Dear PAM community,

I'll write up the operational hijinks I'm up to with this; for now, here's a progress (or regress) report for your delectation.

I'm in the process of integrating pam_krb5 with Services for Unix 2.0 to enable Windows 2000 users to authenticate into a Linux box that is a member of the W2K domain (which happens by default to be the Kerberos realm), so that:

1. the users under Linux are UID/GID mapped to a W2K SID via NIS + SFU 2.0 user/group name mapping. It's necessary to define a GID not lower than 1000 (or 500 - the exact lower bound doesn't matter for conceptual purposes, so bear with me, all you insufferable fussbudgets out there ;)

2. the home directory of the user is the NFS automounted Windows user share.

3. users are defined in one and only one place: Active Directory. Period. The need for ANY user-specific system administration under Linux is ZERO. That means no more useradd commands, or their equivalent under linuxconf.

Requirements 1 and 2 work without Kerberos authentication without any trouble, but it's only half of what you and I want. Microsoft has step-by-step instructions to add a Linux box to a W2K Kerberos realm, but I can't locate these from where I'm writing. The PAM community is too exquisitely cool to spell out the details, but I'm not, and I will in a subsequent post.

There are a couple of things I need to verify, and the answers aren't forthcoming (they will be from me, but I'll wager the gross national product that Microsoft won't volunteer to tell you what I'm about to ask).

First, at the moment, in my configuration, the NIS master isn't the W2K domain controller; why should anyone care, you wonder? Well, there's a serious operational issue here. Adding SFU 2.0 extends Active Directory, so that user properties will have UNIX attributes, such as a UID/GID pair, and so that you can specify how the user's share should be NFS exported. However, if the passwd database resides on a Linux box functioning as the NIS master, you'll still have to define the user in two places: in Active Directory and in the NIS passwd database. This violates requirement 3.

SFU 2.0 has a server for NIS called "Server for NIS", along with a wizard that is supposed to facilitate moving the NIS master from your UNIX box to your domain controller. The question is whether, once your domain controller is the NIS master, adding new users in Active Directory and setting their UNIX attributes is automatically reflected in Server for NIS's NIS maps. If so, then there's no need to add the user twice under Linux, which goes a long way towards requirement 3. If not, then the rational response is to sulk, unless you have what the French call la belle indifférence.

Also, SFU 2.0 hasn't addressed the issue of copying /etc/skel files to the user's account once it's created under Active Directory - there isn't anything like /etc/skel in SFU 2.0. You have to create any initial dot configuration files and directories yourself in the user's W2K share.

Ad interim, I've been sidetracked by several other high-performance computing projects, but as soon as my W2K domain controller is up and running, I'll resume with my report to the PAM community on this.

FL

-----Original Message-----
From: BOUR Daniel
To: 'pam-list@redhat.com'
Sent: 10/19/2001 11:30 AM
Subject: Re:Re: pam_krb5 + SFU 2.0+ Windows 2000

Can someone give me a method to implement unified user authentication with Linux and Windows? I want to register Linux accounts to Windows2000 KDC.

Daniel BOUR.
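For readers of the thread, here is an added illustration of the shape such a setup takes on the Linux side; it is not FL's configuration (which is promised for a later post) and not Microsoft's documentation. Authentication is delegated to the W2K KDC through pam_krb5, while account identity (UID/GID, home directory, automount map) comes from NIS via nsswitch, so no local useradd is needed. The realm, host names and the minimum_uid value are placeholders, and the exact pam_krb5 option names vary between pam_krb5 implementations and versions.

```conf
# /etc/krb5.conf  -- the W2K domain name, upper-cased, is the Kerberos realm (placeholder names)
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local  = EXAMPLE.LOCAL

# /etc/nsswitch.conf  -- identity comes from the NIS maps (Server for NIS or a UNIX NIS master),
# so a domain user with UNIX attributes resolves without any local passwd entry
passwd:    files nis
group:     files nis
shadow:    files nis
automount: files nis

# /etc/pam.d/login  -- same stack can be reused for sshd, xdm, etc.
# auth: local accounts (root) still use pam_unix; everyone else must obtain a ticket from the KDC.
# minimum_uid keeps low/system UIDs (root) from ever being authenticated via Kerberos.
auth      required    pam_env.so
auth      sufficient  pam_unix.so
auth      required    pam_krb5.so use_first_pass minimum_uid=1000
# account: pam_unix checks expiry from the NIS shadow map, pam_krb5 checks the principal-to-user mapping
account   required    pam_unix.so
account   required    pam_krb5.so
# password changes go to the KDC (kpasswd), not to a local shadow file
password  required    pam_krb5.so
session   required    pam_unix.so
session   optional    pam_krb5.so
```

Two things worth checking in a deployment like this: pam_krb5 can only prove that the password was accepted by the *real* KDC if the Linux host has its own host principal in /etc/krb5.keytab to validate the returned ticket against, so the box must actually be joined to the realm rather than merely pointed at it; and with pam_unix marked `sufficient`, any stray local password hash for a domain user bypasses Kerberos, so the NIS passwd map should carry no usable hashes for those accounts.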