Re: Windows or LDAP authentication



rojanmic wrote:
Hi,

If Windows authentication is used as the primary mode of
authentication for a network, and Linux servers (SUSE) are being
introduced - is there a way to integrate Windows authentication?

That's been there for a while now.


The idea is that openSUSE will be used to run VMware guests, and I'm
concerned that if a non-admin user needs to log onto the guests (e.g.
on the weekend when the support staff might not have network access at
the time), then we will need to provide the user with the root
password.

??? Why would a user need root?
(but... see below)


My other concern is that if we use the same root password for all the
Linux boxes then security might be compromised, if it is difficult to
change the root passwords en masse. When using more than 1 Linux
server is it possible to use some type of LDAP pass-through
authentication to AD? So that the root password is stored in AD? I
guess this must sound like heresy to some people, but it would make
user & security management much easier!

What you want is role-based security. The idea is for you to
create an initial account with sudo (use visudo) access to become
root and do things as root. Then change the root password to
something random and lock it away somewhere. While it is possible
that you may need the actual root password at some point, at least
you'll know when that password has been compromised by the "breaking
of the seal" on however you choose to store it.

The rest of the time, root access is maintained strictly through
granted use via sudo. You can restrict what commands are allowed
using sudo as well. So certain users can execute (for example)
init scripts as root.


I'd be interested to hear stories or experiences of integrating
Windows & Linux authentication.

YaST makes things pretty easy if you're talking about integrating
to an AD domain. Have you looked at it? I've used this several
times. Using PAM you can even have it fall back to /etc/passwd and
shadow files or even something like NIS...or your own LDAP even.
That way if the AD domain is down for some reason, somebody could
still log into the Linux boxes. Of course, most would probably
declare their network to be dead if the AD servers were down.



Thanks,
Michael
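
The sudo arrangement described in the reply above, written out as a sudoers drop-in. This is an added example, not part of the original post; the file name, the group and user names, and the init script paths are assumptions chosen for illustration.

```sudoers
# /etc/sudoers.d/vm-operators   (hypothetical file name)
# Edit with:   visudo -f /etc/sudoers.d/vm-operators
# Check with:  visudo -cf /etc/sudoers.d/vm-operators
# All names below are constructed for this example.

# Weak form, shown commented out: this hands the whole root account to
# the group, which is no better than sharing the root password.
# %vmoperators ALL = (ALL) ALL

# Log every sudo invocation and run commands in a pseudo-terminal.
Defaults logfile=/var/log/sudo.log
Defaults use_pty

# Restricted form: only these init scripts, only with these arguments.
# When arguments are listed, sudo matches them exactly, so
# "/etc/init.d/vmware anything-else" is refused.
Cmnd_Alias VM_SERVICES = /etc/init.d/vmware start,   \
                         /etc/init.d/vmware stop,    \
                         /etc/init.d/vmware restart, \
                         /etc/init.d/vmware status,  \
                         /etc/init.d/sshd restart

# Weekend/non-admin users: service control as root, nothing else.
# Do not add editors, shells or pagers here; they let the user
# start an unrestricted root shell.
%vmoperators ALL = (root) VM_SERVICES

# Named administrators get full root through sudo, each with their own
# password, so the sealed root password is never needed day to day.
User_Alias ADMINS = alice, bob
ADMINS ALL = (ALL) ALL
```

A member of vmoperators can run `sudo -l` to see exactly which commands the policy allows them.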
