Authenticate a public IP Linux box against a private IP ActiveDirectory - Kerberos



Thread: Authenticate a public IP Linux box against a private IP ActiveDirectory

  1. Authenticate a public IP Linux box against a private IP ActiveDirectory


    Trying to figure out how to get Kerberos on Ubuntu to authenticate against an
    Active Directory (Windows 2003) server.

    All machines are behind a SonicWall firewall, the Linux box is in the DMZ
    with public IP addresses using our ISP's DNS server. The AD server is
    behind the LAN with a private IP.

    Nowhere I've looked has an explanation of how to configure this situation
    besides placing the Linux box into the LAN with the AD and using AD as the
    DNS server (which would be simple, but the Linux box needs multiple public
    IPs assigned to it).

    The only reason I need the Linux box to authenticate against AD is that I
    have an instance of Kerio Mail Server running, which is pulling its user
    account information from the AD, but has no way to authenticate against it.

    Anyone have any hints on configuring this type of situation?
    --
    View this message in context: http://www.nabble.com/Authenticate-a...html#a11589028
    Sent from the Kerberos - General mailing list archive at Nabble.com.


  2. Re: Authenticate a public IP Linux box against a private IP ActiveDirectory

    In article <mailman.84.1184447375.4121.kerberos@mit.edu>
    siigna <techie@siigna.net> wrote:

    > Trying to figure out how to get Kerberos on Ubuntu to authenticate
    > against an Active Directory (Windows 2003) server.
    >
    > All machines are behind a SonicWall firewall, the Linux box is in
    > the DMZ with public IP addresses using our ISP's DNS server. The AD
    > server is behind the LAN with a private IP.
    >
    > Nowhere I've looked has an explanation of how to configure this
    > situation besides placing the Linux box into the LAN with the AD and
    > using AD as the DNS server (which would be simple, but the Linux box
    > needs multiple public IPs assigned to it).
    >
    > The only reason I need the Linux box to authenticate against AD is
    > that I have an instance of Kerio Mail Server running, which is
    > pulling its user account information from the AD, but has no way to
    > authenticate against it.
    >
    > Anyone have any hints on configuring this type of situation?
    >

    First, you'd need to make sure that NAT is not occurring on traffic
    between the trusted LAN and the DMZ. Second, you'd need to allow the
    appropriate traffic from the Linux host in the DMZ to the AD servers
    in the LAN--I believe that would be TCP/UDP 88 (Kerberos), TCP/UDP 464
    (KPasswd), TCP/UDP 389 (LDAP). If you are going to use Winbind,
    you'll need to allow the SMB/CIFS stuff as well (I personally don't
    recommend it).

    With those items in place, it should work. You may not be able to do
    TGT validation, and you may have to take particular care in making
    sure that reverse DNS lookups work properly, but it should work.

    Hope this helps,
    Scott Lowe
    ePlus Technology, Inc.

    --
    I'm trying a new usenet client for Mac, Nemo OS X.
    You can download it at http://www.malcom-mac.com/nemo
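    The reply above boils down to three things the DMZ host has to get right
    before kinit will work: the firewall must pass the Kerberos, kpasswd and
    LDAP ports to the domain controller, forward and reverse DNS for the KDC
    must agree, and, because the DMZ host uses the ISP's resolver and therefore
    cannot find the domain's SRV records, the KDC has to be named explicitly in
    krb5.conf. The script below is an added example written for this page, not
    code from either poster. It renders a pinned krb5.conf and the matching
    /etc/hosts line, probes the TCP side of the ports Scott lists, and checks
    that the KDC's reverse record matches its forward name. The realm
    EXAMPLE.LOCAL, the host dc1.example.local and the address 10.0.0.5 are
    placeholders, not values from the thread.

```python
"""Pre-flight checks for a DMZ Linux host that must reach an AD KDC on a
private LAN.  Added example; realm, KDC name and address are placeholders."""
import socket

# Ports named in the reply: Kerberos, kpasswd, LDAP.  MIT krb5 uses UDP first
# and falls back to TCP when a reply is too large, so both must be open on the
# firewall; only the TCP side can be probed reliably with a plain connect().
REQUIRED_TCP_PORTS = {88: "kerberos", 464: "kpasswd", 389: "ldap"}


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, filtered, or timed out
            return False


def check_required_ports(kdc_host):
    """Map service name -> reachable? for every port the DMZ host needs."""
    return {name: check_tcp(kdc_host, port)
            for port, name in REQUIRED_TCP_PORTS.items()}


def check_rdns(fqdn, forward=socket.gethostbyname,
               reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Forward-resolve fqdn, reverse-resolve the address, and report whether
    the two names agree.  Returns (ok, ip, reverse_name).  The resolvers are
    injectable so the check can be exercised against a hosts-style table."""
    ip = forward(fqdn)
    try:
        rname = reverse(ip)
    except (OSError, LookupError):  # socket.herror is an OSError; dicts raise KeyError
        return False, ip, None
    ok = rname.lower().rstrip(".") == fqdn.lower().rstrip(".")
    return ok, ip, rname


def render_krb5_conf(realm, kdc_fqdn):
    """krb5.conf that pins the KDC by name.  The DMZ host's ISP resolver knows
    nothing about _kerberos._tcp.<domain> SRV records, so DNS-based KDC and
    realm discovery are switched off and the servers are listed by hand."""
    domain = realm.lower()
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_kdc = false\n"
        "    dns_lookup_realm = false\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc_fqdn}\n"
        f"        admin_server = {kdc_fqdn}\n"
        f"        kpasswd_server = {kdc_fqdn}\n"
        "    }\n"
        "\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


def render_hosts_entry(kdc_fqdn, kdc_ip):
    """/etc/hosts line giving the DMZ host a forward and reverse mapping for
    the KDC that the ISP's DNS cannot supply (glibc answers gethostbyaddr()
    from /etc/hosts as well).  Only valid if no NAT sits between DMZ and LAN,
    otherwise the address seen on the wire is not the one recorded here."""
    short = kdc_fqdn.split(".")[0]
    return f"{kdc_ip}\t{kdc_fqdn} {short}\n"


if __name__ == "__main__":
    REALM, KDC, KDC_IP = "EXAMPLE.LOCAL", "dc1.example.local", "10.0.0.5"
    print("# /etc/hosts\n" + render_hosts_entry(KDC, KDC_IP))
    print("# /etc/krb5.conf\n" + render_krb5_conf(REALM, KDC))
    for name, reachable in check_required_ports(KDC_IP).items():
        print(f"{name:9s} {'open' if reachable else 'BLOCKED'}")
    ok, ip, rname = check_rdns(KDC)
    print(f"rDNS {KDC} -> {ip} -> {rname}: {'ok' if ok else 'MISMATCH'}")
```

    Run it on the DMZ host after the firewall rules are in place; a BLOCKED
    line points at a missing rule, and an rDNS MISMATCH is the condition the
    reply warns about. Once all checks pass, `kinit user@EXAMPLE.LOCAL`
    followed by `klist` confirms the ticket exchange end to end.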

