----- Original Message -----
From: "Jason Pyeron" <jpyeron@pdinc.us>
To: "CentOS mailing list" <centos@centos.org>
Sent: Wednesday, November 14, 2007 12:23:17 PM (GMT+1000) Australia/Brisbane
Subject: [CentOS] Sso the Linux way?
So I was googling around about this over the last week and here is what I
found:
nis/yp is for some reason bad.
Kerbos is holy, but no how-to's that don't involve windows and active
directory.
What is the recommended sso approach for centos? Where are there examples /
docs to follow?
Jason
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Sr. Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately. Any other use of the email by you
is prohibited.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Jason,
I've just finished writing up the solaris 9/10 version of what you are looking for, amounted to about 10 pages ! As an exercise in illustrating (to managment, with a view to ditching solaris and moving to RHEL) how much easier this sort of thing is in linux (RHEL/CENTOS) I have taken some notes on how to do it;
I can't remember if authconfig updates the /etc/krb5.conf file automatically ( I think it does) but it should look similar to this or you will not be able to join your server to the domain;
[libdefaults]
default_realm = MYCORP.NET.AU
[realms]
MYCORP.NET.AU = {
kdc = dc1.mycorp.net.au
kdc = dc2.mycorp.net.au
}
[domain_realms]
.kerberos.server = MYCORP.NET.AU
You can test the kerberos stuff is working by doing;
kinit user@MYCORP.NET.AU
then
klist
and finally to destory the ticket;
kdestroy
Don't even bother going any further if this does not work.
1. ensure samba server packages are installed
2. ensure DNS forward and reverse entries are accurate
3. ensure your server is time synced accurately (kerberos steps above will fail if not)
4. run authconfig or the 'tui' version
5. Tick/Star both the 'winbind' options for user and authentication
6. Next page - choose 'ads' as security model and fill in the rest of the details, e.g. DOMAIN and DC, ensure that the 'ADS Realm' is your FQDN from the krb5.conf file e.g. MYCORP.NET.AU in uppercase
7. Click join domain and enter your AD user/password
8. Check you /etc/samba/smb.conf and it should have all the necessary bits set approriately
If you successfully joined the domain then domain users should now be able to access any defined shares and even ssh onto the box provided you chose a valid login shell, create the necessary 'template homedir' and update your pam system-auth and add the following;
session required pam_mkhomedir.so skel=/etc/skel umask=0022
You can also limit who can login with ssh by editing the /etc/pam.d/sshd and adding something like;
auth required pam_succeed_if.so user ingroup unix-admins
where 'unix-admins' is an AD group.
Authconfig will automatically update /etc/nsswitch.conf and add the 'winbind' entry for passwd, shadow and group.
Let us know if this works for you.
Cheers.
--
This message has been scanned for viruses and
dangerous content by
MailScanner, and is
believed to be clean.