Comments on: SLED Integration into Active Directory http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/ The weblog of an IT pro specializing in virtualization, storage, and servers Tue, 09 Mar 2010 22:15:38 +0000 http://wordpress.org/?v=abc hourly 1 By: Planet Malaysia http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-40647 Planet Malaysia Fri, 15 Aug 2008 08:42:45 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-40647 If you're looking for SLES9, probably you can check here: http://www.planetmy.com/blog/how-to-authenticate-to-active-directory-on-suse-linux-9/ If you’re looking for SLES9, probably you can check here:
http://www.planetmy.com/blog/how-to-authenticate-to-active-directory-on-suse-linux-9/

]]> By: Courtney http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-37331 Courtney Fri, 02 May 2008 20:02:59 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-37331 While I have managed to get this solution to work with SLES 10, it takes between 20-30 seconds to log in with a domain account. Using network monitor on my domain controller I've narrowed this down to a problem with kerberos. The trace shows that within a fraction of a second there is a KRB_ERROR. Exactly 10 seconds later there is another kerberos query, but it appears to succeed. There is no activity for another 10 seconds, and then the authentication succeeds a few seconds later. There are no errors in syslog on the Linux server, and the log files specified in the krb5.conf file are empty. Has anyone else seen a problem similar to this? My krb5.conf file is identical to the one in this article (with the domain names changed of course). While I have managed to get this solution to work with SLES 10, it takes between 20-30 seconds to log in with a domain account. Using network monitor on my domain controller I’ve narrowed this down to a problem with kerberos. The trace shows that within a fraction of a second there is a KRB_ERROR. Exactly 10 seconds later there is another kerberos query, but it appears to succeed. There is no activity for another 10 seconds, and then the authentication succeeds a few seconds later. There are no errors in syslog on the Linux server, and the log files specified in the krb5.conf file are empty.

Has anyone else seen a problem similar to this? My krb5.conf file is identical to the one in this article (with the domain names changed of course).

]]> By: Sven http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-36380 Sven Tue, 18 Mar 2008 15:23:44 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-36380 Hi! I configured my linux box (openSuSE 10.2) as described in this article and nearly all works perfect. AD users can login into KDE as well as root can. Both can login remotely with SSH too. AD users get their home directory mounted with pam_mount from windows file server per nfs. So far it's perfect. But: no one can login into console or when linux box is in runlevel 3. Can someone approve this please? My /etc/pam.d/common-*-pc files look as follows: account sufficient pam_krb5.so account required pam_unix2.so auth optional pam_mount.so auth required pam_env.so auth sufficient pam_krb5.so auth required pam_unix2.so password required pam_pwcheck.so nullok password sufficient pam_winbind.so password required pam_unix2.so nullok use_first_pass use_authtok session optional pam_mount.so session required pam_limits.so session required pam_unix2.so session optional pam_umask.so BTW: without the line “password sufficient pam_winbind.so” it was not possible to change user password when expired because the cursor is jumping between two password fields. Regards, Sven Hi!

I configured my linux box (openSuSE 10.2) as described in this article and nearly all works perfect. AD users can login into KDE as well as root can.
Both can login remotely with SSH too. AD users get their home directory mounted with pam_mount from windows file server per nfs. So far it’s perfect.

But: no one can login into console or when linux box is in runlevel 3. Can someone approve this please?

My /etc/pam.d/common-*-pc files look as follows:

account sufficient pam_krb5.so
account required pam_unix2.so
auth optional pam_mount.so
auth required pam_env.so
auth sufficient pam_krb5.so
auth required pam_unix2.so
password required pam_pwcheck.so nullok
password sufficient pam_winbind.so
password required pam_unix2.so nullok use_first_pass use_authtok
session optional pam_mount.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so

BTW: without the line “password sufficient pam_winbind.so” it was not possible to change user password when expired because the cursor is jumping between two password fields.

Regards,
Sven

]]> By: Lars Müller http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-36068 Lars Müller Mon, 10 Mar 2008 12:37:41 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-36068 The configuration (Samba, krb5, NSS) created by YaST is kerberized. Therefore authentication is possible as soon as the Domain Controller is available. And after a first login to Microsoft's (MS) Active Directory (AD) environment even off line use is possible. By intention the SUSE Linux solution doesn't require any modification to MS AD. It's aimed to be a drop in replacement. In addition it's still possible to change the configuration without any conflict to YaST. Check http://suse.de/~lmuelle with a link to a white paper. The configuration (Samba, krb5, NSS) created by YaST is kerberized. Therefore authentication is possible as soon as the Domain Controller is available. And after a first login to Microsoft’s (MS) Active Directory (AD) environment even off line use is possible.

By intention the SUSE Linux solution doesn’t require any modification to MS AD. It’s aimed to be a drop in replacement.

In addition it’s still possible to change the configuration without any conflict to YaST.

Check http://suse.de/~lmuelle with a link to a white paper.

]]> By: Peter http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-34658 Peter Fri, 14 Dec 2007 13:36:02 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-34658 The yast2 approach only maps AD users to Unix accounts on the local machine, it's no true single sign on solution. In contrary, this solution stores Unix UIDs in Active Directory, you have network-wide authentication. The yast2 approach only maps AD users to Unix accounts on the local machine, it’s no true single sign on solution.

In contrary, this solution stores Unix UIDs in Active Directory, you have network-wide authentication.

]]> By: Benjamin Knust http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-34373 Benjamin Knust Tue, 27 Nov 2007 11:03:17 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-34373 Hi nice blog ! I would like to pick up Adams and Nachos question ? Can anyone tell where benefits are and especially Adams question "how this approach compares to the yast2 module" ? Greetz ps. I saw the date anyway :-) Hi nice blog !

I would like to pick up Adams and Nachos question ?
Can anyone tell where benefits are and especially
Adams question “how this approach compares to the yast2 module” ?

Greetz

ps. I saw the date anyway :-)

]]> By: Adam Spiers http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-33809 Adam Spiers Fri, 19 Oct 2007 18:12:02 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-33809 I would also love to know how this approach compares to the yast2 module for AD integration which is built into SLED10. From my limited experience they do pretty much the same thing, but the yast2 module just requires filling in a few boxes and clicking the mouse a few times. I would also love to know how this approach compares to the yast2 module for AD integration which is built into SLED10. From my limited experience they do pretty much the same thing, but the yast2 module just requires filling in a few boxes and clicking the mouse a few times.

]]> By: slowe http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-33475 slowe Mon, 24 Sep 2007 11:09:31 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-33475 Jeff, Actually, the Novell Cool Solutions article was also submitted by Shannon VanWagner (the same reader to which I attributed the instructions in this article; see the first sentence). This article was published on 3/22/07; the Novell Cool Solutions article was published on 4/4/07. So it would appear that this article is NOT a "copy and paste" from another site. Thanks for reading! Jeff,

Actually, the Novell Cool Solutions article was also submitted by Shannon VanWagner (the same reader to which I attributed the instructions in this article; see the first sentence). This article was published on 3/22/07; the Novell Cool Solutions article was published on 4/4/07. So it would appear that this article is NOT a “copy and paste” from another site.

Thanks for reading!

]]> By: Jeff http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-33473 Jeff Mon, 24 Sep 2007 07:32:27 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-33473 Copy and Paste from : http://www.novell.com/coolsolutions/feature/18851.html Copy and Paste from :
http://www.novell.com/coolsolutions/feature/18851.html

]]> By: Nacho http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/comment-page-1/#comment-33383 Nacho Mon, 17 Sep 2007 10:16:40 +0000 http://blog.scottlowe.org/2007/03/22/sled-integration-into-active-directory/#comment-33383 Hi, SLED 10 already comes with AD authentication, are there any improvements using this method? Regards Hi, SLED 10 already comes with AD authentication, are there any improvements using this method?
Regards

]]>