On Fri, 2011-08-05 at 12:09 +0200, Lars Müller wrote:
On Fri, Aug 05, 2011 at 11:46:53AM +0200, Roger Oberholtzer wrote:
On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:
/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION
That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?
While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?
You earn real single sign on aka the environment is kerberized.
But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".
I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.
Sorry, this is for a simple-minded guy like me hard to parse. Please be more tangible or talk to a good doctor, therapist, your dog, wife ... ;)
What we need to see are use cases and questions. Real world issues and not hypothetical hypothesis.
I actually took them out of my response because I am sure they are not related to AD authorization. Or at least only tangentially related to AD. But the act of being authorized via AD implies that one might take the next step and access services typically provided to those who have been authorized in the AD. And in the Windows world that is not limited to authentication. What these things are of course depends on the AD to which you have logged on. I feel there is more stuff waiting there. Just waiting for me to access it. Of course, SAMBA plays a role here. But, to me, it is all a bit diffuse and too full of jargon to know where to proceed.

One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a Linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user.

Another example (veering off thread topic - I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD? I do not necessarily mean the printer stuff - it is just a concrete example.
But what else could be set up on Linux based on info in the AD? For a while our company used the Novell login. I was using the Novell Linux Client to try to get access to things the Novell login made available. The company have dropped the Novell client and now all is in AD. Of course, if you cannot change an expired password, there could be issues with
One simple example: open firefox and try to access outlook web access. If you did all right you got a TGT - check this with the klist tool after login - and this allows you to get a particular service ticket.
We did many presentations regarding this in the last years. Maybe we have to tape a short one again at the upcoming openSUSE conference.
Which is btw a good place to kick several Samba guys in their lazy backside. :)
Thanks.
Lars
Yours sincerely,
Roger Oberholtzer
OPQ Systems / Ramböll RST
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
roger.oberholtzer@ramboll.se
________________________________________
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se
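Added example, not part of the thread above: a small POSIX shell script that automates the two checks Lars points at, namely whether `DISPLAYMANAGER_AD_INTEGRATION` is enabled in `/etc/sysconfig/displaymanager` and whether `klist` shows a ticket-granting ticket (a `krbtgt/REALM@REALM` line) after login. The sysconfig path and variable name come from the thread; the `klist` output embedded below is constructed sample text with placeholder principal and realm, so the script runs offline, and the `live_check` function is the part you would actually run on an openSUSE host.

```shell
#!/bin/sh
# Added example (not from the thread): checks around the AD login steps
# described above. The sysconfig path and variable are the ones named in the
# thread; the sample klist output is constructed, not captured from a host.

# Print "yes" if DISPLAYMANAGER_AD_INTEGRATION is set to yes in the given
# sysconfig file, otherwise "no" (also "no" if the file is missing).
ad_integration_enabled() {
    if grep -Eq '^DISPLAYMANAGER_AD_INTEGRATION="?yes"?[[:space:]]*$' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Return 0 if the klist output passed as $1 lists a ticket-granting ticket
# (service principal krbtgt/REALM@REALM), 1 otherwise.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Print the realm of the first TGT found in the klist output passed as $1.
tgt_realm() {
    printf '%s\n' "$1" | sed -n 's|.*krbtgt/[^@]*@\([^[:space:]]*\).*|\1|p' | head -n 1
}

# Write a constructed sysconfig file and print its path (offline demo only).
make_sample_sysconfig() {
    f=$(mktemp)
    printf 'DISPLAYMANAGER="kdm"\nDISPLAYMANAGER_AD_INTEGRATION="yes"\n' > "$f"
    echo "$f"
}

# Constructed sample of what klist prints after a successful AD login
# (principal, realm and cache path are placeholders).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/05/11 12:00:00    08/05/11 22:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed sample for a session that never obtained Kerberos credentials.
SAMPLE_KLIST_EMPTY='klist: No credentials cache found'

# On a real openSUSE host, run the same checks against the live system.
live_check() {
    echo "AD integration in /etc/sysconfig/displaymanager: $(ad_integration_enabled /etc/sysconfig/displaymanager)"
    if command -v klist >/dev/null 2>&1; then
        out=$(klist 2>&1) || true   # klist exits non-zero when there is no cache
        if has_tgt "$out"; then
            echo "TGT present for realm $(tgt_realm "$out")"
        else
            echo "No TGT: single sign-on to AD services (e.g. Outlook Web Access) will not work"
        fi
    else
        echo "klist not installed (krb5 client tools missing)"
    fi
}

# Demonstrate on the constructed samples so the script runs without a domain.
if has_tgt "$SAMPLE_KLIST"; then
    echo "sample: TGT for realm $(tgt_realm "$SAMPLE_KLIST")"
fi
has_tgt "$SAMPLE_KLIST_EMPTY" || echo "sample: no TGT"
```

To use it on a domain-joined machine, source the file and call `live_check` from the user's desktop session, since the credential cache belongs to that session; a missing TGT there is the first thing to rule out before blaming the browser or the Samba side.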