RE: Re: pam_krb5 + SFU 2.0+ Windows 2000

I have no expertise in this area.  What you outline below does seem
quite reasonable, though.  You may also want to take a look at winbind
that comes with Samba 2.2.2.  It can make your Linux box become a member
of an NT domain through the use of a daemon called winbindd and a PAM
module.  So long as you are running Win2k such that it is in NT Domain
compatibility mode (or whatever it is called), I think that you should
have a working solution.

If you are concerned about security, NIS is probably not what you want.
It exposes encrypted passwords and the NIS server can be rather easily
spoofed.

Mike
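As an added example (not code from Mike or anyone else in this thread), a small Python audit over a constructed `ypcat passwd` style dump: it flags entries whose password field carries a crypt hash (Mike's point that an unshadowed NIS map exposes them), entries with an empty password field, and UID/GID values below the lower bound Florian mentions for SFU-mapped accounts. The sample entries, the hashes and the `MIN_ID` threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `ypcat passwd` returns from an unshadowed NIS
# passwd map. Accounts and hashes are made-up placeholders, not real data.
SAMPLE_PASSWD_MAP = """\
flengyel:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1001:1001:Florian:/home/flengyel:/bin/bash
dbour:x:1002:1002:Daniel:/home/dbour:/bin/bash
svc_nfs:AbCdEfGhIjKlM:500:500:NFS service:/var/empty:/sbin/nologin
guest::1003:1003:Guest:/home/guest:/bin/bash
"""

# Lower bound for NIS/SFU-mapped UIDs and GIDs; the thread mentions 1000 or 500.
MIN_ID = 1000

# Password-field values that carry no secret: shadowed or locked accounts.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "*NP*", "*LK*"}
# Traditional 13-character DES crypt, or a "$id$salt$hash" modular-crypt string.
CRYPT_HASH = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


@dataclass
class Finding:
    user: str
    problem: str


def audit_passwd_map(text: str, min_id: int = MIN_ID) -> list[Finding]:
    """Flag map entries that leak a password hash, require no password at all,
    or use UID/GID values inside the local system-account range."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, "malformed passwd entry"))
            continue
        user, pw, uid, gid = fields[0], fields[1], int(fields[2]), int(fields[3])
        if pw == "":
            findings.append(Finding(user, "empty password field (no password required)"))
        elif pw not in SHADOWED_OR_LOCKED and CRYPT_HASH.match(pw):
            findings.append(Finding(user, "password hash exposed in NIS map"))
        if uid < min_id or gid < min_id:
            findings.append(Finding(user, f"uid/gid below {min_id} (system-account range)"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd_map(SAMPLE_PASSWD_MAP):
        print(f"{f.user}: {f.problem}")
```

On a live system the input would be the output of `ypcat passwd`; the same checks apply unchanged.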

On Mon, 2001-10-22 at 01:24, Lengyel, Florian wrote:
> Dear Pam community,
> 
> I'll write up the operational hijinx I'm up to with this; for now, here's a
> progress (or regress) report for your delectation.
> 
> I'm in the process of integrating pam_krb5 with services for unix 2.0 to
> enable windows 2k users to authenticate into a linux box that is a member
> of the w2k domain (which happens by default to be the kerberos realm), so
> that
> 
> 1. the users under linux are UID/GID mapped to a w2k sid via NIS+ SFU 2.0
> user/group name mapping. It's necessary to define a GID not lower than 1000
> (or 500 - the exact lower bound doesn't matter for conceptual purposes, so
> bear with me, all you insufferable fuss budgets out there ;)
> 
> 2. the home directory of the user is the nfs automounted windows user share.
> 
> 3. users are defined in one and only one place: active directory. Period.
> The need for ANY user specific system administration under linux is ZERO.
> That means, no more useradd commands, or their equivalent under linuxconf.
> 
> Requirements 1 and 2 work without kerberos authentication without any
> trouble, but it's only half of what you and I want. Microsoft has step by
> step instructions to add a LINUX box to a w2k kerberos realm, but I can't
> locate these from where I'm writing. The PAM community is too exquisitely
> cool to spell out the details, but I'm not, and I will in a subsequent post.
> 
> 
> There are a couple things I need to verify, and the answers aren't
> forthcoming (they will be from me, but I'll wager the gross national product
> that Microsoft won't volunteer to tell you what I'm about to ask).
> 
> First, at the moment, in my configuration, the NIS master isn't the W2k
> domain controller; why should anyone care, you wonder?
> 
> Well, there's a serious operational issue here. Adding SFU 2.0 extends
> active directory, so that user properties will have UNIX attributes, such as
> a UID/GID pair, and so that you can specify how the user's share should be
> NFS exported. However, if the passwd database resides on a LINUX box
> functioning as the NIS master, you'll still have to define the user in two
> places: in active directory and in the NIS passwd database.
> This violates requirement 3.
> 
> SFU 2.0 has a server for NIS called "server for NIS" along with a wizard
> that is supposed to facilitate moving the NIS master from your UNIX box to
> your domain controller. The question is whether, once your domain controller
> is the NIS master, adding new users in active directory and setting
> their UNIX attributes is automatically reflected in Server for NIS's NIS
> maps. If so, then there's no need to add the user twice under LINUX, which
> goes a long way towards requirement 3. If not, then the rational response is
> to sulk, unless you have what the French call la belle indifference.
> 
> Also, SFU 2.0 hasn't addressed the issue of copying /etc/skel files to the
> user's account once it's created under active directory - there isn't
> anything like /etc/skel in SFU 2.0. You have to create any initial dot
> configuration files and directories yourself in the user's w2k share.
> 
> Ad interim, I've been sidetracked by several other high performance
> computing projects, but as soon as my W2K domain controller is up and
> running, I'll resume with my report to the pam community on this.
> 
> FL
> 
> -----Original Message-----
> From: BOUR Daniel
> To: 'pam-list@redhat.com'
> Sent: 10/19/2001 11:30 AM
> Subject: Re:Re: pam_krb5 + SFU 2.0+ Windows 2000
> 
> Can someone give me a method to implement unified user authentication
> with Linux and Windows?
> I want to register Linux accounts to Windows2000 KDC.
> 
> Daniel BOUR.
> 
> 
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list