> If you have a Microsoft AD controller and you'd like to authenticate
> your Linux systems to it, here's a simple way:
>
> These instructions are taken from a RedHat box so some things might be
> different for other distros:
>
> Edit /etc/krb5.conf and change all the domain/realm info to your
> company's values. Make sure these are in capital letters because the
> connection will fail for some stupid Microsoft reason if not. The
> "kdc" line is your AD controller.
>
> Next, edit /etc/pam.d/system-auth to include this line after the auth
> line with pam_env.so:
> auth sufficient /lib/security/pam_krb5.so
>
> And change the auth line for pam_unix.so to this:
> auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
>
> You need to make sure the Linux box and the AD controller have
> approximately the same time or else the Kerberos authentication will
> fail. Use ntp or rdate or whatever to keep them in sync.
>
> Now all that you need on the Linux box is the account name. The
> password you supply will be the password stored in AD.
> ~M
>
> --
> Get Firefox!
> http://getfirefox.com/
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ++++++++++++++++++++++++++++
>
> Is this method to authenticate the computer or the user or both to MS-AD?
>
> I would guess that creating a computer account in MS-AD is not automatic?
> One would create the computer account in MS-AD and then have the Linux
> computer authenticate to MS-AD. At this point MS-AD would automatically
> associate the Linux computer with the MS-AD computer account?
>
> I'm trying to think why it is important to have the computer authenticate.
> Maybe only the user needs to authenticate?
>
> So you have Kerberos authentication -- that means you can access active
> directory. The MS-AD isn't the resources or shares, though. To use the
> resources in a MS-AD, wouldn't you use SMB (samba)?
>
> So once a Linux system is authenticated to MS-AD without samba, then what?
> What would you have MS-AD control access to? LDAP -- an address book?
>
> Matt, I'm truly interested in what your post offers to a mixed environment.
> I have been of the impression that samba was all that was needed or wanted.
>
> Thanks,
> Bill Wesson
Using the Kerberos method I described is just a simple way to
authenticate users to AD for services running on a Linux box. The
account has to exist in AD and it has to be created on the Linux box,
although no password needs to be set. Then whenever you want to SSH
or FTP or whatever to that particular Linux box, it checks with AD to
authenticate you. The computer doesn't need to be listed in AD, just
the user account name.
~M
--
Get Firefox!
http://getfirefox.com/
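The steps in the thread (upper-case realm in /etc/krb5.conf, the kdc line pointing at the domain controller, the pam_krb5/pam_unix ordering in system-auth, and the clock-sync requirement) as a set of helper functions. This is an added example, not code from either poster: the realm EXAMPLE.COM and KDC dc1.example.com are placeholders, the 300-second tolerance is the Kerberos default clockskew rather than something the thread states, and the file is written to stdout so you can review it before copying it over the real /etc/krb5.conf.

```shell
#!/bin/sh
# Added example (not from the original thread). Renders a minimal
# krb5.conf for a Windows AD realm and checks the three things the
# posts say will make Kerberos auth fail or misbehave: a lower-case
# realm, too much clock skew between the Linux box and the KDC, and a
# system-auth file whose auth lines are in the wrong order.

# Print a krb5.conf for REALM (must be upper case) whose KDC is HOST.
# Usage: render_krb5_conf EXAMPLE.COM dc1.example.com   (placeholders)
render_krb5_conf() {
  realm=$1
  kdc=$2
  lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    clockskew = 300

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# Return 0 if the realm contains no lower-case letters, 1 otherwise.
# AD will reject a ticket request for "example.com" even though the
# DNS name is the same.
realm_is_upper() {
  case $1 in
    *[a-z]*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Return 0 if the two clocks (Unix epoch seconds: local, then KDC) are
# within the default 300-second Kerberos tolerance.
skew_ok() {
  diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
  [ "$diff" -le 300 ]
}

# Return 0 if FILE has the auth stanza the thread describes, in order:
# pam_env, then "auth sufficient ... pam_krb5.so", then
# "auth sufficient ... pam_unix.so ... use_first_pass".
check_system_auth() {
  awk '
    /^auth/ && /pam_env\.so/  { env = NR }
    /^auth/ && /pam_krb5\.so/ { if ($2 == "sufficient") krb = NR }
    /^auth/ && /pam_unix\.so/ { if ($2 == "sufficient" && /use_first_pass/) unix = NR }
    END { exit !(env && krb > env && unix > krb) }
  ' "$1"
}
```

The PAM check only inspects ordering and the `sufficient`/`use_first_pass` flags; it does not tell you whether pam_krb5 is actually installed at the path the post gives, so run `ls /lib/security/pam_krb5.so` (or the path your distro uses) before relying on it.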