Authenticating users against AD *without* joining the domain?

Rudolph, Frank rudolph at beaconpower.com
Wed Feb 13 11:03:20 EST 2013


I have struggled with this problem for years.

We came to a solution a long time ago that works 100% of the time but keeps the Linux servers somewhat on the sidelines.
The solution is very simple, really.
We have all our Linux boxes (we have about 50 of them connected together under the umbrella of a MS Exchange Server) using a really stripped down Samba (excUUUse me, I mean CIFS) configuration.

I have attached the smb.conf file. It provides a completely open share. We rely on the firewall of the Exchange Server and have the Linux firewall turned completely off. Put the smb.conf file in /etc/samba and do this: 
'service smb restart' or whatever your distro requires equivalent to that.

Here was the most important piece: We DO NOT REFER TO THE LINUX SERVERS BY THEIR NETWORK NAMES.
For some reason, using the workgroup name and the Linux netbios name causes Active Directory to get really constipated.
It works, but sometimes it just doesn't, and other times it takes minutes or hours to resolve the Linux netbios names.

Instead, we simply refer to the Linux CIFS server by its Ethernet address and it always works and works very efficiently with no complaints from the Windows domain server.

It works in both directions. We can access file shares through Windows Explorer and we can mount Windows shares on our Linux boxes.

Let's say I want to get at /var/log/messages on Linux Server XYZ1 at IP address 192.168.101.195.

I simply refer to it as \\192.168.101.195\sysroot\var\log\messages from Windows and all is well.
(sysroot is the name of the Linux share that gives me access to "/")

We use the "porta putty" SSH client and simply use the IP address to login to Linux and the whole package is rather seamless.

On the rare occasions we need to get at the X Windows desktop, we use VNC and it simply works, and we have no issues as long as we do not make the mistake of trying to access a Linux box as, e.g., \\XYZ1\sysroot\var\<whatever> instead of \\192.168.101.195\sysroot\var\<whatever>.

Later - Frank


-----Original Message-----
From: gnhlug-discuss-bounces at mail.gnhlug.org [mailto:gnhlug-discuss-bounces at mail.gnhlug.org] On Behalf Of Ken D'Ambrosio
Sent: Tuesday, February 12, 2013 8:55 PM
To: GNHLUG
Subject: Authenticating users against AD *without* joining the domain?

Hey, all.  At my new employer, it basically takes an act of God to get a Linux box to join the domain.  I'd be just plain happy if I could use an AD server to let users authenticate against LDAP, and then log in.

Any idea how to make that happen?  Worst-case, I'm thinking of doing some sort of Apache/LDAP thing, but if anyone's got any bright ideas, I'm all ears.

Thanks,

-Ken



_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 639 bytes
Desc: smb.conf
Url : http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20130213/58b965aa/attachment.obj 
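The smb.conf attachment itself was scrubbed from the archive. What follows is an added illustration, not Frank's file: a reconstruction of the kind of share his message describes (a guest-accessible share named sysroot that exports "/"), placed next to a version scoped the way a defender would want it. The workgroup name, the 192.168.101.0/24 subnet, the `logs` share and the `@wheel` group are assumptions; the only details taken from the post are the share name sysroot, the path "/", and the host 192.168.101.195. The two pieces are alternative files, not one file.

```ini
# ---- File A: /etc/samba/smb.conf roughly as the post describes it ----
# (reconstructed assumption; the real attachment is not on the page)
[global]
    # "WORKGROUP" is an assumed name, not taken from the post
    workgroup = WORKGROUP
    security = user
    # Unknown usernames are mapped to the guest account, so no
    # credentials are ever actually checked for this share.
    map to guest = Bad User

[sysroot]
    # Exports the entire root filesystem...
    path = /
    # ...to anyone who can reach TCP/445 on this host...
    guest ok = yes
    # ...with write access, so /etc, /root and /var/log are all
    # modifiable by any unauthenticated client on the network.
    read only = no
    browseable = yes

# ---- File B: the same need (reading logs from Windows), scoped down ----
[global]
    workgroup = WORKGROUP
    security = user
    # Never fall back to guest; a failed authentication stays failed.
    map to guest = Never
    restrict anonymous = 2
    # Refuse SMB1 clients (Samba 4.x parameter).
    server min protocol = SMB2
    # Only the post's local subnet may connect at all (assumed range).
    hosts allow = 192.168.101.0/24
    hosts deny = ALL
    # Log authentication events so failed binds show up in the logs
    # (auth_audit debug class, Samba 4.7 and later).
    log level = 1 auth_audit:3

[logs]
    # Export only the directory people actually need, not "/".
    path = /var/log
    # Restrict to members of an admin group (assumed group name).
    valid users = @wheel
    # Logs are read from Windows, never written, so make that a rule.
    read only = yes
    browseable = no
```

Reload with `service smb restart` as in the post, then `testparm` will print the effective configuration and flag any parameter Samba does not recognise. The point of File B is not that IP-based access is wrong (addressing the host as \\192.168.101.195\logs works identically), but that the share, not the naming, is what decides who can read or modify the system.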

