  1. #1
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796

    I have 2 questions... Single sign-on on Linux, SAMBA and AD


    I have 2 questions for you all...

    1: Has anybody set up, or got good documentation of, a single sign-on system for Linux? Like NIS or something, but much more secure and better.. It's even better if someone has succeeded in connecting the user authentication with an Active Directory or NT network. LDAP?? Kerberos?? Some PAM modification??

    2: Has anybody used SAMBA with Active Directory, and what's the difference compared to SAMBA with NT networks? Any good docs?? Threads??

    Regards

    Andutt

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    I don't think that there is anything wrong with NIS in the way that it serves its purpose excellently. It isn't really made for implementing single logins over the network, but rather to share the system databases (such as /etc/passwd) over the network. No matter what you use, you will still need something like it.
    However, to implement a better and more secure setup, I would disable NIS from publishing the actual password field from /etc/passwd and then use kerberos to do the authentication itself. But like I said, you will still need NIS to publish user names to UID mappings and the like, and for that purpose, I don't think that there is anything wrong with NIS.

  3. #3
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    I refuse to use NIS... it's a policy for me. It didn't work well at all when I used it on HP-UX. So we skip that part.

    Is there any way to connect PAM against an LDAP catalog or something?? Active Directory on Windows??

    Kerberos?? Or any other suggestion that doesn't include NIS.

    Samba integrated with Active Directory?? Has anyone read something?

    Regards

    Andutt

  4. #4
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Huh? What do you have against NIS? I'm using it all the time, and except for a buggy old version of ypserv (that I have now upgraded) I haven't experienced a single problem whatsoever with it.

    You can probably find an LDAP PAM module somewhere, just remember to get an nsswitch module as well.

    I find it somewhat disturbing that you would prefer active directory before NIS, though. Where does this hatred come from?

    The thing with kerberos is that although it might be an excellent authentication solution, I don't think that it includes any nsswitch functionality. That's what you use NIS for.

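The split Dolda describes in posts #2 and #4 (NIS or an LDAP nsswitch module for the name-to-UID mapping, Kerberos via a PAM module for the authentication itself, and no password field published over NIS) is implemented in two files, nsswitch.conf and the PAM service's auth stack, and can be checked from them. The script below is an added example, not code from this thread or from the NIS, LDAP or Kerberos projects; the configuration texts in it are constructed samples, and pam_krb5.so is the module name the Kerberos PAM module uses on common distributions.

```python
"""Audit the split between name service (nsswitch.conf) and authentication
(the PAM 'auth' stack): a network directory supplies name/UID mappings,
Kerberos does the password check, and no hashes travel over NIS.
Added example; the configuration texts below are constructed samples."""

# nsswitch.conf sources that answer lookups from a network directory.
NETWORK_SOURCES = {"nis", "nisplus", "ldap", "winbind"}


def parse_nsswitch(text):
    """Map each nsswitch database (passwd, shadow, group, ...) to its list of
    sources.  Comments and [STATUS=action] directives are dropped."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        databases[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return databases


def parse_pam_auth(text):
    """Return the module names of the 'auth' lines in a PAM service file.
    Lines look like 'auth <control> <module> [args]', where <control> is a
    single word or a bracketed list such as '[success=done default=ignore]'."""
    modules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        idx = 1
        if parts[1].startswith("["):
            while idx < len(parts) and not parts[idx].endswith("]"):
                idx += 1
        idx += 1  # the token after the control field is the module
        if idx < len(parts):
            modules.append(parts[idx])
    return modules


def audit(nsswitch_text, pam_auth_text):
    """Return a list of findings; an empty list means the layout matches the
    'directory for names, Kerberos for authentication' design."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if not NETWORK_SOURCES & set(sources):
            findings.append(f"{db}: sources {sources} are local only; no nsswitch module for the directory")
    shadow = dbs.get("shadow", [])
    if "nis" in shadow or "nisplus" in shadow:
        findings.append("shadow: password hashes are published over NIS; serve it from files only")
    modules = parse_pam_auth(pam_auth_text)
    if "pam_krb5.so" not in modules:
        findings.append(f"auth: stack {modules} has no pam_krb5.so; Kerberos is not doing the authentication")
    return findings


# Constructed sample 1: classic NIS, hashes in the NIS shadow map, local auth only.
NSSWITCH_NIS_ONLY = """\
passwd: files nis
shadow: files nis
group:  files nis
hosts:  files dns
"""
PAM_AUTH_LOCAL = """\
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok
auth    required    pam_deny.so
"""

# Constructed sample 2: LDAP answers name lookups, Kerberos checks passwords,
# and shadow stays in the local file.
NSSWITCH_LDAP = """\
passwd: files ldap
shadow: files            # hashes never leave the host
group:  files ldap [NOTFOUND=return]
hosts:  files dns
"""
PAM_AUTH_KRB5 = """\
auth    required    pam_env.so
auth    sufficient  pam_krb5.so
auth    [success=done default=ignore] pam_unix.so use_first_pass
auth    required    pam_deny.so
"""

if __name__ == "__main__":
    for label, nss, pam in (("NIS only", NSSWITCH_NIS_ONLY, PAM_AUTH_LOCAL),
                            ("LDAP + Kerberos", NSSWITCH_LDAP, PAM_AUTH_KRB5)):
        print(f"{label}: {audit(nss, pam) or ['ok']}")
```

Run against a real host by reading /etc/nsswitch.conf and the PAM service file (for example /etc/pam.d/login) instead of the embedded samples; the first sample reports the two things the thread warns about, hashes over NIS and no Kerberos in the auth stack, and the second reports nothing.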
  5. #5
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    I found very good information on how to fix this. To integrate SAMBA and Active Directory you have to use Kerberos and OpenLDAP to be able to talk with AD. Here is a good howto..

    http://asia.cnet.com/itmanager/netad...9081966,00.htm

    I also found a way to make a single sign-on solution for Linux integrated with Active Directory. Then you have to use a non-supported (Microsoft doesn't support anything they haven't done themselves) MKS AD4Unix module to install on the AD server.. Here is a good howto for that.

    http://www.securityfocus.com/infocus/1563

    If anyone other than me is going to try this... please paste progress logs here on this thread.

    Regards

    Andutt

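Post #5 says Samba reaches AD through Kerberos, and post #7 adds the goal that Samba users resolve against the domain instead of locally. The settings that carry both live in the [global] section of smb.conf (security = ads, realm, workgroup) and in nsswitch.conf (winbind as a source for passwd and group). The checker below is an added example, not code from this thread or from the Samba project; the realm AD.EXAMPLE.COM and the configuration texts are constructed placeholders.

```python
"""Check smb.conf and nsswitch.conf for Active Directory member settings:
'security = ads' (Kerberos-based membership), an upper-case Kerberos realm,
a workgroup (short domain name), and winbind in nsswitch so that domain
users resolve on the Samba host rather than from /etc/passwd alone.
Added example; all configuration texts and names are constructed."""


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf-style file.  Section
    and key names are lower-cased with internal whitespace collapsed, so
    'Security' and 'security' compare equal; ';' and '#' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def nsswitch_sources(text, database):
    """Sources listed for one nsswitch.conf database, or [] if it is absent."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def audit_ads_member(smb_conf_text, nsswitch_text):
    """Return findings; an empty list means the host is configured as an
    AD member whose domain users resolve through winbind."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    security = g.get("security", "<unset>")
    if security.lower() != "ads":
        findings.append(f"security = {security}; Kerberos-based AD membership needs 'ads'")
    realm = g.get("realm")
    if not realm:
        findings.append("realm unset; 'security = ads' needs the Kerberos realm of the AD domain")
    elif realm != realm.upper():
        findings.append(f"realm = {realm}; Kerberos realm names are case sensitive and AD realms are upper case")
    if not g.get("workgroup"):
        findings.append("workgroup unset; the short (NetBIOS) domain name is required")
    for db in ("passwd", "group"):
        if "winbind" not in nsswitch_sources(nsswitch_text, db):
            findings.append(f"nsswitch {db}: no winbind source; domain users will not resolve on this host")
    return findings


# Constructed sample 1: an NT-style domain member, as in post #7, with local
# name resolution only.
SMB_CONF_NT = """\
[global]
   workgroup = EXAMPLE
   security = domain
   password server = *
"""
NSSWITCH_LOCAL = """\
passwd: files
group:  files
"""

# Constructed sample 2: AD member via Kerberos with winbind name resolution.
SMB_CONF_ADS = """\
[global]
   workgroup = EXAMPLE
   ; realm below is a constructed placeholder
   realm = AD.EXAMPLE.COM
   security = ads
   winbind use default domain = yes
"""
NSSWITCH_WINBIND = """\
passwd: files winbind
group:  files winbind
"""

if __name__ == "__main__":
    print("NT member:", audit_ads_member(SMB_CONF_NT, NSSWITCH_LOCAL) or ["ok"])
    print("AD member:", audit_ads_member(SMB_CONF_ADS, NSSWITCH_WINBIND) or ["ok"])
```

The NT-domain sample yields four findings (security mode, missing realm, and no winbind for passwd or group), which is exactly the gap between the setup post #7 describes as working today and the AD-resolved one it asks for; the second sample yields none. Inline comments are deliberately not honoured on smb.conf value lines, because Samba itself only treats whole lines starting with ';' or '#' as comments.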
  6. #6
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    You're actually going to taint your Linux system with MS technology? I'm disappointed...

  7. #7
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    Dolda, you can't mean that you are a "religious" one... a religious man can never be as good as a non-religious man. There are good and bad sides to every operating system...... at least I think so..

    At least I'm going to try it out, hopefully I'm learning something, and secondly I see the need for some kind of solution.. I have over 100 servers to administrate, and patching + creating/modifying user accounts isn't the work I want to do every day.

    The SAMBA stuff I must do because we are in a migration phase to AD and I want the users that are using Samba to be resolved against the domain instead of locally... My Samba servers are now joined with an NT domain. And that's working without problems...

    Regards

    Andutt

  8. #8
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Although I am zealous in my quest against Microsoft, I don't think that I'm that religious. It's just that I always prefer an open standard over a closed one, since it's almost always easier to find documentation, multiple implementations, and to extend it to your needs. Further on, AD wasn't made for UNIX, so therefore I'd prefer a standard that was designed with UNIX in mind, such as NIS or LDAP. And, to be honest, I see almost no good sides to Windows in the light of UNIX. Would you be as kind as to point them out for me?

    I can only speak for myself, but I have always seen samba as an integration service between UNIX and Windows. If I were to design a network with SMB parts, I would have all my master data in standard UNIX databases, and then just use samba to "distribute" them to the nodes requiring SMB. But maybe that's just me?

  9. #9
    Linux Engineer
    Join Date
    Apr 2003
    Location
    Sweden
    Posts
    796
    The positive thing is..

    That we are using a Microsoft-based platform for our users and desktops.. all user accounts already exist there. I see no reason for me to build a Unix-based user account database if we already have one in hand. I don't think we are going to migrate desktops to Linux yet for a while..

    I think there are many good sides to MS products, the first being easiness... fast, easy to set up, almost dangerously easy.., I think Exchange, their mail system, is one of the best things they have done. I have worked a lot with MS also, and I can't say that everything with it is bad.

    You are absolutely right about the documentation and the lack of openness..

    For SAMBA.. I don't want to use either NFS or Samba where there is not an absolute requirement for it.. Both for security purposes and administration time...

    Regards

    Andutt

  10. #10
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Fast and easy to set up? I think RedHat is at least as easy to set up, especially if you're using kickstart files, and in my experience the RH installation process is also faster than any Windows installation. But that doesn't really matter, since it is the complete system that matters, not the installation process. I have worked a bit with Win2K servers, and I just find that you can't really do anything useful with them, and when you want to configure anything, you have to go through all these fancy GUI tools, which takes at least 10 times longer than doing the same task with a UNIX shell or a text editor for editing text configuration files.

    I don't know much about Exchange, though. I've never worked with email on MS-based systems. Can you tell me how it works, and how it is better than sendmail/imapd?

    And then, of course, there is, like you mentioned, Microsoft's lack of openness. You know, it's not only so much as lacking in the documentation; it's almost as if they relied on security through obscurity and obfuscation. You know, that is almost the main thing that makes me go crazy every time I try to use a Windows "solution". It might work somewhat good (by Windows' standards) as long as you use it exactly for what it was designed for. But as soon as you try to extend it, it's not so much that it doesn't work as that it doesn't actually have the capabilities of being extended. And even if it could be extended, it's virtually impossible to find any information on how to do it. The same thing happens when you get errors. Sometimes, it's virtually impossible to even find out what the error is.

    For example, I was supposed to fix a problem a local school had with their intranet (driven by IIS) a couple of months ago. The problem was in a component that was driven by MS IDC (internet database connector, you know?). Every time you tried to view the page, you got a 500 internal error returned. And that is all you got. Not a bit more information. Nothing. And since 500 is the HTTP error code for internal server error, there was simply no information that I could look up. I looked at the file and found that it was using an ODBC data source, so I looked at that and fixed some errors, and that took care of some pages, but there were still those that gave 500 errors. And this time, I just couldn't find anything. The data sources looked correct, the SQL statements were syntactically correct, the database existed, and the logs gave exactly the same information: error 500. I actually ended up giving up on the whole thing, something I would never, ever have to do on a Linux system. I mean, can you imagine that? It just says "error", and nothing more! That is Microsoft in a nutshell for me. I have gotten a lot of variations on the same theme as well, such as "error -1928572839", "internal API error", "error code 1043", "winsock error 10061", and my absolute favorite: "The action could not be completed" (OK, I tried to translate it from Swedish, so I don't know if that's the official translation, but the meaning is the same). Sometimes, an error just pops up, and the title bar says "Error" and the "description" is something chosen from the above, so not only do you not know what error it is, you don't even know what program has encountered the error! Isn't that just wonderful?

    And then we have Microsoft's "knowledge base"... At this local school, we have a lot of problems with filenames that are too long, so Windows Explorer just refuses to remove them. It took me a whole lot of debugging just to find out that the cause was that the filename was too long, since the only "error" I got was a beep from the PC speaker. I must still admit that it is admirable for a Microsoft application to actually error out on such a condition instead of segfaulting from a buffer overflow, though... But anyway, I searched MS's KB on it, and I actually did find it. And you know what they say? "Microsoft has acknowledged that this is an error". Now thank you, Microsoft! That really helps me! They also suggest a pair of extremely inelegant workarounds, such as moving the parent directory to a lower directory in order to decrease the file name length, but they haven't even thought of providing an actual bug fix! I mean seriously, what if this directory must remain in place for the system to work? How could I then move it to a lower directory to delete a file in it? And how about a bugfix? Isn't that wonderful as well?

    Oh well, I've got some of my feelings out now.
