[BBLISA] Single sign-on help requested

Mark Manley mwmanley at gmail.com
Thu Aug 23 09:56:39 EDT 2007


That's not completely true.  He can set up cross-realm authentication in
Kerberos to have AD accept the TGTs and vice-versa.  This way, people can
use their Unix credentials to access AD resources.  There is plenty of
documentation on the Microsoft site and on the Internet about setting it up.

On 8/23/07, Sean OMeara <someara at gmail.com> wrote:
>
> Scott:
>
> If you want TRUE single sign on capabilities and you intend to involve
> Windows in any way, you absolutely have to use an Active Directory as
> your kerberos KDC. There is ABSOLUTELY NO WAY around it. (unless of
> course you're adventurous enough to use samba4)
>
> By TRUE single sign on I mean:
> passwordless authentication to network resources (ssh, samba shares/
> NFSv4 servers, (homedirs!) apache/mod_spnego, jabber/sasl, ssh/gssapi,
> ldap/sasl, AFS, the works) from both the XP clients and the linux/unix
> clients.
>
> The only way to do it is:
> authentication
> *Active Directory KDC + LDAP + RPC for windows
> authentication/authorization
> *Active Directory KDC for unixland kerberos authentication
>
> authorization
> * Active Directory ldap server schema extensions (ms SFUv3.5) to house
> the unix posix data (uid, gid, homedir, shell, supplemental gids
> ((/etc/group))
>
> or
> * separate ldap resource (openldap, fedoraDS) dedicated to housing the
> unix posix data
> * scripting fun to keep your groups in order
>
> The reason for this lies in the way Windows handles the authorization
> part of the sign on process. ( unix clients dig their authorization
> data out of ldap, windows clients have it returned in the PAC field
> within their kerberos ticket)
>
> It's actually not that bad really.... AD can be manipulated from the
> linux command line via samba tools (net ads user add, net ads group
> delete, etc)
>
> ......
>
> now barring all that... if what you meant by "single sign on" is
> actually "unified passwords", then you can do it without AD using
> samba and ldap no problem. (well, only small problems anyway)
>
>
> No matter what you'll have to maintain TWO password databases, one for
> windows, and one for everyone else.
>
> The standard configuration for this is one of the two of these:
>
> a)
> authentication
> * Windows NT4 style NTLMv2 Samba v3 authentication
> * Samba looks at an ldap backend for:
> sambaLMPassword:
> sambaNTPassword:
>
> * unixland clients attempt a bind to the ldap server, testing against the
> field:
> userPassword
>
> authorization:
> Samba looks at an ldap backend for, and then returns to the windows
> machine via rpc:
> sambaAcctFlags
> sambaPrimaryGroupSID:
> sambaLogonTime:
> sambaPasswordHistory
> sambaSID
> sambaPwdCanChange:
> sambaAcctFlags:
> sambaPwdLastSet:
> sambaPwdMustChange
>
> b)
> authentication:
> samba stuff for windows
> unixland looks to an MIT or Heimdal KDC for authentication
>
> authorization:
> same stuff for windows
> unixland looks in the ldap directory for:
> uidNumber
> gidNumber
> homeDirectory
> groups information
>
> The consequences of the dual password sources will boil down to this:
>
> When a user changes his password via the unix passwd utility, it will
> only change:
> the userPassword field in the ldap record or the password on the
> kerberos principal.
>
> Windows users change it via samba, which can call a script to change
> both the sambaNTPassword fields and the userPassword fields in the
> ldap record.
>
> I'm not sure if it's possible to have samba call a script to set the
> sambaNTPassword and change the kerberos princ.
>
> PS if you're going to get kerberos involved in any way, every machine
> needs to be able to resolve their FQDN, both forward and reverse. This
> means you either need to maintain lots of /etc/hosts entries in the
> form:
>
> 127.0.0.1        localhost        localhost.localdomain
> 127.0.0.1        somebox.mit.edu sombox
>
> or proper 1 to 1 mapped forward and reverse DNS.
>
> If your machine can't correctly do
> hostname and hostname -f, kerberos will NOT WORK.
>
> .....
>
> To answer your questions about the homedirs:
>
> You want a fileserver running both samba and NFS.
> Windows clients will use roaming profiles to mount their homedirs via
> SMB, linux will use NFS.
>
> Your error messages look like your ldap server isn't running.
>
> -s
>
>
>
> PS I live around the corner from MIT and I'm much better at explaining
> things when people buy me ronnie burgers ;)
>
> -s
>
>
> On 8/23/07, Scott Ehrlich <scott at mit.edu> wrote:
> > I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux
> > systems all 64-bit).   All Linux is out-of-box, with all packages, minus
> > international languages, installed.  No patching has been done.
> >
> > On the server, I selected system-config-authentication and enabled LDAP
> > for User Information, Kerberos, LDAP, and SMB for Authentication, and
> > Shadow and MD5 Passwords, along with Authenticate system accounts by
> > network services for Options.
> >
> > All machines are on an isolated LAN, with no DNS server (I could always
> > enable and configure DNS on the server if it helps the cause).
> >
> > I also don't know if it matters, but the server is running the
> > virtualization kernel (xen), but the clients are not.
> >
> > I only have LDAP service enabled on the server.   Kerberos services are
> > enabled on both client and server.
> >
> > I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and
> > have the clients looking to the RH box for authentication.
> >
> > I also have the firewall enabled, but am letting kerberos and ldap ports
> > through as tcp.
> >
> > During a login test, /var/log/messages on the client showed:
> >
> > lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server
> > ldap://192.168.1.100: Can't contact LDAP server
> >
> > lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32
> > seconds)...
> >
> > lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server
> > ldap://192.168.1.100: Can't contact LDAP server
> >
> > lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server...
> >
> > lin1 xfs: ...
> >
> >
> > During boot time, Starting system message bus: [long pause] then error
> > messages about DB_CONFIG and /var/lib/ldap, the usual cannot find
> > DB_CONFIG in /var/lib/ldap, showing the example.com instead of my
> > customized ldap settings, etc.
> >
> > I've checked openldap.org, but I figured if the configuration appears to
> > be simplified via an included GUI, I shouldn't have much trouble getting
> > things going.
> >
> > Anyway, what am I missing?   Anything special RH 5 is doing compared to
> > the openldap docs?
> >
> > Both servers have been rebooted since adding the respective ports in the
> > firewall.
> >
> > The goal is to permit my test user, created on the server, to sit at a
> > workstation, boot into either Linux or XP, and get their home directory.
> >
> > Ideally, the server only needs to consist of one account for them, which
> > they get upon login on the workstation.
> >
> > I want to highly restrict _any_ third-party tools/apps/etc.   I will be
> > happy to take suggestions and leads, but I want to try and rely on what
> > RH has provided.
> >
> > Thanks for any insight/help.
> >
> > Scott
> >
> > _______________________________________________
> > bblisa mailing list
> > bblisa at bblisa.org
> > http://www.bblisa.org/mailman/listinfo/bblisa
> >
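Sean's point above that every Kerberos host must resolve its FQDN both forward and reverse (hostname and hostname -f) is easy to get wrong with hand-maintained /etc/hosts files, so here is a small pre-flight checker. It is an added example, not code from this thread; the host names, addresses and tables are constructed, and the first-matching-line rule is how the glibc files backend reads /etc/hosts.

```python
"""Kerberos host-name pre-flight: the FQDN must resolve forward and reverse back to itself."""
import socket

def check_host_mapping(fqdn, forward, reverse):
    """Return a list of problems; empty means host/<fqdn>@REALM will be usable.
    forward(name) -> address; reverse(address) -> (canonical name, aliases)."""
    if "." not in fqdn:
        return [f"'{fqdn}' is not fully qualified; fix the host name first"]
    try:
        addr = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    problems = []
    if addr.startswith("127."):
        problems.append(f"{fqdn} resolves to loopback {addr}, unusable from other hosts")
    try:
        canon, aliases = reverse(addr)
    except OSError as exc:
        return problems + [f"reverse lookup of {addr} failed: {exc}"]
    if canon.lower() != fqdn.lower():
        note = " (listed only as an alias)" if fqdn.lower() in map(str.lower, aliases) else ""
        problems.append(f"reverse of {addr} is '{canon}', expected '{fqdn}'{note}")
    return problems

def hosts_table_resolvers(table):
    """Resolvers over a constructed /etc/hosts-style table [(address, [names...])].
    Like the glibc files backend, the first matching line wins in both directions."""
    def forward(name):
        for addr, names in table:
            if name.lower() in map(str.lower, names):
                return addr
        raise OSError(f"unknown host {name}")
    def reverse(addr):
        for a, names in table:
            if a == addr:
                return names[0], names[1:]
        raise OSError(f"unknown address {addr}")
    return forward, reverse

# Constructed tables, not from the thread. Only ONE_TO_ONE passes the check.
LOOPBACK_ONLY = [("127.0.0.1", ["localhost", "localhost.localdomain"]),
                 ("127.0.0.1", ["somebox.example.edu", "somebox"])]
ALIAS_FIRST = [("192.168.1.50", ["somebox", "somebox.example.edu"])]
ONE_TO_ONE = [("192.168.1.50", ["somebox.example.edu", "somebox"])]

if __name__ == "__main__":
    for label, table in (("loopback", LOOPBACK_ONLY), ("alias-first", ALIAS_FIRST), ("1-to-1", ONE_TO_ONE)):
        print(label, check_host_mapping("somebox.example.edu", *hosts_table_resolvers(table)) or "OK")
    me = socket.getfqdn()  # same check against this machine, through the real resolver
    print(me, check_host_mapping(me, socket.gethostbyname, lambda a: socket.gethostbyaddr(a)[:2]) or "OK")
```

Run it on a client or server before joining it to the realm; the loopback and alias-first cases are exactly the two hosts-file mistakes that make the service principal name not match what the KDC expects.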