Rob Townley
2008-Aug-18 19:28 UTC
[CentOS] Win2000 / Win2003 ADS dnsHostName and servicePrincipalName
Sharing my experience with SSO of Linux clients to Active Directory.

Over the last 2 years or so, I had a great deal of trouble getting and _keeping_ authentication to our Win2000/Win2003 Active Directory system working from OpenSUSE and CentOS clients. ADS authentication would work until reboot, a few days, a month max. We'll see how long this lasts.

Another problem was dealing with the fact that I set up DNS in AD using an aMixedCaseDomain.com name. Had to add all variants to the [realms] and [domain_realm] names in /etc/krb5.conf: snslatc.hp.com, snslatc.HP.com, SNSLATC.HP.COM ...

Over the weekend I gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better, and using winbind with ADS. Still had problems with Fedora.

Since I had to change the hostname in the middle of the process and update krb5.conf as mentioned above, I noticed that somehow dNSHostName in Active Directory was set to "HOST/localhost:localdomain", which clearly cannot be correct. So I used SysInternals LDAP Explorer (ADExplorer.exe) to change the entry in Active Directory to remove any reference to localhost. Unless I changed /etc/hosts to not have rmonster in "127.0.0.1 localhost.localdomain localhost rmonster", deleted from WinAD and rejoined.

    dNSHostName: rmonster.snslatc.hp.com
    servicePrincipalName: CIFS/rmonster.snslatc.hp.com
    servicePrincipalName: CIFS/rmonster
    servicePrincipalName: HOST/rmonster.snslatc.hp.com
    servicePrincipalName: HOST/rmonster

Is the line "servicePrincipalName: CIFS/rmonster.snslatc.hp.com" only required when you want your Linux box shares to show to other clients (Windows)?

Successfully joined and authenticating using Fedora, but really want to use CentOS and have group policy support from likewise.
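As an added illustration (not part of the thread, and not Samba's or likewise's own code), a small Python pre-join check for the two things described above: the machine's short name being aliased onto the loopback line of /etc/hosts, which is what produced the bogus HOST/localhost:localdomain dNSHostName, and whether the servicePrincipalName values AD holds match the four the join registered. The hosts line and the name rmonster.snslatc.hp.com come from the post; the 10.0.0.5 address and the sample SPN list are constructed.

```python
# Added example: sanity checks for a Samba/winbind host about to join AD.
# SAMPLE_HOSTS reuses the /etc/hosts line from the post; 10.0.0.5 is a
# constructed address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost rmonster
::1       localhost6.localdomain6 localhost6
10.0.0.5  rmonster.snslatc.hp.com rmonster
"""
FQDN = "rmonster.snslatc.hp.com"

def parse_hosts(text):
    """Yield (address, [names]) for each non-comment line of an /etc/hosts file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], fields[1:]

def loopback_aliases(text, fqdn):
    """Return (address, name) pairs where the host's FQDN or short name sits on
    a loopback line. That is the layout that made the join register
    dNSHostName as localhost.localdomain instead of the real name."""
    mine = {fqdn.lower(), fqdn.split(".")[0].lower()}
    return [(addr, name) for addr, names in parse_hosts(text)
            for name in names
            if (addr == "::1" or addr.startswith("127.")) and name.lower() in mine]

def expected_spns(fqdn):
    """The four servicePrincipalName values the join registered in the post:
    HOST/ and CIFS/ for both the FQDN and the short name."""
    short = fqdn.split(".")[0]
    return {f"{svc}/{name}" for svc in ("HOST", "CIFS") for name in (fqdn, short)}

def spn_diff(actual, fqdn):
    """Compare the servicePrincipalName values read from AD against
    expected_spns(). AD matches SPNs case-insensitively, so compare lowercased
    but report the original spelling. Returns (missing, unexpected)."""
    want = {s.lower(): s for s in expected_spns(fqdn)}
    have = {s.lower(): s for s in actual}
    missing = sorted(want[k] for k in want.keys() - have.keys())
    unexpected = sorted(have[k] for k in have.keys() - want.keys())
    return missing, unexpected

if __name__ == "__main__":
    for addr, name in loopback_aliases(SAMPLE_HOSTS, FQDN):
        print(f"WARNING: {name} is aliased to loopback {addr}; fix /etc/hosts before joining")
    # Constructed sample of what AD might hold after a bad join.
    print(spn_diff(["HOST/rmonster.snslatc.hp.com", "host/rmonster",
                    "HOST/localhost:localdomain"], FQDN))
```

Run it against the real /etc/hosts and the servicePrincipalName values pulled from the computer object with an LDAP browser such as ADExplorer; an empty aliases list and an empty (missing, unexpected) pair is the state you want before rejoining.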
nate
2008-Aug-20 02:41 UTC
[CentOS] Win2000 / Win2003 ADS dnsHostName and servicePrincipalName
Rob Townley wrote:
> Over the weekend i gave up on CentOS and tried Fedora because Fedora
> repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports
> sasl sign and seal (hashing and encryption) and supports NTLMv2 better and
> using winbind with ADS.

Rebuild the samba src rpms on CentOS?

I gave up on windows+(insert any OS here) integration years ago, not worth the headaches.

nate