OK, a quick overview of what we are doing and the problem.

Firstly, changing Active Directory is not an option (unfortunately).

We are setting up single sign-on here for a mixed Linux/Windows network.

First we set up Kerberos for authentication, and it is working
perfectly against AD.

Secondly, we installed the needed schema changes to support Linux boxes
using AD4Unix. This seems to be working fine and we can add the extra
information for our Linux boxes, e.g. uid, gid, home directory, etc.

Next we set up LDAP on the Linux boxes. This is working to the extent
that we can use ldapsearch to retrieve information from AD.

Next we installed nss_ldap to allow NSS to retrieve information from AD.
Our nsswitch.conf contains the following:
passwd: compat ldap
group: compat ldap
shadow: compat
Now, using getent passwd, we see users that are in AD, and
getent group also returns AD groups.

Everything is looking good, so we remove users from /etc/passwd and
/etc/group that also exist in AD.

At this point logins stop working for users that are only in AD.
At login we get the following message:
"Authentication service cannot retrieve authentication info"

I have tracked the problem down to the fact that users that are in AD
don't have an entry in the shadow file.
I tried adding "shadow: compat ldap" to the nsswitch.conf file, but this
does not make any difference.

Relevant parts from the /etc/pam.d/login file are:
auth sufficient pam_krb5.so
auth sufficient pam_unix.so use_first_pass nullok
account required pam_unix.so
session required pam_unix.so
Between the two of us here we have done a lot of RTFM and lots of
googling, and most things we have seen indicate our setup should be
working.

Obviously adding every user into the shadow file is not an option.

One thing I did come across in my searching is that if the password
field in the passwd file is listed as "*K*" (which apparently indicates
you will be using Kerberos) instead of "x" (as it is now, to indicate
there is a shadow entry), and the nss_ldap module returns it that way,
then login works without having a shadow entry.

In summary, I think I need one of two things:
1) Get nss_ldap to give me shadow entries, or
2) Get nss_ldap to report the password field of passwd as "*K*".

Sorry for such a long mail.
Mark
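The failure described above is easy to confirm before touching PAM: with "shadow: compat" only local users have shadow lines, so any AD-only account whose passwd entry carries "x" in the password field will be rejected by pam_unix's account module. The script below is an added example, not code from the original mail or from nss_ldap; it audits passwd-format and shadow-format text (the sample lines are constructed, not from any real directory) and reports which accounts would fail for exactly this reason and which carry the "*K*" marker the poster mentions.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd entries against
# shadow entries to find accounts that pam_unix's account module would
# reject because the password field is "x" but no shadow line exists.
# Input is standard 7-field passwd text and 9-field shadow text.

# Constructed sample: what "getent passwd" might return with
# "passwd: compat ldap" (two local users, two AD-only users).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
bob:x:10001:10000:Bob AD:/home/bob:/bin/bash
carol:*K*:10002:10000:Carol AD:/home/carol:/bin/bash'

# Constructed sample: what "getent shadow" returns with "shadow: compat"
# (only the local users have lines; the hash is a placeholder).
SAMPLE_SHADOW='root:!:12345:0:99999:7:::
alice:$1$constructed$placeholderhash:12345:0:99999:7:::'

# audit_shadow PASSWD_TEXT SHADOW_TEXT
# Prints "<user> <verdict>" per passwd entry, where verdict is:
#   ok             - password field "x" and a shadow entry exists
#   missing-shadow - password field "x" but no shadow entry; pam_unix's
#                    account module cannot read the account info, which
#                    is the "cannot retrieve authentication info" case
#   kerberos       - password field "*K*"; pam_unix does not consult shadow
#   other          - any other password field value (locked, hash, ...)
audit_shadow() {
    passwd_text=$1
    shadow_text=$2
    printf '%s\n' "$passwd_text" | while IFS=: read -r user pw _rest; do
        case $pw in
            x)
                if printf '%s\n' "$shadow_text" | grep -q -- "^$user:"; then
                    echo "$user ok"
                else
                    echo "$user missing-shadow"
                fi
                ;;
            '*K*') echo "$user kerberos" ;;
            *)     echo "$user other" ;;
        esac
    done
}

# count_missing PASSWD_TEXT SHADOW_TEXT
# Number of accounts that would be refused at the account stage.
count_missing() {
    audit_shadow "$1" "$2" | grep -c ' missing-shadow$' || true
}

# Stand-alone run over the constructed sample.
audit_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "accounts lacking a shadow entry: $(count_missing "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
```

On a live box the same functions can be fed real data with `audit_shadow "$(getent passwd)" "$(getent shadow)"` (getent shadow needs root). Any account reported as missing-shadow will hit the "account required pam_unix.so" line shown in the mail with no shadow data to check; the usual remedies are to put an account line for the Kerberos module (account sufficient pam_krb5.so) ahead of pam_unix, or to give pam_unix its broken_shadow option so it ignores shadow read errors in the account stage, rather than populating the shadow file for every AD user.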