Hi good people,

I'm at a customer's site who has already implemented a M$ AD system. They are now, though, starting to implement SuSE clients, and I now need to integrate these clients into the M$ Kerberos realm.

I have (at great personal pain :-)) read the M$ link http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.as... but would like to know/hear of any experience any of you guys have in this area.

One thing I have noticed is the M$ handling of user names. Active Directory, by default, creates the X.500 standard cn parameter as firstname lastname rather than the user id that is used to log in to the domain (sAMAccountName attribute in the Active Directory).

Any info / help & advice most welcome.

Best regards
Ade
On Fri, 9 Jan 2004, Adrian Bellini wrote:
Hi good people, I'm at a customer's site who has already implemented a M$ AD system. They are now, though, starting to implement SuSE clients, and I now need to integrate these clients into the M$ Kerberos realm.
I share your pain. Literally. :-/
I have (at great personal pain :-)) read the M$ link http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.as... but would like to know/hear of any experience any of you guys have in this area. One thing I have noticed is the M$ handling of user names. Active Directory, by default, creates the X.500 standard cn parameter as firstname lastname rather than the user id that is used to log in to the domain (sAMAccountName attribute in the Active Directory).
Before you do anything else: get "The Official Samba-3 HOWTO and Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the Samba team. The info will appear online sometime this spring, but the book is truly good.

You need to install the full Samba 3, in particular including the Winbind libraries. You need to make sure you're NOT running nscd. You obviously need Kerberos (the Heimdal rpms from SuSE 8.2 or 9.0 are fine). And you need to fiddle with configuration quite a bit. There are bits and pieces all over the net; the above book covers it all rather neatly.

What you get then are random uid and gid for each user, changing when you reboot and varying between clients. Can be hacked, but it ain't easy. I'm still trying to solve it on a large-scale student domain; for a smaller system where people use the same machine every time it shouldn't be as much of a problem.

Bjørn

--
Bjørn Tore Sund        Phone:  (+47) 555-84894    Stupidity is like a
System administrator   Fax:    (+47) 555-89672    fractal; universal and
Math. Department       Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen   VIP:    81724
teknisk@mi.uib.no      Email:  bjornts@mi.uib.no  http://www.mi.uib.no/
Hi Bjorn
Thanks very much for your answer - looks like there are going to be many long nights and Valium involved here!
Interesting that the M$ site doesn't make any reference to Samba 3 / winbind... wonder how they "did it" then?
I'll be sure to keep you informed as/when I get anything - if nothing else, a pain shared :-)
Best regards
Ade
On Friday, 9 January 2004 14:40, Adrian Bellini wrote:
Hi Bjorn, thanks very much for your answer - looks like there are going to be many long nights and Valium involved here! Interesting that the M$ site doesn't make any reference to Samba 3 / winbind... wonder how they "did it" then?
I'll be sure to keep you informed as/when I get anything - if nothing else, a pain shared :-) Best regards Ade
It's not that many nights... to get it running, but some to fix it for your needs... Four steps:

- Install Kerberos (SuSE supplies Heimdal; even though some don't like or trust that, it works)
- Get and install the newest SuSE Samba 3 rpms from SuSE people (ftp://ftp.suse.com/pub/people/gd/samba3). Try them. Check them. For my purposes they work. Tell me about problems... ;-)
- Change /etc/krb5.conf and smb.conf for your realm (both) and ADS support (samba only)
- Use "kinit" to get tickets from your ADS, "net" to join the domain. "klist" lists your tickets.

Obviously, you only need a ticket for joining the domain; afterwards user/password data are supplied without an active ticket. Is that true? I found two ADS behaving that way...

Then the real work starts: changing smb.conf to fit your needs ... and PAM and winbind and LDAP and, and, and ... Enjoy! ;-)
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS, Erlangerstr. 2, 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net  mail: mfeilner@feilner-it.net
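The four steps Markus lists above, together with Bjørn's point about uids/gids that change between reboots and clients, as an added example that is not code from the thread: a POSIX shell script for a SuSE client that renders /etc/krb5.conf and smb.conf for a Samba 3 ADS member and performs the kinit / net / klist join. The realm EXAMPLE.COM, workgroup EXAMPLE, domain controller dc1.example.com and the idmap range 10000-20000 are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: Markus's four steps as a script for a
# SuSE client. Realm, workgroup and DC are placeholders; edit before "apply".
REALM=EXAMPLE.COM        # Kerberos realm, always upper case
WORKGROUP=EXAMPLE        # NetBIOS name of the AD domain
KDC=dc1.example.com      # a domain controller, i.e. a KDC, in that realm

# Step 3a, /etc/krb5.conf: default realm, its KDC, and the DNS-to-realm map.
render_krb5_conf() {
  lc=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')
  printf '[libdefaults]\n  default_realm = %s\n  dns_lookup_kdc = true\n\n' "$REALM"
  printf '[realms]\n  %s = {\n    kdc = %s\n    admin_server = %s\n  }\n\n' "$REALM" "$KDC" "$KDC"
  printf '[domain_realm]\n  .%s = %s\n  %s = %s\n' "$lc" "$REALM" "$lc" "$REALM"
}

# Step 3b, smb.conf: "security = ads" plus winbind. The fixed idmap ranges,
# identical on every client, are what keep uid/gid stable between reboots
# and machines (Bjørn's problem); winbind names the Unix account after
# sAMAccountName, not the "firstname lastname" cn (Ade's worry).
render_smb_conf() {
  cat <<EOF
[global]
  workgroup = $WORKGROUP
  realm = $REALM
  security = ads
  encrypt passwords = yes
  password server = $KDC
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind use default domain = yes
  winbind enum users = yes
  template shell = /bin/bash
  template homedir = /home/%D/%U
EOF
}

# Step 4: kinit for a ticket, net to join, klist for the tickets, wbinfo to
# check that winbind now resolves domain users through the join.
join_domain() {
  kinit "$1@$REALM" || return 1     # TGT for the account doing the join
  net ads join -U "$1" || return 1  # creates the machine account in AD
  klist                             # the tickets kinit obtained
  wbinfo -u                         # domain users as winbind sees them
}

if [ "$1" = apply ]; then           # run only when asked, as root
  render_krb5_conf > /etc/krb5.conf
  render_smb_conf > /etc/samba/smb.conf
  join_domain "${2:-Administrator}"
fi
```

Name service still needs `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf (and the winbind PAM module) before `getent passwd` returns domain users; that is the "and PAM and winbind" part Markus refers to.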
:-)
It's the "and ... and ... and ... and" part that "worries" me :-)...
This looks like it's going to be loads of fun ... :-)
Thanks very much - I have the feeling this "thread" could get like "War & Peace"...
Best regards & have a nice weekend gents..
Ade
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
participants (3)
- Adrian Bellini
- Bjorn Tore Sund
- Markus Feilner