On Fri, 9 Jan 2004, Adrian Bellini wrote:
Hi Good peoples, I'm at a customer's site who has already implemented an M$ AD system. They now though are starting to implement SuSE clients & I now need to integrate these clients into the M$ kerberos realm.
I share your pain. Literally. :-/
I have (at great personal pain :-)) read the M$ link http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.as... But would like to know/hear of any experience any of you guys have in this area. One thing I have noticed is the M$ handling of user names. Active Directory, by default, creates the X.500 standard cn parameter as firstname lastname rather than the user id that is used to log in to the domain (sAMAccountName attribute in the Active Directory).
Before you do anything else: get "The Official Samba-3 HOWTO and Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the Samba team. The info will appear online sometime this spring, but the book is truly good.

You need to install the full Samba 3, in particular including the Winbind libraries. You need to make sure you're NOT running nscd. You obviously need Kerberos (the Heimdal rpms from SuSE 8.2 or 9.0 are fine). And you need to fiddle with configuration quite a bit. There are bits and pieces all over the net; the above book covers it all rather neatly.

What you get then are random uid and gid for each user, changing when you reboot and varying between clients. Can be hacked, but it ain't easy. I'm still trying to solve it on a large scale student domain; for a smaller system where people use the same machine every time it shouldn't be as much of a problem.

Bjørn

--
Bjørn Tore Sund        Phone:  (+47) 555-84894    Stupidity is like a
System administrator   Fax:    (+47) 555-89672    fractal; universal and
Math. Department       Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen   VIP:    81724              teknisk@mi.uib.no
Email: bjornts@mi.uib.no   http://www.mi.uib.no/
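For reference, a minimal Samba 3 winbind configuration for the kind of AD integration discussed above, added here as an illustration and not taken from either poster; EXAMPLE / EXAMPLE.COM, the id ranges and the LDAP URL are placeholders to replace with the customer's own values:

```ini
# /etc/samba/smb.conf (added example; realm, workgroup, ranges and LDAP URL are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    encrypt passwords = yes

    # winbind maps AD users and groups onto local uids/gids
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # By default each client allocates ids from this range in the order it
    # first sees a user, stored in a local tdb, so the same account gets a
    # different uid/gid on every machine (the problem described above).
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # To make the mapping stable across clients, keep the allocation in a
    # shared store instead of the local tdb (Samba 3 idmap_ldap backend);
    # uncomment and point at a directory all clients can reach:
    ; idmap backend = ldap:ldap://ldap.example.com
    ; ldap idmap suffix = ou=Idmap
    ; ldap admin dn = cn=admin,dc=example,dc=com
```

With this in place, /etc/nsswitch.conf needs `winbind` on the passwd and group lines, nscd must be stopped so it does not cache stale lookups, and the client is joined with `kinit Administrator` followed by `net ads join`.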