Getting single-sign-on working using Winbind under RHEL 5 - SMB



Thread: Getting single-sign-on working using Winbind under RHEL 5

  1. Getting single-sign-on working using Winbind under RHEL 5

    Hi, folks!

    It's been a while since I posted *here*. I'm trying to get
    single-sign-on working in a new site, with RHEL 5. I can use the
    straight Kerberos/authentication technique, but for various reasons
    I'd really like to use Winbind with a login shell set to a specific
    application.

    I've used RHEL 5's "system-config-authentication" GUI to set the
    Winbind up using the notes at:

    http://spiralbound.net/2007/04/11/rh...tive-directory

    And I've set up the default shell as /bin/bash on a temporary basis,
    and gotten someone with AD administrative privileges to use the
    interface's "Join Domain" option to actually try to join the domain.
    But when I try to log in a user account with it, I get a kinit error,
    which I'll post when I get back online with that system on Tuesday if
    that helps.

    So I have things to mention:

    * Turning off SELinux does not help.
    * Neither does turning off the firewall on the RHEL box, just in case
    I've missed adding a port.
    * The smb.conf looks good according to those notes. (I don't have
    permission to publish it from here!)
    * NTP is *NOT* universally deployed, I'm in the midst of getting a new
    NTP structure in place. (Kerberos is quite sensitive to time skew
    issues: I'm setting that up ASAP.)
    * The "finger" command works, as does the "id" command for Winbind
    accounts.

    What is my next step for verifying the host is properly registered in
    Active Directory, preferably something I can run on my Linux system
    without having to run tools on the Windows server? For once, I've
    actually got support from the AD administrator for this sort of thing,
    and I don't want to waste their time poking around wildly.

  2. Re: Getting single-sign-on working using Winbind under RHEL 5

    Well, I found part of my issue. The users need to sign in as
    "DOMAIN\username", not just as "username", to get the Winbind login and
    authentication. This is distinct from the Kerberos authentication I've
    worked with before, where one merely used the username without having
    to specify a domain for Active Directory authentication.

  3. Re: Getting single-sign-on working using Winbind under RHEL 5

    On 19 Dec, 20:32, Nico Kadel-Garcia wrote:
    > Well, I found part of my issue. The users need to sign in as
    > "DOMAIN\username", not just as "username", to get the Winbind login and
    > authentication. This is distinct from the Kerberos authentication I've
    > worked with before, where one merely used the username without having
    > to specify a domain for Active Directory authentication.


    OK, next step is working. By using the "winbind use default domain =
    Yes" option, I managed to avoid having to use the preceding domain
    name. I can now use sudo with the simpler names, and if forced not to
    use this I can fall back on the "winbind separator = _" to avoid the
    backslash fun and games.

    Next, getting single-sign-on working for SSH access!
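
The login-name forms discussed in this thread, as an added example that is not part of any post: a Python sketch that reads the [global] section of an smb.conf, lists the names winbind maps to a user under "winbind use default domain" and "winbind separator", and flags short names that collide with local accounts. The sample config, the workgroup EXAMPLE and the user lists are constructed, and the collision check assumes "passwd: files winbind" ordering in /etc/nsswitch.conf.

```python
import re

# Constructed sample; only the two winbind options come from the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   winbind use default domain = Yes
   ; winbind separator = _
"""

def global_params(text):
    """Return [global] parameters keyed the way Samba compares names:
    case-insensitive, with whitespace inside the name ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def default_domain_enabled(params):
    value = params.get("winbindusedefaultdomain", "no").lower()
    return value in ("yes", "true", "on", "1")

def accepted_logins(params, user):
    """Names that resolve to `user` in the host's own domain."""
    domain = params.get("workgroup", "WORKGROUP").upper()
    sep = params.get("winbindseparator", "\\")   # Samba's default separator
    names = [f"{domain}{sep}{user}"]
    if default_domain_enabled(params):
        names.append(user)                       # bare name is accepted too
    return names

def shadowed_by_local(params, domain_users, local_users):
    """With the default domain on, a bare name that also exists in
    /etc/passwd resolves to the local account first (assumed NSS order),
    so a sudoers rule written for that name applies to the local user."""
    if not default_domain_enabled(params):
        return []
    return sorted({u.lower() for u in domain_users} & set(local_users))
```

On a live host the two user lists can be taken from "wbinfo -u" and from the first field of /etc/passwd.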
