[opensuse] Scope of logins via Windows Active Directory account
Is there any documentation (openSUSE 11.0) on the scope of where you can do logins authenticated with a Windows Active Directory server?

For example, you can log in via KDE, but not via ssh or at the console. Unless I am typing something wrong. I thought the Windows authentication was added to PAM, meaning that anything that uses PAM to authenticate a user would work.

Also, which file system accesses can be authenticated this way? After you log in, I guess (do not know) that file systems (CIFS/SMB) on other machines that also authenticate in the same domain should be accessible. Without a password prompt?

How about users not logged in that want to access a local CIFS/SMB share? I would think that they would be prompted and authenticated against the Windows AD.

All this is mainly conjecture on my part. So, any docs at all that pertain to openSUSE11 would be greatly appreciated!

Now that I have the login working, I must do more!

--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Ramböll Sverige AB
Kapellgränd 7
P.O. Box 4205
SE-102 65 Stockholm, Sweden
Office: Int +46 8-615 60 20
Mobile: Int +46 70-815 1696

And remember: It is RSofT and there is always something under construction. It is like talking about large city with all constructions finished. Not impossible, but very unlikely.
On Wed, Sep 03, 2008 at 04:23:35PM +0200, Roger Oberholtzer wrote:
> Is there any documentation (openSUSE 11.0) on the scope of where you can do logins authenticated with a Windows Active Directory server?

There is a white paper with focus on SUSE Linux Enterprise 10 and how much effort we put into Active Directory integration. http://www.novell.com/collateral/4622044/4622044.pdf is it. Not sure if it isn't much too high-level for your case.

> For example, you can log in via KDE, but not via ssh or at the console. Unless I am typing something wrong. I thought the Windows authentication was added to PAM, meaning that anything that uses PAM to authenticate a user would work.

PAM is very flexible in this regard. Please check /etc/pam.d/ and have in particular an eye on the common-* files.

> Also, which file system accesses can be authenticated this way? After you log in, I guess (do not know) that file systems (CIFS/SMB) on other machines that also authenticate in the same domain should be accessible. Without a password prompt?

Applications like konqueror and nautilus using libsmbclient are able to use a Kerberos ticket. We've tested and demonstrated this quite heavily.

> How about users not logged in that want to access a local CIFS/SMB share? I would think that they would be prompted and authenticated against the Windows AD.

What is a 'local' share here? Provided by Samba which isn't a member server of Active Directory?

> Now that I have the login working, I must do more!

I hope you'll have a lot of fun...

Lars

--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SuSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
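Added example, not part of the original thread: one way to carry out the /etc/pam.d check suggested above, reporting for each service whether its auth stack reaches a given module, directly or through an included common-* file. The module name pam_winbind, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The module name pam_winbind and the
# sample files below are assumptions/constructed; adjust to your setup.

# pam_auth_uses MODULE SERVICE [DIR]: succeed if SERVICE's "auth" stack
# references MODULE directly or through include/substack/@include.
pam_auth_uses() (
    set -f                                   # no globbing on PAM arguments
    module=$1; service=$2; dir=${3:-/etc/pam.d}; depth=${4:-0}
    [ "$depth" -lt 8 ] || exit 1             # stop on include loops
    [ -r "$dir/$service" ] || exit 1         # unknown service: not covered
    while read -r type control path rest; do
        case $type in
            ''|'#'*) continue ;;             # blank line or comment
            @include)                        # Debian-style whole-file include
                pam_auth_uses "$module" "$control" "$dir" $((depth + 1)) && exit 0
                continue ;;
        esac
        [ "${type#-}" = auth ] || continue   # only the auth stack matters here
        case $control in
            include|substack)
                pam_auth_uses "$module" "$path" "$dir" $((depth + 1)) && exit 0 ;;
            *)  # scan remaining words so "[success=1 ...]" controls also work
                for w in $path $rest; do
                    case ${w##*/} in "$module"|"$module.so") exit 0 ;; esac
                done ;;
        esac
    done < "$dir/$service"
    exit 1
)

# pam_report MODULE [DIR]: print one "service yes|no" line per file in DIR.
pam_report() {
    for f in "${2:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        s=${f##*/}
        if pam_auth_uses "$1" "$s" "${2:-/etc/pam.d}"; then echo "$s yes"; else echo "$s no"; fi
    done
}

# Constructed sample tree: xdm pulls in common-auth, sshd does not.
make_sample() {
    d=$(mktemp -d)
    printf 'auth required pam_env.so\nauth required pam_winbind.so use_first_pass\n' > "$d/common-auth"
    printf 'auth include common-auth\naccount include common-account\n' > "$d/xdm"
    printf '# local accounts only\nauth required pam_unix2.so\n' > "$d/sshd"
    echo "$d"
}
```

Running `pam_report pam_winbind` with no directory argument inspects the real /etc/pam.d; for ssh, PAM is only consulted at all when sshd_config sets `UsePAM yes`.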