Sharing my experience with SSO of Linux clients to Active Directory.
Over the last 2 years or so, I had a great deal of trouble getting and _keeping_ authentication to our Win2000/Win2003 Active Directory system working from OpenSUSE and CentOS clients. ADS authentication would work until reboot, a few days, a month max. We'll see how long this lasts.
Another problem was dealing with the fact that I set up DNS in AD using a MixedCaseDomain.com name. Had to add all variants to the [realms] and [domain_realm] names in /etc/krb5.conf: snslatc.hp.com, snslatc.HP.com, SNSLATC.HP.COM ...
Over the weekend I gave up on CentOS and tried Fedora, because the Fedora repositories have Samba 3.2 but CentOS only has 3.0. Samba 3.2 supports SASL sign and seal (hashing and encryption), supports NTLMv2 better, and supports using winbind with ADS.
Still had problems with Fedora, since I had to change the hostname in the middle of the process and update krb5.conf as mentioned above, and I noticed that somehow dNSHostName in Active Directory was set to "HOST/localhost:localdomain", which clearly cannot be correct. So I used the SysInternals LDAP explorer (ADExplorer.exe) to change the entry in Active Directory to remove any reference to localhost. That did not help unless I changed /etc/hosts to not have rmonster in "127.0.0.1 localhost.localdomain localhost rmonster", deleted the machine from WinAD and rejoined.
dNSHostName: rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster.snslatc.hp.com
servicePrincipalName: CIFS/rmonster
servicePrincipalName: HOST/rmonster.snslatc.hp.com
servicePrincipalName: HOST/rmonster
Is the line "servicePrincipalName: CIFS/rmonster.snslatc.hp.com" only required when you want your Linux box's shares to be visible to other (Windows) clients?
Successfully joined and authenticating using Fedora, but I really want to use CentOS and have group policy support from Likewise.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
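The two things that bit the poster above (the short hostname sitting on the 127.0.0.1 line of /etc/hosts, and the [domain_realm] mapping for a mixed-case DNS name) can both be checked before running `net ads join`. Below is an added example of such a pre-join check; it is not code from the original post nor from Samba or MIT Kerberos. The hostname rmonster.snslatc.hp.com and realm SNSLATC.HP.COM are taken from the post; the /etc/hosts and krb5.conf contents, the 192.0.2.10 address and the KDC name dc1.snslatc.hp.com are constructed for illustration, and the domain_realm lookup order (exact host first, then the longest matching parent domain, compared case-insensitively) is this example's approximation of the library behaviour, not a quotation of it.

```python
"""Pre-join sanity checks for a Linux host about to join an AD domain.

Added example, not code from the original post or from Samba/MIT Kerberos.
Hosts-file and krb5.conf contents below are constructed for illustration.
"""
import re

# Constructed /etc/hosts reproducing the layout the post describes: the short
# name sits on the loopback line, so the resolver turns it into 127.0.0.1 and
# the join registers localhost.localdomain as the dNSHostName.
HOSTS_BAD = """\
127.0.0.1   localhost.localdomain localhost rmonster
::1         localhost6.localdomain6 localhost6
"""

# Constructed corrected /etc/hosts: the FQDN and short name on the real address.
HOSTS_GOOD = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
192.0.2.10  rmonster.snslatc.hp.com rmonster   # address is made up
"""

# Constructed krb5.conf fragment; only the sections the post mentions.
KRB5_CONF = """\
[libdefaults]
    default_realm = SNSLATC.HP.COM

[realms]
    SNSLATC.HP.COM = {
        kdc = dc1.snslatc.hp.com
    }

[domain_realm]
    .snslatc.hp.com = SNSLATC.HP.COM
    snslatc.hp.com = SNSLATC.HP.COM
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def loopback_aliases(hosts_text, hostname):
    """Return the loopback lines of an /etc/hosts text on which `hostname` appears.

    A non-empty result means the host's own name resolves to loopback, which is
    the condition that produced the bogus localhost dNSHostName in the post.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr.startswith(LOOPBACK_PREFIXES) and hostname.lower() in (n.lower() for n in names):
            hits.append(line)
    return hits


def parse_section(conf_text, section):
    """Return the key = value pairs of one flat krb5.conf section.

    Lines opening a nested block (ending in '{') are skipped, so this is only
    meant for flat sections such as [domain_realm] or [libdefaults].
    """
    pairs, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current == section and "=" in line and not line.endswith("{"):
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def realm_for_host(conf_text, fqdn):
    """Map a host name to a realm via [domain_realm].

    Assumed lookup order (an approximation, not the library's code): an exact
    host entry wins, then the longest matching parent domain, trying both the
    dotted ('.example.com') and undotted ('example.com') spellings. DNS names
    are compared case-insensitively; the realm is returned as written, since
    Kerberos realm names themselves are case-sensitive.
    """
    mapping = {k.lower(): v for k, v in parse_section(conf_text, "domain_realm").items()}
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return None


def expected_spns(fqdn):
    """SPNs the post shows on a working computer object: HOST and CIFS, long and short."""
    short = fqdn.split(".", 1)[0]
    return [f"{svc}/{name}" for svc in ("HOST", "CIFS") for name in (fqdn, short)]


def preflight(hosts_text, conf_text, fqdn):
    """Return a list of problems; an empty list means the host is ready to join."""
    problems = []
    short = fqdn.split(".", 1)[0]
    for name in (fqdn, short):
        for line in loopback_aliases(hosts_text, name):
            problems.append(f"{name} is aliased to loopback in /etc/hosts: {line!r}")
    if realm_for_host(conf_text, fqdn) is None:
        problems.append(f"no [domain_realm] entry maps {fqdn} to a realm")
    return problems


if __name__ == "__main__":
    for label, hosts in (("bad", HOSTS_BAD), ("good", HOSTS_GOOD)):
        print(label, preflight(hosts, KRB5_CONF, "rmonster.snslatc.hp.com") or "ok")
    print(expected_spns("rmonster.snslatc.hp.com"))
```

With the constructed "bad" hosts file the check reports the loopback alias and nothing else; with the "good" one it returns an empty list, and the same realm comes back whether the FQDN is typed in lower, upper or mixed case, because the comparison lowercases the DNS side while leaving the realm string alone.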