Wednesday, October 18, 2006

Must Have for Integrating Linux in a Windows World

Ubuntu's AD Samba Guide: ActiveDirectoryHowto - Community Ubuntu Documentation

Novell's Ubuntu AD Samba Guide: HOWTO: Configure Ubuntu for Active Directory Authentication
Note: Samba is hosted on Novell's servers because Novell is starting to seem pretty agnostic on what distribution people are running. Good for them.

I was able to allow my machine to authenticate on a Windows AD domain without joining it to the domain. The second step of setting up libpam-ldap and nscd would require changes to the domain controllers, but I am only able to log on if the user account in /usr/passwd is identical to a domain account. If I had libpam-ldap installed and joined this computer to the domain, I would be able to accept anyone's domain account as a login on this machine.

I am now able to cruise network shares through GNOME (Nautilus) with smb://servername without having to supply a password for each connection. Previously, my credentials would be encrypted to the Nautilus keyring, so it may have seemed like authentication only happened once, but it was really happening each time you connected. With a Kerberos ticket, I am authenticated as myself until the ticket is closed or revoked by a domain controller. This truly becomes a single sign-on Microsoft environment.

Now I have to work out how single sign-on for our intranet, which was developed on .NET, is handled (NTLM?). When I go to the site with Firefox (Windows and Linux), I get asked for passwords continuously, it seems. I had heard on a Novell Open Audio podcast that SUSE had figured out a way to use Firefox with single sign-on. I just can't remember if it was with a Firefox Kerberos plugin or if there was a special setting in about:config.

1 comment:

  1. To enable Kerberos authentication over HTTP with SPNEGO, you have to set "network.negotiate-auth.trusted-uris" with your domain name (for instance .yourdomain.com) as value. When authentication is required on a server from this domain, Firefox will use your current Kerberos ticket to negotiate your identity.

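The preference named in the comment above decides which servers Firefox will hand a Kerberos ticket to, so the list is worth reviewing before it is rolled out. The following is an added example, not code from the post or the commenter: it reads the preference from user.js-style text and flags broad entries. The entry grammar (`[scheme "://"] [host [":" port]]`, comma-separated), the sample prefs text and all function names are assumptions made for the illustration.

```javascript
// Added example: review network.negotiate-auth.trusted-uris entries in a prefs file.
// Assumed entry grammar: [scheme "://"] [host [":" port]], comma-separated.
const PREF = "network.negotiate-auth.trusted-uris";

// Extract the pref's entries from user.js / prefs.js text (last assignment wins).
function readTrustedUris(prefsText) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/g;
  let value = null;
  for (const m of prefsText.matchAll(re)) {
    if (m[1] === PREF) value = m[2];
  }
  return value === null ? [] : value.split(",").map(s => s.trim()).filter(Boolean);
}

// Return the findings for one entry; an empty list means nothing was flagged.
function auditEntry(entry) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]*)(?::\d+)?\/?$/i.exec(entry);
  if (!m) return ["unparseable entry"];
  const findings = [];
  const scheme = (m[1] || "").toLowerCase();
  const host = m[2].replace(/^\./, "").toLowerCase();
  if (host === "") {
    findings.push("scheme-only: every host on this scheme is trusted");
  } else if (!host.includes(".")) {
    findings.push("single label: confirm it is an intranet host, not a TLD");
  }
  if (scheme === "http") findings.push("http: negotiation happens over cleartext");
  if (scheme === "") findings.push("no scheme: entry is not restricted to https");
  return findings;
}

function auditPrefs(prefsText) {
  return readTrustedUris(prefsText).map(e => ({ entry: e, findings: auditEntry(e) }));
}

// Constructed sample input, using the placeholder domain from the comment.
const SAMPLE = [
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("network.negotiate-auth.trusted-uris", ' +
    '"https://intranet.yourdomain.com, .yourdomain.com, https://, http://legacy.yourdomain.com");',
].join("\n");

for (const { entry, findings } of auditPrefs(SAMPLE)) {
  console.log(entry, "=>", findings.length ? findings.join("; ") : "ok");
}
```

An entry such as `https://intranet.yourdomain.com` passes cleanly, while the `.yourdomain.com` form from the comment is reported only for not being limited to https.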