Comments on: Complete Linux-AD Authentication Details http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/ The weblog of an IT pro specializing in virtualization, storage, and servers Fri, 12 Mar 2010 13:44:56 +0000 http://wordpress.org/?v=abc hourly 1 By: Nisso Moyal http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-43834 Nisso Moyal Wed, 11 Mar 2009 16:53:49 +0000 http://blog.scottlowe.org/?p=143#comment-43834 Slowe, forgot to mention that I have 2008 AD installed, I'm going to test your method with ubuntu clients. I saw your article about the 2008 server so I'll use that and will let you know if i have any issues. Slowe,
forgot to mention that I have 2008 AD installed, I’m going to test your method with ubuntu clients. I saw your article about the 2008 server so I’ll use that and will let you know if i have any issues.

]]> By: slowe http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-43817 slowe Mon, 09 Mar 2009 18:14:06 +0000 http://blog.scottlowe.org/?p=143#comment-43817 Nisso, I don't think that the overhead of using LDAP is going to be all that much different from the overhead of using Winbind, but I don't have any objective data one way or another. And yes, it does work the way I describe above. Nisso,

I don’t think that the overhead of using LDAP is going to be all that much different from the overhead of using Winbind, but I don’t have any objective data one way or another.

And yes, it does work the way I describe above.

]]> By: Nisso Moyal http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-43815 Nisso Moyal Mon, 09 Mar 2009 17:06:16 +0000 http://blog.scottlowe.org/?p=143#comment-43815 I'm about to add 200 linux users to my domain and thought about the option you offer but I was worried about the overhead of ldap server. I ran into this article and thought using it through winbind http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx Does single sign on really work for you with the method that you described? I’m about to add 200 linux users to my domain and thought about the option you offer but I was worried about the overhead of ldap server.
I ran into this article and thought using it through winbind
http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx

Does single sign on really work for you with the method that you described?

]]> By: Linux-AD Integration, Version 4 « Junji’s Blog Site http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-40778 Linux-AD Integration, Version 4 « Junji’s Blog Site Wed, 20 Aug 2008 08:14:53 +0000 http://blog.scottlowe.org/?p=143#comment-40778 [...] are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; [...] [...] are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; [...]

]]> By: Deependra Singh Shekhawat http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-40171 Deependra Singh Shekhawat Sat, 26 Jul 2008 04:33:11 +0000 http://blog.scottlowe.org/?p=143#comment-40171 Hi, Very excellent tutorial. I was able to authenticate Linux machines from Active Directory on windows server 2003. Kerberos part really helped me alot. Will be reading your article regarding NFS mounts next. Again thanks alot. Hi,

Very excellent tutorial. I was able to authenticate Linux machines from Active Directory on windows server 2003.

Kerberos part really helped me alot.

Will be reading your article regarding NFS mounts next.

Again thanks alot.

]]> By: User http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-40065 User Tue, 15 Jul 2008 18:51:31 +0000 http://blog.scottlowe.org/?p=143#comment-40065 I have followed the instructions as above but without using SFU as post 3. However getent passwd username returns nothing. /etc/ldap.conf looks correct. Can you help? I have followed the instructions as above but without using SFU as post 3. However getent passwd username returns nothing. /etc/ldap.conf looks correct.

Can you help?

]]> By: slowe http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-39666 slowe Tue, 01 Jul 2008 21:48:54 +0000 http://blog.scottlowe.org/?p=143#comment-39666 Greg, Great point--adding a local user is a great way to help isolate some of the different components involved in this kind of integration project. This at least lets you determine if the problem is Kerberos, LDAP, PAM, or something else entirely. Thanks for reading! Greg,

Great point–adding a local user is a great way to help isolate some of the different components involved in this kind of integration project. This at least lets you determine if the problem is Kerberos, LDAP, PAM, or something else entirely.

Thanks for reading!

]]> By: Greg Kenoyer http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-39660 Greg Kenoyer Tue, 01 Jul 2008 16:34:38 +0000 http://blog.scottlowe.org/?p=143#comment-39660 Ryan, While you may never come back to this page I thought I should just answer for future readers. I am also on this path and am trying to tie my AD to RHEL v5.1/2 workstations. I encountered the same issue (able to generate tickets but cannot logon). I was able to finally log on when I created (via adduser script) a local account that matched the AD account. I am still trying to get the username map and the winbind methods to work...but at least I know that the other 'stuff' is working. Ryan, While you may never come back to this page I thought I should just answer for future readers. I am also on this path and am trying to tie my AD to RHEL v5.1/2 workstations.
I encountered the same issue (able to generate tickets but cannot logon). I was able to finally log on when I created (via adduser script) a local account that matched the AD account. I am still trying to get the username map and the winbind methods to work…but at least I know that the other ’stuff’ is working.

]]> By: Ryan http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-36215 Ryan Thu, 13 Mar 2008 21:53:38 +0000 http://blog.scottlowe.org/?p=143#comment-36215 Hi, Just a shot in the dark to hopefully get a response. I realize this article is a bit old. Anyways, I've been working on Red Hat/AD authentication for a little while now and I managed to get my Red Hat version AS4 authenticating to the AD server just fine. However, when I follow the exact same steps on a Red Hat ES3 server, it doesn't work. Kerberos configures properly (I can generate tickets for AD users no problem) but cannot logon or anything else. I tried making my ldap.conf file the same as yours (adding a few attributes) but still nothing. I also read you mention there are differences between Red hat versions regarding system-auth. Both my files are word for word identical. Is there something I should be doing differently for ES3 and AS4? Thanks, Ryan Hi,

Just a shot in the dark to hopefully get a response. I realize this article is a bit old.

Anyways, I’ve been working on Red Hat/AD authentication for a little while now and I managed to get my Red Hat version AS4 authenticating to the AD server just fine. However, when I follow the exact same steps on a Red Hat ES3 server, it doesn’t work.
Kerberos configures properly (I can generate tickets for AD users no problem) but cannot logon or anything else.
I tried making my ldap.conf file the same as yours (adding a few attributes) but still nothing. I also read you mention there are differences between Red hat versions regarding system-auth. Both my files are word for word identical.
Is there something I should be doing differently for ES3 and AS4?

Thanks,
Ryan

]]> By: Alex http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/comment-page-1/#comment-34156 Alex Wed, 14 Nov 2007 22:22:13 +0000 http://blog.scottlowe.org/?p=143#comment-34156 Trying to follow this, but having a hell of a time with Kerberos. I follow the directions here and get the following Warning/Error WARNING: Account DEVSERVER$ is not a user account (uacflags=0x1021). WARNING: Resetting DEVSERVER$'s password may cause authentication problems if DEVSERVER$ is being used as a server. Reset DEVSERVER$'s password [y/n]? y WARNING: pType and account type do not match. This might cause problems. I then copy the resulting keytab file to the server and try: kinit -V -k -t ./devserver.keytab host/devserver.dsgi.us and get the following message: kinit(v5): Key table entry not found while getting initial credentials Any idea what I am doing wrong? Trying to follow this, but having a hell of a time with Kerberos. I follow the directions here and get the following Warning/Error

WARNING: Account DEVSERVER$ is not a user account (uacflags=0×1021).
WARNING: Resetting DEVSERVER$’s password may cause authentication problems if DEVSERVER$ is being used as a server.

Reset DEVSERVER$’s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.

I then copy the resulting keytab file to the server and try:
kinit -V -k -t ./devserver.keytab host/devserver.dsgi.us

and get the following message:
kinit(v5): Key table entry not found while getting initial credentials

Any idea what I am doing wrong?

]]>