Authenticating Linux client with Active Directory

0

I am attempting to set up a Linux client to authenticate with Active Directory. I tried following this article, but have had no luck authenticating:

https://wiki.archlinux.org/index.php/Arch_Server_and_Active_Directory

I am hoping to authenticate with Active Directory so that I don't need to re-authenticate when printing and can automatically mount all shares. Will setting this up provide those capabilities for me?

Walter

Posted 2011-10-14T13:28:34.297

Reputation: 907

Answers

2

If you set up Kerberos authentication using either pam_krb5 or pam_winbind, then yes, you will get password-less authentication to services.


But note that the article is out of date in some places, and plain incorrect in others.

  1. Arch has switched to MIT Kerberos (krb5) long ago. Heimdal is not used. (krb5.conf syntax remains the same.)
  2. Do not put kdc settings in krb5.conf's [realms]. It is better to use DNS SRV records to find this information, which is what Windows does. If the KDCs change, you shouldn't need to edit hundreds of krb5.conf's.
  3. Do not put the KDC addresses in /etc/hosts either. Let DNS handle that.
  4. pam_krb5 does not need to be built manually; it's in the official repositories.
  5. You do not need pam_krb5 if you are using Winbind (which is the recommended way).
  6. allow_weak_crypto should not be necessary; both Heimdal and MIT Kerberos support the RC4-HMAC enctype used by pre-2008 Windows versions.

user1686

Posted 2011-10-14T13:28:34.297

Reputation: 283 655

@WalterWhite: This Ubuntu doc page looks fairly good. Also, this Microsoft article... (Sigh. Why is it so that all tutorials only explain what to do, but not why? Even worse that they often suggest entirely opposite practices. Even minor ones, such as using "/lib/security" in PAM config, still bug me... which Linux distros actually do that?)

– user1686 – 2011-10-14T17:29:19.183
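An audit of a krb5.conf against points 2 and 6 of the answer above (hard-coded kdc entries, disabled DNS lookup, allow_weak_crypto), added here as an illustration and not part of any post in this thread. The sample files, the realm EXAMPLE.COM, the host dc1.example.com and the function name audit_krb5_conf are constructed for the example; the parser assumes one relation per line.

```python
import re

# Constructed sample in the hard-coded style the answer warns against.
SAMPLE_BAD = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    allow_weak_crypto = true
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
# Constructed sample that leaves KDC discovery to DNS SRV records.
SAMPLE_GOOD = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"

FALSE_VALUES = {"false", "no", "n", "0", "off", "nil"}
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

def audit_krb5_conf(text):
    """Return (findings, srv_names): config warnings and SRV names to check in DNS."""
    findings, srv_names, section, realm = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)   # section header such as [realms]
        if m:
            section, realm = m.group(1), None
            continue
        if line == "}":                        # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "realms" and value.startswith("{"):
            realm = key                        # start of a realm block
        elif section == "realms" and realm and key == "kdc":
            findings.append(f"hard-coded kdc {value} for realm {realm}")
        elif section == "libdefaults" and key == "dns_lookup_kdc" and value.lower() in FALSE_VALUES:
            findings.append("dns_lookup_kdc disabled: SRV discovery is off")
        elif section == "libdefaults" and key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append("allow_weak_crypto enabled")
        elif section == "libdefaults" and key == "default_realm":
            srv_names += [f"_kerberos._{proto}.{value.lower()}" for proto in ("udp", "tcp")]
    return findings, srv_names

if __name__ == "__main__":
    findings, names = audit_krb5_conf(SAMPLE_BAD)
    print("\n".join(findings + ["SRV to verify: " + n for n in names]))
```

Each returned SRV name can then be checked against the domain's DNS, for example with `dig +short SRV` followed by the name.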

1

Have a look at the free Centrify Express product - hopefully there's a package for your flavour of Linux. It took me about 2 mins to set up an Ubuntu desktop machine with it.

http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp?r=menu-nav

Centrify Express is a comprehensive suite of free Active Directory-based integration solutions for authentication, single sign-on, remote access, file-sharing, monitoring and cloud security for cross-platform systems. It is the quickest and most proven solution for integrating UNIX, Linux and Mac systems with Windows, and delivers more functionality and more to upgrade to when compared to other free offerings.

Linker3000

Posted 2011-10-14T13:28:34.297

Reputation: 25 670