suse in a windows network (authentication)
Hi list,

I was wondering if I could somehow make my suse (10) authenticate versus my windows 2003 domain controller. I configured both ldap client and kerberos client in Yast2. Authentication works (the kerberos part).. but I still cannot log in because ldap isn't able to fetch user account information from my active directory, which is because it's not using the kerberos credentials to establish a gssapi connection.

So I set up shell/home information in /etc/passwd. No password. Passwords are still being retrieved from the domain controller via kerberos. Big surprise -> login works. If I now issue a ldapsearch with the filter it already tried before (but with no valid bind) "(&(objectclass=User)(msSFU30Name=testuser))" it starts a SASL/GSSAPI authentication and successfully fetches the needed information.

Why doesn't ldap use gssapi on logins then.. or where can I tell it to use it? Couldn't find any suitable option in Yast nor the config files themselves. Oh and no, I don't want to use a dedicated user with a locally stored plaintext password to search active directory :)

Might anyone please help?

best regards
Roman Sommer
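An added example, not part of the original thread: a shell check that classifies how an nss_ldap-style ldap.conf binds to the directory, stored bind password versus SASL, which is the distinction the post above turns on. The option names `bindpw`, `use_sasl` and `krb5_ccname` come from the PADL nss_ldap client; that the SUSE 10 build honours them is an assumption, and the sample files, hostnames and secret are constructed.

```shell
#!/bin/sh
# Classify how an nss_ldap-style ldap.conf binds to the directory.
# Prints "plaintext-bindpw", "sasl ccache=<value>" or "anonymous";
# returns 1 when a bind password is stored in the file, 0 otherwise.
audit_ldap_bind() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { key = tolower($1); val = tolower($2) }
        key == "bindpw" { pw = 1 }
        key == "use_sasl" && (val == "on" || val == "yes") { sasl = 1 }
        key == "krb5_ccname" { cc = $2 }
        END {
            if (pw)   { print "plaintext-bindpw"; exit 1 }
            if (sasl) { print "sasl ccache=" (cc == "" ? "default" : cc); exit 0 }
            print "anonymous"
        }
    ' "$1"
}

# Constructed sample configs (hostnames, DNs and the secret are made up).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

cat > "$d/plain.conf" <<'EOF'
uri ldap://dc.example.test
base dc=example,dc=test
binddn cn=lookup,cn=Users,dc=example,dc=test
bindpw constructed-secret
EOF

cat > "$d/sasl.conf" <<'EOF'
uri ldap://dc.example.test
base dc=example,dc=test
# bindpw constructed-secret
use_sasl on
krb5_ccname FILE:/tmp/krb5cc_nss
EOF

# Report each sample; a non-zero return marks a file that needs review.
for f in "$d"/*.conf; do
    if result=$(audit_ldap_bind "$f"); then verdict=ok; else verdict=review; fi
    echo "$(basename "$f"): $result [$verdict]"
done
```

The non-zero return for a stored `bindpw` lets the function gate a configuration check on hosts that are meant to bind with Kerberos credentials only.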
On Monday 31 October 2005 12:23, Roman Sommer wrote:
> I was wondering if I could somehow make my suse (10) authenticate versus my windows 2003 domain controller. I configured both ldap client and kerberos client in Yast2. Authentication works (the kerberos part).. but I still cannot log in because ldap isn't able to fetch user account information from my active directory, which is because it's not using the kerberos credentials to establish a gssapi connection.

Perhaps this just recently released article provides some required information: http://www.linuxjournal.com/article/8374

--
Richard Bos
Without a home the journey is endless
For what it's worth, I've never gotten any distribution to communicate well with active directory. I know it can be done and there are many appliances and professionally built server products that work flawlessly. But using various desktop distributions I've never gotten authentication with active directory working reliably. One piece of advice, based on my limited successes: make sure you have domain admin privileges, because you'll likely have to check the computer account in Active Directory Users and Computers.

On 10/31/05, Richard Bos <radoeka@xs4all.nl> wrote:
> On Monday 31 October 2005 12:23, Roman Sommer wrote:
> > I was wondering if I could somehow make my suse (10) authenticate versus my windows 2003 domain controller. I configured both ldap client and kerberos client in Yast2. Authentication works (the kerberos part).. but I still cannot log in because ldap isn't able to fetch user account information from my active directory, which is because it's not using the kerberos credentials to establish a gssapi connection.
>
> Perhaps this just recently released article provides some required information: http://www.linuxjournal.com/article/8374
>
> --
> Richard Bos
> Without a home the journey is endless
On Monday 31 October 2005 12:23, Roman Sommer wrote:
> might anyone please help?

This http://sadms.sourceforge.net was just announced on freshmeat...

SADMS takes care of handling configuration to achieve the integration of Linux hosts to an Active Directory domain, to the effect that:
Linux hosts become Windows domain hosts (and act either as station or server)
Windows domain users become Linux users (authentication is offloaded to the domain

But suse is not supported.

--
Richard Bos
Without a home the journey is endless
Richard Bos wrote:
> On Monday 31 October 2005 12:23, Roman Sommer wrote:
> > might anyone please help?
>
> This http://sadms.sourceforge.net was just announced on freshmeat...
>
> SADMS takes care of handling configuration to achieve the integration of Linux hosts to an Active Directory domain, to the effect that:
> Linux hosts become Windows domain hosts (and act either as station or server)
> Windows domain users become Linux users (authentication is offloaded to the domain
>
> But suse is not supported.

They have a source package. I know what I'll be playing with on Monday at work.
Hi,

first of all thanks for your reply. Of course I did have a look at sadms. I have it up and running and it is working quite reliably. Anyway there's something that keeps me worried. I tried analyzing the network traffic and figured out it's a big mess :) Hard to trace, hard to follow, hard to understand. A timeline schematic showing the complete login process would be superb. Unfortunately all the documentation consists of some poorly described screenshots. Maybe the winbind/samba documentation has more information to offer, I'll check that asap.

As far as I could see it is using GSSAPI/SPNEGO as security layer, which is okay. I just can't tell for sure if all communication is secured :-/ And still the kerberos/ldap solution seems to be a much cleaner way to go. If it just worked... :)

--
Roman Sommer
"The value of an idea lies in the using of it." (Thomas Edison)

2005/11/5, Richard Bos <radoeka@xs4all.nl>:
> On Monday 31 October 2005 12:23, Roman Sommer wrote:
> > might anyone please help?
>
> This http://sadms.sourceforge.net was just announced on freshmeat...
>
> SADMS takes care of handling configuration to achieve the integration of Linux hosts to an Active Directory domain, to the effect that:
> Linux hosts become Windows domain hosts (and act either as station or server)
> Windows domain users become Linux users (authentication is offloaded to the domain
>
> But suse is not supported.
>
> --
> Richard Bos
> Without a home the journey is endless
participants (4): Alain Black, Alexander Antoniades, Richard Bos, Roman Sommer