topic Re: Authenticating SLES9 vs. Windows AD in Operating System - Linux

Authenticating SLES9 vs. Windows AD

Eric Meiring — Wed, 05 Apr 2006 08:16:03 GMT

Hello,
I've tried this in suseforums.net, so far with very little success in responses and searches there, so I'll try here too.

I have SUSE Linux Enterprise 9 on an HP DL360 G3. This is a lone linux server amongst many HP/Windows ones. What I'd like to do is have the ability to log onto this SLES9 box with local (linux) credentials I've created (done already), or with AD creds from a given domain.

I don't want the SLES sever to be an authenticating source, I don't want it to run AD, etc. I already have a test environment with AD/Win2003. I simply want to use an account there to log onto this server. (I stress this point, because almost all of my searches thus far for this have yielded results for running SLES 9 as the AD type server, or doing much much more than my humble goal).

So far I have installed though YaST:
pam_krb5
samba
samba-doc
samba-pdb
samba-winbind

I have also configured through YaST:
LDAP Client
Samba Client
Samba Server (however, I cannot seem to add my AD domain in the Trusted Domains section!)

As it stands now, I think it's partially working. When I try to login as DOMAIN\testuser, I get a "critical error" however. (As opposed to a login failed, if I attempt a bogus login).

In looking at /var/log/messages, I see:
"pam_winbind: user DOMAIN\testuser granted access
kdm: getpwnam(DOMAIN\testuser failed".

That last piece seems to be the key, but I'm stuck in my troubleshooting so far.

Any help? Thanks!

Re: Authenticating SLES9 vs. Windows AD

Steven E. Protter — Wed, 05 Apr 2006 09:13:34 GMT

Shalom eric,

Suggestion:

Has the machine done a samba command called:

net join

This needs to be done to get integration.

The machine may also need a "machine account" on the ADS system so that its allowed to talk and play well with other machines.

SEP

Re: Authenticating SLES9 vs. Windows AD

Eric Meiring — Wed, 05 Apr 2006 09:19:45 GMT

Hmm, the SLES9 machine itself appears in AD, and I can get to it from my windows desktop with \\machinename.

Do you think that is sufficient? I have not run any net join command manually, although perhaps something I configured through YaST did this for me...?

Re: Authenticating SLES9 vs. Windows AD

Eric Meiring — Wed, 05 Apr 2006 09:21:41 GMT

I should clarify that I can "see" the SLES machine via Windows Explorer, but I get challenged for credentials when I try to access one of the folders shown.

(Not sure what to use as creds, I'm goofing with that now).

Re: Authenticating SLES9 vs. Windows AD

Eric Meiring — Wed, 05 Apr 2006 10:01:55 GMT

I see through YaST in the Samba Client config tool, that I had set the "Samba Workgroup or Domain" to my AD domain, and checked the "also use SMB Information for Linux Authentication" box.

The "help" on the side of this GUI says that if this is an NT domain, YaST will allow this host to join the domain.

So I THINK I'm on the domain already, but something sure isn't correct.