Hi Stroller,

that was actually interesting, but it didn't help me much... I do not manage
the network, nor do I have any knowledge of its workings. I asked the
help desk guys to help out, but all they managed was to get me someone who,
after two hours' work, knew how to mount the directories I needed manually. If I
were to ask them, I would have to be sure I knew the area well enough to
describe correctly to the Microsoft-trained network administrators
what I want. If you could point me to an article of any kind (or to the
relevant part of Samba's huge documentation) I would be most grateful.
Thanks.

On Fri, Aug 8, 2008 at 2:42 PM, Stroller <stroller@××××××××××××××××××.uk> wrote:

>
> On 7 Aug 2008, at 23:04, Andrey Falko wrote:
>
>> ...
>> As far as I know, don't take my word for it, in order to use Active
>> Directory on a GNU/Linux host, you need to set up LDAP and have it talk
>> to AD. Unfortunately I don't know how to do this, perhaps this will
>> help: http://www.linux.com/articles/40983 .
>>
>
> Hi there,
>
> I understood Active Directory to be Microsoft's implementation of LDAP +
> extensions. Or maybe it's Microsoft's entirely own way of doing a
> directory service, with LDAP support bolted on afterwards. Anyway, yes,
> Linux hosts should indeed be able to talk LDAP to an AD server.
>
> On a domain that I manage we authenticate over Samba instead. I can't
> entirely recall why I chose this method instead of AD, but I'm pretty sure
> there were good reasons for it at the time. Once Samba is configured to
> do winbind - it obviously needs to know the name of the domain server &c -
> one installs the PAM winbind module and references it in /etc/pam.d/ for any
> Linux services one wishes to authenticate off the Windows server. Samba
> then, presumably, acts as a client to the domain server and says "user X,
> hash(password Y) wants to log on, is this ok?"; PAM passes the response back
> to the service the user is trying to use.
>
> I think winbind alleviates some need to deal with Active Directory. I
> really know nothing about AD - all I have to do is log on to the Windows
> server (SBS 2003) and add a user to the domain in the Server Management For
> Idiots program Microsoft so kindly provides. The user is able to
> authenticate on the Linux box immediately after restarting Samba (and the
> restart is probably only required because I've fouled up the caching
> configuration, or something). I also use pam_mkhomedir so that when the user
> logs on to IMAP for the first time ~ is automagically created; I had to
> reject Courier-IMAP in favour of Dovecot in order to be able to do this, as
> IIRC Courier doesn't use the PAM type "session", and that's required to make
> pam_mkhomedir work (Dovecot doesn't actually need to use this type, but adds
> an option to open a PAM session specifically to enable mkhomedir to be used.
> This is a requirement of pam_mkhomedir, NOT pam_winbind).
>
> What I have enjoyed about winbind is that it has (so far!) made adding
> additional services easy. I needed to run an ftp server (allow only
> 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation plugin
> could upload the users' vacation messages to their homedirs. To get the ftp
> service (net-ftp/vsftpd) to authenticate off the same credentials was as
> easy as copying the PAM settings for the already-working IMAP server to
> /etc/pam.d/ftp (although I see that each is "sufficient" instead of
> "required" in this case). I was quite surprised it worked so easily, quickly
> and smoothly. Anyway, any user can sit at their Windows workstation,
> CTRL-ALT-DEL and change their password and the IMAP server will now respect
> their new credentials, which is the important thing (for me).
>
> Stroller.
>
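The winbind setup Stroller describes (smb.conf pointing winbindd at the domain, winbind in NSS, pam_winbind plus pam_mkhomedir in /etc/pam.d/, Dovecot opening a PAM session, the same PAM file copied to /etc/pam.d/ftp for vsftpd), written out as a script. This is an added example, not part of the original thread or of any Samba/Dovecot documentation. It assumes a Linux host with GNU sed, Samba 3.6 or later (for the `idmap config` syntax), Dovecot 2.x (which pulls in /etc/dovecot/local.conf), vsftpd's default PAM service name `ftp`, a machine that can reach the DC, and placeholder names: workgroup EXAMPLE, realm EXAMPLE.COM, join account Administrator. Two points it adds to the description above: the PAM stack uses `sufficient` for both pam_winbind and pam_unix, as in the ftp case, so it ends with `pam_deny.so` to fail closed if neither accepts the user; and pam_mkhomedir creates the home directory with umask 0077 so other users cannot read mail or vacation files. `krb5_auth` makes pam_winbind ask winbindd for Kerberos authentication when `security = ads` is in effect; without it winbindd validates the password against the DC via NTLM pass-through.

```shell
#!/bin/sh
# Added example: generate the Samba/winbind, NSS, PAM and Dovecot pieces for
# domain logins on a Linux host.  Names, ranges and paths are assumptions.
# Usage (as root):  sh winbind-setup.sh apply EXAMPLE EXAMPLE.COM
#                   (restart smbd/winbindd and dovecot, then)
#                   sh winbind-setup.sh join jdoe

write_smb_conf() {   # $1 = root prefix, $2 = NetBIOS workgroup, $3 = Kerberos realm
    mkdir -p "$1/etc/samba"
    cat > "$1/etc/samba/smb.conf" <<EOF
[global]
   workgroup = $2
   realm = $3
   # ads: winbindd joins the domain and talks Kerberos/LDAP to the DC
   security = ads
   # idmap (Samba 3.6+ syntax): keep domain uids clear of local /etc/passwd uids
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   # users log in as "jdoe", not with the DOMAIN prefix
   winbind use default domain = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
}

enable_winbind_nss() {   # $1 = root prefix; append winbind to passwd/group sources
    f="$1/etc/nsswitch.conf"
    mkdir -p "$1/etc"
    [ -f "$f" ] || printf 'passwd: files\ngroup: files\nshadow: files\n' > "$f"
    # idempotent: only lines that do not already list winbind are changed
    sed -i -E '/^(passwd|group):/{/winbind/!s/$/ winbind/;}' "$f"
}

write_pam_service() {   # $1 = root prefix, $2 = PAM service name (dovecot, ftp, ...)
    mkdir -p "$1/etc/pam.d"
    cat > "$1/etc/pam.d/$2" <<'EOF'
# Domain first (winbindd), local /etc/shadow second.  Both are "sufficient":
# the first success ends the stack.  pam_deny.so makes the stack fail closed
# when neither module accepted the user.
auth     sufficient  pam_winbind.so krb5_auth try_first_pass
auth     sufficient  pam_unix.so try_first_pass
auth     required    pam_deny.so
account  sufficient  pam_winbind.so
account  sufficient  pam_unix.so
account  required    pam_deny.so
# session: create ~ on first login with mode 0700 (umask), then the usual pam_unix
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  required    pam_unix.so
EOF
}

write_dovecot_conf() {   # $1 = root prefix; Dovecot 2.x syntax via !include_try local.conf
    mkdir -p "$1/etc/dovecot"
    cat > "$1/etc/dovecot/local.conf" <<'EOF'
# session=yes makes Dovecot open/close a PAM session, which is what runs
# pam_mkhomedir; "dovecot" is the PAM service name (/etc/pam.d/dovecot)
passdb {
  driver = pam
  args = session=yes dovecot
}
# uid/gid/home come from NSS, i.e. files + winbind
userdb {
  driver = passwd
}
EOF
}

write_configs() {   # $1 = root prefix ("/" for the live system), $2 = workgroup, $3 = realm
    write_smb_conf "$1" "$2" "$3"
    enable_winbind_nss "$1"
    write_pam_service "$1" dovecot
    # vsftpd's default pam_service_name is "ftp": same stack, same credentials
    cp "$1/etc/pam.d/dovecot" "$1/etc/pam.d/ftp"
    write_dovecot_conf "$1"
}

join_and_check() {   # $1 = a domain user to test with
    net ads join -U Administrator   # creates the machine account; prompts for its password
    wbinfo -t                       # machine-account secret accepted by the DC?
    getent passwd "$1"              # NSS resolves the domain user (uid, home dir)?
    wbinfo -a "$1"                  # prompts for the user's password, checks it at the DC
}

case "${1:-}" in
    apply) write_configs / "$2" "$3" ;;
    join)  join_and_check "$2" ;;
esac
```

Run `apply` once, restart winbindd and Dovecot, then `join` with a real domain account; `getent passwd` failing while `wbinfo -t` succeeds usually means the nsswitch.conf change did not take effect. The generated files can be inspected first by passing a scratch directory instead of `/` to `write_configs`.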