• Status: Solved

Windows Identity Manager for Unix Issue

We have a Red Hat Enterprise 5.8 system and Windows 2008 R2.
We have the Microsoft Identity Manager for Unix installed and configured.
We have a test Red Hat system with users already populated.
We are using MD5 and shadow passwords.
The Identity Manager for Windows under the NIS is set for MD5 also.
We have verified the encryption keys and have configured the sso.conf to match as:
  Use Shadows=1 with the proper folder for the /etc/shadow file
NIS is off.
I restart the ssod and verify it is running.
We change a password on the Windows side; the Windows application log says it was changed and passed to the Unix side.
The logs on the Unix side say it was successfully changed but we still cannot log in.
I manually change the password on the Unix side and I can log in fine.

Any idea what I could be doing wrong?
0
brian_appliedcpu
Asked:
2 Solutions
 
gheist Commented:
I do use samba-winbind for authentication and authorisation. No need to modify AD for example...
0
 
brian_appliedcpu (Author) Commented:
I used Kerberos, works like a champ.  The only caveat was to use all capital letters in the realm and domain names.
Thanks for the suggestion to use something other than Microsoft Identity Manager for Unix.  It proved not to work because in v5.8 the MD5 encryption was not compatible with MS.
0
 
gheist Commented:
MD5 is too weak in the face of GPU computing. You will need to get rid of it fairly soon...
Upgrade Red Hat to 5U11 to fix imminent security issues.
You need to put together the Ubuntu winbindd guide with the Red Hat authconfig guide, and I think you will be all set quickly.
0
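A check that follows from the MD5 discussion above, as an added example that is not part of the thread: it reads the password field of each /etc/shadow entry and lists the accounts still on MD5-crypt (`$1$`) or traditional DES hashes. The function names and the sample lines are constructed for illustration; on a real host, pass in the contents of /etc/shadow read as root.

```python
import re

# crypt(3) scheme identifiers found in the second field of /etc/shadow.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"md5crypt", "des"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt

def classify(field):
    """Return the hash scheme name for one shadow password field."""
    if field == "":
        return "empty"            # no password set at all
    if field[0] in "!*":
        return "locked"           # locked account or password login disabled
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if DES_RE.match(field):
        return "des"
    return "unknown"

def audit(shadow_text):
    """Map each account to its scheme and list accounts on a weak scheme."""
    report, weak = {}, []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue              # skip comments and malformed lines
        user, scheme = parts[0], classify(parts[1])
        report[user] = scheme
        if scheme in WEAK:
            weak.append(user)
    return report, weak

# Constructed sample lines: not real accounts, salts or hashes.
SAMPLE = """\
root:$6$c0nstructedsalt$CONSTRUCTEDHASHVALUE:16000:0:99999:7:::
alice:$1$c0nstruc$CONSTRUCTEDHASHVALUE00:16000:0:99999:7:::
bob:!!:16000:0:99999:7:::
svc:abCONSTRUCTED:16000:0:99999:7:::
"""

if __name__ == "__main__":
    report, weak = audit(SAMPLE)
    for user, scheme in sorted(report.items()):
        print("%-8s %s" % (user, scheme))
    print("weak: " + ", ".join(weak))
```

Running the same check before and after a synchronized password change also shows whether the hash field was rewritten and in which format.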
 
brian_appliedcpu (Author) Commented:
Would def do that, but the owner of the company won't spring for the Red Hat subscription so we are stuck with what is already on the system.
0
 
gheist Commented:
You can convert to CentOS or Oracle Linux (with their agreement), as there is a dead black hole in Samba and you need to patch it before trying winbind.
0
 
brian_appliedcpu (Author) Commented:
Gheist suggested an alternative method which would work.
0
 
gheist Commented:
Make config files from the Ubuntu guide.
Join the domain as domain admin.
Once wbinfo -t works you can use authconfig to add all AD users as system users, or e.g. use winbind for squid or apache authentication. SSO takes more effort, but it works too once you get protocol versions/types right.
0
Question has a verified solution.
