[TriLUG] ldap authentication from Active directory or NTDS

Magnus chrish at trilug.org
Thu Jan 8 06:23:15 EST 2004


On Wednesday, January 7, 2004, at 02:46  PM, spain at ncssm.edu wrote:

> I have a small network running active directory with a RH9 server 
> running Samba, apache/mysql..

And a MUA that is sending uglified HTML email.  Please fix that.

> I would like samba to pull user accounts from Active Directory to 
> authenticate users for access to fileshares..  Does anyone have easy 
> instructions on using PAM to set this up?

I'm in the middle of doing something like this now at $WORK.  The gist 
of it is that Active Directory does not have the right schema to handle 
*NIX users, and must be extended.  For <$100 MSRP you can get MS 
Services For UNIX (SFU).  This will, among other things, extend your 
schema and give you MMC snap-ins to manage *NIX user attributes on the 
same objects as Windows users.  That's step one.

Now how to pull that data out of Active Directory once it's in?  You 
could use LDAP, true.  Or you could be lazy and use NIS.  The passwords 
are in Kerberos so NIS isn't nearly as bad as it normally would be.

You can set up Linux to auth against Kerberos with no mods to your 
Windoze box.  Just run authconfig on your RH box and on the second 
screen tell it to auth against your AD server.  Caveat: The MS 
implementation of Kerberos is incomplete and you won't have an Admin 
Server.  You'll have to sort out some other method for users to change 
their passwords.  If you're only running Linux on the file server, this 
shouldn't be a concern.  I've got Linux desktops where it becomes more 
of an issue.

Once you've got all the right fields filled out in authconfig, PAM will 
take over.  Nothing special to do in Samba then as the AD users will be 
able to mount Samba shares as easily as local users.

--

C. Magnus Hedemark
http://trilug.org/~chrish
"The only way to keep your health is to eat what you don't want, drink 
what you don't like, and do what you'd rather not." - Mark Twain
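As an added example (not part of the post above), a check a practitioner could run over the krb5.conf that authconfig writes, to confirm the AD realm has a KDC and to flag the missing Admin Server caveat from the post; the realm and KDC names are constructed placeholders:

```python
import re

# Constructed sample of what authconfig writes when told to authenticate
# against an AD server; realm and KDC host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.LOCAL
[realms]
 EXAMPLE.LOCAL = {
  kdc = dc1.example.local:88
 }
[domain_realm]
 .example.local = EXAMPLE.LOCAL
"""

def parse_realms(text):
    # krb5.conf nests "REALM = { key = value }" blocks, which configparser
    # cannot read, so walk the [realms] section by hand.
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):
            in_realms = (line == '[realms]')
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = m.group(1)
            realms[current] = {}
        elif line == '}':
            current = None
        elif current and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def check_realm(text, realm):
    # A missing admin_server is the post's caveat: users get no kpasswd
    # path, so password changes need another method.
    stanza = parse_realms(text).get(realm)
    if stanza is None:
        return ['realm %s missing from [realms]' % realm]
    findings = []
    if not stanza.get('kdc'):
        findings.append('no kdc: logins cannot reach the AD domain controller')
    if not stanza.get('admin_server'):
        findings.append('no admin_server: password changes need another path')
    return findings
```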

