amp4000
asked on
authenticating linux to a windows 2000 domain
I would like to know how do I authenticate linux users against a windows 2000 server domain. Do I need to have a wins server on my 2k domain. Because right now since we only have xp pro and 2k pro clients we do all our resoving via dns thus we do not have wins installed. I read this former post to get me started I was able to add the box to the domain without a problem. I'm new to linux so this is a totally new area for me. Also has anyone ever intergrated linux into active directory. I'm using redhat 8.0 for our setup. Here is the link to the article that I read. By the way my active directory runs in mixed moded. I plain on converting to native mode soon will it be a problem getting this setup when ad is in native mode.
https://www.experts-exchange.com/questions/20765134/Join-a-Windows-2000-Domain.html
https://www.experts-exchange.com/questions/20765134/Join-a-Windows-2000-Domain.html
ASKER
Thanks for the article I had already checked it out earilier today, but that will not help me much that program does not exist anymore. I found it on a few mirror sites but I could not find the developers website. I really don't like to use things that are not well supported.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
td_miles it worked just than. Can I map a drive thats on a 2000 server or is that not possible. Also I've notice that with this type of user authentication one is actually having to create 2 different accounts. One for linux and one for windows I want to know how does everything completley go through the windows box what I mean by that is one maintains a ad user account there's no account created to match on a linux box and they can still log in. Check this article out I'm looking for some books on linux and windows integration also.
http://insight.zdnet.co.uk/software/developer/0,39020469,2122363,00.htm
http://insight.zdnet.co.uk/software/developer/0,39020469,2122363,00.htm
you can map a windows share to a linux mount point using the mount command and specify that the type is smbfs. EG.
mount -t smbfs -o username=tridge,password=f
would mount the windows share "test" on server "fjall" to the Linux directory "/data/test"
Unfortunately I don't know of a way of only having one account (the windows one). I've only been able to make it work by creating a local linux account and haven't had a requirement to pursue it any furtherthan that :(
As the article that you linked to suggests, they are working on LDAP and kerberos (ie win2k) authentication integration in Samba v3. This is still fairly experimental. It works and it has been released, but I am yet to try it. Have you tried this ?
mount -t smbfs -o username=tridge,password=f
would mount the windows share "test" on server "fjall" to the Linux directory "/data/test"
Unfortunately I don't know of a way of only having one account (the windows one). I've only been able to make it work by creating a local linux account and haven't had a requirement to pursue it any furtherthan that :(
As the article that you linked to suggests, they are working on LDAP and kerberos (ie win2k) authentication integration in Samba v3. This is still fairly experimental. It works and it has been released, but I am yet to try it. Have you tried this ?
ASKER
I have not tried it yet I'm new to linux so I will need a little more info before I put this up. I'm thinking about buying this book though it had good reviews on amazon.com. Someone was tell me that you can use a smbclient utility to browse the domain . By the way how are you guys using linux servers at work. I'm just trying to get a feell for the entire linux thing.
book link
http://www.informit.com/isapi/product_id~{55CA62E1-E3E8-4DE2-8A12-C
book link
http://www.informit.com/isapi/product_id~{55CA62E1-E3E8-4DE2-8A12-C
You can use the smbclient command to retrieve lots of things:
$ smbclient -L <pdc> -W <domain> -N
will return a list of machines in your domain.
$ smbclient -L <machine>
will give you a list of shares on that machine.
That book should be a good read and is the one recommended by the Samba team.
The linux servers that we have are running WebSphere and being used as J2EE (ie Java) application servers. The development guys all use windows based IDE application, so they need to be able to use windows explorer to copy files to/from the linux boxes. Hence why we are running Samba, purely for access via windows shares. The authentication to win2k was setup after the intial install, to save having seperate passwords. Our win2k passwords are sync'ed from an iSeries (as/400) machine, so we have the same username/password across all three platforms.
$ smbclient -L <pdc> -W <domain> -N
will return a list of machines in your domain.
$ smbclient -L <machine>
will give you a list of shares on that machine.
That book should be a good read and is the one recommended by the Samba team.
The linux servers that we have are running WebSphere and being used as J2EE (ie Java) application servers. The development guys all use windows based IDE application, so they need to be able to use windows explorer to copy files to/from the linux boxes. Hence why we are running Samba, purely for access via windows shares. The authentication to win2k was setup after the intial install, to save having seperate passwords. Our win2k passwords are sync'ed from an iSeries (as/400) machine, so we have the same username/password across all three platforms.
ASKER
I did not know it was recommended by the samba team. I plain on ordering it tonight I have a demo copy of websphere for linux and windows but I have not installed it yet. What do you mean your passwords are sync'ed from a iseris as/400? Sorry for the stupid question but I'm just starting to work in a mixed environment. By the way when you say appliction server are they actually writing programs than running that program on the websphere box?
do you know what an iSeries is ? (they used to be called AS/400's) If not, here's a pointer:
http://www.ibm.com/iseries
In short, they are big IBM beasts ;)
(up to 32 processors, TB of storage space, huge memory, etc)
Ours has an intel windows server integrated into the iSeries machine (it runs an entire PC as a expansion slot card !) and it syncronises passwords from the iSeries to the windows domain controller running on this PC card. Our linux machines then authenticate their logins (using Samba) back to the win2k machine. This means that all 3 operating systems use the same username/passwords.
Yes the developers use a local copy of webspehere IDE on their PC's, then publish to the websphere servers running on Linux. So yes, the applications that we develop run on WebSpehere (on Linux). We also run websphere on the iSeries, but we had an application that we need to throw a lot of memory at, and memory for Intel boxes is a lot cheaper than memory for iSeries.
http://www.ibm.com/iseries
In short, they are big IBM beasts ;)
(up to 32 processors, TB of storage space, huge memory, etc)
Ours has an intel windows server integrated into the iSeries machine (it runs an entire PC as a expansion slot card !) and it syncronises passwords from the iSeries to the windows domain controller running on this PC card. Our linux machines then authenticate their logins (using Samba) back to the win2k machine. This means that all 3 operating systems use the same username/passwords.
Yes the developers use a local copy of webspehere IDE on their PC's, then publish to the websphere servers running on Linux. So yes, the applications that we develop run on WebSpehere (on Linux). We also run websphere on the iSeries, but we had an application that we need to throw a lot of memory at, and memory for Intel boxes is a lot cheaper than memory for iSeries.
after read all the comment td_miles gave you very good hints I'm just add on something that using the NT as a password server and you no need to maintain the users and password info in samba server, read this from the book you are going to buy or try it as below
in your smb.conf
**** Global setting ****
security = server
password server = <NT-Server-Name>
by doing this the NT server will become the server to verify all the login from you samba/linux box with samba.
for mount a share from win2K smbclient is one of the way, 'mount' will be the other option you can thinking of like this
mount -t smbfs -o username=administrator,pas
hope this give you more idea :)
in your smb.conf
**** Global setting ****
security = server
password server = <NT-Server-Name>
by doing this the NT server will become the server to verify all the login from you samba/linux box with samba.
for mount a share from win2K smbclient is one of the way, 'mount' will be the other option you can thinking of like this
mount -t smbfs -o username=administrator,pas
hope this give you more idea :)
ASKER
td_miles I forgot to ask you what mode are you running active directory in. I'm assuming your using mixed mode since the samba server reflects a nt box.
We're running in Native Mode. You're correct that Samba appears as an NT4 machine, but you only need mixed mode if you're going to use NT4 machines (or Samba) as a Domain Controller. We are not doing this, the Samba machines are only normal domain members, so native mode works for this situation (same as you can add an NT4 workstation to an AD native mode domain).
ASKER
I'm having a problem with accessing my samba share. I can see the server and shares through my network places byt when I get ready to access it I can't get into the share. I would like to ask you about creating accounts do I need to create a system username and password for a user and than after that create a samba username and password for the user? I saw somewhere on the web where you have to add a samba account. Here is the file I was trying to create don't laught its my first one.
[apps]
comment = User Software
path = /apps
public = no
writable = no
valid user = mstephens mbrown
[apps]
comment = User Software
path = /apps
public = no
writable = no
valid user = mstephens mbrown
You shouldn't have to create a samba account, just create a linux account. As long as Samba is setup properly, then it should authenticate the user against the windows AD. The linux username and the windows username have to be exactly the same for this to work. What error do you get when you try to connect to the share ?
I would suggest you start by copying the examples included in the smb.conf files and modifying them to suit you needs. An example of a share that I have is:
[www]
comment = WWW Share
path = /var/www
public = yes
writable = no
printable = no
write list = user1,user2,user3
force user = root
force group = root
create mask = 0664
This will allow only the listed users write access to the share and force all files created to be created with owner/group root.
I would suggest you start by copying the examples included in the smb.conf files and modifying them to suit you needs. An example of a share that I have is:
[www]
comment = WWW Share
path = /var/www
public = yes
writable = no
printable = no
write list = user1,user2,user3
force user = root
force group = root
create mask = 0664
This will allow only the listed users write access to the share and force all files created to be created with owner/group root.
ASKER
The message is \\linuxbox\apps is not accessible. You might not have permission to access this resource.
Start Regedit, navigate to:
HKEY_LOCAL_MACHINE\System\
and change
"RequireSignOrSeal"=dword:
to
"RequireSignOrSeal"=dword:
HKEY_LOCAL_MACHINE\System\
and change
"RequireSignOrSeal"=dword:
to
"RequireSignOrSeal"=dword:
http://www.securityfocus.com/infocus/1563