Gentoo Archives: gentoo-user

From: brunogola <brunogola@×××××××××.br>
To: gentoo-user <gentoo-user@l.g.o>
Cc: stroller <stroller@××××××××××××××××××.uk>
Subject: Re: [gentoo-user] Samba !
Date: Fri, 06 Jan 2006 16:28:47
Message-Id: ISOIXB$1ED670A4D052DC170D15A61A8F1DF5E7@terra.com.br
Thanks for your help, I'll try to explain a little better what I already have and what I want to do :-)

>
> On 6 Jan 2006, at 12:32, brunogola wrote:
> >
> > I have a machine running Linux, and I'm authenticating against a
> > Windows 2000 domain (Active Directory) using
> > samba, winbind and kerberos.
>
> Hi there,
>
> I've done some of this recently, and I don't think you need active
> directory, winbind AND kerberos. My understanding is that all three
> are separate mechanisms for authenticating *nix users against a
> Windows domain.
>
> Active directory is MS's name for LDAP, so if you use that then your
> applications would be compiled using the LDAP USE flag & would treat
> the MS server as an LDAP server. I don't believe its schemas are
> terribly good for *nix users - I use Winbind, which uses PAM to
> appear part of the local authentication process and pass these on to
> the Windows DC.
>

My notebook running Linux is already authenticating against the Windows domain (AD). I've done this using samba,
kerberos5 and winbind (PAM modules etc.); that's working perfectly :-)

Now, what I need: my desktop (which is another Linux machine) authenticating against my notebook, using samba,
but the problem is that samba is already configured on the notebook as an AD domain member :S.

> > What I need to know is if there is a way of making some other machines
> > authenticate against this machine, and this machine will ask the
> > Windows 2000 domain for the password (only for some
> > users, and the user needs to be in /etc/passwd).
>
> It would be helpful if you gave an example of which programs /
> services on which machines (A, B and C??) you need to be able to
> authenticate in this way.
>

Well, the principal service is a VMware GSX Server running on my notebook; I need to be able to authenticate
(using the vmware-console) from any machine in my network (Windows or Linux). I think the VMware thing is the
less important part, because it should be easy to edit pam.d/vmware-authd after everything is configured.

> > Let me explain: I have a user 'bob' who is not a user in
> > the domain, but has his username and password on my Linux
> > machine, so he can authenticate. I have a user
> > bgola who has the username on the AD and on the Linux machine, but
> > the password isn't on the Linux machine, only
> > on the AD. He can authenticate too.
> > To sum up: my Linux machine will use its own username
> > database, but the password database from its own
> > AND from the AD.
>
> I believe that in this situation it would be unusual to give
> bgola a username on the Linux machine - he has one on the AD, so if
> you use Winbind then he doesn't need one on the Linux box. He can
> have a homedir, since he may need to store files on the Linux box,
> but that's not the same, I think, as having an account.
>

I want to have bgola on the Linux machine for control purposes, i.e. only authenticate if the user exists on
the machine. This is already working for console/ssh/etc. on the notebook.

> For instance on my Linux/Winbind machine on an AD:
>
> $ getent passwd | grep -e stroller -e ned
> stroller:x:1000:100::/home/stroller:/bin/bash
> ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
> $ grep -e stroller -e ned /etc/passwd
> stroller:x:1000:100::/home/stroller:/bin/bash
> $ ls -ld ~stroller ~ned
> drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
> drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller
>
> Both users can authenticate, depending on how the /etc/pam.d/
> the_authenticating_service is set up. I use pam_mkhomedir.so to
> create a home directory for any users authenticating via Winbind, but
> beware this only works for services which call PAM "session" directives.
>
> I used this guide to set it all up: http://www.samba.org/samba/docs/
> man/Samba-HOWTO-Collection/winbind.html#id2621482
>
> Please CC me should you reply to the list with further questions,
>
> Stroller.
>
>
> --
> gentoo-user@g.o mailing list
>
>

Summary: I need to turn my notebook (which is an AD domain member) into an auth server, but without leaving the
AD domain member status, because it will need to get the password for some accounts from the AD server.


Thanks for your help,
Bruno Gola


--
gentoo-user@g.o mailing list
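The policy Bruno describes for the notebook (the user must have an entry in /etc/passwd; the password is checked locally first and, failing that, against AD through winbind) can be expressed as a PAM stack. The following is an added illustration written for this archive page, not a configuration posted in the thread. It uses the standard Linux-PAM modules pam_localuser, pam_unix, pam_winbind and pam_mkhomedir; the service file name vmware-authd is the one Bruno mentions, and the assumption is that the notebook's winbind is already joined to the domain and working for console/ssh, as he states.

```pam
# /etc/pam.d/vmware-authd   (added example, not from the original thread)
#
# auth stack:
#   1. pam_localuser  - the user must be listed in /etc/passwd, so a domain
#                       account that has no local entry is refused outright
#                       (this is the "only if the user exists on the machine"
#                       control Bruno wants; winbind's NSS entries do not count).
#   2. pam_unix       - try the password against /etc/shadow; "sufficient"
#                       means a local match (bob) finishes the stack here.
#   3. pam_winbind    - for users whose shadow field is locked ("!" or "*"),
#                       e.g. bgola, re-use the password already typed and
#                       check it against the AD domain controller.
auth     required    pam_localuser.so
auth     sufficient  pam_unix.so
auth     required    pam_winbind.so use_first_pass

# account stack: every permitted user has a local entry, so the local
# account checks (expiry etc.) apply to all of them.
account  required    pam_unix.so

# session stack: only honoured by services that call PAM "session"
# directives, as Stroller notes above. pam_mkhomedir is harmless for
# users whose home already exists.
session  required    pam_unix.so
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0022
```

Two things to check before relying on it: `getent passwd bgola` should print the /etc/passwd entry (with "files" ahead of "winbind" in /etc/nsswitch.conf the local entry wins), and `wbinfo -a 'bgola%<password>'` should report a successful winbind authentication, otherwise step 3 can never succeed. Note also that with this ordering every password that fails the local check is forwarded to the domain controller, so mistyped passwords for AD-backed users count toward the domain's lockout policy.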

Replies

Subject Author
Re: [gentoo-user] Samba ! Stroller <stroller@××××××××××××××××××.uk>