[TriLUG] PAM question(s)

Paul G. Szabady Paul at ThyService.com
Mon Nov 6 17:27:32 EST 2006


David,

Very interesting.  I'm not sure they'll let us implement NIS, but this is
definitely worth looking into.

In the interim, we've gone to using straight kerberos authentication, but
now we're getting complaints because people don't know when to use
domain\username vs username to authenticate.

As we move forward, we've been told that the powers-that-be *might* extend
the AD schema to allow us to utilize ldap.  After a long conversation, it
appears their knowledge of ldap is limited at best.  They did inform us of
an ADAM server that was available for us to use for testing, but *we*
would have to tell them how to configure it for our use.  Nice, huh?


-- 
Paul
@ Thy Service

> new bit of information of interest to this thread, sorta, quoted from my
> $boss:
>
> "Windows 2003 Server R2 has a new feature called "Identity Management
> for UNIX," which includes an Active Directory-integrated NIS service.
> All Red Hat boxes are preconfigured with the ability to authenticate
> to NIS, and with minor tweaking, you can get them to auto-create home
> directories the first time a valid NIS user logs in (similar to how
> Windows XP boxes create user profiles). R2 also includes an NFS server
> and client, and a Posix-compatible operating environment (like
> Cygwin). I wonder if you can install gcc on 2003 R2 and compile and
> run bash?"
>
> That might open some doors for alternatives.  I haven't tried this...
>
>
> On 11/2/06, David McDowell <turnpike420 at gmail.com> wrote:
>> Is this what you want?
>>
>> http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt
>>
>> David
>>
>>
>>
>> On 11/2/06, Paul G. Szabady <Paul at thyservice.com> wrote:
>> > Greetings,
>> >
>> > Is it at all possible to authenticate users via http/.htaccess using their
>> > Windows AD (native mode) domain accounts without a local user account?  I
>> > have made the following changes and it works fine if there's a local user
>> > account.  I'm trying to stay away from winbind and don't control our AD
>> > forest, so I'm not sure we can get ldap extensions in the AD.
>> >
>> > If this is not possible with the means I've mentioned, can anyone suggest
>> > any alternatives they've used or seen in use?
>> >
>> > This would mainly be on RHEL3 & RHEL4 boxes, although I have two sun
>> > servers that I need to do something with as well.
>> >
>> > In the /etc/httpd/conf/httpd.conf file I added:
>> > AuthPAM_FallThrough on
>> > AuthPAM_Enabled on
>> >
>> > In the /etc/pam.d/ config files I changed httpd and system-auth to:
>> >
>> > [root@server pam.d]# cat httpd
>> > #%PAM-1.0
>> > auth required /lib/security/$ISA/pam_env.so
>> > auth sufficient /lib/security/$ISA/pam_krb5.so
>> > auth required /lib/security/$ISA/pam_deny.so
>> > account required /lib/security/$ISA/pam_krb5.so
>> > [root@server pam.d]#
>> >
>> > [root@server pam.d]# cat system-auth
>> > #%PAM-1.0
>> > # This file is auto-generated.
>> > # User changes will be destroyed the next time authconfig is run.
>> > auth        required      /lib/security/$ISA/pam_env.so
>> > auth        sufficient    /lib/security/$ISA/pam_krb5.so ccache=/tmp/krb5cc_%u
>> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> > auth        required      /lib/security/$ISA/pam_deny.so
>> >
>> > account     required      /lib/security/$ISA/pam_unix.so
>> >
>> > password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> > password    required      /lib/security/$ISA/pam_deny.so
>> >
>> > session     required      /lib/security/$ISA/pam_limits.so
>> > session     required      /lib/security/$ISA/pam_unix.so
>> > [root@server pam.d]#
>> >
>> > Any help would be appreciated!
>> >
>> > --
>> > Paul
>> > @ Thy Service
>> >
>> >
>> > --
>> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> > TriLUG Organizational FAQ  : http://trilug.org/faq/
>> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> >
>>
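The behaviour Paul reports ("works fine if there's a local user account", otherwise not) falls out of how Linux-PAM walks the `httpd` stack quoted above. The following is an added example, not code from the thread: a small evaluator that parses a pam.d file and applies the `required` / `requisite` / `sufficient` / `optional` rules the way libpam does (an "impression" plus the status it would report, with the first failure winning). The module outcomes are constructed inputs standing in for the real modules; the assumption that pam_krb5 reports PAM_USER_UNKNOWN for a principal with no passwd entry (it resolves the name with getpwnam() before contacting the KDC) is labelled in the code, and pam_deny is modelled as PAM_AUTH_ERR, its auth-stack result. The last run shows why the trailing `auth required pam_deny.so` matters: without it, pam_env's success carries the stack and a rejected Kerberos login still comes back as PAM_SUCCESS.

```python
"""Simulate how Linux-PAM walks an auth/account stack such as the httpd file
quoted above. Module outcomes are constructed inputs, not real PAM calls."""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
IGNORE = "PAM_IGNORE"
MUST_FAIL = "PAM_PERM_DENIED"   # what libpam reports if no module ever sets a result

# Constructed copy of the /etc/pam.d/httpd stack posted in the thread.
HTTPD_STACK = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_krb5.so
"""

# The same stack with the trailing pam_deny left out (a common mistake).
HTTPD_STACK_NO_DENY = HTTPD_STACK.replace(
    "auth required /lib/security/$ISA/pam_deny.so\n", "")

# Modules whose result is fixed. The real pam_deny returns a type-specific
# error (PAM_AUTH_ERR for auth); it only appears in auth stacks here.
FIXED = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}


def parse_stack(text):
    """Parse a pam.d file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and #%PAM-1.0
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        mtype, control, module, args = parts[0], parts[1], parts[2], parts[3:]
        entries.append((mtype, control, module.rsplit("/", 1)[-1], args))
    return entries


def action_for(control, rc):
    """Map (control flag, return code) to a libpam action, following the keyword
    table: required=[success=ok default=bad], requisite=[success=ok default=die],
    sufficient=[success=done default=ignore], optional=[success=ok default=ignore]."""
    if rc == IGNORE:
        return "ignore"
    if rc == SUCCESS:
        return {"required": "ok", "requisite": "ok",
                "sufficient": "done", "optional": "ok"}[control]
    return {"required": "bad", "requisite": "die",
            "sufficient": "ignore", "optional": "ignore"}[control]


def run_stack(entries, mtype, outcomes):
    """Walk one management group (auth, account, ...) the way libpam does.
    `outcomes` maps module name -> return code and stands in for the real modules."""
    impression, status = None, MUST_FAIL
    for t, control, module, _args in entries:
        if t != mtype:
            continue
        rc = outcomes.get(module, FIXED.get(module, SUCCESS))
        act = action_for(control, rc)
        if act in ("ok", "done"):
            # A success only counts while nothing has failed yet.
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", rc
            if act == "done" and impression == "positive":
                break                       # sufficient succeeded: stop here
        elif act in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rc   # first failure wins
            if act == "die":
                break                       # requisite failed: stop here
        # "ignore": the module's result changes nothing
    return status


def authenticate(stack_text, outcomes):
    """What mod_auth_pam effectively does: pam_authenticate, then pam_acct_mgmt."""
    entries = parse_stack(stack_text)
    rc = run_stack(entries, "auth", outcomes)
    if rc != SUCCESS:
        return rc
    return run_stack(entries, "account", outcomes)


# Constructed scenarios; modules not listed (pam_env) succeed.
LOCAL_AD_USER = {"pam_krb5.so": SUCCESS}       # KDC accepts the password, passwd entry exists
WRONG_PASSWORD = {"pam_krb5.so": AUTH_ERR}     # KDC rejects the password
# Assumption: pam_krb5 resolves the name with getpwnam() before talking to the
# KDC and reports the user as unknown when there is no local account.
AD_USER_NO_PASSWD = {"pam_krb5.so": USER_UNKNOWN}

if __name__ == "__main__":
    for label, who in [("local account", LOCAL_AD_USER),
                       ("wrong password", WRONG_PASSWORD),
                       ("no local account", AD_USER_NO_PASSWD)]:
        print("%-18s %s" % (label, authenticate(HTTPD_STACK, who)))
    print("no local account, stack without pam_deny:",
          run_stack(parse_stack(HTTPD_STACK_NO_DENY), "auth", AD_USER_NO_PASSWD))
```

Because the failing `sufficient` pam_krb5 line is simply ignored, it is the `required` pam_deny that turns the result negative; remove it and the only module that set a result is pam_env, so the stack reports success for a user the KDC never accepted. The same reasoning applies to the `system-auth` file: `account required pam_unix.so` will fail for any principal without a passwd entry, which is why a pure-Kerberos setup still needs some source of local account information.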