I was wondering if I could somehow make my SUSE (10) authenticate versus my Windows 2003 domain controller. I configured both ldap client and kerberos client in Yast2. Authentication works (the kerberos part), but I still cannot log in because ldap isn't able to fetch user account information from my Active Directory, which is because it's not using the kerberos credentials to establish a gssapi connection.
So I set up shell/home information in /etc/passwd. No password. Passwords are still being retrieved from the domain controller via kerberos. Big surprise -> login works. If I now issue a ldapsearch with the filter it already tried before (but with no valid bind) "(&(objectclass=User)(msSFU30Name=testuser))" it starts a SASL/GSSAPI authentication and successfully fetches the needed information. Why doesn't ldap use gssapi on logins then.. or where can I tell it to use it? Couldn't find any suitable option in Yast nor the config files themselves.
I don't know about doing this with ldap directly, but if you have Kerberos working and you've successfully joined your computer to the domain, you're really close. Let's test to make sure. Do the following as root from the command line:

To test Kerberos:

    kinit administrator

The above command will prompt for a password. Enter the password of your 2K3 domain administrator. If you have renamed your domain administrator account, use the name instead with the kinit command. If you receive no errors, Kerberos is working.

To test winbind:

    wbinfo -g

The above command should give you a list of groups in your Active Directory. Try it with the -u switch to see a list of users.

Let us know what your results are and we can help you further.

Cheers,
Daniel