It's been a while since I posted *here*. I'm trying to get single-sign-on
working in a new site, with RHEL 5. I can use the straight Kerberos/
authentication technique, but for various reasons I'd really like to
use Winbind with a login shell set to a specific application.
I've used RHEL 5's "system-config-authentication" GUI to set the
Winbind up using the notes at:
http://spiralbound.net/2007/04/11/rhel-winbind-authentication-against-active-directory
And I've set up the default shell as /bin/bash on a temporary basis,
and gotten someone with AD administrative privileges to use the
interface's "Join Domain" option to actually try to join the domain.
But when I try to log in a user account with it, I get a kinit error,
which I'll post when I get back online with that system on Tuesday if
that helps.
So I have some things to mention:
* Turning off SELinux does not help.
* Neither does turning off the firewall on the RHEL box, just in case
I've missed adding a port.
* The smb.conf looks good according to those notes. (I don't have
permission to publish it from here!)
* NTP is *NOT* universally deployed; I'm in the midst of getting a new
NTP structure in place. (Kerberos is quite sensitive to time-skew
issues: I'm setting that up ASAP.)
* The "finger" command works, as does the "id" command for Winbind
accounts.
What is my next step for verifying the host is properly registered in
Active Directory, preferably something I can run on my Linux system
without having to run tools on the Windows server? For once, I've
actually got support from the AD administrator for this sort of thing,
and I don't want to waste their time poking around wildly.
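The question above asks for host-side checks of the domain join that do not need anything run on the Windows server. The script below is an added example, not code from this thread or from the Samba project; it assumes Samba's "wbinfo" and "net" tools plus the "ntpdate" client are installed on the RHEL box, and the DC hostname is a placeholder. Each check is read-only against the domain (trust secret, "net ads testjoin", user enumeration) and the last one measures clock skew against the Kerberos default tolerance of 300 seconds, which is the usual cause of kinit failures when NTP is not yet in place. Tools that are not installed are reported as skipped rather than failed.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks for
# verifying a Samba/Winbind host's AD membership from the Linux side.
# Assumes wbinfo, net (Samba) and ntpdate are installed. DC is a placeholder.

DC="${DC:-dc1.example.com}"   # hypothetical domain controller; override via env
MAX_SKEW=300                  # Kerberos default clockskew tolerance (seconds)
FAILS=0                       # count of failed (not skipped) checks

# skew_ok SECONDS -> 0 if |SECONDS| is within MAX_SKEW, 1 otherwise.
# Accepts signed decimals as printed by ntpdate, e.g. "-0.002341".
skew_ok() {
    s=${1#-}        # strip leading sign (POSIX sh has no abs())
    s=${s%%.*}      # drop the fractional part; integer compare is enough
    [ "${s:-0}" -le "$MAX_SKEW" ]
}

# ntp_offset: extract the offset field from "ntpdate -q" output on stdin, e.g.
# "server 10.0.0.1, stratum 2, offset -0.002341, delay 0.02589"
ntp_offset() {
    sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# run_check LABEL CMD [ARGS...]: run CMD if installed; report OK/FAIL/SKIP.
# Returns 0 for OK, 1 for FAIL (and bumps FAILS), 2 for SKIP.
run_check() {
    label=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%-30s SKIP (%s not installed)\n' "$label" "$1"
        return 2
    fi
    if "$@" >/dev/null 2>&1; then
        printf '%-30s OK\n' "$label"
        return 0
    fi
    printf '%-30s FAIL\n' "$label"
    FAILS=$((FAILS + 1))
    return 1
}

# check_skew: compare local clock with the DC without stepping the clock (-q).
check_skew() {
    label="clock skew vs $DC"
    if ! command -v ntpdate >/dev/null 2>&1; then
        printf '%-30s SKIP (ntpdate not installed)\n' "$label"
        return 2
    fi
    off=$(ntpdate -q "$DC" 2>/dev/null | ntp_offset)
    if [ -n "$off" ] && skew_ok "$off"; then
        printf '%-30s OK (offset %ss)\n' "$label" "$off"
        return 0
    fi
    printf '%-30s FAIL (offset %s, limit %ss)\n' "$label" "${off:-unknown}" "$MAX_SKEW"
    FAILS=$((FAILS + 1))
    return 1
}

# main: run every check; returns non-zero if any check actually failed.
main() {
    FAILS=0
    run_check "wbinfo -t (trust secret)"  wbinfo -t          # machine account password valid?
    run_check "net ads testjoin"          net ads testjoin   # can we talk to the DC as this host?
    run_check "wbinfo -u (enumerate users)" wbinfo -u        # winbindd resolving domain users?
    check_skew
    [ "$FAILS" -eq 0 ]
}

main || printf '%s check(s) failed; see above\n' "$FAILS" >&2
```

Run it as root on the joined host; "wbinfo -t" needs winbindd running, and "net ads testjoin" reads the same smb.conf the GUI wrote, so a FAIL there points at the join or the realm/workgroup settings rather than at PAM. A FAIL on the skew line with a small kinit error is the time problem the post already anticipates.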
OK, next step is working. By using the "winbind use default domain =
Yes" option, I managed to avoid having to use the preceding domain
name. I can now use sudo with the simpler names, and if forced not to
use this I can fall back on the "winbind separator = _" to avoid the
backslash fun and games.
Next, getting single-sign-on working for SSH access!