Windows Insider

Linux-Windows Single Sign-On

Follow these steps and have your users logging on at their Linux/Unix desktops with their Windows accounts.

I am an advocate of centralized identity management and I think Active Directory makes a great repository for user account information. Interoperability can be a challenge, though. For example, you may work in a mixed environment of Linux/Unix and Windows and want users to take advantage of their Windows accounts when logging on at a Linux/Unix machine. This provides single sign-on for users who otherwise would need to maintain two different sets of passwords.

A Modest Proposal
With this in mind, I set out to accomplish what I considered to be a fairly straightforward goal: Configure the Linux desktops and servers in my office to accept logins using accounts stored in AD. My metrics for success were relatively modest. I wanted to sit down at a Linux desktop, enter a set of Windows credentials, and get a KDE or Gnome desktop with a home directory that has appropriate access permissions.

Achieving this goal turned out to be a bit more challenging than anticipated. After spending lots of time reading through docs and chasing down hints and configuration snippets, I finally found the right combination of settings for all the different Linux flavors in my lab. The results were gratifying, though. I had seamless authentication with AD that could be used for initial login, file sharing, secure shell (ssh) and other network services.

To save you a little time in case you decide to give this interoperability experiment a try, I put together notes and screen shots that show how to configure AD authentication for Fedora Core 2 (and the Core 3 beta). For examples and instructions for the other Linux flavors (SuSE Linux 9.1 Professional, Mandrake 10.1 and Xandros Desktop 2.5), visit my Web site at www.billboswellconsulting.com/linux-ad.html.

If you're a bottom-line kind of person, here's a quick summary. Xandros 2.5 has the slickest AD configuration of the bunch. Mandrakelinux and Fedora are fairly simple once you know where to add a few settings. SuSE required the most work, but Novell should have this corrected in Novell Linux Desktop.

In the examples here, I used a Windows Server 2003 domain called Company.com, flat name COMPANY. I retained the default Windows 2003 security settings, including SMB signing, LDAP signing and anonymous logon restrictions. I set the domain and forest functional level to Windows Server 2003 and left the Authenticated Users group in Pre-Windows 2000 Compatible Access, the default Windows 2003 setting.

I installed Fedora Core 2 with the Workstation package options. During setup, I assigned a unique computer name of Fedora.company.com. Following the installation, I updated all packages using Yum, the Yellowdog Updater, Modified. (Other Linux flavors use different package managers.)

Initial Configuration
Regardless of Linux flavor, you'll work with the same elements when configuring AD authentication:

  • Name Service Switch (NSS): This is a set of capabilities built into the Linux C libraries that allow an application to select a source to validate authentication credentials.
  • Pluggable Authentication Modules (PAM): This extends the standard Unix password authentication mechanism to include central authentication databases such as LDAP, Kerberos, AD and so on.
  • Winbind with Samba: The winbind service uses Samba for configuration information. For AD interoperability, make sure your system is running a current version of Samba (3.05 or newer).
  • Kerberos: Winbind uses Kerberos to get tickets for accessing AD. A Windows domain controller acts as the Key Distribution Center (KDC).

To configure winbind in Fedora, launch the authconfig utility (see Figure 1) as superuser (root). Fedora has a GUI utility—system-config-authentication—but it doesn't make all the required configuration settings.

Figure 1. A Fedora authconfig utility showing the User Information screen.

Check the Use Winbind option, then click Next. The Winbind Settings screen opens (Figure 2). Fill in the following settings (the entries you make in this screen aren't case sensitive):

  • Security Model: ADS
  • Domain: flat (NetBIOS) name for the domain (COMPANY)
  • Domain Controllers: Fully Qualified Domain Name (FQDN) for a domain controller (dc1.company.com)
  • ADS Realm: FQDN for the domain (company.com)
  • Template Shell: /bin/bash
Figure 2. If you use Samba, this is the Winbind Settings screen in authconfig.

There's a Join Domain option, but don't select it. It might not work, and you won't get sufficient feedback to help resolve problems. For now, just click OK to save the changes you just entered.

When the authconfig window closes, the console window should show that winbind starts. If this fails, try starting the service manually with the following command:

/etc/init.d/winbind start

If winbind starts, it will appear on a ps process list like this:

# ps -A | grep winbind
3132 ? 00:00:00 winbindd
3133 ? 00:00:00 winbindd

If you get an error, search the Internet with the error message. It may take a while, but nearly always someone with a similar error will have posted a solution.

Configuration Files
Authconfig makes changes to three configuration files. Listings 1-3 show their contents, with comments and irrelevant information removed.

  • nsswitch (/etc/nsswitch.conf): The critical entries are passwd and group. Other Linux flavors don't bother assigning winbind to other services.
  • system-auth (/etc/pam.d/system-auth): PAM uses a stackable authentication scheme, and each element in the stack must be separately configured. Thankfully, authconfig does a good job of setting up system-auth. Otherwise, you have to do quite a bit of experimenting.
  • smb.conf (/etc/samba/smb.conf): The idmap entries are important because winbind uses them to maintain a correspondence between AD account names and the User IDs and Group IDs used by Linux. Fedora assigns a large range of potential IDs. Typically, other Linux flavors assign a range of 10000-20000.

Also, in smb.conf, note the home directory path inserted by authconfig, /home/%D/%U. A user, call him winuser1, from an AD domain, call it company.com, would get a home directory path of /home/COMPANY/winuser1. Authconfig does not create the domain folder under /home. You must create it manually.
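As an added example (not from the column or from authconfig), this Python script parses nsswitch.conf and smb.conf in the shape authconfig writes them and checks the settings discussed above: winbind listed after files for passwd and group, security = ads, a realm, idmap ranges that do not collide with local account IDs, and the /home/%D directory that must be created by hand. The sample files, the max_local_uid cut-off and the template homedir line are constructed assumptions.

```python
"""Lint the winbind-related parts of nsswitch.conf and smb.conf.

Added example, not from the article or authconfig: the two samples below are
constructed in the shape of the files authconfig writes, and the checks
(including the max_local_uid assumption) are this script's own.
"""
import re

# Constructed sample: the NSS databases that matter for winbind logins.
NSSWITCH_SAMPLE = """\
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
"""

# Constructed sample: the [global] entries authconfig writes for security = ads.
SMB_CONF_SAMPLE = """\
[global]
workgroup = COMPANY
security = ads
realm = COMPANY.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = no
password server = dc1.company.com
"""


def parse_nsswitch(text):
    """Map each NSS database (passwd, group, ...) to its ordered source list."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    return databases


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf, keys lowercased."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def parse_idmap_range(value):
    """'16777216-33554431' -> (16777216, 33554431); None if malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", (value or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def domain_home_parent(template, domain):
    """Directory that must exist before the first domain user's home is created.

    %D expands to the short domain name; the article notes that authconfig
    does not create /home/%D for you.
    """
    return template.replace("%D", domain).split("%U", 1)[0].rstrip("/")


def check_config(nss_text, smb_text, max_local_uid=999):
    """Return a list of findings; an empty list means every check passed.

    max_local_uid is an assumption: the highest UID/GID local accounts use,
    so the winbind idmap ranges must start above it to avoid ID collisions.
    """
    findings = []
    nss = parse_nsswitch(nss_text)
    for db in ("passwd", "group"):
        sources = nss.get(db, [])
        if "winbind" not in sources:
            findings.append(f"nsswitch: '{db}' never consults winbind")
        elif sources[0] != "files":
            findings.append(f"nsswitch: '{db}' should list 'files' before 'winbind'")

    smb = parse_smb_global(smb_text)
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security = ads' is required for AD/Kerberos")
    if not smb.get("realm"):
        findings.append("smb.conf: 'realm' (Kerberos realm) is missing")
    for key in ("idmap uid", "idmap gid"):
        rng = parse_idmap_range(smb.get(key))
        if rng is None:
            findings.append(f"smb.conf: '{key}' missing or not of the form LOW-HIGH")
        elif rng[0] >= rng[1]:
            findings.append(f"smb.conf: '{key}' range {rng[0]}-{rng[1]} is empty")
        elif rng[0] <= max_local_uid:
            findings.append(f"smb.conf: '{key}' starts at {rng[0]}, inside the local account range")
    if "%U" not in smb.get("template homedir", ""):
        findings.append("smb.conf: 'template homedir' missing or lacks %U; pam_mkhomedir has no per-user path")
    return findings


if __name__ == "__main__":
    for finding in check_config(NSSWITCH_SAMPLE, SMB_CONF_SAMPLE) or ["all checks passed"]:
        print(finding)
    print("create by hand:", domain_home_parent("/home/%D/%U", "COMPANY"))
```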

Joining an AD Domain
You can now join the Linux workstation to the AD domain using the Linux net command. Here's the syntax, with everything after the first line generated by net:

# net ads join -U administrator
administrator's password:
Using short domain name -- COMPANY
Joined 'FEDORA' to realm 'COMPANY.COM'

You'll see many different syntax examples for net ads if you browse the Internet. My example shows the bare minimum, which is all you really need.

Configure PAM
At this point, a Windows user trying to authenticate at the Linux desktop would get a series of errors because a local home directory isn't present. A PAM module, pam_mkhomedir.so, automatically creates a home directory. To include this module as part of the login process, change two configuration files under /etc/pam.d (see Listings 4 and 5):

  • login: This file controls authentication from a console prompt.
  • gdm: This file controls login from a graphical screen.

Always make copies of the original files before changing PAM files. You can lock yourself out of a system if you aren't careful.

After changing the PAM files, restart the desktop. This is a quick way to ensure that authconfig made the correct boot settings for the required services.

At the login window following restart, Fedora prompts for a name. Enter the Windows account name in domain\user format, such as company\winuser1, then enter the password when prompted. (Other Linux flavors present a selection list of Windows accounts. The option to display a selection list is available in Fedora, but it is not the default setting.)

You can configure smb.conf so that you don't need to enter a domain name, which is fine if you have one AD domain but a little cumbersome if you have several.

At this point, when the login succeeds, you'll get an announcement about creating a home directory for the user. The permissions assigned to the home directory use the AD account of the user.
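To see why the stacks in Listings 3 and 4 behave the way this column describes (a local account still logs in when winbind is unreachable, a domain account is denied unless pam_winbind succeeds, and the bracketed control on the account line ignores users winbind has never heard of), here is an added Python simulator of Linux-PAM's control-flag rules; it is not part of the column. The stacks are constructed copies in the listings' format, pam_stack.so is treated as an include of the named service, and module return codes are supplied by the caller rather than by real authentication.

```python
"""Walk a PAM stack the way Linux-PAM does, in the shape of Listings 3 and 4.

Added example: the stacks below are constructed copies in the listings'
format and the per-module return codes come from the caller, so no real
authentication happens. Control-flag handling follows the Linux-PAM manual
(required, requisite, sufficient, optional and the [value=action] form).
"""
import re

# Constructed stacks modelled on Listings 3 and 4 (auth and account types only).
STACKS = {
    "system-auth": """
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_winbind.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
""",
    "gdm": """
auth     required   pam_env.so
auth     required   pam_stack.so service=system-auth
auth     required   pam_nologin.so
account  required   pam_stack.so service=system-auth
""",
}

# Shorthand control words expanded to their explicit [value=action] tables.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Modules whose answer never depends on the user: pam_deny always fails.
DEFAULT_RC = {"pam_deny.so": "perm_denied"}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(type, action_table, module_basename, args)] for one PAM file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(pair.split("=", 1) for pair in control[1:-1].split())
        else:
            table = SHORTHAND[control]
        # Strip the /lib/security/$ISA/ prefix authconfig writes.
        entries.append((mtype, table, module.rsplit("/", 1)[-1], args.split()))
    return entries


def run_stack(service, mtype, outcomes, stacks=STACKS):
    """Evaluate one management group; outcomes maps module name -> return code.

    Modules absent from `outcomes` are assumed to return 'success' (pam_env
    and friends normally do) unless DEFAULT_RC says otherwise.
    Returns 'success' or 'fail'.
    """
    status = None                      # Linux-PAM's running 'impression'
    for etype, table, module, args in parse_stack(stacks[service]):
        if etype != mtype:
            continue
        if module == "pam_stack.so":   # FC2-era include of another service
            inner = dict(a.split("=", 1) for a in args)["service"]
            rc = run_stack(inner, mtype, outcomes, stacks)
            rc = "success" if rc == "success" else "auth_err"
        else:
            rc = outcomes.get(module, DEFAULT_RC.get(module, "success"))
        action = table.get(rc, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status != "fail":       # an earlier 'required' failure sticks
                status = "success"
                if action == "done":   # sufficient: stop early on success
                    return "success"
        elif action in ("bad", "die"):
            status = "fail"
            if action == "die":        # requisite: stop on first failure
                return "fail"
        else:
            raise ValueError(f"unsupported action {action!r}")
    return status or "fail"            # no module voted: PAM denies


if __name__ == "__main__":
    local_user = {"pam_unix.so": "success"}
    domain_user = {"pam_unix.so": "auth_err", "pam_winbind.so": "success"}
    winbind_down = {"pam_unix.so": "auth_err", "pam_winbind.so": "auth_err"}
    for label, outcome in [("local", local_user), ("domain", domain_user),
                           ("domain, winbind down", winbind_down)]:
        print(f"gdm auth, {label}: {run_stack('gdm', 'auth', outcome)}")
```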

Rock On
If you can't get the steps to work, e-mail me with the particulars. This can be a finicky configuration, and you want to make sure you're in the right state of mind. During the testing I did for this column, I played Jeff Beck's album, You Had It Coming. I found track six, "Loose Cannon," especially good when setting PAM files. Give it a try.

More Information

Listing 1: nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus

Listing 2: smb.conf

[global]
workgroup = COMPANY
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
password server = w2k3-dc1.company.com w2k3-dc1.company.com
realm = COMPANY.COM

Listing 3: system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid <>
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Listing 4: gdm (PAM configuration file)

#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Listing 5: login (PAM configuration file)

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so multiple
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Reader Comments:

Tue, Jan 12, 2010 Asim samba server as Domaincontrolar

Kindly send information on how we can join an RHEL4 Samba domain controller with WinXP, or how to add a WinXP machine to an RHEL4 Samba domain controller.

Thu, Jul 19, 2007 Robin Singapore

The configuration file is correct; I had just mistyped some words, so it didn't work. Thank you for providing such a good guide.

Thu, Jul 19, 2007 Robin Singapore

Thank you very much, I followed this article and got my problem solved! One other question: I followed the configuration file as above. Why, each time I log in to Linux with a Windows account, do I have to type the password twice to log in, but if I use a local account there is no such problem? What is wrong, and what should I modify to solve the problem? Thank you

Thu, Jul 12, 2007 James Austin

Anyone have any luck with FC6 (I keep getting locked out of my computer when I modify the PAM files)??

Sat, Jun 9, 2007 Binu Chennai

Thanks Bill. Your article saved a lot of time for me. I had to use NIS to get the same UID as the UID in the Samba server; I have Linux and Windows clients for the Samba server. I am trying to mount the Linux home dir for Linux clients. Windows works smoothly.

Wed, Feb 28, 2007 darkblue Anonymous

to Tim:
I would like to authorize an AD group's users to log on to Linux clients, but I don't know the relationship between the Linux GID and AD's group ID. How do I figure it out?

Thu, Feb 8, 2007 Brijesh Shukla Japan

Hi Bill,
Thanks. I don't know much about AD, but I made Linux and Active Directory integration work successfully using this paper.
thanks

Sun, Dec 24, 2006 Frank Moore Tulsa

Sorry but - Xandros 2.5?? That's a really old version - and it still is tops in its class. Try the new 4.1, it's all that and more!!

Wed, Sep 13, 2006 Brian UK

On FC5 you need authconfig-gtk, which is the GUI version.

Mon, Jul 31, 2006 sedrik sweden

To autocreate the directories on the first logon, add this to system-auth:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

This will copy the contents of /etc/skel to the user home dir specified in smb.conf, with the user-level permissions 755.

Sun, Jul 30, 2006 tonyzoc Buffalo NY

Has anyone tried this with Fedora Core 5? My first attempt failed and I locked myself out. I'm going to try it again and be sure I back up everything. One thing different with FC5 is there no longer is a GUI for authconfig. Now it's command line...(a step forward?)

Tue, Jul 11, 2006 Nige sf

Great article and works really well, however I was wondering if anyone has tried this in a multi domain environment? I cannot seem to authenticate via different domains - anyone else had any experience of this?

thanks

Nige

Thu, Jul 6, 2006 Moses Moore Montreal

Big problem with this method: UIDs and GIDs are based on a simple increment-in-order-fetched method. So, after starting winbind, if my first operation is 'id moomo', then that username will get (and have cached) the first UID in the range specified. If, however, the cache files are destroyed or lost, and the next operation is 'id lamph', then lamph gets the UID that was formerly moomo's... including access to all of moomo's files.

Samba mentions an option called "idmap backend," but this option is not compiled into the samba-3.0.14a package from RedHat Fedora Core 4 (RHEL 4 uses samba-3.0.10, which doesn't seem compatible with ActiveDirectory 2003).

Wed, Jun 7, 2006 smith india

sir
I have configured LDAP in Fedora Core 4. I can log in on the Linux platform, but how can a Windows user be able to log in as an LDAP user? What are the steps or changes to be applied to the LDAP configuration?

Thu, Apr 20, 2006 Anonymous Anonymous

Got me started on the right path

Wed, Feb 15, 2006 balaji india

Dear Sir,
When I join the Windows 2003 domain using the command net ads join -U administrator I am getting the error message
" utils/net_ads.c:ads_tartup(186) ads_connect: no such file (or) directory.
Please tell me how to do it.

With Regards
R.Balaji

Wed, Feb 15, 2006 balaji india

Dear sir,
I tried the way you said, but when I run net ads join -U administrator I'm getting an error; the following error is displayed: "[2006/02/15 15:51:02] utils/net-ads.c:ads_startup(186)
ads_connect: No such file or directory" and another one when I start the winbind service:
" audit(1139998420.585:0) avc:denied {create } for pid=3851 exe=/usr/sbin/winbindd name=winbindd.log scontext=root:system_r:winbind_t tcontext=root:object:samba_log_t tclass=file"
Please tell me how to do it.

with Regards
R.Balaji

Thu, Feb 2, 2006 humbletech99 london

Oops, I meant to type Linux, doh. That's what happens when you're doing other things at work while typing! Yes, the link doesn't work; this also doesn't inspire confidence. Maybe the article was considered so weak he couldn't get any more work and also had to give up his domain!

Thu, Feb 2, 2006 humbletech99 london

I have to say that this is not a very detailed article and hence I found it of no real use until I went away and read some proper docs. Coming back I can see references to stuff, but no real explanation, and I think this won't work unless you know the background stuff. Telling people to use Red Hat's own config tools is a terrible idea. Distro tools suck and shouldn't be used; it should be generic across Linux.

Wed, Feb 1, 2006 balaji chennai

Dear Sir,

I need step by step configuration in windows 2003 migration with RHEL4

With Regards
R.Balaji

Thu, Jan 5, 2006 manunnko Anonymous

Dear Team,
I used the configurations as done by Bill in FC4 but it did not work for me. The ADC is on Win2k. The FC4 server was made a member of the ADC successfully and all the groups and names can be seen from the FC4 server. I have, however, been able to set up a print server using CUPS, and it is working fine using the ADC authentication parameters. The only problem I am getting is logging into FC4 using the ADC authentication parameters. The error I am getting while logging into the FC4 server using the ADC authentication parameters is "pam_ winbind[ ] : request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER". Kindly assist with the way forward. Thanks in advance. Emmanuel

Wed, Jan 4, 2006 veerabose india

Dear sir, I tried the way you said, but when I run net ads join -U administrator
I'm getting the error

[2006/01/04 23:05:25, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password administrator@CHENNAIBPO.COM failed: Cannot find KDC for requested realm
[2006/01/04 23:05:25, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Cannot find KDC for requested realm

Please tell me how to do it.

thanks and regards
bose

Thu, Dec 22, 2005 Humbletech99 London

I found this article to be only a skim through without proper explanation of how or why, and it is very limited to the Red Hat distro. I'm using Gentoo, Debian and SuSE. I'm definitely no greenhorn, I've been into Linux for years, but I think Linux is a little bit too much hassle sometimes, even for me. Better desktop? Not on your life... I've got a nice Linux desktop at home, as well as an XP and a CLI server, but it took a huge amount of work to get Linux looking and working properly, lots of little hacks everywhere on Debian for fixes, definitely not worth the time/effort for work cos you have to change job yearly to get reasonable wages nowadays and start again...

OS X is far superior to Linux, and Windows marginally beats OS X thanks to monopolistic compatibility issues, unfortunately.

Anyway, if anyone has come across some proper Documentation on how to do this, please post URL here....

Mon, Dec 19, 2005 Jinu chennai,India

I tried these steps in FC4, but it does not work for me. I am using a 2k3 server, NetBIOS name qlc-server, domain name quantumleap.co.in, IP address 192.168.2.1. Please help me to configure my Linux system to authenticate using the Windows domain.

Thu, Dec 8, 2005 Dalek FL

In /etc/pam.d/login, where should the line

session required pam_mkhomedir.so skel=/etc/skel umask=0077

be? Because I had it before

# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

and it would not create the account, but in /etc/pam.d/gdm I added it as the last line. When I logged in from the login screen (after creating the /home/COMPANY directory), it created the account automagically. So I am guessing the location of the line may be important. Am I correct?

Fri, Nov 25, 2005 Paul Swartout UK

Many thanks for this article. It's saved me many hours and days of pain to get this working. I was up and running in 30 mins! The only problem I have at present is that some Gnome applications don't like spaces in the user name, and as we use real-name logins within our ADS setup, the HOME$ is created with spaces. I'm sure there is a workaround for this (hardcode HOMEDIR$), but everything else works 100%.

Wed, Nov 23, 2005 Chris Australia

I have the same problem a few people here have mentioned - when I try to log in with a Windows account, I get "Authentication Failed" messages. The syslogs on the Fedora client throw up the error "Client not found in Kerberos Database", and the event log on the 2003 server throws up:

Source Event ID Last Occurrence Total Occurrences
Security 537 23/11/2005 2:25 PM 13 *
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.14
Source Port: 1786

Any ideas where I have gone wrong?

Fri, Nov 4, 2005 Anonymous Anonymous

I got the following error:
04.11 22:57 Nov 4 22:56:17 localhost login[4941]: initgroups: Operation not permitted

What could it be?

Thu, Oct 27, 2005 Tony Z Buffalo

How are user rights determined? I am logged into FC4 with my Windows domain account (an admin account) but I can't access everything...like I can't see a CDROM when it's inserted unless I'm logged in as root. Where and how are local rights determined for domain accounts?

Fri, Oct 7, 2005 Tony Z Buffalo

My problem with 2003 SP1 was solved when I upgraded to Samba 3.0.14a. I've since added a notebook to the domain but I had a lot of trouble getting past the login screen. At login there was a problem finding the domain controller. I have a host setting for the domain controller, but nothing worked until I added the IP address of the DC in authconfig. I didn't have to do this on the desktop. I'm not sure why this is happening. Anyone have any ideas? I have a fixed IP on the machine and I do specify 2 machines in the DNS setting. Sometimes the DNS setting for the DC disappears...maybe the DNS settings are being reset from the DHCP server?

Thu, Sep 22, 2005 mohan india

Hey,
The above column was wonderful. I had a situation to solve within a deadline and I had no hope as everything failed; at last you saved my neck. Thanks man, your work is awesome. Please continue the research and update us all.

KEEP UP THE GOOD WORK MAN.

Tue, Sep 20, 2005 Pburdick Pacific.edu

Let me add my kudos to BBoswell. A very complete article. However, even with this assistance, it took most of the summer getting SSO authentication against AD. The biggest issue was 'joining' computers to the domain. This worked very inconsistently from one computer to another. We found that creating the Computer object in AD just prior to the join helped to avoid conflicts.

Like Martin & Lasse above, I now need to mount a remote directory as the user's home. I have tried:
smbmount to Win2K3: mounts, but X sessions fail because of the inability to create symbolic links to local /tmp files
smbmount to NAS: folder disappears and access denied
mount.cifs to NAS: mounts, but X sessions fail because of the inability to create symbolic links to local /tmp files
Installed Services for Unix (SFU) on Win2K3 and used mount.nfs: server and client say it mounts, but permissions deny any access.
Since I do not control the domain, I cannot install SFU NIS on the domain controllers. All I can administer is a Win2K3 server running SFU and some limited control of AD OUs.
If anyone has any suggestion on how to make any one of these mounting methods work, it would be greatly appreciated.
Please contact pburdick@pacific.edu

Thu, Aug 25, 2005 Martin & Lasse Denmark

Great article. It works great on FC4. And if you edit the krb.conf file, users can log in without having to type the domain.

But does anyone know, how to mount a users homedrive, when logging in? The share is located on a 2003 server.

Wed, Jul 27, 2005 Pete Ajax

It worked for so many others, I guess I did something wrong. After my attempt at this with Fedora Core 4 I could not log on as root nor as a user in my 2003 SP1 AD.
I am reloading Fedora right now. Good article. I may actually learn some Linux.

pw

Mon, Jun 27, 2005 N Gopu Chennai

Good one...

Thu, Jun 16, 2005 Anonymous Anonymous

this has been ripped off of redmondmag's site and does not contain the required conf file listings, you morons!

Mon, May 23, 2005 stacey poulsbo,washington

Worked good for me, Thanks

Tue, May 17, 2005 Brian Claremont

Great article, and very helpful. Manages to point the way through a complicated process without getting bogged down in the details. Had a few problems I had to work out myself, but I'm very glad I found this page. As for the critics, Googling your error message really is one of the best ways to troubleshoot, for the very reasons Bill wrote: someone's probably made the same mistake before.

Tue, Apr 26, 2005 James Melbourne, Australia

In answer to Mathew, the UID is taken from the AD so Windows users are given the same UID across Linux machines.

Mon, Apr 18, 2005 Nerak99 Anonymous

Really useful article.
My user accounts in Windows live at \\servername\username$. How can I automount their Windows domain home when they log in to the Linux box?

I think sunburntkamel's comment is just petty. As for Novell, man, I wanted to do this to experiment in one department on a large site. I am not going to dump a large AD install of 2000+ users. The whole point of this is that Linux can live with just about anything, unlike several other large players in the OS marketplace.

Fri, Apr 15, 2005 Joshua Atlanta

I am using FC3 and have joined my ADS domain. I can see and get to shares, but when it comes time to use a single logon I always receive an "Authentication Failed" message. I am using the latest Samba 3.0.14a distribution with the W23SP1 fix. What am I doing wrong?

Thu, Apr 14, 2005 bryan ohio

There is a winbind patch for that problem. Not sure if Samba 3.014 will address it or not. I guess I'll find out today and report.

Thu, Apr 7, 2005 Brian B Calgary AB

I have the same problem as Tony. I redirected my authentication to a DC that has not been upgraded to SP1 for now. This is only a temporary fix as upgrading the rest of the DCs is inevitable. Can anybody help out here?

Wed, Apr 6, 2005 Tony Z Buffalo NY

I just installed Windows 2003 Server SP1 and lost my ability to log in from Fedora. I checked my settings and rejoined the domain and was told I am already in the domain. I'm uninstalling SP1 to see what happens....any ideas?

Fri, Mar 18, 2005 Scott Gillis Edgewater, MD

GREAT JOB Bill,
As a frustrated dyed-in-the-wool Windows system admin, I was going nuts trying to figure out how to make a Linux machine do a Single Sign-On. Google searches returned hundreds of suggestions, but this was the only article I found that allowed me to get my feet wet. I believe that Micro$oft's decision on licensing is going to hurt them in the long run; many of my friends & admins that I know are starting to look to Linux to see if it can replace their Micro$oft desktops. More articles on the subject are worth their weight in gold. Now we need a good article on how to set up scripts to map the Windows shares to the Linux box.

Fri, Feb 25, 2005 Matthew Koundakjian San Bernardino, CA

It would appear that this solution will mean that a given Windows user will get a unique Unix UID on every Unix machine she or he logs into. If so, that's not good. What's required to get a unique user to have a consistent user ID on every Unix system, all tied to one Windows ADS login?

Fri, Feb 18, 2005 Xptential Chicago

1/1/05 – Better Idea says: Ditch Linux and simply use Windows. No complicated configuration. No hassles.
1/2/05 – Even better idea says: Ditch Windows n Linux and simply use Mac OS X. No complicated configuration, No adware/malware/viruses, *Really* no hassles. :P
JUST GO BACK TO OLD WAYS !!! DITCH COMPUTERS LOL

Wed, Feb 9, 2005 Laurence S. Eraut P.O. Box 2128, Beaverton 97075

All this computerese is above me, I'm a has-been. If you meet Bill, tell him he ought to incorporate Linux or it will replace him. Also tell Bill his natural father wishes to meet him, to phone (future number in Salem) 503 588-8255.
Very Truly,
Laurence

Mon, Jan 10, 2005 Pasha Anonymous

P.S. I see that my email is not automatically included... it's shabalin(AT)in.tum.de

Mon, Jan 10, 2005 Pasha Munich, Germany

I am a student at the CDTM (www.cdtm.de) and we are running a workshop on Security; the particular topic of my group is Single Sign-In. We are looking for enthusiasts who have ideas and maybe custom solutions for the problem, with further plans to arrange an exchange of ideas. The project is supported by both Munich universities and the Deutsche Telekom Innovation Center. Please contact me, anyone interested. It will also be helpful if you could forward the message to suitable people. Thank you, sorry for being off topic..

Fri, Jan 7, 2005 SAForensic Ohio

If you are in a large enterprise and it has been decided to implement LDAP, or you have an LDAP implementation running like Novell's, CA's, or IBM's, among some of the major companies besides Microsoft's AD, you may have found it troublesome to communicate from AD to LDAP.

You might want to look at using a freebie from M$ to assist the communications, like their SFU. You might want to consider the use of M$'s newer program called ADAM.

ADAM means Active Directory Application Mode. It is, "A full featured yet flexible LDAP directory that can leverage the native security mechanisms of the Windows platform." " ... ADAM supports some non-AD features and can run on both Windows 2003 and Windows XP Service Pack 1. Unlike AD, multiple instances of ADAM can run on a server, including a domain controller, and you can specify which ports an ADAM instance listens on for LDAP requests. "

It can be downloaded from Microsoft's web site. The package is a little larger than 8 MBs. You can gain a sense of how this Mode can address the problem of integrating directory security with OS security by reviewing John Howie's article from Windows & .Net Magazine " Getting to Know ADAM " at their web site www.winnetmag.com . The article's number is # 42450 of the June 2004 issue.

If you need to learn more about ADAM and additional features go to www.microsoft.com/windowsserver2003/adam/default.mspx . At this location you can download white papers, reviewer guides, and the ADAM Feature Pack.
-Rabbit

Wed, Jan 5, 2005 Juan Q Miami

I would use SFU or eDirectory, as for the guy who said to use Windows only, he's never seen a Linux desktop and how far superior it is over a standard Windows install out of the box.

Wed, Jan 5, 2005 Anonymous Anonymous

In regards to restricting which user accounts can log in to the Linux boxes, you can make the default shell in the Samba config a copy of bash (e.g. bash-nt), chmod o-x it and make the group owner an NT group. That way you can control who can log on to Linux servers through group membership in AD instead of having to manage a bunch of junk locally on each server.
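The restricted-shell trick from the comment above, written out as an added example; it is not code posted in the thread or taken from the article. It assumes winbind presents the AD group to Unix as `linux-users` (with `winbind use default domain = yes` so there is no DOMAIN\ prefix), that the copy lives at /bin/bash-nt, and that smb.conf points winbind users at it with `template shell = /bin/bash-nt`. The function names and the group name are my own choices, not anything the page names.

```sh
#!/bin/sh
# Added example: a copy of bash that only members of one AD group can run.
# Assumed names (not from the page): group "linux-users", copy /bin/bash-nt.
# Matching smb.conf line in [global]:   template shell = /bin/bash-nt

# make_group_shell SRC DEST GROUP
#   Copy the shell binary to DEST, hand it to GROUP and set mode 0750
#   (rwxr-x---): root and GROUP members may execute it, nobody else can.
make_group_shell() {
    src=$1 dest=$2 group=$3
    cp "$src" "$dest" || return 1
    chgrp "$group" "$dest" || return 1
    chmod 0750 "$dest"
}

# mode_string FILE -> the ten-character mode column of "ls -l",
#   e.g. "-rwxr-x---"; cut drops any trailing ACL/SELinux marker.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# user_may_start USER SHELL -> 0 if USER is root or belongs to SHELL's
#   group, 1 otherwise (unknown users included).  This mirrors the test the
#   kernel applies at exec time once "others" have lost the x bit, so it
#   can be used to audit who will actually get a session on this host.
#   Group names are word-split here, so the AD group must not contain
#   spaces (another reason to pick a name like linux-users).
user_may_start() {
    user=$1 shell=$2
    [ "$user" = root ] && return 0
    shell_group=$(ls -ld "$shell" | awk '{print $4}') || return 1
    [ -n "$shell_group" ] || return 1
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$shell_group" ] && return 0
    done
    return 1
}

# Typical root invocation on a server:
#   make_group_shell /bin/bash /bin/bash-nt linux-users
#   user_may_start jdoe /bin/bash-nt && echo "jdoe can log in"
```

Run make_group_shell as root on each server, then set template shell in smb.conf and restart winbind. One caveat worth knowing: PAM authentication still succeeds for every AD user; the login is refused only when login, gdm or sshd tries to exec the shell, so a refused user shows up in the logs as a shell exec failure rather than an authentication denial. A pam_succeed_if account check rejects the user before any session is opened, which is the cleaner place to do it.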

Tue, Jan 4, 2005 Anonymous Anonymous

How about SFU (free) from Microsoft, making the AD DC's act as NIS servers as well for *nix hosts? Or is that way too old and insecure?

Tue, Jan 4, 2005 Stephen Corvallis

Hi Brett. Perhaps you could post a short article on the MWVLUG website or talk about it in tonight's meeting?

Tue, Jan 4, 2005 Brett Corvallis

We've done this in a bit different way: we didn't use Samba or winbind. Of course, we're also running Red Hat 9 or less. To help overcome the problem with every Windows user being able to log into the Linux servers, we give the Windows users almost no access whatsoever. Then we assign Windows groups to sudoers and give groups of people rights to do more advanced and specific tasks. -Brett

Mon, Jan 3, 2005 Tim Herndon, VA

One thing left out is that if you do this, then ANY Windows account will be able to log into your Linux server.
Adding lines like:
account required /lib/security/$ISA/pam_succeed_if.so user = bgates

to the /etc/pam.d/system-auth file would allow you to restrict users based on login.

Valid parameters to pam_succeed_if.so include 'login', 'gid', 'uid', 'shell', etc., allowing quite a range of flexibility with regards to limiting access to the Unix servers from the Windows users. -Tim

Mon, Jan 3, 2005 NixerX Maine

To Greg.
Well said. Thank you. It would be nice if people were more appreciative of this type of work. Many people don't seem to realize that Linux is not Windows, so it will take some time to get used to! Damn brats (lol) :P
-Nx

Mon, Jan 3, 2005 Brainee Anonymous

Does this work for a laptop configuration as well? One of the main things about the early versions of Xandros was that "cached credentials" weren't working (you had to be connected to that network only), so it was useless for laptops because you'd always have one profile for outside and one for inside the building. Does this setup work when you aren't connected to the AD network, like Win2k or XP does?

Sun, Jan 2, 2005 sunburntkamel chicago

This article is a complete waste of everyone's time. "Google for your error message"? That's so sloppy it's unbelievable you even got this thing posted. At least point people in the direction of the relevant config files. There are several very important config files that need to be modified, which you provide some examples of at the end, but you don't explain when to modify them, where they are, or what they do. I've done this very thing with a SUSE workstation, and this article glosses over everything that was difficult about it. Even from an FC3 perspective, you jump from topic to topic without any clear outline or set of steps. It's this sort of weak writing that gives Linux a bad name to the Windows users an article like this would be helpful to.

Sun, Jan 2, 2005 Even better idea Anonymous

Ditch Windows and Linux and simply use Mac OS X. No complicated configuration, no adware/malware/viruses, *really* no hassles. :P

Sat, Jan 1, 2005 Better Idea Anonymous

Ditch Linux and simply use Windows. No complicated configuration. No hassles.

Sat, Jan 1, 2005 Pete Anonymous

Thanks for the great article. I have been looking for an easy how-to like this for a while.
I set it up on my FC3 box. When trying to log in via ssh I can authenticate, but the home directory does not get created on the fly.
I have modified the login and gdm files to include mkhomedir.so; do I need to edit something else for ssh logins?
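The PAM pieces behind Tim's pam_succeed_if suggestion (Jan 3, above) and Pete's missing-home-directory question, shown together as an added example rather than anything posted in the thread. The field pam_succeed_if accepts for the account name is `user` (`user = bgates` for one account, `user ingroup <group>` for a group test). The fragment assumes the Fedora Core 3 layout that authconfig generates, in which login, gdm and sshd all reach /etc/pam.d/system-auth through `pam_stack.so service=system-auth`, so one edit covers every entry point; `linux-users` is an assumed AD group name that winbind presents without a DOMAIN\ prefix (`winbind use default domain = yes`).

```text
# /etc/pam.d/system-auth, account and session stacks only
# (Fedora Core 3 layout assumed; the auth and password stacks are unchanged)
# NB: authconfig regenerates this file and drops hand edits.

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
# system accounts (uid < 100) and local /etc/passwd users are exempt
# from the AD group test
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_localuser.so
# everyone else must be a member of the AD group seen as "linux-users"
# (assumed name); without this line every AD account can log in
account     required      /lib/security/$ISA/pam_succeed_if.so user ingroup linux-users
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

session     required      /lib/security/$ISA/pam_limits.so
# create the home directory on first login (ssh included), mode 0700
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      /lib/security/$ISA/pam_unix.so
```

Two things to check before relying on this. /etc/ssh/sshd_config must contain `UsePAM yes` (the FC3 default); with it off, sshd bypasses PAM entirely and neither the group test nor pam_mkhomedir runs for ssh logins. And the header of an authconfig-generated system-auth states that the file is rewritten the next time authconfig runs, so keep the hand edits somewhere they can be reapplied. pam_mkhomedir creates whatever directory winbind reports for the user, so `template homedir = /home/%U` in smb.conf keeps that to a single directory level under /home.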

Fri, Dec 31, 2004 LadyNred Canada

I agree with gh3ng1s. If you really want interoperability with Windows, Linux, NetWare, Mac, etc., install eDirectory instead of AD. eDirectory plays nice with everyone.

Fri, Dec 31, 2004 Windows Admin AZ

Great article, but I don't think a lot of everyday users are going to run out and try this on their desktop. I have been noticing a trend to use Linux (Red Hat) in large corporations in different roles where cost savings can be made. Most corporations have two I.T. divisions: a Windows team and a UNIX team. The UNIX groups usually deploy and maintain Linux servers that are used to save money over utilizing larger UNIX servers.
My question is: can the same principles be used on Linux servers? Applying Windows AD users/groups to Linux (Red Hat) servers for something like a file server? Most IT security groups frown on Samba, stating it's not secure for corporate use.
Thx
Windows Admin

Thu, Dec 30, 2004 gh3ng1s Anonymous

I have a much simpler solution - ditch AD and install Novell's eDirectory. It will install natively on both Windows and Linux and gives you a much simpler and far more robust method of managing all your accounts.

Thu, Dec 30, 2004 Anonymous Anonymous

Hi,
Something like a year ago I faced a similar project. The outcome was quite different, though.
1. It was not AD but an NT-domain authentication system.
2. Among over 200 users there, only a fraction ever needed UNIX access (apart from server disk space); 2-3 really required a shell.
Single sign-on was doable as you described above, with the only difference that logins would be governed by the domain master browser, not the AD, but I chose against it.
The reasons were:
1. I haven't found concise info on the safety of NT-domain cryptography, and whether it's at least as secure as /etc/shadow-SHA1. (I understand that AD uses Kerberos, so this security concern is not an issue there.)
2. My domain users mainly needed e-mail access, so their caring for strong password selection is ... none.
So, for me an article on MSW-UNIX single sign-on would be of some help if:
1. It covered a comparison of NT-domain (Samba-LDAP of course) vs. /etc/shadow password repository security.
2. It showed a way to allow users to 'upgrade' their access to cover full UNIX shell access too, once they picked a stronger password.
