SFU

Solved

Posted on 2006-03-24
Last Modified: 2010-04-18
242 Views
I installed Microsoft Windows Services for UNIX on my 2k3 domain controller to try to achieve single logon for our Unix and Linux clients. I also installed Certificate Services on the machine. On the Linux side I did an ldapsearch; it could not connect to the LDAP. Do I need to create the realm trust first? Is there anything missing on the Windows side of the config? How do I config it on the Linux side?

Thanks,

Katie
Question by: katie_miguel

10 Comments

Expert Comment by Rant32
ID: 16288037

LDAP works out-of-the-box on a Windows 2000/2003 domain controller, but you will need to authenticate to the Windows box (minimum Domain User) before you can query LDAP.

I'm not really comfortable with Linux, but is it true that there's an ldap.conf file as described on this page:

http://yolinux.com/TUTORIALS/LDAP_Authentication.html

# LDAP server specifications

server XXX.XXX.XXX.XXX                  # IP address of LDAP server
version 2                               # OpenLDAP is considered V2 while Sun ONE considers itself to be V3
base    "dc=sub-Domain,dc=domain,dc=com"
scope   subtree                         # Options are subtree, onelevel or base
password-hash {CRYPT}
binddn  "cn=AdminManager,dc=sub-Domain,dc=domain,dc=com"
bindpwd secret-password

---

binddn would be the user account you created for authentication, but the password is unfortunately clear-text. Windows 2000 supports LDAP v3, by the way; I just left the above text as-is.

Hope this helps.
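An added check, not part of this thread or of the linked tutorial: it parses an ldap.conf in the layout of the snippet above and reports the clear-text bind password Rant32 points out, a group/world-readable file holding it, the server-only password-hash directive, and the LDAP v2 downgrade. The sample file and its 192.0.2.10 address are constructed.

```python
"""Audit an ldap.conf in the layout of the snippet above (added example)."""
import stat

# Keys that hold a directory password in clear text in this file format.
SECRET_KEYS = {"bindpw", "bindpwd", "rootpw"}
# password-hash is a slapd.conf (server) directive; a client ldap.conf ignores it.
SERVER_ONLY_KEYS = {"password-hash"}

# Constructed sample (192.0.2.10 is a documentation address, not a real server).
SAMPLE_LDAP_CONF = """# LDAP server specifications
server 192.0.2.10
version 2
base    "dc=sub-Domain,dc=domain,dc=com"
scope   subtree
password-hash {CRYPT}
binddn  "cn=AdminManager,dc=sub-Domain,dc=domain,dc=com"
bindpwd secret-password
"""


def parse_ldap_conf(text):
    """Return (key, value) pairs; '#' starts a comment, quotes around values are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def audit_ldap_conf(text, mode=None):
    """Return findings for the file content; mode is the file's optional st_mode."""
    entries = parse_ldap_conf(text)
    keys = {k for k, _ in entries}
    findings = []
    if keys & SECRET_KEYS:
        findings.append("clear-text bind password stored in ldap.conf")
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("file holding a bind password is group/world readable")
    if keys & SERVER_ONLY_KEYS:
        findings.append("password-hash is a slapd.conf (server) directive, not a client option")
    # Rant32 notes the DC speaks LDAP v3; asking for v2 is a downgrade.
    if any(k in ("version", "ldap_version") and v == "2" for k, v in entries):
        findings.append("LDAP protocol version 2 requested; the DC supports v3")
    return findings
```

Run audit_ldap_conf(open(path).read(), os.stat(path).st_mode) on a real client file to get the same findings for it.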
Author Comment by katie_miguel
ID: 16289610

Thanks, I'll try it out Monday morning. But did I miss anything on the Windows side? Does a realm trust need to be created? How do I export the certificate to the Unix box, so the password will be encrypted?

Katie
Expert Comment by Rant32
ID: 16289771

A realm trust is not needed for pure LDAP. A realm trust is created to allow Kerberos V5 authentication between a Windows 2003 domain and a non-Windows Kerberos realm, but I guess that is mutually exclusive with LDAP - you either use Kerberos authentication, or LDAP pass-through authentication.

You can export digital certificates (with private key) to a variety of formats, using the Certificates snap-in from the Microsoft Management Console (mmc.exe).

Trust types
http://technet2.microsoft.com/WindowsServer/en/Library/116d34e5-5615-4fb8-a8ef-47b94c294b581033.mspx

When to create a realm trust
http://technet2.microsoft.com/WindowsServer/en/Library/f6c267b0-31b2-461a-bdfb-54740622f4141033.mspx

As I said, I have no experience on Unix/Linux boxes with this stuff, so I'm afraid I can't help you there.
Author Comment by katie_miguel
ID: 16291008

So after it's all working, the user accounts on Linux do not need to be created; they only need to be created on the Windows side, and users can still log on to Linux, right?
Expert Comment by Rant32
ID: 16291082

Well, speaking from my experience from the Windows-side: logging on to a computer is a right you must have.

A trust relationship (like a realm trust, but Windows has all kinds of trusts) usually means that you grant user accounts from an Account domain rights to resources in a resource domain. The resource domain TRUSTS the user accounts in the foreign realm without user administration in the resource domain. The files on the Unix fileserver you may have are a resource. The right to log on, itself, is also called a resource.

If, by using a Kerberos trust relationship, you can grant users from the Windows domain the rights to perform functions on a Linux host, then by all means, yes. But I wouldn't even know how to set security for a Linux user on a Linux filesystem.

How about the Config Manager from your previous question? That didn't work out?

It might prove worthwhile asking this in the *nix forums, because I think the Windows part is not what's holding you back. Anybody'd like to comment on that?
Author Comment by katie_miguel
ID: 16291682

I don't care about the Unix side, because I'm the Windows admin; I just want to make sure my side is covered. The goal we are trying to achieve is to only create user accounts in AD, not in Linux, and Linux users can use their Windows logon to log on to the machine. So what else do I need to configure on the Windows side? I just want to get the step-by-step ready. I haven't tried anything yet. The Linux side, the Linux admin will do.

Thanks
Accepted Solution by Rant32 (earned 1500 total points)
ID: 16291743

Getting this stuff to work might take some coordination and cooperation, though.

I have found some articles on this:

Microsoft Solution Guide for Windows Security and Directory Services for UNIX
(Deploying a Windows-based Security and Directory Solution)
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/10wsdsu.mspx

This one only talks about the Linux side and it's like no configuration on Windows is necessary:
http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html

This one looks very good (afaik it's about LDAP):
http://www.securityfocus.com/infocus/1563

Well, it looks like Linux needs Samba version 3 or newer to use Kerberos authentication, and that would basically make it an SMB workstation you can authenticate with. It needs a computer account in AD.

Another true cross-platform authentication service is provided by Vintela Authentication Service, read more on that on
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/11wsdsu.mspx
Author Comment by katie_miguel
ID: 16306795

Cool, the thing worked. On the Windows side: install Windows Services for UNIX, then start all services. Install the Certificate Service, create a user for Unix sync, then enable anonymous logon.

Katie
Expert Comment by Rant32
ID: 16308535

All right, great! Were the articles of any use or did you figure it out with the Unix admin? No headaches?

Thanks for the solution.
Author Comment by katie_miguel
ID: 16313466

The article helped, because I didn't enable anonymous logon at first; once that was set, it's all working.

Thanks
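An added example, not from this thread: it assumes the "enable anonymous logon" step above is the dSHeuristics change on the forest's Directory Service object, whose 7th character (fLDAPBlockAnonOps) set to '2' lets clients search the directory without credentials, a default that Windows 2003 otherwise blocks. The functions take the attribute value as a string, so they run offline on constructed values; the forest DN DC=domain,DC=com is a placeholder.

```python
"""Evaluate the dSHeuristics setting that opens AD to anonymous LDAP (added example)."""

# dSHeuristics lives on this object under the forest's Configuration partition.
DS_OBJECT_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"
ANON_OPS_INDEX = 6  # 7th character (fLDAPBlockAnonOps), zero-based


def ds_object_dn(forest_root_dn):
    """DN of the object whose dSHeuristics attribute controls anonymous LDAP."""
    return f"{DS_OBJECT_RDN},{forest_root_dn}"


def anonymous_ldap_allowed(ds_heuristics):
    """True only when the 7th character is '2'.

    An absent attribute or a shorter value keeps the Windows 2003 default:
    anonymous clients may read rootDSE but nothing else.
    """
    value = ds_heuristics or ""
    return len(value) > ANON_OPS_INDEX and value[ANON_OPS_INDEX] == "2"


def with_anonymous_ldap(ds_heuristics, allow):
    """Return a dSHeuristics value with only the 7th character changed.

    Other positions control unrelated behaviours and are preserved; a short
    value is zero-padded so the position exists.
    """
    chars = list((ds_heuristics or "").ljust(ANON_OPS_INDEX + 1, "0"))
    chars[ANON_OPS_INDEX] = "2" if allow else "0"
    return "".join(chars)


def audit(forest_root_dn, ds_heuristics):
    """Summarise the exposure for a forest, given the attribute value read from it."""
    allowed = anonymous_ldap_allowed(ds_heuristics)
    return {
        "object": ds_object_dn(forest_root_dn),
        "anonymous_ldap": allowed,
        # Value that closes the exposure while keeping every other position.
        "recommended": with_anonymous_ldap(ds_heuristics, False) if allowed else None,
    }
```

Where a bind account is used instead (as in Rant32's ldap.conf), the recommended value restores the blocking default without affecting authenticated clients.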