Q: Authenticating against multiple ADs (Kerberos PAM Samba) (No Answer, 1 Comment)
Question
Subject: Authenticating against multiple ADs (Kerberos PAM Samba)
Category: Computers > Operating Systems
Asked by: hodrige-ga
List Price: $35.00
Posted: 01 May 2004 04:47 PDT
Expires: 11 May 2004 15:38 PDT
Question ID: 339324
I would like to know if there is a way that I can set up a UNIX box
between two different domains / ADs.
Basically we have organization A and organization B.
Each organization has its own infrastructure. We would like to put a
server between the two organizations with a share on it, that both
organizations can share files on. I would like to give full rights only
to users that need to have access to that share, the ability to fully
log in.
So I am thinking that it will be done in such a way that users try to
connect to the share (drive S:) and they will be authenticated against
KDC "A"; if that fails, they will be authenticated against KDC "B"; if
that fails, they will get a message saying that it failed. I don't mind
creating accounts on the local machine, but I don't want to have to
synchronize passwords, I can't have a user with an account on both
systems, and I can't have trusts between the two domains.
I think it could be done using PAM and Kerberos. Any help will be
greatly appreciated. I prefer to have that on a Solaris 9 system, but
I don't mind installing it on a Linux system. Sample config files
would be appreciated. I might consider other solutions/operating
systems if I think they might result in the same functionality.
Thanks
/Hodrige

Clarification of Question by hodrige-ga on 03 May 2004 04:41 PDT
Maybe a solution with Radius?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Authenticating against multiple ADs (Kerberos PAM Samba)
From: orezzero-ga on 04 May 2004 13:06 PDT
This might help:

http://samba.linuxbe.org/en/samba/config/domain-1.html

Basically you need:

Linux server with latest Samba installed (I suggest Gentoo if you can swing it)
add the Linux server to each domain
join the domains with the Linux server (smbpasswd command)
set up the add user and delete user script variables below
set bind interfaces device and WINS server IP
adjust password servers, users, access, etc.

Simplified but free advice to get you started.

# To have this server join the PDC, execute:
# smbpasswd -j <NT_domain> -r <PDC>
#
# ie: smbpasswd -j DPDCONWAY -r DPDDOM01
#======================= Global Settings =====================================

[global]
debug level = 3
debug timestamp = yes
server string = Samba Server
max log size = 50
security = domain
password server = dpddom01, dpddom06
encrypt passwords = yes
socket options = TCP_NODELAY
local master = no
wins server = 10.85.226.225
dns proxy = no
interfaces = tu0
bind interfaces only = True
add user script = /usr/sbin/useradd %u -g smbusers 
delete user script = /usr/sbin/userdel %u

[test]
   comment = pub
   path = /u01/pub
   max connections = 20
   guest ok = no
   browseable = yes
   writable = yes
   valid users = jboard jsmith mblack
   invalid users = mbilge
   read list = jboard jsmith
   write list = jsmith
   admin users = mblack
   create mask = 755
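As an added example (not part of the comment above and not Samba's own code): a small Python checker that parses the posted [test] share and reports what access each listed user ends up with, so an admin can confirm that only the intended users get write access on the cross-organization share. The conf text embedded below is constructed from the posted config; the precedence order (invalid users beats valid users, admin users beats write list, write list beats read list, read list beats writable = yes) is my reading of the Samba man page and is an assumption here, not verified against a running server.

```python
import re

# Constructed sample: the [test] share from the posted smb.conf (trimmed).
SMB_CONF = """
[global]
security = domain

[test]
   comment = pub
   path = /u01/pub
   guest ok = no
   writable = yes
   valid users = jboard jsmith mblack
   invalid users = mbilge
   read list = jboard jsmith
   write list = jsmith
   admin users = mblack
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; comments and blanks are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _users(share, key):
    # Space-separated user lists; @group syntax is not expanded here (assumption).
    return set(share.get(key, '').split())

def share_access(sections, share_name, user):
    """Return 'denied', 'read', 'write' or 'admin' for user on the named share."""
    share = sections[share_name.lower()]
    if user in _users(share, 'invalid users'):      # deny list always wins
        return 'denied'
    valid = _users(share, 'valid users')
    if valid and user not in valid:                 # non-empty allow list restricts connects
        return 'denied'
    if user in _users(share, 'admin users'):        # file ops run as the superuser
        return 'admin'
    if user in _users(share, 'write list'):         # write list overrides read list
        return 'write'
    if user in _users(share, 'read list'):          # read list overrides writable = yes
        return 'read'
    # Only the writable/writeable synonyms are handled, not 'read only' (assumption).
    writable = share.get('writable', share.get('writeable', 'no')).lower() in ('yes', 'true', '1')
    return 'write' if writable else 'read'
```

Running share_access over the posted lists shows mbilge and any unlisted user denied, jboard read-only, jsmith read-write and mblack acting as admin.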
