If you have a Microsoft AD controller and you'd like to authenticate your Linux systems to it, here's a simple way:

These instructions are taken from a RedHat box so some things might be different for other distros:

Edit /etc/krb5.conf and change all the domain/realm info to your company's values. Make sure these are in capital letters because the connection will fail for some stupid Microsoft reason if not. The "kdc" line is your AD controller.

Next, edit /etc/pam.d/system-auth to include this line after the auth line with pam_env.so:

    auth sufficient /lib/security/pam_krb5.so

And change the auth line for pam_unix.so to this:

    auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass

You need to make sure the Linux box and the AD controller have approximately the same time or else the Kerberos authentication will fail. Use ntp or rdate or whatever to keep them in sync.

Now all that you need on the Linux box is the account name. The password you supply will be the password stored in AD.

~M

--
Get Firefox! http://getfirefox.com/
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

++++++++++++++++++++++++++++

Is this method to authenticate the computer or the user or both to MS-AD?

I would guess that creating a computer account in MS-AD is not automatic? One would create the computer account in MS-AD and then have the Linux computer authenticate to MS-AD. At this point MS-AD would automatically associate the Linux computer with the MS-AD computer account?

I'm trying to think why it is important to have the computer authenticate. Maybe only the user needs to authenticate?

So you have Kerberos authentication -- that means you can access active directory. The MS-AD isn't the resources or shares, though. To use the resources in a MS-AD, wouldn't you use SMB (samba)?

So once a Linux system is authenticated to MS-AD without samba, then what? What would you have MS-AD control access to? LDAP -- an address book?

Matt, I'm truly interested in what your post offers to a mixed environment. I have been of the impression that samba was all that was needed or wanted.

Thanks,
Bill Wesson
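
An added example, not part of either message: a small Python check for the two files the first message edits, flagging realm names that are not upper case, a missing kdc line, and an auth stack that does not match the layout given there. The file contents are constructed, EXAMPLE.COM and dc1.example.com are placeholders, and the function names are hypothetical.

```python
import re

# Constructed samples; EXAMPLE.COM and dc1.example.com are placeholders.
SAMPLE_KRB5 = """[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""
SAMPLE_PAM = """auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
"""

def check_krb5(text):
    """Flag realm names that are not upper case and a missing kdc line."""
    realms = re.findall(r"default_realm[ \t]*=[ \t]*(\S+)", text)
    realms += re.findall(r"^[ \t]*(\S+)[ \t]*=[ \t]*\{", text, re.M)
    section = re.search(r"\[domain_realm\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    if section:  # right-hand side of each domain -> realm mapping
        realms += re.findall(r"=[ \t]*(\S+)", section.group(1))
    problems = [f"realm {r!r} is not upper case"
                for r in dict.fromkeys(realms) if r != r.upper()]
    if not re.search(r"^[ \t]*kdc[ \t]*=[ \t]*\S+", text, re.M):
        problems.append("no kdc line")
    return problems

def check_pam(text):
    """Check the auth stack against the layout given in the first message."""
    auth = [f for f in (l.split() for l in text.splitlines())
            if len(f) >= 3 and f[0] == "auth"]
    mods = [f[2].rsplit("/", 1)[-1] for f in auth]  # module file names
    wanted = ("pam_env.so", "pam_krb5.so", "pam_unix.so")
    missing = [m for m in wanted if m not in mods]
    if missing:
        return [f"{m} missing from auth stack" for m in missing]
    env, krb, unix = (mods.index(m) for m in wanted)
    problems = []
    if not env < krb < unix:
        problems.append("expected order: pam_env.so, pam_krb5.so, pam_unix.so")
    if auth[krb][1] != "sufficient":
        problems.append("pam_krb5.so is not 'sufficient'")
    if "use_first_pass" not in auth[unix][3:]:
        problems.append("pam_unix.so lacks use_first_pass")
    return problems

if __name__ == "__main__":
    print(check_krb5(SAMPLE_KRB5), check_pam(SAMPLE_PAM))
```
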