Thanks for your help, I'll try to explain a little better what I already have and what I want to do :-)

> On 6 Jan 2006, at 12:32, brunogola wrote:
> >
> > I have a machine running linux, and I'm authenticating in a
> > windows 2000 domain (Active directory) using
> > samba, winbind and kerberos.
>
> Hi there,
>
> I've done some of this recently, and I don't think you need active
> directory, winbind AND kerberos. My understanding is that all three
> are separate mechanisms for authenticating *nix users against a
> Windows domain.
>
> Active directory is MS's name for LDAP, so if you use that then your
> applications would be compiled using the LDAP USE flag & would treat
> the MS server as an LDAP server. I don't believe its schemas are
> terribly good for *nix users - I use Winbind, which uses PAM to
> appear part of the local authentication process and pass these on to
> the Windows DC.
>

My notebook running linux is already authenticating against the win. domain (AD). I've done this using samba,
kerberos5 and winbind (pam modules etc), that's working perfectly :-)

Now, what I need: my desktop (that is another linux machine) authenticating against my notebook, using samba,
but the problem is that samba is already configured @ the notebook as an AD Domain member :S.

> > What I need to know is if there is a way of making some other machines
> > authenticate in this machine, and this machine will ask the
> > password for the windows 2000 domain (only for some
> > users, and the user needs to be in the /etc/passwd).
>
> It would be helpful if you gave an example of which programs /
> services on which machines (A, B and C??) you need to be able to
> authenticate in this way.
>

Well, the principal service is a VMWare GSX Server running on my notebook, I need to be able to authenticate
(using the vmware-console) from any machine in my network (windows or linux). I think the vmware thing is the
least important part, cause it should be easy editing pam.d/vmware-authd after everything is configured.

> > Let me explain: I have a user 'bob' that is not a user in
> > the domain, but he has his username and password on my linux
> > machine, so he can authenticate. I have a user
> > bgola who has the username on the AD and on the linux machine, but
> > the password isn't on the linux machine, only
> > on the AD. He can authenticate too.
> > Summary: my linux machine will use the username database from its
> > own but the password database from its own
> > AND from the AD.
>
> I believe that in this situation it would be unusual to give the
> bgola a username on the Linux machine - he has one on the AD, so if
> you use Winbind then he doesn't need one on the Linux box. He can
> have a homedir, since he may need to store files on the Linux box,
> but that's not the same, I think, as having an account.
>

I want to have bgola on the linux machine for a control purpose, or, only authenticate if the user exists on
the machine. This is already working for console/ssh/etc on the Notebook.

> For instance on my Linux/Winbind machine on an AD:
>
> $ getent passwd | grep -e stroller -e ned
> stroller:x:1000:100::/home/stroller:/bin/bash
> ned:x:10012:10000:Some Geezer:/home/DOMAIN/ned:/bin/false
> $ grep -e stroller -e ned /etc/passwd
> stroller:x:1000:100::/home/stroller:/bin/bash
> $ ls -ld ~stroller ~ned
> drwxr-xr-x 3 ned domain users 160 Jan 6 06:32 /home/DOMAIN/ned
> drwxr-xr-x 5 stroller users 272 Jan 6 03:58 /home/stroller
>
> Both users can authenticate, depending on how the /etc/pam.d/
> the_authenticating_service is set up. I use pam_mkhomedir.so to
> create a home directory for any users authenticating via Winbind, but
> beware this only works for services which call PAM "session" directives.
>
> I used this guide to set it all up:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2621482
>
> Please CC me should you reply to the list with further questions,
>
> Stroller.
>
>
> --
> gentoo-user@g.o mailing list
>
>

Summary: I need to transform my notebook (that is an AD Domain Member) into an Auth server, but without leaving the
AD Domain Member status, because it will need to get the passwd for some accounts from the AD Server.


Thanks for your help,
Bruno Gola


--
gentoo-user@g.o mailing list
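The thread hinges on two PAM behaviours: which users a given /etc/pam.d/service stack admits (local password, AD password, or both, with the extra requirement that the account exist in /etc/passwd), and the caveat that pam_mkhomedir.so only runs for services that call the "session" group. The following is an added illustration, not code from the thread or from Linux-PAM: a small Python model of PAM control-flag semantics (required/requisite/sufficient/optional, simplified) run over a constructed stack. The stack name VMWARE_AUTHD, the user records and the passwords are all made up for the example; pam_localuser.so, pam_unix.so, pam_winbind.so, pam_deny.so and pam_mkhomedir.so are real Linux-PAM/Samba module names, but their behaviour here is a stand-in, and the real modules pass the password along with options such as use_first_pass, which the model omits.

```python
"""Simplified model of a Linux-PAM stack (added illustration, not real PAM code).

Models the requirement from the thread: a user must exist locally, and the
password may come from /etc/shadow (pam_unix) OR from the AD via winbind.
Also shows why pam_mkhomedir only takes effect when the session group runs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed sample data standing in for /etc/passwd, /etc/shadow and the DC.
LOCAL_ACCOUNTS: Set[str] = {"stroller", "bob", "bgola"}            # listed in /etc/passwd
LOCAL_PASSWORDS: Dict[str, str] = {"stroller": "s3cret", "bob": "b0b"}  # /etc/shadow; bgola has none
DOMAIN_PASSWORDS: Dict[str, str] = {"ned": "n3d", "bgola": "ad-pass"}   # what the DC would accept


@dataclass(frozen=True)
class Rule:
    kind: str     # "auth" or "session" (management group)
    control: str  # required | requisite | sufficient | optional
    module: str


# Each simulated module returns SUCCESS or FAIL; `state` records side effects.
def pam_localuser(user: str, password: str, state: dict) -> str:
    return SUCCESS if user in LOCAL_ACCOUNTS else FAIL      # must be in /etc/passwd


def pam_unix(user: str, password: str, state: dict) -> str:
    return SUCCESS if LOCAL_PASSWORDS.get(user) == password else FAIL


def pam_winbind(user: str, password: str, state: dict) -> str:
    return SUCCESS if DOMAIN_PASSWORDS.get(user) == password else FAIL


def pam_deny(user: str, password: str, state: dict) -> str:
    return FAIL


def pam_mkhomedir(user: str, password: str, state: dict) -> str:
    state.setdefault("homedirs", set()).add(user)            # "creates" the home directory
    return SUCCESS


MODULES: Dict[str, Callable[[str, str, dict], str]] = {
    "pam_localuser.so": pam_localuser,
    "pam_unix.so": pam_unix,
    "pam_winbind.so": pam_winbind,
    "pam_deny.so": pam_deny,
    "pam_mkhomedir.so": pam_mkhomedir,
}

# Hypothetical /etc/pam.d/vmware-authd for the setup described in the thread.
VMWARE_AUTHD: List[Rule] = [
    Rule("auth", "requisite", "pam_localuser.so"),   # reject anyone not in /etc/passwd at once
    Rule("auth", "sufficient", "pam_unix.so"),       # local password wins if it matches
    Rule("auth", "sufficient", "pam_winbind.so"),    # otherwise ask the AD domain controller
    Rule("auth", "required", "pam_deny.so"),         # nothing matched: deny
    Rule("session", "required", "pam_mkhomedir.so"),  # only runs if the service opens a session
]


def run_stack(rules: List[Rule], kind: str, user: str, password: str, state: dict) -> str:
    """Evaluate one management group with (simplified) Linux-PAM control semantics."""
    required_failed = False
    succeeded = False
    for rule in (r for r in rules if r.kind == kind):
        result = MODULES[rule.module](user, password, state)
        if rule.control == "requisite":
            if result == FAIL:
                return FAIL                       # stop immediately
            succeeded = True
        elif rule.control == "required":
            if result == FAIL:
                required_failed = True            # remember, but keep running the stack
            else:
                succeeded = True
        elif rule.control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS                    # short-circuit: later modules are skipped
        # "optional": result does not affect the outcome
    return SUCCESS if succeeded and not required_failed else FAIL


def authenticate(user: str, password: str, calls_session: bool = True) -> Tuple[bool, bool]:
    """Return (login_allowed, home_created) for a service using VMWARE_AUTHD."""
    state: dict = {}
    if run_stack(VMWARE_AUTHD, "auth", user, password, state) != SUCCESS:
        return False, False
    if calls_session:
        run_stack(VMWARE_AUTHD, "session", user, password, state)
    return True, user in state.get("homedirs", set())


if __name__ == "__main__":
    for who, pw, sess in [("bob", "b0b", True), ("bgola", "ad-pass", True),
                          ("ned", "n3d", True), ("stroller", "s3cret", False)]:
        print(who, authenticate(who, pw, calls_session=sess))
```

Run as a script it shows bob (local password) and bgola (AD password, local account) admitted, ned rejected despite a correct AD password because he is absent from /etc/passwd, and stroller admitted without a home directory being created when the service never opens a session.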