Re: [suse-security] Kerberos & M$ AD
From: Adrian Bellini (Adrian.Bellinicardium.se)
Date: Fri Jan 09 2004 - 07:40:21 CST
Thanks very much for your answer - looks like there are going to be many long nights and valium involved here!
Interesting that the M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how they "did it" then?
I'll be sure to keep you informed as/when I get anything - if nothing else a pain shared :-)
On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjorntsmi.uib.no> wrote:
> On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > Hi Good peoples
> > I'm at a customer's site who has already implemented a M$ AD system.
> > They now though are starting to implement SuSE clients & I now need to
> > integrate these clients into the M$ kerberos realm.
> I share your pain. Literally. :-/
> > I have (at great personal pain :-)) read the M$ link
> > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > But would like to know/hear of any experience any of you guys have in this area.
> > One thing I have noticed is the M$ handling of user names.
> > Active Directory, by default, creates the X.500 standard cn parameter as
> > firstname lastname rather than the user id that is used to log in to
> > the domain (sAMAccountName attribute in the Active Directory).
> Before you do anything else: get "The Official Samba-3 HOWTO and Reference
> Guide" by John H. Terpstra and Jelmer R. Vernooij from the Samba team. The
> info will appear online sometime this spring, but the book is truly good.
> You need to install the full Samba 3, in particular including the Winbind
> libraries. You need to make sure you're NOT running nscd. You obviously
> need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0 are fine). And you
> need to fiddle with configuration quite a bit. There are bits and pieces
> all over the net, the above book covers it all rather neatly.
> What you get then are random uid and gid for each user, changing when you
> reboot and varying between clients. Can be hacked, but it ain't easy.
> I'm still trying to solve it on a large scale student domain, for a smaller
> system where people use the same machine every time it shouldn't be as
> much of a problem.
> Bjørn Tore Sund, System administrator, Math. Department, University of Bergen
> Phone: (+47) 555-84894 Fax: (+47) 555-89672 Mobile: (+47) 918 68075 VIP: 81724
> tekniskmi.uib.no Email: bjorntsmi.uib.no http://www.mi.uib.no/
> "Stupidity is like a fractal; universal and infinitely repetitive."
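An added configuration sketch (not from either poster) of the Samba 3 / winbind pieces the reply lists: Kerberos realm, AD-joined smb.conf and NSS. Realm, workgroup, host names, DN and uid/gid ranges are placeholder assumptions; the shared LDAP idmap store is assumed here as one documented way to give every client the same uid/gid for a given SID, since the default per-machine tdb allocation is what produces the differing ids the reply describes.

```ini
# /etc/samba/smb.conf (placeholder realm EXAMPLE.COM / workgroup EXAMPLE)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   encrypt passwords = yes
   # winbind derives the Unix login name from sAMAccountName, not from the
   # "firstname lastname" cn, so the login id stays the same as on Windows.
   winbind use default domain = yes
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   # Per-client tdb allocation hands out ids in first-seen order on each
   # machine; a shared idmap store (assumed LDAP host/suffix) keeps the
   # SID -> uid/gid mapping identical across clients and across reboots.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap backend = ldap:ldap://idmap.example.com
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager,dc=example,dc=com

# /etc/krb5.conf (Heimdal, as shipped with SuSE 8.2/9.0; assumed KDC host)
[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
      kdc = dc1.example.com
      admin_server = dc1.example.com
   }

[domain_realm]
   .example.com = EXAMPLE.COM
   example.com = EXAMPLE.COM

# /etc/nsswitch.conf (only the lines that change; nscd must stay stopped,
# e.g. "rcnscd stop; chkconfig nscd off" on SuSE, or it caches stale ids)
passwd: files winbind
group:  files winbind
```

After joining with `net ads join` as a domain administrator, `wbinfo -u` and `getent passwd` should list AD users by sAMAccountName with uids inside the configured range.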