Comments on: Complete Linux-AD Authentication Details http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/ The weblog of an IT pro specializing in virtualization, storage, and servers Fri, 05 Dec 2008 07:21:38 +0000 http://wordpress.org/?v=2.6 By: Linux-AD Integration, Version 4 « Junji’s Blog Site http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-40778 Linux-AD Integration, Version 4 « Junji’s Blog Site Wed, 20 Aug 2008 08:14:53 +0000 http://blog.scottlowe.org/?p=143#comment-40778 [...] are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; [...] [...] are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; [...]

]]> By: Deependra Singh Shekhawat http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-40171 Deependra Singh Shekhawat Sat, 26 Jul 2008 04:33:11 +0000 http://blog.scottlowe.org/?p=143#comment-40171 Hi, Very excellent tutorial. I was able to authenticate Linux machines from Active Directory on windows server 2003. Kerberos part really helped me alot. Will be reading your article regarding NFS mounts next. Again thanks alot. Hi,

Very excellent tutorial. I was able to authenticate Linux machines from Active Directory on windows server 2003.

Kerberos part really helped me alot.

Will be reading your article regarding NFS mounts next.

Again thanks alot.

]]> By: User http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-40065 User Tue, 15 Jul 2008 18:51:31 +0000 http://blog.scottlowe.org/?p=143#comment-40065 I have followed the instructions as above but without using SFU as post 3. However getent passwd username returns nothing. /etc/ldap.conf looks correct. Can you help? I have followed the instructions as above but without using SFU as post 3. However getent passwd username returns nothing. /etc/ldap.conf looks correct.

Can you help?

]]> By: slowe http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-39666 slowe Tue, 01 Jul 2008 21:48:54 +0000 http://blog.scottlowe.org/?p=143#comment-39666 Greg, Great point--adding a local user is a great way to help isolate some of the different components involved in this kind of integration project. This at least lets you determine if the problem is Kerberos, LDAP, PAM, or something else entirely. Thanks for reading! Greg,

Great point–adding a local user is a great way to help isolate some of the different components involved in this kind of integration project. This at least lets you determine if the problem is Kerberos, LDAP, PAM, or something else entirely.

Thanks for reading!

]]> By: Greg Kenoyer http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-39660 Greg Kenoyer Tue, 01 Jul 2008 16:34:38 +0000 http://blog.scottlowe.org/?p=143#comment-39660 Ryan, While you may never come back to this page I thought I should just answer for future readers. I am also on this path and am trying to tie my AD to RHEL v5.1/2 workstations. I encountered the same issue (able to generate tickets but cannot logon). I was able to finally log on when I created (via adduser script) a local account that matched the AD account. I am still trying to get the username map and the winbind methods to work...but at least I know that the other 'stuff' is working. Ryan, While you may never come back to this page I thought I should just answer for future readers. I am also on this path and am trying to tie my AD to RHEL v5.1/2 workstations.
I encountered the same issue (able to generate tickets but cannot logon). I was able to finally log on when I created (via adduser script) a local account that matched the AD account. I am still trying to get the username map and the winbind methods to work…but at least I know that the other ’stuff’ is working.

]]> By: Ryan http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-36215 Ryan Thu, 13 Mar 2008 21:53:38 +0000 http://blog.scottlowe.org/?p=143#comment-36215 Hi, Just a shot in the dark to hopefully get a response. I realize this article is a bit old. Anyways, I've been working on Red Hat/AD authentication for a little while now and I managed to get my Red Hat version AS4 authenticating to the AD server just fine. However, when I follow the exact same steps on a Red Hat ES3 server, it doesn't work. Kerberos configures properly (I can generate tickets for AD users no problem) but cannot logon or anything else. I tried making my ldap.conf file the same as yours (adding a few attributes) but still nothing. I also read you mention there are differences between Red hat versions regarding system-auth. Both my files are word for word identical. Is there something I should be doing differently for ES3 and AS4? Thanks, Ryan Hi,

Just a shot in the dark to hopefully get a response. I realize this article is a bit old.

Anyways, I’ve been working on Red Hat/AD authentication for a little while now and I managed to get my Red Hat version AS4 authenticating to the AD server just fine. However, when I follow the exact same steps on a Red Hat ES3 server, it doesn’t work.
Kerberos configures properly (I can generate tickets for AD users no problem) but cannot logon or anything else.
I tried making my ldap.conf file the same as yours (adding a few attributes) but still nothing. I also read you mention there are differences between Red hat versions regarding system-auth. Both my files are word for word identical.
Is there something I should be doing differently for ES3 and AS4?

Thanks,
Ryan

]]> By: Alex http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-34156 Alex Wed, 14 Nov 2007 22:22:13 +0000 http://blog.scottlowe.org/?p=143#comment-34156 Trying to follow this, but having a hell of a time with Kerberos. I follow the directions here and get the following Warning/Error WARNING: Account DEVSERVER$ is not a user account (uacflags=0x1021). WARNING: Resetting DEVSERVER$'s password may cause authentication problems if DEVSERVER$ is being used as a server. Reset DEVSERVER$'s password [y/n]? y WARNING: pType and account type do not match. This might cause problems. I then copy the resulting keytab file to the server and try: kinit -V -k -t ./devserver.keytab host/devserver.dsgi.us and get the following message: kinit(v5): Key table entry not found while getting initial credentials Any idea what I am doing wrong? Trying to follow this, but having a hell of a time with Kerberos. I follow the directions here and get the following Warning/Error

WARNING: Account DEVSERVER$ is not a user account (uacflags=0×1021).
WARNING: Resetting DEVSERVER$’s password may cause authentication problems if DEVSERVER$ is being used as a server.

Reset DEVSERVER$’s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.

I then copy the resulting keytab file to the server and try:
kinit -V -k -t ./devserver.keytab host/devserver.dsgi.us

and get the following message:
kinit(v5): Key table entry not found while getting initial credentials

Any idea what I am doing wrong?

]]> By: slowe http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-31229 slowe Tue, 27 Mar 2007 15:30:30 +0000 http://blog.scottlowe.org/?p=143#comment-31229 Chris, I believe you'll need the Server for NIS component (this actually installs the schema extensions and the add-in for Active Directory Users and Computers), but I think most of the rest of it is not needed. However, it's been a while since I did this. Do you have access to Windows Server 2003 R2? It includes SFU 3.5 and uses a newer (and, in my opinion, more compatible) set of schema extensions for UNIX attributes. Chris,

I believe you’ll need the Server for NIS component (this actually installs the schema extensions and the add-in for Active Directory Users and Computers), but I think most of the rest of it is not needed. However, it’s been a while since I did this. Do you have access to Windows Server 2003 R2? It includes SFU 3.5 and uses a newer (and, in my opinion, more compatible) set of schema extensions for UNIX attributes.

]]> By: chris dolese http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-31221 chris dolese Tue, 27 Mar 2007 02:25:49 +0000 http://blog.scottlowe.org/?p=143#comment-31221 keytab file creation ... i wound up having to use whats below : ktpass -princ host/mylinuxserver.mydomain.com@LANDAIR -mapuser MYDOMAIN\mylinuxserver$ -crypto DES-CBC-MD5 -pass mypassword -ptype KRB5_NT_PRINCIPAL -out mykeytabfilename keytab file creation …

i wound up having to use whats below :

ktpass -princ host/mylinuxserver.mydomain.com@LANDAIR -mapuser MYDOMAIN\mylinuxserver$ -crypto DES-CBC-MD5 -pass mypassword -ptype KRB5_NT_PRINCIPAL -out mykeytabfilename

]]> By: chris dolese http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/#comment-31210 chris dolese Mon, 26 Mar 2007 18:20:39 +0000 http://blog.scottlowe.org/?p=143#comment-31210 does anyone have specifics on what options should be taken and how for the install of of microsoft SFU 3.5 does anyone have specifics on what options should be taken and how for the install of of microsoft SFU 3.5

]]>