| 1 |
Thanks for your tips. |
| 2 |
I'm having problems now to authenticate without winbind. Using only LDAP and Kerberos. |
| 3 |
|
| 4 |
Kerberos appears to be working, but I cannot "ssh" to machine for example. |
| 5 |
|
| 6 |
auth ~ # kinit viniciusferrao |
| 7 |
Password for viniciusferrao@×××××××.BR: |
| 8 |
auth ~ # klist |
| 9 |
Ticket cache: FILE:/tmp/krb5cc_0 |
| 10 |
Default principal: viniciusferrao@×××××××.BR |
| 11 |
|
| 12 |
Valid starting Expires Service principal |
| 13 |
11/01/11 17:00:53 11/02/11 03:01:05 krbtgt/IF.UFRJ.BR@×××××××.BR |
| 14 |
renew until 11/02/11 17:00:53 |
| 15 |
|
| 16 |
Any insights? |
| 17 |
|
| 18 |
On Oct 31, 2011, at 1:01 PM, Brian Kroth wrote: |
| 19 |
|
| 20 |
> Vinícius Ferrão <viniciusferrao@××××××××××.br> 2011-10-30 18:48: |
| 21 |
>> Hello Brian, |
| 22 |
>> |
| 23 |
>> Can you give-me some advices on how to implement this? I haven't installed UNIX Services for Windows. UID and GID is mapped through SAMBA at this moment. |
| 24 |
> |
| 25 |
> I don't even think that that's necessary anymore (though I haven't dealt with it personally in a while). My understanding was that the R2 version of Windows Server's AD schema just included the uidNumber, gidNumber, homeDirectory, loginShell, etc. attributes in AD's ldap. You could manage them through another tab on the user/group object properties in mmc. |
| 26 |
> |
| 27 |
> Past that it wasn't any more difficult than pointing your Linux hosts at any other ldap. I think the only catch was that that AD wants a proxy user to bind as in order to do the searches. |
| 28 |
> |
| 29 |
> Brian |
| 30 |
> |
| 31 |
>> On 30/10/2011, at 17:55, Brian Kroth <bpkroth@×××××.com> wrote: |
| 32 |
>> |
| 33 |
>>> gregorcy <gregorcy@××××××××.edu> 2011-10-29 10:52: |
| 34 |
>>>> What's missing: OpenLDAP replication from AD? Is this possible? Is this |
| 35 |
>>>> needed? Since I want another machines (running Linux) to authenticate it |
| 36 |
>>>> will be a good idea only ONE machine get information from AD and |
| 37 |
>>>> everyone else authenticate natively on this Gentoo Machine. |
| 38 |
>>>> |
| 39 |
>>>> No this is not needed. If you are in a mixed environment (I think) it |
| 40 |
>>>> is much easier to just use AD as the one directory service and join all |
| 41 |
>>>> your linux boxes to it. As long as your idmap ranges match your users |
| 42 |
>>>> will have the same uid on all boxes. |
| 43 |
>>> |
| 44 |
>>> I agree with this except for the need to "join all your linux boxes". AD is really just ldap+kerberos. Most of the time you don't need the headache of kerberos and can just use the ldap component. Modern AD schemas include all the of necessary attributes support for having Linux clients talk to it directly for uid/gid mapping, which is much nicer since it avoids the complexity of any samba requirements when you don't need them (eg: mail, web, etc.). |
| 45 |
>>> |
| 46 |
>>> </cent></cent> |
| 47 |
>>> |
| 48 |
>>> Brian |
| 49 |
> |
| 50 |
> |
Archives