net for directions on rhel and centos 5(1) to log
> in to a windows domain and have found many examples, all different and none
> work for me.

You don't say exactly what you are trying to accomplish, but I'll chime in with the solution we use.

If you simply need to have your CentOS boxes be aware of AD users and authenticate against AD passwords, take a look at nss_ldap. There are lots of instructions available on the net, even some good documents from Microsoft. You can even restrict access based on OU or Group membership. If you have a Server 2003 R2 domain, the MS side is ready to go. Otherwise you will need Services For Unix 3.5 on your DCs. I find it to be a much cleaner solution than joining Linux boxes to the domain with Samba if that is not required.

Better yet, if I only need authentication for services that have built-in support for LDAP such as cyrus-imapd/saslauthd or httpd, I'll use that service's built-in LDAP authentication against AD and keep the Linux side as a 'black-box'.

The learning curve can be a challenge, but once you get it figured out, it's pretty slick.

Jeff