From: Mike Gerdts (Michael.Gerdtsalcatel.com)
Date: Mon Oct 22 2001 - 10:02:52 CDT
I have no expertise in this area. What you outline below does seem
quite reasonable, though. You may also want to take a look at winbind
that comes with Samba 2.2.2. It can make your Linux box become a member
of an NT domain through the use of a daemon called winbindd and a PAM
module. So long as you are running Win2k such that it is in NT Domain
compatibility mode (or whatever it is called), I think that you should
have a working solution.
If you are concerned about security, NIS is probably not what you want.
It exposes encrypted passwords and the NIS server can be rather easily
On Mon, 2001-10-22 at 01:24, Lengyel, Florian wrote:
> Dear Pam community,
> I'll write up the operational hijinx I'm up to with this; for now, here's a
> progress (or regress) report for your delectation.
> I'm in the process of integrating pam_krb5 with services for unix 2.0 to
> enable windows 2k users to authenticate into a linux box that is a member
> of the w2k domain (which happens by default to be the kerberos realm), so
> 1. the users under linux are UID/GID mapped to a w2k sid via NIS+ SFU 2.0
> user/group name mapping. It's necessary to define a GID not lower than 1000
> (or 500 - the exact lower bound doesn't matter for conceptual purposes, so
> bear with me, all you insufferable fussbudgets out there ;)
> 2. the home directory of the user is the nfs automounted windows user share.
> 3. users are defined in one and only one place: active directory. Period.
> The need for ANY user specific system administration under linux is ZERO.
> That means, no more useradd commands, or their equivalent under linuxconf.
> Requirements 1 and 2 work without kerberos authentication without any
> trouble, but it's only half of what you and I want. Microsoft has step by
> step instructions to add a LINUX box to a w2k kerberos realm, but I can't
> locate these from where I'm writing. The PAM community is too exquisitely
> cool to spell out the details, but I'm not, and I will in a subsequent post.
> There are a couple things I need to verify, and the answers aren't
> forthcoming (they will be from me, but I'll wager the gross national product
> that Microsoft won't volunteer to tell you what I'm about to ask).
> First, at the moment, in my configuration, the NIS master isn't the W2k
> domain controller; why should anyone care, you wonder?
> Well, there's a serious operational issue here. Adding SFU 2.0 extends
> active directory, so that user properties will have UNIX attributes, such as
> a UID/GID pair, and so that you can specify how the user's share should be
> NFS exported. However, if the passwd database resides on a LINUX box
> functioning as the NIS master, you'll still have to define the user in two
> places: in active directory and in the NIS passwd database.
> This violates requirement 3.
> SFU 2.0 has a server for NIS called "server for NIS" along with a wizard
> that is supposed to facilitate moving the NIS master from your UNIX box to
> your domain controller. The question is whether once your domain controller
> is the NIS master, whether adding new users in active directory and setting
> their UNIX attributes is automatically reflected in Server for NIS's NIS
> maps. If so, then there's no need to add the user twice under LINUX, which
> goes a long way towards requirement 3. If not, then the rational response is
> to sulk, unless you have what the French call la belle indifference.
> Also, SFU 2.0 hasn't addressed the issue of copying /etc/skel files to the
> user's account once it's created under active directory - there isn't
> anything like /etc/skel in SFU 2.0. You have to create any initial dot
> configuration files and directories yourself in the user's w2k share.
> Ad interim, I've been sidetracked by several other high performance
> computing projects, but as soon as my W2K domain controller is up and
> running, I'll resume with my report to the pam community on this.
> -----Original Message-----
> From: BOUR Daniel
> To: 'pam-listredhat.com'
> Sent: 10/19/2001 11:30 AM
> Subject: Re:Re: pam_krb5 + SFU 2.0+ Windows 2000
> Can someone give me a method to implement unified user authentication
> with Linux and Windows?
> I want to register Linux accounts to Windows2000 KDC.
> Daniel BOUR.
> Pam-list mailing list
Pam-list mailing list
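Two points raised in the thread can be checked directly against the NIS passwd map a client actually receives: Mike's warning that NIS exposes encrypted passwords, and Florian's requirement that mapped UIDs/GIDs sit above a lower bound. The script below is an added example, not code from the thread, from Samba, or from SFU. It parses constructed lines in the format `ypcat passwd` prints, flags entries whose second field carries a password hash instead of a shadow placeholder, and flags entries whose UID or GID fall below an assumed bound of 1000 (the thread mentions 1000 or 500; the value is a site choice).

```python
"""Audit a NIS passwd map for exposed password hashes and low UID/GID values.

Added example, not from the mailing-list thread. The sample map is constructed
to look like `ypcat passwd` output; the hashes in it are fake.
"""

# Assumed lower bound for mapped accounts (the thread mentions 1000 or 500).
MIN_ID = 1000

# Placeholder values that mean "the real hash lives elsewhere" or "locked".
# "x" is the shadow marker, "*" / "!" / "!!" are locked, "*NP*" is the
# passwd.adjunct "no permission" marker on some NIS servers.
HIDDEN_FIELDS = {"x", "*", "!", "!!", "*NP*"}

# Constructed sample map: one shadowed entry, one exposing a DES-crypt style
# hash, one exposing an MD5-crypt style hash, one with a low UID/GID, and one
# locked service account.
SAMPLE_MAP = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:ab9aLkJ2kP.Zx:1002:1002:Bob:/home/bob:/bin/bash
carol:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:1003:1003:Carol:/home/carol:/bin/sh
dave:x:503:100:Dave:/home/dave:/bin/bash
svc:*:1010:1010:Service:/var/empty:/sbin/nologin
"""


def classify_password_field(field):
    """Return 'hidden' for shadow/lock placeholders, 'empty' for no password,
    and 'hash' for anything else (which a NIS client can read and crack)."""
    if field in HIDDEN_FIELDS:
        return "hidden"
    if field == "":
        return "empty"
    return "hash"


def parse_passwd_line(line):
    """Split one passwd(5)-format line into its seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, pw, uid, gid, gecos, home, shell = parts
    return {
        "name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
        "gecos": gecos, "home": home, "shell": shell,
    }


def audit_passwd_map(text, min_id=MIN_ID):
    """Return a list of (account, finding) tuples for a passwd map."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        kind = classify_password_field(entry["pw"])
        if kind == "hash":
            findings.append((entry["name"], "password hash exposed in NIS map"))
        elif kind == "empty":
            findings.append((entry["name"], "empty password field"))
        if entry["uid"] < min_id:
            findings.append((entry["name"], f"uid {entry['uid']} below lower bound {min_id}"))
        if entry["gid"] < min_id:
            findings.append((entry["name"], f"gid {entry['gid']} below lower bound {min_id}"))
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real client you would
    # feed in the output of `ypcat passwd` instead.
    for account, finding in audit_passwd_map(SAMPLE_MAP):
        print(f"{account}: {finding}")
```

Entries flagged as `hash` are the ones Mike's remark is about: any host that can bind to the NIS server can read them. Entries with IDs below the bound would collide with local system accounts on the Linux side and break the one-to-one mapping Florian's requirement 1 relies on.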