Authenticate Linux (Fedora C3) against AD

Relli

I want to authenticate Fedora user accounts against Active Directory accounts, and eventually Samba accounts as well, but first things first. I've done a lot of reading and think I could do it if I were an administrator of the domain controller, but alas, I'm not. The DCs do not have Services for Unix installed, which is the problem I'm running into. The admins will not install it either. I do have sufficient rights to create machine accounts and join machines to the domain though. I have a Windows Server 2003 machine that is not a DC, but is a member of the domain, that I could install Services for Unix on if that would help.

Basically, is there any way to authenticate Linux user accounts to AD without having Services for Unix installed?

or

authenticate Linux user accounts to a Win2003 (non-DC) that authenticates to AD:
FedoraC3-->Win2003-->AD-->Win2003-->FedoraC3?

I hope that is clear enough. Any help you could provide would be appreciated.
 
Don't think there is any way you can do this without modifying the AD servers.
 
I don't know much about this; I have just started looking into things, but I would check out using pam_winbind / samba to work as a go-between for authentication between your FC boxes and the AD servers...
 
Kerberos 5 realms can be interoperable with AD's Kerberos 5 implementation. It's akin to having two domains that trust each other, albeit a bit more complicated.
 
Winbind is what you are looking for. It's been a while, so I may have some of this goofed up, but the general principles are the same:

Join the samba server to the AD DC. Unfortunately, this is just like joining any other computer to the domain, in that you will need to have that privilege.

Tell Linux to look to winbind for user/group records (nsswitch? I think)

....

profit!

From this point on, you need to modify your base PAM files to auth against winbind, and unfortunately, that differs from distro to distro (and I don't remember how in FC3).
 
I read the Winbind section of TOSHRG. I think I'm pretty close, but not quite there. I joined the domain successfully. Then I executed
Code:
wbinfo -u
wbinfo -g
to make sure I could see the user and group information. That worked fine. Then I tried
Code:
getent passwd
getent group
These both listed the local passwd and group files, but never anything about the domain users and groups. When I checked /var/log/samba/winbind.log, I got a ton of errors saying "idmap Fatal Error: GID range full!!! (max: 1000000)". In the smb.conf file, I have the range set from 10000-1000000 and that should be plenty. To be sure I sent the output of wbinfo -g to a file and the number of lines was something like 7000, so I don't think I could be exhausting the range.

Anyone have any ideas what to look for or how to fix it? I googled a little and found a post on samba groups that had the same issue, but never saw an answer for it.
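The two posts above between them describe the pieces a winbind setup depends on: the idmap uid/gid ranges in smb.conf, the winbind entries in nsswitch.conf, and the enumeration settings that let getent show domain accounts at all. The script below is an added example, not something posted in this thread or shipped with Samba: it parses constructed copies of those two files (the ranges mirror the 10000-31000 / 99000 users / 7000 groups figures from the thread) and reports which piece is inconsistent, so the checks can be run offline before touching a real domain-joined box. The file contents, the account counts and the function names are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a Samba/winbind configuration against the
# symptoms discussed in the thread (wbinfo works, getent shows nothing,
# winbind.log complains that the idmap range is full). Works on constructed
# files only; no real smb.conf, wbinfo or Active Directory is consulted.

# Extract the "idmap uid"/"idmap gid" range from an smb.conf-style file.
# Prints "low high", or nothing if the parameter is absent.
idmap_range() {            # $1 = smb.conf path, $2 = uid|gid
    sed -n "s/^[[:space:]]*idmap $2[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Number of ids the range can hold; 0 if it is missing or inverted.
range_size() {             # $1 = smb.conf path, $2 = uid|gid
    set -- $(idmap_range "$1" "$2")
    [ $# -eq 2 ] || { echo 0; return; }
    [ "$1" -lt "$2" ] || { echo 0; return; }
    echo $(( $2 - $1 + 1 ))
}

# Does nsswitch.conf consult winbind for a database (passwd or group)?
nss_uses_winbind() {       # $1 = nsswitch.conf path, $2 = passwd|group
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# Is "winbind enum users/groups = yes" set? Without it getent will not
# enumerate domain accounts even though wbinfo -u / -g lists them.
winbind_enum() {           # $1 = smb.conf path, $2 = users|groups
    grep -Eiq "^[[:space:]]*winbind enum $2[[:space:]]*=[[:space:]]*yes" "$1"
}

# Verdict for one id type, given the number of domain accounts to map.
check_idmap() {            # $1 = smb.conf path, $2 = uid|gid, $3 = account count
    size=$(range_size "$1" "$2")
    if [ "$size" -eq 0 ]; then
        echo "idmap $2: range missing or inverted"
    elif [ "$3" -gt "$size" ]; then
        echo "idmap $2: range holds $size ids but domain has $3 accounts"
    else
        echo "OK"
    fi
}

# Constructed sample files (assumptions, not copied from any real host).
SMB_CONF=$(mktemp)
NSS_CONF=$(mktemp)
trap 'rm -f "$SMB_CONF" "$NSS_CONF"' EXIT
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   idmap uid = 10000-31000
   idmap gid = 10000-31000
   winbind enum users = yes
   winbind enum groups = yes
EOF
cat > "$NSS_CONF" <<'EOF'
passwd:     files
group:      files winbind
EOF

main() {
    # Figures from the thread: ~99000 domain users, ~7000 domain groups.
    check_idmap "$SMB_CONF" uid 99000
    check_idmap "$SMB_CONF" gid 7000
    nss_uses_winbind "$NSS_CONF" passwd || echo "nsswitch.conf: passwd line does not include winbind"
    nss_uses_winbind "$NSS_CONF" group  || echo "nsswitch.conf: group line does not include winbind"
    winbind_enum "$SMB_CONF" users  || echo "smb.conf: winbind enum users is not yes"
    winbind_enum "$SMB_CONF" groups || echo "smb.conf: winbind enum groups is not yes"
}
main
```

On a real box you would point SMB_CONF and NSS_CONF at /etc/samba/smb.conf and /etc/nsswitch.conf and feed the account counts from `wbinfo -u | wc -l` and `wbinfo -g | wc -l`; the point of the checks is that each of the three failure modes (range too small, winbind missing from nsswitch, enumeration disabled) produces a different getent symptom, so they are worth separating before changing anything.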
 
Drop that range down to less than 32000. I don't think Linux can handle it above that.
 
I changed the range to 10000-31000 and I get the same error.

Anything else?
 
Can anyone confirm that 32000 range limit?

I just "counted" the domain users and there are about 99000 now. That will change, probably grow, about daily. I'm going to need a lot more than 32000. There are only 7000 groups though, so it would be possible to allow logins and share access by groups. I'm not sure Winbind can map groups and not users though.

Any thoughts on what I could do, or do you need any more information before you can help?
 
I've had a lot of fun doing AD - LDAP cross-platform with Mac OS X and Windows/Novell. You may have to make changes in the AD schema in order for it to work properly. You shouldn't futz with it if the admins do not want to install it. There may be specific reasons why they do not...
 
bump...

I'm doing this at work right now - I'm building a samba storage server in the neighborhood of 1.5TB to handle all of our company's data storage.

I've successfully joined two Linux distros to the domain (one FC3, the other SuSE 9.1) and even gotten domain authentication to work. It's very, very badass to let any user come to my Linux box, log in with their domain account, and watch their home directory get created locally and mapped to their network home dir.

ACL even works. I haven't gotten ACL working 100% but I think that is because I haven't properly told Samba who the network admin is (me).

Any user logged in to the domain has auto-magic permission to access the samba shares, and everything is controlled through the filesystem ACL - the user has no way of knowing it isn't a Win200x server.

Samba also owns Windows for SMB performance.

What I haven't gotten working yet 100% is Kerberos authentication. As a Windows admin beginning to dabble more and more in Linux, I can truly appreciate how easy and magical Microsoft makes life for us. AD is nothing more than LDAP and MIT Kerberos 5, and Windows file sharing is SMB (an open IBM-developed protocol) and a couple of other standards, modified of course to MS's purposes.

Anyway, since there seems to be some interest, I'll post a link to my "Definitive Linux login to AD and ACL w/ samba howto" when I get it up. Complete with google ad links :)
 
If you're trying to do this and you're not getting cooperation from the domain admins, there may be a reason. This sounds like a work or other "commercial" endeavor, and for you to proceed without having a manager or policy behind you, may get you into trouble. It might amount to "unauthorized network devices" which can sometimes include termination as a punishment.

Just something I wanted to mention quick. If it is a necessary business case to get them on the domain, then you should be able to convince the admins to help you out and assist.
 