RE: Authenticating Linux systems to MS AD using Kerberos

Author: Bill Wesson
Date:  
To: plug-discuss
Subject: RE: Authenticating Linux systems to MS AD using Kerberos
If you have a Microsoft AD controller and you'd like to authenticate
your Linux systems to it, here's a simple way:

These instructions are taken from a Red Hat box, so some things might be
different for other distros:

Edit /etc/krb5.conf and change all the domain/realm info to your
company's values. Make sure these are in capital letters because the
connection will fail for some stupid Microsoft reason if not. The
"kdc" line is your AD controller.

Next, edit /etc/pam.d/system-auth to include this line after the auth
line with pam_env.so:
auth sufficient /lib/security/pam_krb5.so

And change the auth line for pam_unix.so to this:
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass

You need to make sure the Linux box and the AD controller have
approximately the same time or else the Kerberos authentication will
fail. Use ntp or rdate or whatever to keep them in sync.

Now all that you need on the Linux box is the account name. The
password you supply will be the password stored in AD.
~M

--
Get Firefox!
http://getfirefox.com/
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

++++++++++++++++++++++++++++

Is this method to authenticate the computer or the user or both to MS-AD?

I would guess that creating a computer account in MS-AD is not automatic?
One would create the computer account in MS-AD and then have the Linux
computer authenticate to MS-AD. At this point MS-AD would automatically
associate the Linux computer with the MS-AD computer account?

I'm trying to think why it is important to have the computer authenticate.
Maybe only the user needs to authenticate?

So you have Kerberos authentication -- that means you can access active
directory. The MS-AD isn't the resources or shares, though. To use the
resources in a MS-AD, wouldn't you use SMB (samba)?

So once a Linux system is authenticated to MS-AD without samba, then what?
What would you have MS-AD control access to? LDAP -- an address book?

Matt, I'm truly interested in what your post offers to a mixed environment.
I have been of the impression that samba was all that was needed or wanted.

Thanks,
Bill Wesson

