| 1 |
Hi stroller, |
| 2 |
that was actually interesting, but it didn't help me much... I do not manage |
| 3 |
the network, neither do I have any knowledge of it's working. I asked the |
| 4 |
help desk guys to help out, but all they managed is to get me someone that |
| 5 |
knew, after a 2 hours work, to mount the directories I needed manually. If I |
| 6 |
were to ask them I will have to be sure I am quite knowing the area so I |
| 7 |
could correctly describe to the Microsoft-trained network administrators |
| 8 |
what I want. If you could point me to an article of any kind (or to the |
| 9 |
relevant part in samba's huge documentation) I would be much grateful. |
| 10 |
thanks. |
| 11 |
|
| 12 |
On Fri, Aug 8, 2008 at 2:42 PM, Stroller <stroller@××××××××××××××××××.uk>wrote: |
| 13 |
|
| 14 |
> |
| 15 |
> On 7 Aug 2008, at 23:04, Andrey Falko wrote: |
| 16 |
> |
| 17 |
>> ... |
| 18 |
>> As far as I know, don't take my word for it, in order to use Active |
| 19 |
>> Directory on a GNU/Linux host, you need to setup LDAP and have it talk |
| 20 |
>> to AD. Unfortunately I don't know how to do this, perhaps this will |
| 21 |
>> help: http://www.linux.com/articles/40983 . |
| 22 |
>> |
| 23 |
> |
| 24 |
> Hi there, |
| 25 |
> |
| 26 |
> I understood Active Directory to be Microsoft's implementation of LDAP + |
| 27 |
> extensions. Or maybe it's a Microsoft's entirely own way of doing a |
| 28 |
> directory service, with LDAP support bolted on afterwards. Anyway, yes, |
| 29 |
> Linux hosts should indeed be able to talk LDAP to an AD server. |
| 30 |
> |
| 31 |
> On a domain that I manage we authenticate over Samba instead. I can't |
| 32 |
> entirely recall why I chose this method instead of AD, but I'm pretty sure |
| 33 |
> there were good reasons for it at the time. Once Samba is configured to to |
| 34 |
> do winbind - it obviously needs to know the name of the domain server &c - |
| 35 |
> one installs the PAM winbind module and references it in /etc/pam.d/ for any |
| 36 |
> Linux services one wishes to authenticate off the Windows server. Samba |
| 37 |
> then, presumably, acts as a client to the domain server and says "user X, |
| 38 |
> hash(password Y) wants to log on, is this ok?"; PAM passes the response back |
| 39 |
> to the service the user is trying to use. |
| 40 |
> |
| 41 |
> I think winbind alleviates some need to deal with Active Directory. I |
| 42 |
> really know nothing about AD - all I have to do is log on to the Windows |
| 43 |
> server (SBS 2003) and add a user to the domain in the Server Management For |
| 44 |
> Idiots program Microsoft so kindly provides. The user is able to |
| 45 |
> authenticate on the Linux box immediately after restarting Samba (and the |
| 46 |
> restart is probably only required because I've fouled-up the caching |
| 47 |
> configuration, or something). I also use pam_mkhomedir so that when the user |
| 48 |
> logs on to IMAP for the first time ~ is automagically created; I had to |
| 49 |
> reject Courier-IMAP in favour of Dovecot in order to be able to do this, as |
| 50 |
> IIRC Courier doesn't use the PAM type "session", and that's required to make |
| 51 |
> pam_mkhomedir work (Dovecot doesn't actually need to use this type, but adds |
| 52 |
> an option to open a PAM session specifically to enable mkhomedir to be used. |
| 53 |
> This is a requirement of pam_mkhomedir, NOT pam_winbind). |
| 54 |
> |
| 55 |
> What I have enjoyed about winbind is that it has (so far!) made adding |
| 56 |
> additional services easy. I needed to run an ftp server (allow only |
| 57 |
> 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation plugin |
| 58 |
> could upload the users' vacation messages to their homedirs. To get the ftp |
| 59 |
> service (net-ftp/vsftpd) to authenticate off the same credentials was as |
| 60 |
> easy as copying the PAM settings for the already-working IMAP server to |
| 61 |
> /etc/pam.d/ftp (although I see that each is "sufficient" instead of |
| 62 |
> "required" in this case). I was quite surprised it worked so easily, quickly |
| 63 |
> and smoothly. Anyway, any user can sit at their Windows workstation, |
| 64 |
> CTRL-ALT-DEL and change their password and the IMAP server will now respect |
| 65 |
> their new credentials, which is the important thing (for me). |
| 66 |
> |
| 67 |
> Stroller. |
| 68 |
> |
| 69 |
> |
| 70 |
> |
Archives