[CentOS] Sso the Linux way?

Wed Nov 14 03:10:14 UTC 2007
redhat at mckerrs.net <redhat at mckerrs.net>

----- Original Message ----- 
From: "Jason Pyeron" <jpyeron at pdinc.us> 
To: "CentOS mailing list" <centos at centos.org> 
Sent: Wednesday, November 14, 2007 12:23:17 PM (GMT+1000) Australia/Brisbane 
Subject: [CentOS] Sso the Linux way? 

So I was googling around about this over the last week and here is what I 
found: 


nis/yp is for some reason bad. 
Kerberos is holy, but no how-to's that don't involve windows and active 
directory. 


What is the recommended sso approach for centos? Where are there examples / 
docs to follow? 

Jason 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
- - 
- Jason Pyeron PD Inc. http://www.pdinc.us - 
- Sr. Consultant 10 West 24th Street #100 - 
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - 
- - 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 



_______________________________________________ 
CentOS mailing list 
CentOS at centos.org 
http://lists.centos.org/mailman/listinfo/centos 

-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 


Jason, 

I've just finished writing up the Solaris 9/10 version of what you are looking for, amounted to about 10 pages! As an exercise in illustrating (to management, with a view to ditching Solaris and moving to RHEL) how much easier this sort of thing is in Linux (RHEL/CentOS) I have taken some notes on how to do it; 

I can't remember if authconfig updates the /etc/krb5.conf file automatically (I think it does) but it should look similar to this or you will not be able to join your server to the domain; 


[libdefaults] 
# realm used when a principal is given without @REALM (always uppercase) 
default_realm = MYCORP.NET.AU 

[realms] 
# the KDCs for the realm; with AD these are your domain controllers 
MYCORP.NET.AU = { 
kdc = dc1.mycorp.net.au 
kdc = dc2.mycorp.net.au 
} 

[domain_realm] 
# maps DNS names onto the realm; the section name has no trailing 's' 
.mycorp.net.au = MYCORP.NET.AU 
mycorp.net.au = MYCORP.NET.AU 



You can test the kerberos stuff is working by doing; 

kinit user@MYCORP.NET.AU 

then 

klist 

and finally to destroy the ticket; 


kdestroy 

Don't even bother going any further if this does not work. 


1. ensure samba server packages are installed 
2. ensure DNS forward and reverse entries are accurate 
3. ensure your server is time synced accurately (kerberos steps above will fail if not) 
4. run authconfig or the 'tui' version 
5. Tick/Star both the 'winbind' options for user and authentication 
6. Next page - choose 'ads' as security model and fill in the rest of the details, e.g. DOMAIN and DC, ensure that the 'ADS Realm' is your FQDN from the krb5.conf file e.g. MYCORP.NET.AU in uppercase 
7. Click join domain and enter your AD user/password 
8. Check your /etc/samba/smb.conf and it should have all the necessary bits set appropriately 

If you successfully joined the domain then domain users should now be able to access any defined shares and even ssh onto the box provided you chose a valid login shell, create the necessary 'template homedir' and update your pam system-auth and add the following; 

session required pam_mkhomedir.so skel=/etc/skel umask=0022 

You can also limit who can login with ssh by editing the /etc/pam.d/sshd and adding something like; 

auth required pam_succeed_if.so user ingroup unix-admins 


where 'unix-admins' is an AD group. 


Authconfig will automatically update /etc/nsswitch.conf and add the 'winbind' entry for passwd, shadow and group. 


Let us know if this works for you. 


Cheers. 
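As an added example (not part of the thread above, and not a tool shipped with CentOS or authconfig), the following POSIX sh script checks a krb5.conf for the mistakes that most often stop the kinit test and the domain join from working: a missing or lowercase default_realm, a realm with no kdc entries, and the [domain_realm] section name misspelled with a trailing "s". The sample config it writes is constructed to match the one in the reply; the file paths, the expected realm MYCORP.NET.AU and the function names are assumptions for the example. Time sync and DNS still have to be checked separately, as the reply says.

```shell
#!/bin/sh
# Added example: sanity-check a krb5.conf before running kinit/authconfig.
# Everything here (sample file, realm, function names) is constructed for
# illustration and is not part of the original mailing-list reply.

# Write a constructed krb5.conf, matching the layout used in the reply.
# Assumes the "key = value" style with spaces around '=' (as in the reply).
write_sample_krb5() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = MYCORP.NET.AU

[realms]
 MYCORP.NET.AU = {
  kdc = dc1.mycorp.net.au
  kdc = dc2.mycorp.net.au
 }

[domain_realm]
 .mycorp.net.au = MYCORP.NET.AU
 mycorp.net.au = MYCORP.NET.AU
EOF
}

# Return 0 if the header "[name]" appears exactly once in file $1.
has_section() {
    [ "$(grep -c "^[[:space:]]*\[$2\][[:space:]]*$" "$1")" = 1 ]
}

# Print the value of "key = value" inside section $2 of file $1 (or nothing).
section_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print every kdc host listed for realm $2 inside the [realms] block of $1.
realm_kdcs() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { insec = ($1 == "[realms]"); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$1"
}

# Report the common krb5.conf mistakes; prints one line per problem and
# returns 0 only when none were found.
check_krb5_conf() {
    f=$1; rc=0
    realm=$(section_value "$f" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' should be uppercase"; rc=1
    fi
    if ! realm_kdcs "$f" "$realm" | grep -q .; then
        echo "no kdc entries for realm '$realm' in [realms]"; rc=1
    fi
    # A trailing 's' is a silent typo: the section is ignored and DNS names
    # are never mapped onto the realm, so the domain join fails later.
    if grep -q '^[[:space:]]*\[domain_realms\]' "$f"; then
        echo "section is named [domain_realms]; Kerberos expects [domain_realm]"; rc=1
    elif ! has_section "$f" domain_realm; then
        echo "missing [domain_realm] section"; rc=1
    fi
    return $rc
}

# Stand-alone demo on the constructed file (hypothetical temp path).
tmp=$(mktemp)
write_sample_krb5 "$tmp"
if check_krb5_conf "$tmp"; then
    echo "krb5.conf looks sane; realm $(section_value "$tmp" libdefaults default_realm)"
fi
rm -f "$tmp"
```

On a real host you would source the script and run `check_krb5_conf /etc/krb5.conf` before trying `kinit`; it only reads the file, so it is safe to run on a box that has not yet been joined.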






