RE: thoughts on AD authentication?

Win2k does not use AD/Kerberos unless you tell it to do so.  Stock,
out-of-the-box, it will use NTLM authentication.  When you enable AD,
it'll use Kerberos tickets to authenticate with those clients that are
capable.

So, if you wish to authenticate from Linux using NTLM, you need to use a
protocol like CIFS from the Linux box with the user's creds (or you can
use the netlogon protocol, whichever you like).

If you wish to authenticate from Linux using Kerberos, you will need to
do a Kerberos preauthentication, i.e., check out kinit to see how it
does its job.

/jc
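The Kerberos route the reply points at, wired into PAM for the auth and account phases the original poster asked about, as an added configuration example that is not part of this thread and not taken from any particular Red Hat release. The realm EXAMPLE.COM, the domain controller dc1.example.com and the file paths are assumed placeholders; the `validate` option assumes Red Hat's pam_krb5 and a host keytab in /etc/krb5.keytab issued by the domain.

```ini
# /etc/krb5.conf  (assumed realm and host names; replace with your own)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Let the library locate KDCs via the _kerberos._tcp SRV records AD
    # publishes in DNS; the explicit kdc line below is the fallback.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/pam.d/<service>  (assumed service name) -- auth and account only.
# pam_krb5 performs the same preauthenticated AS exchange kinit does, so a
# wrong password is refused by the domain controller before any ticket is
# issued.  "validate" then checks the returned TGT against the host keytab.
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_krb5.so use_first_pass validate
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     required      pam_krb5.so
```

Two caveats a practitioner would want here. Without `validate` (and the host keytab it needs), the auth phase only proves that something answering as the KDC accepted the password, so a spoofed KDC reply could satisfy it; with it, the module confirms the TGT decrypts with the machine's own host key. Second, Kerberos only answers "is this password right": it supplies no uid, gid, home or shell, so domain users still need an NSS source (local passwd entries, nss_ldap against the DC, or similar) before they can log in.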

> -----Original Message-----
> From: nicc-lists email addy [mailto:nicc-lists@xxxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, April 09, 2003 1:19
> To: pam-list@xxxxxxxxxx
> Subject: thoughts on AD authentication?
> 
> 
> 
> Hi there all.  I have looked into this in the past, and have been
> trying to figure out what the best method of authenticating linux stuff
> against an Active Directory server is?  I have tried doing the ldap
> method (pam_ldap) but that didn't really strike me as the best way to
> do it (as M$ taint LDAP so as to make it interesting, plus I never
> managed to get it to work properly).  Then I was thinking that perhaps
> using samba would work, but have yet to explore that avenue...  plus AD
> is meant to also use kerberos...  ?  not quite sure, but there is some
> kerberos stuff in win2k server...
> 
> Basically my problem is that we're moving from an NT4 Domain (with all
> the users stored in it) and having some apps on a couple of linux
> boxes, of which one uses pam and samba to authenticate...  And someone
> has decided to move to a 2000 Domain, and so I have to rebuild the
> linux stuff to work on the new domain...  unfortunately, taking down
> one of the linux servers, and then bringing it back up was enough to
> kill it (has lost /bin/login for instance!), but that's not the main
> issue...
> 
> so any help as to what I should think of using, and how to go about it,
> would be so greatly appreciated!  :)  I'm anticipating using PAM, but
> don't know which module I should throw my bit in with, and also how to
> configure it properly and nicely for AD (just really require auth and
> account stuff, but session wouldn't be bad either)...
> 
> thanks heaps...  :)
> 
> 
> nic...  :)
> 
> <<---------------
> "I can't believe that!" said Alice.
> "Can't you?" the Queen said in pitying tone.  "Try again: 
> draw a long breath, and shut your eyes." Alice laughed.  
> "There's no use trying," she said.  "One can't believe 
> impossible things." "I daresay you haven't had much 
> practice," said the Queen. -----"Through the Looking-Glass" 
> by Lewis Carroll------------->>
> 
> 
> 
> _______________________________________________
> 
> Pam-list@xxxxxxxxxx 
> https://listman.redhat.com/mailman/listinfo/pam-list
>
DISCLAIMER:   The information contained in this e-mail is confidential
and is intended solely for the review of the named addressee, and in
conjunction with specific Acopia Networks business.  Any review,
retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you are unable to treat this
information accordingly, or are not the intended recipient, please
notify us immediately by returning the e-mail to the originator. 


