Sharing my experience with SSO of Linux clients to Active Directory.
Over the last 2 years or so, I had a great deal of trouble getting and _keeping_ authentication to our Win2000/Win2003 Active Directory system working from OpenSUSE and CentOS clients. ADS authentication would work until reboot, a few days, a month max. We'll see how long this lasts.
Another problem was dealing with the fact that I set up DNS in AD using a MixedCaseDomain.com name. I had to add all variants of the name to the [realms] and [domain_realm] sections of /etc/krb5.conf: snslatc.hp.com, snslatc.HP.com, SNSLATC.HP.COM ...
Over the weekend i gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better and using winbind with ADS.
Still had problems with Fedora. I had to change the hostname in the middle of the process and update krb5.conf as mentioned above, and I noticed that somehow dNSHostName in Active Directory was set to "HOST/localhost:localdomain", which clearly cannot be correct. So I used SysInternals LDAP Explorer (ADExplorer.exe) to change the entry in Active Directory to remove any reference to localhost. Unless I changed /etc/hosts to not have rmonster in "127.0.0.1 localhost.localdomain localhost rmonster", deleted from WinAD and rejoined.
dNSHostName: rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster
servicePrincipalName: HOST/rmonster.snslatc.hp.com
servicePrincipalName: HOST/rmonster
Is the line "servicePrincipalName: CIFS/rmonster.snslatc.hp.com" only required when you want your Linux box's shares to show to other (Windows) clients?
Successfully joined and authenticating using Fedora, but I really want to use CentOS and have group policy support from Likewise.
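The two things this message tripped over, the host's own name sitting on the 127.0.0.1 line of /etc/hosts (which is how dNSHostName ended up pointing at localhost) and a mixed-case AD DNS domain needing every case variant in [domain_realm], are both cheap to check before running the join. Below is an added example of such a pre-join check in Python; it is not code from the thread or from the poster's setup. The hostname rmonster and the domain snslatc.hp.com are taken from the message; the 10.0.0.25 address and the dc1 KDC name are made-up placeholders, and all file contents are constructed strings so the script runs offline.

```python
"""Pre-join sanity checks for a Linux host about to join Active Directory.

Added example, not code from the thread. It checks two pitfalls the thread
describes: the host's own name listed on the loopback line of /etc/hosts
(which left dNSHostName pointing at localhost), and a mixed-case AD DNS
domain whose case variants all need [domain_realm] entries in krb5.conf.
File contents are passed in as strings; the samples below are constructed.
"""

LOOPBACK = {"127.0.0.1", "::1"}


def loopback_aliases(hosts_text):
    """Return every name that /etc/hosts binds to a loopback address."""
    aliases = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, tokenize
        if fields and fields[0] in LOOPBACK:
            aliases.update(fields[1:])
    return aliases


def hostname_on_loopback(hostname, hosts_text):
    """True if the host's FQDN or short name resolves to loopback via /etc/hosts."""
    aliases = {a.lower() for a in loopback_aliases(hosts_text)}
    short = hostname.split(".", 1)[0].lower()
    return hostname.lower() in aliases or short in aliases


def parse_domain_realm(krb5_text):
    """Return the [domain_realm] mappings {domain_pattern: REALM} of a krb5.conf.

    Brace depth is tracked so keys inside a realm's { ... } block under
    [realms] (kdc = ...) are never mistaken for top-level keys.
    """
    mapping, section, depth = {}, None, 0
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        depth += line.count("{") - line.count("}")
        if section == "domain_realm" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip()] = value.strip()
    return mapping


def missing_domain_realm_variants(spellings, krb5_text):
    """List spellings (with and without a leading dot) that have no
    [domain_realm] mapping to the upper-case realm.

    `spellings` are the forms the domain is written in (the thread used
    snslatc.hp.com and snslatc.HP.com); all-lower and all-upper forms are
    added automatically, and the realm is the first spelling upper-cased.
    """
    realm = spellings[0].upper()
    variants = []
    for s in list(spellings) + [s.lower() for s in spellings] + [s.upper() for s in spellings]:
        if s not in variants:
            variants.append(s)
    mapping = parse_domain_realm(krb5_text)
    wanted = [key for v in variants for key in (v, "." + v)]
    return [key for key in wanted if mapping.get(key) != realm]


# Constructed /etc/hosts reproducing the thread's mistake: the short name
# "rmonster" is an alias of 127.0.0.1.
SAMPLE_HOSTS_BAD = """\
127.0.0.1   localhost.localdomain localhost rmonster
::1         localhost6.localdomain6 localhost6
"""

# Corrected form: the host name maps to its real address (10.0.0.25 is a
# constructed placeholder), not to loopback.
SAMPLE_HOSTS_GOOD = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
10.0.0.25   rmonster.snslatc.hp.com rmonster
"""

# Constructed krb5.conf: the KDC name is a placeholder, and [domain_realm]
# deliberately covers only some of the case variants.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = SNSLATC.HP.COM

[realms]
    SNSLATC.HP.COM = {
        kdc = dc1.snslatc.hp.com
    }

[domain_realm]
    .snslatc.hp.com = SNSLATC.HP.COM
    snslatc.hp.com = SNSLATC.HP.COM
    .snslatc.HP.com = SNSLATC.HP.COM
"""


def precheck(hostname, spellings, hosts_text, krb5_text):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    if hostname_on_loopback(hostname, hosts_text):
        findings.append(f"{hostname} is an alias of a loopback address in /etc/hosts")
    for key in missing_domain_realm_variants(spellings, krb5_text):
        findings.append(f"[domain_realm] has no mapping for {key}")
    return findings


if __name__ == "__main__":
    for label, hosts in (("bad", SAMPLE_HOSTS_BAD), ("good", SAMPLE_HOSTS_GOOD)):
        print(f"--- /etc/hosts ({label}) ---")
        for f in precheck("rmonster.snslatc.hp.com",
                          ["snslatc.hp.com", "snslatc.HP.com"], hosts, SAMPLE_KRB5):
            print("  ", f)
```

On a real host the same functions would be fed the contents of /etc/hosts and /etc/krb5.conf and the output of `hostname -f`; an empty findings list is the condition to require before `net ads join`, since a join performed while the name still resolves to loopback is what produced the bogus dNSHostName the message describes.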
Rob Townley wrote:
Over the weekend i gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better and using winbind with ADS.
Rebuild the samba src rpms on CentOS?
I gave up on integrating Windows+(insert any OS here) years ago, not worth the headaches.
nate
nate wrote:
Rob Townley wrote:
Over the weekend i gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better and using winbind with ADS.
Rebuild the samba src rpms on CentOS?
I gave up on integrating Windows+(insert any OS here) years ago, not worth the headaches.
Fewer headaches:
Use Services For Unix in your AD.
If you need winbind, use the samba rpms from Sernet.
Almost all my nightmares with integrations with AD+winbind were resolved with these.
-- Black Hand
We've had good luck with this approach: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
Basically using the Windows 2003 R2 schema extensions (as opposed to SFU) and Identity Management for Unix mmc.
On Mon, Aug 18, 2008 at 4:17 PM, BlackHand <yonsy@blackhandchronicles.homeip.net> wrote:
nate wrote:
Rob Townley wrote:
Over the weekend i gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better and using winbind with ADS.
Rebuild the samba src rpms on CentOS?
I gave up on integrating Windows+(insert any OS here) years ago, not worth the headaches.
Fewer headaches:
Use Services For Unix in your AD.
If you need winbind, use the samba rpms from Sernet.
Almost all my nightmares with integrations with AD+winbind were resolved with these.
-- Black Hand
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
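The R2 schema extensions and the Identity Management for Unix snap-in mentioned in this reply give AD accounts the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that the Linux side maps to local users. Before trusting AD as the identity source it is worth auditing that data, because an account without those attributes cannot be mapped at all, and two accounts sharing a uidNumber become one Unix user as far as file ownership and sudo rules are concerned. The following is an added Python example of that audit over an LDIF export; it is not code from the thread or from the linked article. The LDIF, the example.com domain and the account names are constructed sample data.

```python
"""Audit RFC 2307 (POSIX) attributes on AD accounts exported as LDIF.

Added example, not code from the thread or the linked article. With the
Windows 2003 R2 schema extensions / Identity Management for Unix, each
account that should log in to Linux carries uidNumber, gidNumber,
unixHomeDirectory and loginShell. This reports accounts missing any of
them and accounts that share a uidNumber. The LDIF is constructed.
"""
import base64
from collections import defaultdict

REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_ldif(text):
    """Parse an LDIF export into a list of {attribute: [values]} dicts.

    Unfolds continuation lines (leading space), decodes base64 values
    ("attr:: ...") and ignores comments and the version line.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped value
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_posix_attrs(entries):
    """Map DN -> required RFC 2307 attributes the entry does not carry."""
    return {e["dn"][0]: [a for a in REQUIRED if not e.get(a)]
            for e in entries if any(not e.get(a) for a in REQUIRED)}


def duplicate_uids(entries):
    """Map uidNumber -> DNs for every UID claimed by more than one account."""
    by_uid = defaultdict(list)
    for e in entries:
        for uid in e.get("uidNumber", []):
            by_uid[uid].append(e["dn"][0])
    return {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}


def audit(ldif_text):
    """Return (missing, duplicates) for an LDIF export."""
    entries = parse_ldif(ldif_text)
    return missing_posix_attrs(entries), duplicate_uids(entries)


# Constructed LDIF under a placeholder domain: "svc-backup" reuses alice's
# uidNumber, has a folded unixHomeDirectory and a base64 loginShell
# ("/bin/bash"); "newhire" was never given POSIX attributes.
SAMPLE_LDIF = """\
version: 1

dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=svc-backup,OU=Users,DC=example,DC=com
sAMAccountName: svc-backup
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/svc-ba
 ckup
loginShell:: L2Jpbi9iYXNo

dn: CN=newhire,OU=Users,DC=example,DC=com
sAMAccountName: newhire
gidNumber: 10000
"""


if __name__ == "__main__":
    missing, dupes = audit(SAMPLE_LDIF)
    for dn, attrs in missing.items():
        print(f"missing {', '.join(attrs)}: {dn}")
    for uid, dns in dupes.items():
        print(f"uidNumber {uid} shared by: {'; '.join(dns)}")
```

Against a real directory the input would be an LDIF export limited to the attributes above; the duplicate-UID check is the more important of the two, since a shared uidNumber is an authorization problem on every Linux host that trusts the directory, not just a login failure on one of them.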
On Mon, Aug 18, 2008 at 4:50 PM, David Miller <dmiller@ccim.us> wrote:
We've had good luck with this approach: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/
Basically using the Windows 2003 R2 schema extensions (as opposed to SFU) and Identity Management for Unix mmc.
On Mon, Aug 18, 2008 at 4:17 PM, BlackHand <yonsy@blackhandchronicles.homeip.net> wrote:
nate wrote:
Rob Townley wrote:
Over the weekend i gave up on CentOS and tried Fedora because Fedora repositories have SaMBa 3.2, but CentOS only has 3.0. SaMBa 3.2 supports sasl sign and seal (hashing and encryption) and supports NTLMv2 better and using winbind with ADS.
Rebuild the samba src rpms on CentOS?
I gave up on integrating Windows+(insert any OS here) years ago, not worth the headaches.
Fewer headaches:
Use Services For Unix in your AD.
If you need winbind, use the samba rpms from Sernet.
Almost all my nightmares with integrations with AD+winbind were resolved with these.
-- Black Hand
I forgot about EnterpriseSamba - thanks for the link. Maybe I won't compile on CentOS because EnterpriseSamba has a repository now, http://ftp.sernet.de, for Yum, debs, and YaST. Fedora seems to be working fairly well, but I won't really trust it until I have put it through about 2 months of use.
Scott Lowe also has an article on Win2003R1. (A license to Win2003R1 does not give you a license to Win2003R2 - it has to be purchased.) There are so many more comments and user experiences on his blog now - thanks for the link.