howto authenticate Windows login from linux

Posted on 2011-04-19
Last Modified: 2012-05-11
I have a linux webserver in a SBS 2008 domain. When users connect to the server, I want to verify their identity by having them log in.

Is there some "function" rcp, ... whatever I can call/run on the Linux side, passing the user's Windows ID and password, that will return a simple YES/NO?

The idea here is that I want to verify the user without having to use a separate ID and password for the user to remember.
Question by:jmarkfoley

    Accepted Solution


    Expert Comment

    by:Cliff Galiher
    You mentioned that this is a web server so I am unclear whether you want single sign on for shell access (telnet/ssh) or authenticated web access.

    For the former, you can configure a PAM module to perform LDAP authentication against active directory.

    The latter will be specific to the web server you are using, but again will rely on configuring LDAP and/or Kerberos authentication. Apache, for example, has a module that can do this; the specifics of configuring that price is in tge module documentation.

    One final consideration is if the server is going to be Internet accessible. If so, you'll want to configure some intrusion prevention methods (IP blocking on x number of failed logins, etc) to mitigate brute-force harvesting...and setting up a DMZ is also a good idea.
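
As an added example (not code from this thread), one way to get the YES/NO answer the question asks for is an LDAPS simple bind against a domain controller, wrapped in the failed-login blocking suggested in the comment above. It assumes the third-party ldap3 package; the host `dc01.example.local`, the domain `example.local`, the limits and the function names are placeholders.

```python
import ssl
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed value for the "x" failed logins
WINDOW_SECONDS = 300   # assumed look-back window
_failures = defaultdict(deque)   # client IP -> times of recent failures


def ad_bind(upn, password, host="dc01.example.local"):
    """LDAPS simple bind as the user; True if the DC accepts the credentials.
    Needs the third-party ldap3 package. The host name is a placeholder."""
    from ldap3 import Connection, Server, Tls
    server = Server(host, use_ssl=True, tls=Tls(validate=ssl.CERT_REQUIRED))
    conn = Connection(server, user=upn, password=password)
    try:
        return conn.bind()
    finally:
        conn.unbind()


def verify_login(client_ip, username, password, bind=ad_bind,
                 domain="example.local", now=None):
    """Return True (YES) or False (NO) for one login attempt."""
    now = time.time() if now is None else now
    recent = _failures[client_ip]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()               # forget failures outside the window
    if len(recent) >= MAX_FAILURES:
        return False                   # blocked: the DC is not contacted
    ok = False
    # An empty password turns a simple bind into an "unauthenticated" bind,
    # which a directory server may report as success, so never send one.
    if username and password:
        try:
            ok = bool(bind(f"{username}@{domain}", password))
        except Exception:
            ok = False                 # DC unreachable or TLS failure: fail closed
    if not ok:
        recent.append(now)
    return ok
```

For certificate validation to succeed, the domain's CA certificate has to be trusted on the Linux host or passed to `Tls` through its `ca_certs_file` parameter.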



    Author Comment

    Sorry for the delay in response -- lots of fires to put out.

    wesly_chen - I've been looking at the links you sent. Lots of good info and things to try. Experimenting could take some time, so I might close this question and play around on a virgin machine, then come back.

    cgaliher - The idea is to authenticate only users who have accounts on the in-office Windows domain. These users will be able to access special pages. Once authenticated, I don't need to worry about access to the domain hosts using their authenticated accounts, so no ssh or anything like that. It is simply for verifying their domain id and PW. Given that, do you concur with wesly_chen about use of Kerberos? What do you mean "Apache ... has a module that can do this"? Is that module the tge module? Your sentence is not clear on this point.

    Author Closing Comment

    Haven't finished researching the solution yet. Will investigate and experiment, then possibly return with questions.
