
Re: [K12OSN] can I authenticate ltsp users against win2000AD?

On Wed, Jul 10, 2002 at 03:47:16AM -1000, Warren Togami wrote:
> On Wed, 2002-07-10 at 01:53, Mike Rambo wrote:

> > Is there any way to get the terminal workstation logons to authenticate
> > against this 2000AD setup instead of local files? I have seen options
> > for authenticating over smb (and nis, ldap etc) when I have installed
> > systems but I haven't ever played with them.

> > Can this be done?

> > Thanks.

> It is definitely possible when using Winbind.  Winbind can act as an
> authentication source for Linux, mapping the NT RID to Unix UID's and
> GID's.

I understand that Microsoft also provides a package dealy to support the
Unix LDAP schemas in the Active Directory, obviating the need for winbind
(i.e., at that point you can use pam_krb5 and nss_ldap without any special
Samba code).  You should in any case use pam_krb5 for authentication
rather than pam_winbind, as direct Kerberos auth is simply a better fit.

Personally, I think even getting the password database unified goes a long
way in helping to ease administrative pains.

> 1) The RID to UID mapping is stored in a simple database file on each
> machine.  This means that synchronizing the UID's across a room full of
> independent computers can be a pain.  We thought about remote mounting
> this database file over NFS, but decided against it.  When we asked
> about this RID mapping synchronization issue some programmer at HP said,
> "We're working on it."

> This however wouldn't be a problem for you because you would have only
> one Winbind RID mapping database to worry about. 

The "we're working on it" has been echoed on the samba-technical mailing
list; but maintaining the RID->UID map in the Active Directory itself is a
more elegant solution, if you can get it to work.

> Unfortunately we were completely unable to get SMB file connections to 
> work to the Windows.NET beta server.  I suspect that they changed the 
> protocol again to lock out Samba.  Anyone know if the Samba developers 
> would like to SSH into our test network and debug this?  We would give 
> full VNC access to the Windows.NET and Windows XP, and SSH to a Linux 
> box.  Or perhaps it is just a configuration option on the .NET server 
> that would need to be changed.

You would have to ask the Samba Team directly, but I suspect you would get
a 'yes' from at least one member of the Team.  My guess would be that it
has to do with the not-quite-supported SignAndSeal stuff.

Steve Langasek
postmodern programmer
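
The per-machine RID to UID mapping problem discussed in the thread, as an added example that is not part of the original messages and is not Samba code. It is a simplified model: the allocate-next-free-UID behaviour, the range start of 10000, and the sample RIDs are assumptions made for illustration.

```python
# Added illustration: simplified model of a per-host RID->UID map, not Samba code.
class LocalIdMap:
    """Per-machine map: hands out the next free UID the first time a RID is seen."""

    def __init__(self, first_uid=10000):  # range start is an assumed value
        self.next_uid = first_uid
        self.rid_to_uid = {}

    def uid_for(self, rid):
        if rid not in self.rid_to_uid:
            self.rid_to_uid[rid] = self.next_uid
            self.next_uid += 1
        return self.rid_to_uid[rid]


def conflicts(map_a, map_b):
    """RIDs known to both maps whose UIDs disagree -> {rid: (uid_a, uid_b)}."""
    shared = map_a.rid_to_uid.keys() & map_b.rid_to_uid.keys()
    return {rid: (map_a.rid_to_uid[rid], map_b.rid_to_uid[rid])
            for rid in sorted(shared)
            if map_a.rid_to_uid[rid] != map_b.rid_to_uid[rid]}


def simulate(logins_a, logins_b, shared_map=False):
    """Replay first-login order on two hosts; shared_map=True models one central map."""
    map_a = LocalIdMap()
    map_b = map_a if shared_map else LocalIdMap()
    for rid in logins_a:
        map_a.uid_for(rid)
    for rid in logins_b:
        map_b.uid_for(rid)
    return conflicts(map_a, map_b)


# Constructed sample data: three domain RIDs and the order they first log in.
ALICE, BOB, CAROL = 1104, 1105, 1110
HOST_A_LOGINS = [ALICE, BOB, CAROL]
HOST_B_LOGINS = [CAROL, ALICE]

if __name__ == "__main__":
    print("independent maps:", simulate(HOST_A_LOGINS, HOST_B_LOGINS))
    print("single shared map:", simulate(HOST_A_LOGINS, HOST_B_LOGINS, shared_map=True))
```

With independent maps the same UID number refers to different domain users on each host, so anything keyed on numeric UID and shared between the hosts is attributed to the wrong account; a single map removes the disagreement.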
