SFU

I installed Microsoft Windows Services for Unix on my 2k3 domain controller, trying to achieve single logon for our Unix and Linux clients. I also installed the Certificate Services on the machine. On the Linux side I did an ldapsearch; it could not connect to the LDAP. Do I need to create the realm trust first? Is there anything missing on the Windows side of the config? How do I config it on the Linux side?

thanks

katie
katie_miguel Asked:
Rant32 Commented:
LDAP works out-of-the-box on a Windows 2000/2003 domain controller, but you will need to authenticate to the Windows box (minimum Domain User) before you can query LDAP.

I'm not really comfortable with Linux, but is it true that there's an ldap.conf file like the one described on this page:

http://yolinux.com/TUTORIALS/LDAP_Authentication.html

; LDAP server specifications

server XXX.XXX.XXX.XXX     - IP address of LDAP server
version 2                         - Open LDAP is considered V2 while Sun One considers themselves to be V3
base    "dc=sub-Domain,dc=domain,dc=com"
scope   subtree                   - Options are subtree, onelevel or sbase
password-hash {CRYPT}
binddn  "cn=AdminManager,dc=sub-Domain,dc=domain,dc=com"
bindpwd secret-password

---

binddn would be the user account you created for authentication, but the password is unfortunately clear-text. Windows 2000 supports LDAP v3 by the way, just left the above text as-is.

Hope this helps.
0
katie_miguel Author Commented:
Thanks, I'll try it out Monday morning. But did I miss anything on the Windows side? Does a realm trust need to be created? How do I export the certificate to the Unix box, so the password will be encrypted?

katie
0
Rant32 Commented:
A realm trust is not needed for pure LDAP. A realm trust is created to allow Kerberos V5 authentication between a Windows 2003 domain and a non-Windows Kerberos realm, but I guess that is mutually exclusive with LDAP - you either use Kerberos authentication, or LDAP pass-through authentication.

You can export digital certificates (with private key) to a variety of formats, using the Certificates snap-in from the Microsoft Management Console (mmc.exe).

Trust types
http://technet2.microsoft.com/WindowsServer/en/Library/116d34e5-5615-4fb8-a8ef-47b94c294b581033.mspx

When to create a realm trust
http://technet2.microsoft.com/WindowsServer/en/Library/f6c267b0-31b2-461a-bdfb-54740622f4141033.mspx

As I said, no experience on Unix/Linux boxes with this stuff, I'm afraid I can't help you there.
0
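The two points raised in the exchange above (AD answers directory queries only after a successful bind, and a simple bind over plain ldap:// puts the bind password on the wire in clear text) can be checked from the Linux side before touching pam_ldap. The script below is an added example, not code from this thread or from the linked tutorials: it verifies the DC's LDAPS certificate against the CA certificate exported from the Windows Certificate Services box, then runs one anonymous and one authenticated query and translates the ldapsearch exit status (which is the LDAP result code) into plain words. DC_HOST, BASE_DN, BIND_DN, CA_CERT and the password file path are placeholder values, assumed for the example; the OpenLDAP client tools and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): probe a Windows 2003 DC's LDAP service
# from a Linux host. Checks: (1) the LDAPS certificate chains to the exported
# AD root CA, (2) an anonymous query is refused, (3) the sync account can bind.
# All host, DN and file values below are placeholders, not from the thread.

DC_HOST="${DC_HOST:-dc1.example.local}"                         # placeholder DC
BASE_DN="${BASE_DN:-dc=example,dc=local}"                       # placeholder base DN
BIND_DN="${BIND_DN:-cn=unixsync,cn=Users,dc=example,dc=local}"  # placeholder sync account
CA_CERT="${CA_CERT:-/etc/openldap/cacerts/ad-root-ca.pem}"      # CA cert exported from the DC
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap.secret}"                # mode 0600, root-owned

# ldapsearch exits with the LDAP result code (255 when it cannot connect);
# translate the codes a first-time setup usually runs into.
explain_ldap_rc() {
  case "$1" in
    0)   echo "success: bind accepted and query answered" ;;
    1)   echo "operationsError: AD rejects directory queries on an unauthenticated connection" ;;
    32)  echo "noSuchObject: the base DN does not exist on this DC" ;;
    49)  echo "invalidCredentials: bind DN or password rejected" ;;
    255) echo "cannot contact server: DNS, firewall, TLS handshake or service not listening" ;;
    *)   echo "LDAP result code $1" ;;
  esac
}

# Show the certificate the DC presents on port 636 and whether it verifies
# against the exported CA. No credentials are sent during this check.
tls_check() {
  openssl s_client -connect "$DC_HOST:636" -CAfile "$CA_CERT" </dev/null 2>/dev/null |
    grep -E 'subject=|issuer=|Verify return code'
}

# Anonymous base-object read of the domain root: a default AD DC answers this
# with result code 1, which is the behaviour Rant32 describes.
anonymous_check() {
  ldapsearch -x -H "ldaps://$DC_HOST:636" -b "$BASE_DN" -s base \
    '(objectClass=*)' dn >/dev/null 2>&1
  echo "anonymous query: $(explain_ldap_rc $?)"
}

# Same read, bound as the sync account. The password comes from a root-only
# file (-y) so it appears neither on the command line nor in shell history,
# and the LDAPS transport keeps it off the wire in clear text.
bound_check() {
  ldapsearch -x -H "ldaps://$DC_HOST:636" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$BASE_DN" -s base '(objectClass=*)' dn >/dev/null 2>&1
  echo "bound query: $(explain_ldap_rc $?)"
}

# Run the three checks only when invoked as "sh ldap-probe.sh run", so the
# functions can also be sourced without touching the network.
if [ "${1:-}" = "run" ]; then
  tls_check
  anonymous_check
  bound_check
fi
```

A healthy result is "Verify return code: 0 (ok)" from the TLS check, result code 1 for the anonymous query and 0 for the bound one. The thread's own resolution was to enable anonymous logon on the DC; the authenticated bind shown here is the alternative Rant32 describes (a dedicated minimum-rights domain user for the Unix side), which keeps directory reads tied to an account that can be audited.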
katie_miguel Author Commented:
So after it's all working, the user accounts on Linux do not need to be created; they only need to be created on the Windows side, and users can still log on to Linux, right?
0
Rant32 Commented:
Well, speaking from my experience from the Windows-side: logging on to a computer is a right you must have.

A trust relationship (like a realm trust, but Windows has all kinds of trusts) usually means that you grant user accounts from an Account domain rights to resources in a resource domain. The resource domain TRUSTS the user accounts in the foreign realm without user administration in the resource domain. The files on the Unix fileserver you may have are a resource. The right to log on, itself, is also called a resource.

If, by using a Kerberos trust relationship, you can grant users from the Windows domain the rights to perform functions on a Linux host, then by all means, yes. But I wouldn't even know how to set security for a Linux user on a Linux filesystem.

How about the Config Manager from your previous question? That didn't work out?

It might prove worthwhile asking this in the *nix forums, because I think the Windows part is not what's holding you back. Anybody'd like to comment on that?
0
katie_miguel Author Commented:
I don't care about the Unix side, because I'm the Windows admin; I just want to make sure my side is covered. The goal we are trying to achieve is to only create user accounts in AD, not in Linux, so Linux users can use their Windows logon to log on to the machine. So what else do I need to configure on the Windows side? I just want to get the step-by-step ready. I haven't tried anything yet. The Linux admin will do the Linux side.

thanks
0
Rant32 Commented:
Getting this stuff to work might take some coordination and cooperation, though.

Have found some articles on this:

Microsoft Solution Guide for Windows Security and Directory Services for UNIX
(Deploying a Windows-based Security and Directory Solution)
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/10wsdsu.mspx

This one only talks about the Linux side and it's like no configuration on Windows is necessary:
http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html

This one looks very good (afaik it's about LDAP):
http://www.securityfocus.com/infocus/1563

Well, it looks like Linux needs Samba version 3 or newer to use Kerberos authentication, and that would basically make it an SMB workstation you can authenticate with. It needs a computer account in AD.

Another true cross-platform authentication service is provided by Vintela Authentication Service, read more on that on
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/11wsdsu.mspx
0

katie_miguel Author Commented:
Cool, the thing worked. On the Windows side: install Windows Services for Unix, then start all services. Install the Certificate Service, create a user for Unix sync, then enable anonymous logon.

katie
0
Rant32 Commented:
All right, great! Were the articles of any use or did you figure it out with the Unix admin? No headaches?

Thanks for the solution.
0
katie_miguel Author Commented:
The article helped, because I didn't enable anonymous logon at first; once that was set, it's all working.

thanks
0