Re: [suse-security] Kerberos & M$ AD
From: Adrian Bellini (Adrian.Bellinicardium.se)
Date: Fri Jan 09 2004 - 08:40:07 CST
It's the "and and and" part that "worries" me :-)...
This looks like it's going to be loads of fun ... :-)
Thanks very much - I have the feeling this "thread" could get like "War & Peace" ..
Best regards & have a nice weekend gents..
On Jan 09, 2004 03:04 PM, Markus Feilner <listsfeilner-it.net> wrote:
> On Friday, 9 January 2004 14:40, Adrian Bellini wrote:
> > Hi Bjorn
> > Thanks very much for your answer - looks like there are going to be
> > many long nights and valium involved here! Interesting that the
> > M$ site doesn't make any reference to SAMBA 3 / winbind... wonder how
> > they "did it" then?
> > I'll be sure to keep you informed as/when I get anything - if nothing
> > else a pain shared :-) Best regards
> > Ade
> It's not that many nights... to get it running, but some to fix it for
> your needs...
> Four steps:
> - Install kerberos (suse supplies heimdal, even though some don't like
> or trust that - it works)
> - Get and install the newest suse samba 3 rpms from suse people.
> Try them. Check them. For my purposes they work. Tell me about
> problems... ;-)
> - Change /etc/krb5.conf and smb.conf for your realm (both) and ads
> support (samba only)
> - Use "kinit" to get tickets from your ADS
> "net" to join the domain.
> "klist" lists your tickets.
> Obviously, you only need a ticket for joining the domain, afterwards
> user/password data are supplied without active ticket.
> Is that true? I found two ADS behaving that way..
> Then the real work starts: Changing smb.conf to fit your needs ... and
> pam and winbind and ldap and and and
> > On Jan 09, 2004 02:28 PM, Bjorn Tore Sund <bjorntsmi.uib.no> wrote:
> > > On Fri, 9 Jan 2004, Adrian Bellini wrote:
> > > > Hi Good peoples
> > > > I'm at a customer's site who has already implemented a M$ AD
> > > > system. They now though are starting to implement SuSE clients &
> > > > I now need to integrate these clients into the M$ kerberos
> > > > realm.
> > >
> > > I share your pain. Literally. :-/
> > >
> > > > I have (at great personal pain :-)) read the M$ link
> > > > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> > > > But would like to know/hear of any experience any of
> > > > you guys have in this area. One thing I have noticed is the M$
> > > > handling of user names. Active Directory, by default, creates the
> > > > X.500 standard cn parameter as firstname lastname rather than the
> > > > user id that is used to login into the domain ( sAMAccountName
> > > > attribute in the Active Directory).
> > >
> > > Before you do anything else: get "The Official Samba-3 HOWTO and
> > > Reference Guide" by John H. Terpstra and Jelmer R. Vernooij from the
> > > Samba team. The info will appear online sometime this spring, but
> > > the book is truly good.
> > >
> > > You need to install the full Samba 3, in particular including the
> > > Winbind libraries. You need to make sure you're NOT running nscd.
> > > You obviously need Kerberos (The Heimdal rpms from SuSE 8.2 or 9.0
> > > are fine). And you need to fiddle with configuration quite a bit.
> > > There are bits and pieces all over the net, the above book covers
> > > it all rather neatly.
> > >
> > > What you get then are random uid and gid for each user, changing
> > > when you reboot and varying between clients. Can be hacked, but
> > > it ain't easy. I'm still trying to solve it on a large scale
> > > student domain, for a smaller system where people use the same
> > > machine every time it shouldn't be as much of a problem.
> > >
> > > Bjørn
> > > --
> > > Bjørn Tore Sund       Phone: (+47) 555-84894
> > > System administrator  Fax: (+47) 555-89672
> > > Math. Department      Mobile: (+47) 918 68075
> > > University of Bergen  VIP: 81724
> > > tekniskmi.uib.no      Email: bjorntsmi.uib.no
> > > http://www.mi.uib.no/
> > > "Stupidity is like a fractal; universal and infinitely repetitive."
> Best regards
> Markus Feilner
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
> phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
> web: http://feilner-it.net mail: mfeilnerfeilner-it.net
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-helpsuse.com
> Security-related bug reports go to securitysuse.de, not here
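The four steps quoted above (krb5.conf and smb.conf for the realm and ADS support, then kinit/net/klist), worked through as an added example that is not part of the thread. The realm EXAMPLE.COM, the KDC host dc1.example.com and the idmap range are placeholders; the config keys are standard Samba 3 and krb5.conf ones.

```shell
#!/bin/sh
# Added example (not from the thread): generate the two config fragments the
# "four steps" refer to, for a constructed realm, and check the pitfall that
# Kerberos realm names are case-sensitive and must be written in upper case.
# Hostnames and realm below are placeholders, not from the original post.

# Print a minimal /etc/krb5.conf for REALM with KDC (the AD domain controller).
krb5_conf() {
  realm=$1; kdc=$2
  lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_kdc = true\n\n' "$realm"
  printf '[realms]\n\t%s = {\n\t\tkdc = %s\n\t\tadmin_server = %s\n\t}\n\n' "$realm" "$kdc" "$kdc"
  printf '[domain_realm]\n\t.%s = %s\n\t%s = %s\n' "$lower" "$realm" "$lower" "$realm"
}

# Print the [global] lines smb.conf needs for ADS membership plus winbind.
# A fixed idmap range (with a shared backend, ldap in Samba 3.0) is what keeps
# uid/gid stable across reboots and clients, the problem Bjørn describes.
smb_conf() {
  realm=$1; workgroup=$2
  cat <<EOF
[global]
	workgroup = $workgroup
	realm = $realm
	security = ads
	encrypt passwords = yes
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	template shell = /bin/bash
	template homedir = /home/%D/%U
EOF
}

# Return 0 if REALM is in upper case (what AD/Kerberos expects), 1 otherwise.
realm_is_upper() {
  [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]
}

# Join and ticket handling, run by hand once the files are in place:
#   kinit Administrator@EXAMPLE.COM     # obtain a TGT from the AD KDC
#   klist                               # confirm the ticket is there
#   net ads join -U Administrator       # join the domain (needs the ticket)
#   wbinfo -t && wbinfo -u              # verify the trust, list AD users
```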