[NTLUG:Discuss] Re: Need a presenter for Feb 18th meeting

Chris Cox cjcox at acm.org
Fri Feb 10 11:47:26 CST 2006


Rick Cook wrote:
> On Thursday 09 February 2006 16:20, you wrote:
>>At the fair I will be showing a VMware scenario showing off
>>single sign on, etc in a mixed Windows/Unix/Linux situation.
>>(at least... I'm planning on doing this)
>>
> 
> Chris,
> 
> I set up a SuSE 8.x box to authenticate users to a Windows Domain several 
> years ago and have forgotten how to do it. I vaguely remember that it 
> involved pam-smb and that I had to have the user defined locally.

That is one way to do it, but probably deprecated nowadays.  You can
use winbind now... but you'd have to have some kind of one-to-one mapping
unless you want samba to auto-create (ick) the users.  The advantage
of the auto-create on the fly is that you get "more" of the permissions
and group information off the domain... the bad part is that it's
not 100% complete/reliable.... so IMHO, you're better off with something
under your control rather than the (always) less than stellar
samba winbind creates (who wants undecipherable ids on their platforms
anyhow?).  The pure winbind solution is pretty much ONLY for
making Linux into a file server (which is pretty much as far
as Windows admins go anyhow).

I prefer to mount a samba drive on login and key off that to
add users to NIS.  You'll have to write a script of course.
The user add can also take care of mapping information if
needed.  It's not bad if we're talking about one Windows domain.

Then, at your option, either allow the users to keep a NIS
password (deemed insecure... but security is somewhat of
a panacea thing anyhow) or always authenticate the password
using winbind.

For that I want to get the password off the Windows server and
map the id to the existing account in Linux (could be a NIS
account).  You will need the Linux client to be joined to
the domain (if you can enumerate users off of the domain, you're
probably ok) and then you will use 'winbind trusted domains only = yes'
in your smb.conf.  Then in your pam config files (e.g. for login),
you can specify:
auth     sufficient     pam_winbind.so

You'd get rid of the linux/unix auth stuff if you don't want them
using their Linux files/NIS password (otherwise, they'll be
able to use either to login).

I guess I need to do a more comprehensive write up.... sigh...

> 
> I am interested in pursuing something similar with my work laptop - want to 
> avoid all of the intranet authentication requests. A twist on the previous 
> thing I did is the desire for the laptop to be able to "self-authenticate" 
> when detached from the work network. Any pointers?

Not sure what you mean exactly.  Is this Windows... or Linux?
If I'm not on NIS (Linux), I use a local account via files.  If you just
have to have them merge, set up a matching local files account
with a local password.  Since it's the same uid, it will merge
when on NIS, but authentication will always go to the local
files (so the passwords may not match up... but who cares!).

On a Windows client, you'd just log in using the local (no Domain)
credential.  Windows tends to be a bit more Network dependent,
so what you're able to do could be very limited without doing
a lot of upfront work (more to replicate).
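Added example, not code from the original post or from Samba: a small POSIX sh sketch of the two pieces Chris describes above, the "write a script" that adds domain users to NIS under uids you control (instead of the ids winbind's idmap hands out), and a check for the PAM caveat that leaving the Unix/NIS auth line next to `auth sufficient pam_winbind.so` lets either password log in. The domain name EXAMPLE, the uid range 20000-29999, the `wbinfo -u` and `ypcat passwd` stand-ins and the sample pam.d stack are all constructed assumptions; a real run would substitute the live commands and feed the generated lines into the NIS source map.

```shell
#!/bin/sh
# Added example, not code from the original post. It sketches the approach
# described there: enumerate domain users via winbind, add the missing ones
# to NIS under uids *you* allocate (rather than winbind's idmap values), and
# check whether a pam.d stack that makes pam_winbind "sufficient" still lets
# the NIS/files password through. The domain name EXAMPLE, the uid range
# 20000-29999 and every sample line below are constructed assumptions.

DOMAIN="EXAMPLE"
UID_BASE=20000
UID_TOP=29999
HOME_BASE="/home"

# Constructed stand-in for `wbinfo -u` output (one DOMAIN\user per line).
domain_users() {
    printf '%s\n' 'EXAMPLE\alice' 'EXAMPLE\bob' 'EXAMPLE\carol'
}

# Constructed stand-in for the current NIS passwd map (`ypcat passwd`):
# alice already has an account in our range, bob and carol do not.
nis_passwd() {
    printf '%s\n' \
        'alice:x:20001:20001:EXAMPLE user:/home/alice:/bin/bash' \
        'svc:x:1500:1500:Service:/var/empty:/sbin/nologin'
}

# Strip the DOMAIN\ prefix. Names from any other domain, empty names and
# names with characters that do not belong in a passwd field are rejected,
# so a trusted-domain or odd account never silently becomes a local login.
strip_domain() {
    case "$1" in
        "$DOMAIN"\\*) n=${1#*\\} ;;
        *) return 1 ;;
    esac
    case "$n" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# Next free uid in the reserved range, taken from the existing map so that
# re-runs are idempotent and never hand out an id twice.
next_uid() {
    max=$(nis_passwd | awk -F: -v lo="$UID_BASE" -v hi="$UID_TOP" \
        '$3>=lo && $3<=hi && $3>m {m=$3} END {print m+0}')
    if [ "$max" -lt "$UID_BASE" ]; then
        echo "$UID_BASE"
    else
        echo $((max + 1))
    fi
}

# Emit passwd lines for domain users with no NIS account yet. Existing
# accounts are untouched: the uid stays the one the admin chose.
new_entries() {
    uid=$(next_uid)
    domain_users | while IFS= read -r full; do
        user=$(strip_domain "$full") || continue
        if nis_passwd | awk -F: -v u="$user" '$1==u {f=1} END {exit !f}'; then
            continue
        fi
        printf '%s:x:%d:%d:%s user:%s/%s:/bin/bash\n' \
            "$user" "$uid" "$uid" "$DOMAIN" "$HOME_BASE" "$user"
        uid=$((uid + 1))
    done
}

# Constructed pam.d auth stack of the shape the post describes: pam_winbind
# is sufficient, but pam_unix was left in, so the NIS/files password is
# accepted as well whenever the domain password fails.
sample_pam_login() {
    printf '%s\n' \
        'auth     sufficient     pam_winbind.so' \
        'auth     required       pam_unix.so nullok' \
        'account  required       pam_unix.so'
}

# Read a pam.d file on stdin; succeed (exit 0) if both passwords would work.
pam_accepts_either_password() {
    awk '$1=="auth" && $2=="sufficient" && $3 ~ /pam_winbind/ {w=1}
         $1=="auth" && $3 ~ /pam_unix/ {u=1}
         END {exit !(w && u)}'
}

# Stand-alone run: print the entries a real script would append to the NIS
# passwd source (then `make` in /var/yp), and flag the permissive PAM stack.
new_entries
if sample_pam_login | pam_accepts_either_password; then
    echo "WARNING: pam_unix still in the auth stack; either password logs in"
fi
```

The uid allocator reads the existing map rather than a counter file, so the script can run at every login-triggered mount without duplicating ids; the PAM check is the thing to run on `/etc/pam.d/login` (and `sshd`) after dropping the Unix line, to confirm that only the domain password is honoured.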
