----- Original Message ----- From: "Jason Pyeron" <jpyeron at pdinc.us> To: "CentOS mailing list" <centos at centos.org> Sent: Wednesday, November 14, 2007 12:23:17 PM (GMT+1000) Australia/Brisbane Subject: [CentOS] Sso the Linux way? So I was googling around about this over the last week and here is what I found: nis/yp is for some reason bad. Kerbos is holy, but no how-to's that don't involve windows and active directory. What is the recommended sso approach for centos? Where are there examples / docs to follow? Jason -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Sr. Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited. _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Jason, I've just finished writing up the solaris 9/10 version of what you are looking for, amounted to about 10 pages ! As an exercise in illustrating (to managment, with a view to ditching solaris and moving to RHEL) how much easier this sort of thing is in linux (RHEL/CENTOS) I have taken some notes on how to do it; I can't remember if authconfig updates the /etc/krb5.conf file automatically ( I think it does) but it should look similar to this or you will not be able to join your server to the domain; [libdefaults] default_realm = MYCORP.NET.AU [realms] MYCORP.NET.AU = { kdc = dc1.mycorp.net.au kdc = dc2.mycorp.net.au } [domain_realms] .kerberos.server = MYCORP.NET.AU You can test the kerberos stuff is working by doing; kinit user at MYCORP.NET.AU then klist and finally to destory the ticket; kdestroy Don't even bother going any further if this does not work. 1. ensure samba server packages are installed 2. ensure DNS forward and reverse entries are accurate 3. ensure your server is time synced accurately (kerberos steps above will fail if not) 4. run authconfig or the 'tui' version 5. Tick/Star both the 'winbind' options for user and authentication 6. Next page - choose 'ads' as security model and fill in the rest of the details, e.g. DOMAIN and DC, ensure that the 'ADS Realm' is your FQDN from the krb5.conf file e.g. MYCORP.NET.AU in uppercase 7. Click join domain and enter your AD user/password 8. Check you /etc/samba/smb.conf and it should have all the necessary bits set approriately If you successfully joined the domain then domain users should now be able to access any defined shares and even ssh onto the box provided you chose a valid login shell, create the necessary 'template homedir' and update your pam system-auth and add the following; session required pam_mkhomedir.so skel=/etc/skel umask=0022 You can also limit who can login with ssh by editing the /etc/pam.d/sshd and adding something like; auth required pam_succeed_if.so user ingroup unix-admins where 'unix-admins' is an AD group. Authconfig will automatically update /etc/nsswitch.conf and add the 'winbind' entry for passwd, shadow and group. Let us know if this works for you. Cheers. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20071114/dba02253/attachment-0004.html>