Re: [K12OSN] can I authenticate ltsp users against win2000AD?

On Wed, 2002-07-10 at 01:53, Mike Rambo wrote:
> Is there any way to get the terminal workstation logons to authenticate
> against this 2000AD setup instead of local files? I have seen options
> for authenticating over smb (and nis, ldap etc) when I have installed
> systems but I haven't ever played with them.
> Can this be done?
> Thanks.

It is definitely possible when using Winbind.  Winbind can act as an
authentication source for Linux, mapping the NT RID to Unix UIDs and

At the University of Hawaii this past week we were exploring the
possibility of using Winbind to integrate a room full of dual boot
Windows XP and Red Hat Linux 7.3 desktops into an existing Windows .NET
beta Active Directory (one lab only, don't worry), but we ran into two
issues that made us change our mind at least for this semester.

1) The RID to UID mapping is stored in a simple database file on each
machine.  This means that synchronizing the UIDs across a room full of
independent computers can be a pain.  We thought about remote mounting
this database file over NFS, but decided against it.  When we asked
about this RID mapping synchronization issue some programmer at HP said,
"We're working on it."

This however wouldn't be a problem for you because you would have only
one Winbind RID mapping database to worry about. 

2) I was thinking about integrating the above Winbind with an NFS
mounted /home directory.  Yeah, not entirely secure, but good enough
until we can figure out transparent user-only network directory mounts
after authentication.  Some already existing PAM module allowed the
creation of a home directory if it didn't already exist.  After that
point I was thinking about using smbmount to mount that user's home
directory at ~/Home after login.  Unfortunately we were completely
unable to get SMB file connections to work to the Windows.NET beta
server.  I suspect that they changed the protocol again to lock out
Samba.  Anyone know if the Samba developers would like to SSH into our
test network and debug this?  We would give full VNC access to the
Windows.NET and Windows XP, and SSH to a Linux box.  Or perhaps it is
just a configuration option on the .NET server that would need to be

Anyway, without working file mounts and the problematic RID mapping
synchronization, we decided to make the Linux authentication and file
storage separate for the semester.  We are now using OpenLDAP and NFS
for those desktops when they boot into Linux.

And again, you wouldn't have a problem here because you have Windows
2000 as your Active Directory controller.

I wish you luck.

Warren Togami
warren togami com
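As an added illustration of the RID-to-UID synchronization problem in point 1 (this is not code from the original thread), here is a small POSIX shell check that compares `getent passwd` output captured on two Winbind hosts that share an NFS-mounted /home and reports every domain user whose UID differs between them. It also shows the deterministic mapping that the later Samba `idmap_rid` backend uses (UID = RID - base RID + low end of the range), which is what removes the need for a shared mapping database; the hostnames, user names, RIDs and UIDs below are constructed sample data.

```shell
#!/bin/sh
# Constructed sample `getent passwd` output from two Winbind hosts.
# Each host keeps its own RID->UID mapping database, so the same domain
# user can get a different UID on each box. That breaks file ownership
# on a shared NFS /home. (Sample data, not from a real domain.)
HOST_A='DOM\alice:*:10000:10000:Alice:/home/DOM/alice:/bin/bash
DOM\bob:*:10001:10000:Bob:/home/DOM/bob:/bin/bash
DOM\carol:*:10002:10000:Carol:/home/DOM/carol:/bin/bash'

HOST_B='DOM\bob:*:10000:10000:Bob:/home/DOM/bob:/bin/bash
DOM\alice:*:10001:10000:Alice:/home/DOM/alice:/bin/bash
DOM\dave:*:10002:10000:Dave:/home/DOM/dave:/bin/bash'

# uid_mismatches DUMP_A DUMP_B
# Prints "user uid_on_A uid_on_B" for each user present in both dumps
# whose UID differs. Users known to only one host are ignored.
uid_mismatches() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
    awk -F: '
        $0 == "--" { second = 1; next }          # separator between dumps
        !second    { uid_a[$1] = $3; next }      # remember UIDs from host A
        ($1 in uid_a) && uid_a[$1] != $3 { print $1, uid_a[$1], $3 }
    ' | LC_ALL=C sort
}

# rid_to_uid LOW_RANGE BASE_RID RID
# Deterministic mapping used by the Samba idmap_rid backend:
# uid = rid - base_rid + low_range. Every host computes the same UID,
# so no per-machine mapping database needs to be synchronized.
rid_to_uid() {
    echo $(( $3 - $2 + $1 ))
}

# Stand-alone run: list the users whose UIDs disagree between the hosts.
uid_mismatches "$HOST_A" "$HOST_B"
```

Run the same comparison against real `getent passwd` captures from each host before sharing home directories; an empty result means the mappings agree.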

