Logging in from Fedora Linux clients to Windows 2000 server with ADS

From: PAG (gulawani_at_hathway.com)
Date: 05/13/04

  • Next message: Jeff Vian: "Re: Why Would Fedora be Free ? Can it be Trusted?"
    Date: Thu, 13 May 2004 18:28:19 +0530
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Hi everyone,

    I want to convert some 50 new machines that an organization is getting
    into Fedora Linux workstations.

    This is the current setup:
    The organization currently has one primary Windows 2000 ADS server and
    two Windows 2000 servers acting as backup domain servers.
    There are currently some 50 workstations already in the network and
    these are all Windows 2000 Professional machines. There are HP laser
    network printers in the network.

    Now the organization wants to add about 50 more workstations to the
    network. I am trying to convince them to use Fedora Linux on these
    machines instead of Windows 2000 Professional. My ultimate goal is to
    convert more machines to Linux.

    From these Fedora machines, users should be able to log in to the
    Windows servers using their Windows usernames and passwords. They will be
    using a lot of files from the Windows 2000 servers, which currently also
    act as the file servers. They are currently reluctant to convert the
    Windows servers to Linux, as some critical applications that they use
    are available only on Windows. In addition to this they would need to
    print to the network printers in the network.

    I googled and found a LOT of information on modifying Samba and
    modifying krb5 for the above purpose. I am using a couple of
    machines to do a test setup. I have installed FC1 on these machines and
    have configured Samba on both these machines.
    Some of the settings done are as follows:
    Samba "smb.conf" file is at the very bottom of this email
    KRB5 "krb5.conf" file is also at the bottom of the email
    "nsswitch.conf" file was modified; it is also at the bottom of this email
    "login" file (in the /etc/pam.d directory) was also modified
    The authentication that I am using is SMB and KRB5

    My FC1 machines are registered into the ADS using "net ads join -U
    user1". This went well and showed me as joined to the domain.

    I have set up test users "user1" and "user2" in both the Windows domain
    as well as on the FC1 machines. The passwords of the above users on the
    local FC1 machines and the Windows 2000 ADS machines are different.
    (The reason I have kept these different is to test that the login using
    the Windows 2000 username and password works.)

    The problem that I face is this:
    1. I cannot log in at the FC1 GUI login prompt (I'm using GNOME) using
    the Windows username (user1 or user2) and password. I can only log in
    using my FC1 local username and password. This is the first thing that I
    want to be able to do. I should be able to log in as any user (even if
    the user is not added on the local FC1 machine).
    2. After logging into GNOME as the local FC1 user, when I browse the
    network and click on any machine on the network it asks me for a
    username and password again for that machine. After entering the correct
    Windows username and password I get access to the shared resources in
    the network.

    I want to maintain one central username and password in the Windows
    2000 ADS. So if a username is added or the password of an existing user
    is changed, it is maintained in one location only and not in multiple
    locations.

    Can someone point out what I could be doing wrong here? At this point
    I'm quite zonked actually. Some sites mentioned that all I needed to do
    was enable Kerberos authentication on the local machine (no need to
    set up Samba). In other places there is nothing mentioned about krb5 but
    a lot of settings about Samba.

    I'd appreciate your help a lot. I'm sorry for the long email, but I just
    wanted to make sure I've given all the details.

    +++++++++++++++++++++ smb.conf +++++++++++++
    # Global parameters
    [global]
        workgroup = dec
        server string = M02 Samba Server
        netbios name = M02
        security = ADS
        realm = M06.DEC.DOM
        password server = M06
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes
        use sendfile = Yes
        printing = cups

    [homes]
        comment = Home Directories
        valid users = %S
        writeable = yes
        browseable = Yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        printer admin = root, administrator
        create mask = 0600
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        browseable = No

    [common]
        comment = Common folders for all
        path = /home/common
        writeable = yes
        guest ok = yes
    ++++++++++++++++++++++++++++++++++++++++++

    +++++++++++++++++++++ nsswitch.conf +++++++++++++
    passwd: files winbind
    shadow: files
    group: files winbind

    hosts: files dns

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: files

    publickey: nisplus

    automount: files
    aliases: files nisplus
    ++++++++++++++++++++++++++++++++++++++++++

    +++++++++++++++++++++ krb5.conf +++++++++++++
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     ticket_lifetime = 24000
     default_realm = DEC.DOM
     dns_lookup_realm = false
     dns_lookup_kdc = false

    [realms]
     DEC.DOM = {
      kdc = M06.DEC.DOM:88
      admin_server = M06.DEC.DOM:749
      default_domain = DEC.DOM
     }

    [domain_realm]
     .example.com = DEC.DOM
     example.com = DEC.DOM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    ++++++++++++++++++++++++++++++++++++++++++

    +++++++++++++++++++++ login (file in /etc/pam.d) +++++++++++++
    #%PAM-1.0
    auth required /lib/security/pam_securetty.so
    auth sufficient /lib/security/pam_winbind.so
    auth sufficient /lib/security/pam_unix.so use_first_pass
    auth required /lib/security/pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so
    account sufficient /lib/security/pam_winbind.so
    account required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth
    session optional /lib/security/pam_console.so

    ++++++++++++++++++++++++++++++++++++++++++

    Thanks,
    PAG

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
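As an added example (not part of the original post or of any reply on the list), the following POSIX shell script checks a client for the four things that stand out in the configuration posted above and prints corrected fragments: the smb.conf `realm` (M06.DEC.DOM) disagrees with the krb5.conf `default_realm` (DEC.DOM), and Samba's `realm` has to be the Kerberos realm of the AD domain, not a controller's host name; `[domain_realm]` still carries the example.com template entries instead of dec.dom; no `template shell` is set, so winbind hands domain users Samba's default /bin/false and an interactive login is refused even after a correct password; and pam_winbind was added to /etc/pam.d/login while gdm on FC1 takes its stack from /etc/pam.d/system-auth through pam_stack, so the GNOME login never sees it. The realm, controller and domain names are the post's own; the file paths, the /home/%D/%U home layout and the script name ads-audit.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Fedora client for the
# Samba/Kerberos/PAM mismatches visible in the posted configs and emit
# corrected fragments. Realm DEC.DOM, DC M06 and domain DEC follow the
# post; the file paths and the /home/%D/%U layout are assumptions.

# ini_get FILE KEY: value of the first "KEY = value" line, trimmed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Samba's "realm" is the Kerberos realm of the AD domain, i.e. the same
# string as krb5.conf default_realm, not a domain controller's host name.
check_realm() {  # $1 smb.conf  $2 krb5.conf
    smb=$(ini_get "$1" realm | tr 'a-z' 'A-Z')
    krb=$(ini_get "$2" default_realm | tr 'a-z' 'A-Z')
    [ -n "$smb" ] && [ "$smb" = "$krb" ]
}

# [domain_realm] must map the AD DNS domain onto the realm; a leftover
# "example.com" template entry does nothing for hosts under dec.dom.
check_domain_realm() {  # $1 krb5.conf  $2 REALM
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    grep -qi "^[[:space:]]*\.\{0,1\}$dom[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1"
}

# winbind hands domain users the "template shell"; Samba's default is
# /bin/false, so a correct password still ends in a refused login.
check_template_shell() {  # $1 smb.conf
    case "$(ini_get "$1" 'template shell')" in
        ''|/bin/false|/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# gdm, login and sshd on FC1 defer to system-auth through pam_stack, so
# pam_winbind has to be in the stack the GUI login actually consults.
check_pam_winbind() {  # $1 PAM service file
    grep -q '^auth[[:space:]].*pam_winbind\.so' "$1" &&
        grep -q '^account[[:space:]].*pam_winbind\.so' "$1"
}

corrected_smb_global() {
    cat <<'EOF'
[global]
    workgroup = DEC
    realm = DEC.DOM
    security = ADS
    password server = M06.DEC.DOM
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = Yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
EOF
}

corrected_krb5() {
    cat <<'EOF'
[libdefaults]
 default_realm = DEC.DOM
[realms]
 DEC.DOM = {
  kdc = M06.DEC.DOM:88
 }
[domain_realm]
 .dec.dom = DEC.DOM
 dec.dom = DEC.DOM
EOF
}

# winbind before pam_unix so the domain password is tried first, and
# pam_mkhomedir so a user with no local account gets a home directory.
corrected_system_auth() {
    cat <<'EOF'
auth      sufficient  /lib/security/pam_winbind.so
auth      sufficient  /lib/security/pam_unix.so likeauth nullok use_first_pass
auth      required    /lib/security/pam_deny.so
account   sufficient  /lib/security/pam_winbind.so
account   required    /lib/security/pam_unix.so
password  sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
password  required    /lib/security/pam_deny.so
session   required    /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077
session   required    /lib/security/pam_unix.so
EOF
}

audit_configs() {  # $1 smb.conf  $2 krb5.conf  $3 PAM service file
    rc=0
    check_realm "$1" "$2" || { echo "$1: realm != default_realm in $2"; rc=1; }
    check_domain_realm "$2" "$(ini_get "$2" default_realm)" || { echo "$2: [domain_realm] lacks the AD domain"; rc=1; }
    check_template_shell "$1" || { echo "$1: set template shell = /bin/bash"; rc=1; }
    check_pam_winbind "$3" || { echo "$3: no pam_winbind in auth and account"; rc=1; }
    return $rc
}

# Usage: sh ads-audit.sh audit [smb.conf] [krb5.conf] [pam service file]
if [ "${1:-}" = audit ]; then
    audit_configs "${2:-/etc/samba/smb.conf}" "${3:-/etc/krb5.conf}" "${4:-/etc/pam.d/system-auth}"
fi
```

Run it as `sh ads-audit.sh audit` on the client; each failing check prints one line, and `corrected_smb_global`, `corrected_krb5` and `corrected_system_auth` print fragments that pass all four. Once the audit is clean and winbindd is running (nsswitch.conf already lists winbind for passwd and group), `kinit user1@DEC.DOM`, `wbinfo -t`, `getent passwd user1` and `smbclient -k -L M06` exercise the Kerberos path end to end before trying the GUI login. The script says nothing about the second symptom (a prompt for every machine when browsing from GNOME): that comes from the desktop's SMB browser doing its own SMB logon, not from PAM.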
    
