On Thu, 2004-04-29 at 01:00, Yonah Russ wrote:

> Active directories is very heavy on kerberos- it's theoretically
> possible to use the same kerberos for both the active directory and
> linux- I've read you can even convince active directories to use a linux
> kerberos server.

Heavy on kerberos? This is not theory. I have done it more than once. It works. AD itself can not use non-MS Kerberos. AD clients, on the other hand, can be configured to authenticate against a non-Microsoft Kerberos V realm (kadmin utility - support tools).
> I only briefly looked into this b/c it means switching to kerberized
> daemons, etc. very annoying.

Depends upon your needs. pam_krb5 solves most of the problems.

[snip]

There are several approaches to SSO in this situation:

1) Extending the W2K AD schema to incorporate the Posix schema extensions (using the Services For Unix schema extensions) and using Microsoft's LDAP as the Posix account settings store, while doing either Kerberos or LDAP+SSL authentication.
   Downside: you need to be the AD admin and understand the impact on security (this approach will require weakening AD security).

2) The W2K3 schema lets you create user objects of the inetOrgPerson class instead of the default "user" class. This one is a standard RFC class and can be used by Linux clients.
   Downside: depending on the AD size and the applications installed, there might be some issues, and again it requires altering the AD defaults and performing some conversions in AD.

3) The way I do it:
   - A Linux LDAP which pulls its data from AD (sAMAccountName, givenName, sn, well... whatever is useful and you want from AD) and imports it into OpenLDAP, keeping the relevant attributes in sync.
   - The Linux client uses OpenLDAP as its nsswitch backend. The user's password in OpenLDAP is a special entry that points to the user's Kerberos principal in AD.
   - A user trying to log on is looked up in OpenLDAP, their Kerberos principal is pulled, and the user is authenticated using the pam_krb5 module.

All that said, if you do not mind having the users configured locally (/etc/passwd) and yet have them authenticate against AD, the setup is pretty simple. All you need to do is to edit the /etc/krb5.conf and /etc/krb5.realms files and make sure the username in /etc/passwd matches the username in AD (you will of course need to adjust PAM to use pam_krb5).
Guy

-- 
Smith & Wesson - the original point and click interface

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
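As an added example (not part of Guy's mail, and not the configuration of any real site), the following POSIX shell functions cover the "simple" setup described at the end of the message: rendering a minimal /etc/krb5.conf for an AD realm, and checking that every local /etc/passwd account has a matching sAMAccountName in AD before PAM is switched to pam_krb5. The realm EXAMPLE.LOCAL, the KDC dc1.example.local and the sample account lists are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original mail. Realm, KDC and account lists
# below are constructed placeholders.

# Render a minimal krb5.conf pointing Linux Kerberos clients at an AD realm.
#   $1 = Kerberos realm (normally the AD domain in upper case)
#   $2 = hostname of a domain controller acting as KDC
render_krb5_conf() {
    realm="$1"
    kdc="$2"
    # AD realm names are the DNS domain in upper case; derive the domain_realm
    # mapping from the realm so hostnames in the domain map to it.
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    ticket_lifetime = 10h
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Print local accounts (UID >= 1000) that have no matching AD principal.
# pam_krb5 will reject such users once PAM is switched over, so fix them first.
#   $1 = passwd-format file (e.g. /etc/passwd)
#   $2 = file with one AD sAMAccountName per line (an export from AD)
# AD names are case-insensitive, so the comparison lowercases both sides.
missing_principals() {
    awk -F: 'NR == FNR { ad[tolower($1)] = 1; next }
             $3 >= 1000 && !(tolower($1) in ad) { print $1 }' "$2" "$1"
}

# Stand-alone demonstration on constructed sample data.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' >> "$tmp/passwd"
    printf 'bob:x:1001:1001::/home/bob:/bin/sh\n' >> "$tmp/passwd"
    printf 'svc:x:1002:1002::/home/svc:/bin/sh\n' >> "$tmp/passwd"
    # Constructed AD export: note "Alice" differs only in case from "alice".
    printf 'Alice\nsvc\n' > "$tmp/ad-accounts.txt"

    echo "# Local accounts without an AD principal:"
    missing_principals "$tmp/passwd" "$tmp/ad-accounts.txt"
    echo
    echo "# Generated krb5.conf:"
    render_krb5_conf EXAMPLE.LOCAL dc1.example.local
    rm -rf "$tmp"
}

# Only run the demo when executed directly, not when sourced for its functions.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

The realm check is deliberately one-directional: an AD account with no local /etc/passwd entry is harmless under this setup (there is nothing to log in to), whereas a local account with no principal is the failure mode the mail warns about.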