On Thu, Jul 05, 2001 at 06:01:31PM -0400, Lengyel, Florian wrote:
> I have an NT domain with several thousand users, to which I'm going
> to add two LINUX clusters. I would like the users to be authenticated
> by the PDC or BDCs of the NT domain, or else I would like the NT and
> LINUX password databases to be synchronized so that they could be
> administered entirely from NT if one wanted. I understand that I could use
> pam_smb or pam_ntdom for this purpose. What would I use when the
> NT domain controllers are replaced with Windows 2000 servers?

You should be able to use any of the many pam_krb5 implementations to
authenticate users by using your server as a KDC in the krb5.conf file.

> Is it possible to use an authentication module for Kerberos
> under Red Hat Linux 7.1 that would work with Windows 2000?

Yes. There's one included on the CD, and there are others on the net:

Frank Cusack's: http://www.fcusack.com/
Naomaru Itoi's, with support for Solaris by Curtis King: ftp://ftp.dementia.org/pub/pam/
Wyman Miles's: http://is.rice.edu/~wymanm/projects/

I'm pretty certain that this is not a comprehensive list.

> If there is such a kerberos authentication module, does it authenticate
> users through kerberos under windows 2000, bypassing the usual
> LINUX authentication mechanism, or does this kerberos PAM
> only provide authenticated user access to kerberized services?
> I could be missing the point of Kerberos under windows 2000.

At the basic level, pam_krb5 should use the Win2k box as a KDC for
authenticating users, so you can use it in place of pam_unix if you wish.
I'd recommend keeping root local, though, and mixing the two so that users
with Kerberos principals authenticate using pam_krb5, and everyone else
uses regular /etc/shadow authentication.

Generally, users who authenticate using Kerberos should get a TGT which
they can use to authenticate to other servers in your realm, but depending
on whether or not those servers are expecting additional authorization
data to be present, Kerberized services may or may not be accessible to
those users.

Don't forget that authentication via PAM (or Kerberos) doesn't give you
access to other information about users, such as the location of their
home directories, or their UIDs. For that, you still need something like
an NIS server, a hesiod database, or an LDAP server (usually using
nss_ldap as a client) or Microsoft's Services For Unix, which I believe
includes an NIS server which runs on top of Active Directory.

Hope this helps,

Nalin
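One concrete layout for the mixed setup described above, as an added example that is not from the original thread: a krb5.conf that names the Windows 2000 domain controllers as KDCs, a Linux-PAM auth stack that keeps root and other system accounts on /etc/shadow, tries pam_krb5 for everyone else and falls back to pam_unix, and the NSS lines that supply the UID and home-directory data Kerberos alone does not provide. The realm, host names and the uid boundary are assumptions, and the pam_succeed_if skip relies on the `[success=N ...]` control syntax of later Linux-PAM releases, which Red Hat 7.1 predates.

```conf
# --- /etc/krb5.conf (assumed realm and DC names) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    # The Windows 2000 domain controllers are the KDCs for this realm.
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM

# --- /etc/pam.d/system-auth (Red Hat-style shared stack) ---
auth        required      pam_env.so
# System accounts (root included, assumed uid < 1000) never leave this host:
# when the test succeeds, the next module (pam_krb5) is skipped.
auth        [success=1 default=ignore] pam_succeed_if.so uid < 1000 quiet
# Users with a principal in the Win2k realm authenticate against the KDC.
auth        sufficient    pam_krb5.so
# Everyone else (and any Kerberos failure) falls back to /etc/shadow,
# reusing the password already typed so nobody is prompted twice.
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so

# broken_shadow: do not fail Kerberos-only users that have no shadow entry.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

session     required      pam_unix.so
# Store the TGT obtained at login so Kerberized services can be reached.
session     optional      pam_krb5.so

# --- /etc/nsswitch.conf ---
# PAM only authenticates; uid, gid and home directory for the Kerberos
# users must still come from an NSS source (here LDAP via nss_ldap).
passwd:     files ldap
shadow:     files ldap
group:      files ldap
```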