[TriLUG] ldap authentication from Active directory or NTDS
Magnus
chrish at trilug.org
Thu Jan 8 06:23:15 EST 2004
On Wednesday, January 7, 2004, at 02:46 PM, spain at ncssm.edu wrote:

> I have a small network running active directory with a RH9 server
> running Samba, apache/mysql..

And a MUA that is sending uglified HTML email. Please fix that.

> I would like samba to pull user accounts from Active Directory to
> authenticate users for access to fileshares.. Does anyone have easy
> instructions on using PAM to set this up?

I'm in the middle of doing something like this now at $WORK. The gist
of it is that Active Directory does not have the right schema to handle
*NIX users, and must be extended. For <$100 MSRP you can get MS
Services For UNIX (SFU). This will, among other things, extend your
schema and give you MMC snap-ins to manage *NIX user attributes on the
same objects as Windows users. That's step one.

Now how to pull that data out of Active Directory once it's in? You
could use LDAP, true. Or you could be lazy and use NIS. The passwords
are in Kerberos so NIS isn't nearly as bad as it normally would be.

You can set up Linux to auth against Kerberos with no mods to your
Windoze box. Just run authconfig on your RH box and on the second
screen tell it to auth against your AD server. Caveat: The MS
implementation of Kerberos is incomplete and you won't have an Admin
Server. You'll have to sort out some other method for users to change
their passwords. If you're only running Linux on the file server, this
shouldn't be a concern. I've got Linux desktops where it becomes more
of an issue.

Once you've got all the right fields filled out in authconfig, PAM will
take over. Nothing special to do in Samba then as the AD users will be
able to mount Samba shares as easily as local users.

--
C. Magnus Hedemark
http://trilug.org/~chrish
"The only way to keep your health is to eat what you don't want, drink
what you don't like, and do what you'd rather not." - Mark Twain
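
Added example, not part of the original post: a shell check for the split described above, where PAM authenticates against the AD Kerberos KDC while account data comes from NIS or LDAP. The file contents, the realm EXAMPLE.COM, the host dc1.example.com and all function names are constructed for illustration.

```shell
# Added example; all file contents are constructed samples. EXAMPLE.COM and
# dc1.example.com are placeholders, not values from the post.
make_sample() {  # write constructed config files into directory $1
  cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
 }
EOF
  cat > "$1/system-auth" <<'EOF'
auth  sufficient  pam_unix.so likeauth nullok
auth  sufficient  pam_krb5.so use_first_pass
EOF
  printf 'passwd: files nis\ngroup: files nis\n' > "$1/nsswitch.conf"
}

default_realm() {  # print default_realm from krb5.conf $1
  awk -F= '/^[ \t]*default_realm[ \t]*=/ {gsub(/[ \t]/,"",$2); print $2; exit}' "$1"
}
realm_has_kdc() {  # succeed if realm $2 has a kdc entry in krb5.conf $1
  awk -v r="$2" '
    $1 == r && $2 == "=" && $3 == "{" {in_r=1; next}
    in_r && /}/ {in_r=0}
    in_r && $1 == "kdc" {found=1}
    END {exit !found}' "$1"
}
# succeed if an auth line in PAM file $1 loads pam_krb5 (passwords via Kerberos)
pam_uses_krb5() { grep -Eq '^auth[[:space:]].*pam_krb5\.so' "$1"; }
passwd_sources() {  # print the lookup sources on the passwd: line of $1
  awk '$1 == "passwd:" {$1=""; sub(/^ /,""); print; exit}' "$1"
}

check_ad_auth() {  # report on directory $1; returns the number of failures
  fails=0
  realm=$(default_realm "$1/krb5.conf")
  [ -n "$realm" ] && realm_has_kdc "$1/krb5.conf" "$realm" \
    || { echo "FAIL: no KDC for default realm"; fails=$((fails+1)); }
  pam_uses_krb5 "$1/system-auth" \
    || { echo "FAIL: PAM auth stack lacks pam_krb5"; fails=$((fails+1)); }
  case " $(passwd_sources "$1/nsswitch.conf") " in
    *" nis "*|*" ldap "*) ;;  # identity data comes from NIS or LDAP
    *) echo "FAIL: passwd has no nis/ldap source"; fails=$((fails+1)) ;;
  esac
  return "$fails"
}

d=$(mktemp -d) && make_sample "$d" && check_ad_auth "$d" && echo "PASS: $d"
```

On a real host, point `check_ad_auth` at a directory holding copies of `/etc/krb5.conf`, `/etc/pam.d/system-auth` and `/etc/nsswitch.conf`.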