As I see it, you need to achieve two things:
1. You need to find an authentication protocol that both Win2k/XP and
Linux will be happy with.
See
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerber
os.asp
With Win2k you have two :-p choices: NTLM and M$kerberos
NTLM is not a problem - Samba/PAM will do this. _But_ if you're on a
native-mode domain you might not have this option.
2. You need to set up the AD infrastructure to provide you access to the
domain ie an AD machine account for your Linux box. And you need to
support LDAP "authentication" on your Linux box. As others have pointed
out, PAM and SAMBA do this.
The documentation that comes with SAMBA is very good.
You can find the PAM admin guide at
http://www.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
I think a howto on this would be great, as it's almost certainly
something that comes up over and over again.
BTW in terms of integrating with Windows networks,
http://www.lycoris.com/ comes with a remarkably effective out of the box
configuration. Unfortunately, it doesn't have much in the way of the
sort of tools and apps you'd expect from a modern Linux distro - it's
targeted at users who need the Internet, LAN, and basic office suite
functionality. I briefly installed it a while back and the first time I
opened the "Network Browser" I saw domains and machines on the LAN that
I'd never seen from Windoze (good thing, not bad - they did exist)!
Matthew Gaylard
-----Original Message-----
From: Breathnach, Proinnsias (Dublin)
[mailto:breatpro at exchange.ie.ml.com]
Sent: 15 May 2002 13:15
To: Matthew Gaylard; Tor Bendiksen; Breathnach, Proinnsias (Dublin)
Cc: ilug at linux.ie
Subject: RE: [ILUG] Active Directory
http://www.oo-services.com/articles/sso.html
Looks like an interesting link ...
I'll let y'all know how this progresses ... looks like we'll have some
form
of LDAP auth here though, although for now I'm going to assume the worst
!!
P
> -----Original Message-----
> If you have the misfortune of working in a "native-mode" Win2k domain
it
> may only support Microsoft's Kerberos implementation as the
> authentication mechanism, in which case I think things can get
awkward.
>> As I understand it, the Active Directory is used for access control,
> rather than authentication per se.
>> Microsoft have made their extension to the krb5 ticket open - but not
> for GPL software (samba). I'm not sure whether this is in fact an
> obstacle or not, but I'd be very interested to hear in your progress,
as
> I'll be facing this issue soon - on one of the networks I have to plug
> into the administrator has been threatening to go the Win2k krb only
> route.
>
**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to any one or make copies.
** This email was scanned for viruses, vandals and malicious content **
**************************************************************************************************
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
