SFU

katie_miguel asked:
Last Modified: 2010-04-18
I installed Microsoft Windows Services for UNIX on my 2k3 domain controller, trying to achieve single logon for our Unix and Linux clients. I also installed the Certificate Services on the machine. On the Linux side I did an ldapsearch; it could not connect to the LDAP. Do I need to create the realm trust first? Is there anything missing on the Windows side of the config? How do I config it on the Linux side?

Thanks

katie

Commented:
LDAP works out-of-the-box on a Windows 2000/2003 domain controller, but you will need to authenticate to the Windows box (minimum Domain User) before you can query LDAP.

I'm not really comfortable with Linux, but is it true that there's an ldap.conf file like described on this page:

http://yolinux.com/TUTORIALS/LDAP_Authentication.html

; LDAP server specifications

server XXX.XXX.XXX.XXX     - IP address of LDAP server
version 2                         - Open LDAP is considered V2 while Sun One considers themselves to be V3
base    "dc=sub-Domain,dc=domain,dc=com"
scope   subtree                   - Options are subtree, onelevel or sbase
password-hash {CRYPT}
binddn  "cn=AdminManager,dc=sub-Domain,dc=domain,dc=com"
bindpwd secret-password

---

binddn would be the user account you created for authentication, but the password is unfortunately clear-text. Windows 2000 supports LDAP v3, by the way; I just left the above text as-is.

Hope this helps.
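An added example (not from the thread or the yolinux tutorial) that audits an ldap.conf of the kind quoted above for the weaknesses the thread touches on: the clear-text bindpwd, LDAPv2 against a v3-capable DC, simple binds over unencrypted LDAP, no CA certificate for the server, and the anonymous bind the asker later enables. Key names follow the nss_ldap/pam_ldap syntax (uri, ssl, tls_cacertfile, tls_checkpeer, rootbinddn, ldap_version, bindpw); the host names and file paths are constructed samples.

```python
# Constructed weak sample, the thread's config rewritten in nss_ldap key syntax.
WEAK_CONF = """\
host 192.0.2.10
ldap_version 2
base dc=sub-Domain,dc=domain,dc=com
binddn cn=AdminManager,dc=sub-Domain,dc=domain,dc=com
bindpw secret-password
"""

# Constructed hardened counterpart: LDAPv3 over ldaps, the CA certificate exported
# from the Windows CA used to verify the DC, and the bind password kept out of the
# world-readable ldap.conf (rootbinddn reads it from /etc/ldap.secret, mode 0600).
HARDENED_CONF = """\
uri ldaps://dc1.domain.com/
ldap_version 3
base dc=sub-Domain,dc=domain,dc=com
ssl on
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
tls_checkpeer yes
rootbinddn cn=AdminManager,dc=sub-Domain,dc=domain,dc=com
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines; '#' and ';' start comments; keys are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().strip('"')
    return conf

def audit_ldap_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    conf = parse_ldap_conf(text)
    findings = []
    if conf.get("ldap_version", "3") != "3":  # nss_ldap defaults to v3
        findings.append("ldap_version: AD speaks LDAPv3; do not downgrade to v2")
    uri = conf.get("uri", "")
    ssl_on = conf.get("ssl", "off").lower() in ("on", "start_tls") or uri.startswith("ldaps://")
    if not ssl_on:
        findings.append("transport: simple bind over plain LDAP sends the password in the clear; use ldaps:// or ssl start_tls")
    elif "tls_cacertfile" not in conf or conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls: set tls_cacertfile to the exported CA certificate and tls_checkpeer yes, or the DC is not verified")
    if "bindpw" in conf:
        findings.append("bindpw: clear-text credential in ldap.conf, which nss_ldap needs world-readable; use rootbinddn with /etc/ldap.secret (0600)")
    if "binddn" not in conf and "rootbinddn" not in conf:
        findings.append("bind: no bind DN means anonymous bind, which only works if the DC permits anonymous directory access")
    return findings
```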

Author

Commented:
Thanks, I'll try it out Monday morning. But did I miss anything on the Windows side? Does a realm trust need to be created? How do I export the certificate to the Unix box, so the password will be encrypted?

katie

Commented:
A realm trust is not needed for pure LDAP. A realm trust is created to allow Kerberos V5 authentication between a Windows 2003 domain and a non-Windows Kerberos realm, but I guess that is mutually exclusive with LDAP - you either use Kerberos authentication, or LDAP pass-through authentication.

You can export digital certificates (with private key) to a variety of formats, using the Certificates snap-in from the Microsoft Management Console (mmc.exe).

Trust types
http://technet2.microsoft.com/WindowsServer/en/Library/116d34e5-5615-4fb8-a8ef-47b94c294b581033.mspx

When to create a realm trust
http://technet2.microsoft.com/WindowsServer/en/Library/f6c267b0-31b2-461a-bdfb-54740622f4141033.mspx

As I said, no experience on Unix/Linux boxes with this stuff, I'm afraid I can't help you there.

Author

Commented:
So after it's all working, the user accounts on Linux do not need to be created; they only need to be created on the Windows side, and users can still log on to Linux, right?

Commented:
Well, speaking from my experience from the Windows-side: logging on to a computer is a right you must have.

A trust relationship (like a realm trust, but Windows has all kinds of trusts) usually means that you grant user accounts from an Account domain rights to resources in a resource domain. The resource domain TRUSTS the user accounts in the foreign realm without user administration in the resource domain. The files on the Unix fileserver you may have are a resource. The right to log on, itself, is also called a resource.

If, by using a Kerberos trust relationship, you can grant users from the Windows domain the rights to perform functions on a Linux host, then by all means, yes. But I wouldn't even know how to set security for a Linux user on a Linux filesystem.

How about the Config Manager from your previous question? That didn't work out?

It might prove worthwhile asking this in the *nix forums, because I think the Windows part is not what's holding you back. Anybody'd like to comment on that?

Author

Commented:
I don't care about the Unix side, because I'm the Windows admin; I just want to make sure my side is covered. The goal we are trying to achieve is to only create user accounts in AD, not in Linux, so Linux users can use their Windows logon to log on to the machine. So what else do I need to configure on the Windows side? I just want to get the step-by-step ready. Haven't tried anything yet. The Linux side the Linux admin will do.

Thanks
Commented:
Getting this stuff to work might take some coordination and cooperation, though.

Have found some articles on this:

Microsoft Solution Guide for Windows Security and Directory Services for UNIX
(Deploying a Windows-based Security and Directory Solution)
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/10wsdsu.mspx

This one only talks about the Linux side and it's like no configuration on Windows is necessary:
http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html

This one looks very good (afaik it's about LDAP):
http://www.securityfocus.com/infocus/1563

Well, it looks like Linux needs Samba version 3 or newer to use Kerberos authentication, and that would basically make it an SMB workstation you can authenticate with. It needs a computer account in AD.

Another true cross-platform authentication service is provided by Vintela Authentication Service, read more on that on
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/11wsdsu.mspx


Author

Commented:
Cool, the thing worked. On the Windows side: install Windows Services for UNIX, then start all services. Install the Certificate Services, create a user for Unix sync, then enable anonymous logon.

katie

Commented:
All right, great! Were the articles of any use or did you figure it out with the Unix admin? No headaches?

Thanks for the solution.

Author

Commented:
The article helped, because I didn't enable anonymous logon at first; once that was set, it's all working.

Thanks