Linux+Windows Single Sign-on

musichead writes "Bill Boswell (writing for redmondmag.com) has posted an interesting article on configuring Linux clients to utilize a single sign-on and play nicely in a Microsoft Active Directory network. The article focuses on Fedora Core 2 (and the Core 3 beta), but he has examples and instructions for SuSE Linux 9.1 Professional, Mandrake 10.1 and Xandros Desktop 2.5 on his website."
  • XP Home won't log onto domains. It's bloody annoying for geeks with several computers in the house...
    • RTFA, XP Home doesn't come up.
      • No, but the guy was just making a point that this is useless with most (legit) XP installs at home.
      • I did read the article - it's obviously aimed at corporate use where they're unlikely to have XP Home, but at the same time my ears pricked up when I read the article summary, only to remember that my plans of doing something similar at home had been dashed by Microsoft removing the domain functionality from XP Home.

        I admit it, it's not that apropos to the discussion, but I did fancy having another gripe about it!
    • XP Home won't log onto domains. It's bloody annoying for geeks with several computers in the house...
      It sure would be. Good thing real geeks don't use Windows. :P
  • by lysander ( 31017 ) on Wednesday January 05, 2005 @09:43AM (#11263264)
    Not that many sites use Kerberos, but MIT has had single sign-on with Kerberos [mit.edu] for quite some time.
  • However this will be useful information to have on hand the next time I propose a Linux server to my M$-centric management.

    I wonder why the various Linux Vendors have not had some kind of setting during install to allow authentication to an Active Directory. It would make the "Linux infiltration" simpler!
    • by Glamdrlng ( 654792 ) on Wednesday January 05, 2005 @12:19PM (#11264713)
      I wonder why the various Linux Vendors have not had some kind of setting during install to allow authentication to an Active Directory.
      I haven't made use of it yet, but during install SuSE 9.2 gives you the option of pointing the authentication piece to Active Directory.
    • Actually it's not. A big selling point with Windows 2000 and SFU was that Kerberos, an LDAP-based directory, and a NIS/LDAP gateway would allow interoperability between existing UNIX installations. They have had several white papers on this for some time.

      Last time I installed Red Hat, sometime around version 7.3 or 8, there was a choice to authenticate against SMB and LDAP; both would allow auth against the Active Directory. I would assume that it was dropped from Fedora since its target wasn't enter
      • Why "assume" that?
        Joining AD with Fedora is trivial, and is basically the same as in RHEL.
        • But is it part of the installation? It was in Red Hat 8, but appears to have since been dropped. Manually joining the AD is trivial for almost every distro, depending on how you want to auth against the AD, but it used to be in Red Hat's installer. I thought about it for a moment, came up with what I thought would be a possibility as to why it was dropped, and then, when it seemed that it was a good option, I assumed that it or something similar could be the reason it is no longer included in the installation.
          • In Fedora (and future RHEL), lots of things are moving from the installation to the firstboot (and some things are assumed to be configured by the user now).
            The system-config-authentication is the same as (will be) in RHEL; Fedora is just a step or two in front of the current RHEL.
    • Mandrake has had Windows Domain (i.e. NT4) support during installation since Mandrake 9.1. It supported AD in some AD configurations (i.e. "Allow anonymous searches in AD" or something like that).

      Full AD support is available in 10.1 and Corporate Desktop 3.
  • Easier the other way (Score:3, Interesting)

    by gregmac ( 629064 ) on Wednesday January 05, 2005 @10:56AM (#11263931)
    I've had "single sign-on" for a while now, using Samba as my PDC (originally replaced my NT server about 3 years ago). It wasn't overly difficult to set up, but basically it's running LDAP at the very bottom, and Samba uses LDAP as its database. I can also authenticate from other Linux boxes directly against the LDAP server.

    I also integrated a number of web applications into it so they authenticate against the LDAP server as well. This isn't always quite as nice - you usually have to type your user/pass in again - but at least it's synchronized with your main account.

    As far as end-users are concerned, the result is the same. None of my end-users know any difference between running on this or a Windows server, I don't have any more work to do (things seem to break less than they did with NT .. but I never had stats on this so I can't say for sure) and it's a lot easier to get updates now. And above all, it saves us a lot of money in licensing fees.
    • Are you running Kerberos under/with the LDAP, as well? I'm trying to proceed in this direction, though I want to start with LDAP/SASL/Kerberos first, and add Samba after. There have been two readily available documents on how to do this, though I don't have URLs handy at the moment. I've also seen rumblings that the Samba team doesn't like OpenLDAP, and is planning to add their own LDAP service to a future release. So I'm not sure how that will play out against the solution I'm pursuing.
      • If you're going to go all out that way, pick up Kerberos: The Definitive Guide and LDAP System Administration from O'Reilly. Both cover initial installations and interoperability with other authentication stores and are very good references.

        I am setting up at home a UNIX Kerberos realm and have a Windows 2000 AD using a cross-realm trust and LDAP referrals. When I get around to finishing it, including PAM-ifying Slackware, I should have a complete SSO across all my systems.
    • Problem with Samba and Windows NT. I never figured out how to get this thing working without sending the password credentials as "plain text" in the registry. Which absolutely defeats the purpose of even logging in if you have no security anyways.

    • Those are good reasons to set things up that way. I've done the same thing in small offices. I stress "small" offices.

      There are good reasons to do things the other way around. That is, a network of Windows AD servers providing the SSO and Unix clients authenticating against them.

      I run a large distributed network where I rely on Windows capabilities to minimize maintenance on client desktops. Group Policy is at the top of the list here. When Linux can natively substitute itself for an AD controller ins
      • Linux with Samba 3 can be a 2000 PDC/Kerberos KDC/LDAP auth server. However, while it can enforce GP, you still need a Windows-based box to create and manage the GPOs.
        • I know what you're talking about, having researched its capabilities recently. It's still beta and unpolished. I am not trusting a production environment to it.

          Thanks, though.
  • Just tried this out. (Score:3, Informative)

    by Godeke ( 32895 ) on Wednesday January 05, 2005 @01:28PM (#11265577)
    Having for a long time intended to link my Linux box to my home LAN's AD, this was just the ticket to try it. Overall things went well, although the instructions completely skip over the actual configuration of the krb5.conf file.

    In particular, this is a huge oversight because things don't work as expected. After some Googling I discovered that you must specify the domain as MYDOMAIN.LOCAL, all caps. This must be done in several places, otherwise it throws cryptic errors.

    With that one proviso in place, I would say the rest of the instructions were sufficient for me to figure it out in 30 minutes. Both directions authenticate properly.
    • In the event that there is no configured krb5.conf, Kerberos will use DNS lookups to find the appropriate _kerberos service records, unless for some reason your installation was configured not to. If your domain is named the same as your Kerberos realm and there are no special requirements that have to be placed in the krb5.conf, it is often preferable to use DNS to locate KDCs.

      One exception is authenticating Windows clients against a non-Windows KDC, since Windows will only use DNS to locate Windows KDCs.
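A small checker for the two pitfalls raised in the post and reply above: every place a realm name appears in krb5.conf must be the AD domain in upper case (MYDOMAIN.LOCAL), and a realm stanza with no kdc line only works while DNS lookup of KDCs is left enabled. This is an added example, not code from the article or from any of the posters; the config text and the host name dc1.mydomain.local are constructed for illustration.

```python
# Constructed example (not from the article) of a correct krb5.conf: the AD
# domain appears as the realm MYDOMAIN.LOCAL, in upper case, in every section.
FIXED_KRB5 = """[libdefaults]
    default_realm = MYDOMAIN.LOCAL
[realms]
    MYDOMAIN.LOCAL = {
        kdc = dc1.mydomain.local
    }
[domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
"""
# The same file with the mistake from the comment above (realm in lower case),
# plus no kdc line while DNS lookup of KDCs is switched off.
BROKEN_KRB5 = (FIXED_KRB5.replace("MYDOMAIN.LOCAL", "mydomain.local")
               .replace("        kdc = dc1.mydomain.local\n", "")
               .replace("[libdefaults]\n", "[libdefaults]\n    dns_lookup_kdc = false\n"))

def parse_krb5(text):
    # Minimal krb5.conf reader: {section: {key: value}}, with 'NAME = { ... }'
    # stanzas stored as nested dicts. Covers only what lint_krb5 needs.
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, stanza = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            stanza = line[:-1].rstrip(" =")
            conf[section][stanza] = {}
        elif line == "}":
            stanza = None
        elif line and section:
            key, _, value = line.partition("=")
            (conf[section][stanza] if stanza else conf[section])[key.strip()] = value.strip()
    return conf

def lint_krb5(text):
    conf, findings = parse_krb5(text), []
    libdefaults = conf.get("libdefaults", {})
    dns_ok = libdefaults.get("dns_lookup_kdc", "true").lower() != "false"
    # Every place a realm name appears must be the AD domain in upper case.
    names = [("default_realm", libdefaults.get("default_realm", ""))]
    names += [("[realms] stanza", r) for r in conf.get("realms", {})]
    names += [(f"[domain_realm] {d}", r) for d, r in conf.get("domain_realm", {}).items()]
    findings += [f"{where} '{r}' is not upper case" for where, r in names if r != r.upper()]
    # With no kdc line, libkrb5 falls back to DNS SRV records unless that is off.
    for name, settings in conf.get("realms", {}).items():
        if "kdc" not in settings and not dns_ok:
            findings.append(f"no kdc listed for '{name}' and dns_lookup_kdc is disabled")
    return findings
```

Running lint_krb5 on BROKEN_KRB5 reports four findings (three lower-case realm names and the missing kdc with DNS lookup off); the corrected file reports none.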
  • Does this work with a laptop configuration? I was a beta tester for Xandros when they first started doing Domain Authentication and one of the big complaints I had was that I had 2 profiles to manage (1 logged into AD, 1 when not logged in) and it's a real pain. Does this setup work with "cached credentials" so that I can log into my profile, even if it doesn't authenticate to my AD server?
  • Further Resources (Score:2, Informative)

    by olyar ( 591892 )
    FWIW, here are some links to more info on getting this done...

    One is the official HOWTO
    http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html [samba.org]

    The other is from the Samba 3 by Example
    http://us4.samba.org/samba/docs/man/Samba-Guide/kerberos.html [samba.org]
