Slashdot Mirror


Linux+Windows Single Sign-on

musichead writes "Bill Boswell (writing for redmondmag.com) has posted an interesting article on configuring Linux clients to utilize a single sign-on and play nicely in a Microsoft Active Directory network. The article focuses on Fedora Core 2 (and the Core 3 beta), but he has examples and instructions for SuSE Linux 9.1 Professional, Mandrake 10.1 and Xandros Desktop 2.5 on his website."

40 comments

  1. Won't work with XP Home by EnglishTim · · Score: 1

    XP Home won't log onto domains. It's bloody annoying for geeks with several computers in the house...

    1. Re:Won't work with XP Home by Anonymous Coward · · Score: 0

      You fail it (to claim First Post)

      Hang your head in shame.

      --Blade-Melbourne

    2. Re:Won't work with XP Home by Squatchman · · Score: 1

      RTFA, XP Home doesn't come up.

    3. Re:Won't work with XP Home by Squatchman · · Score: 3, Insightful

      That's what I love about /.

      That hip "underground" (read: mom's basement) crowd that doesn't see the benefit in something like this. The minute people like the parent see the word Microsoft they go into a self-induced froth and start posting flames anonymously. Does your face get red too?

      A lot of existing businesses already have the Microsoft infrastructure in place (AD included). Something like this would open the door for Linux clients/servers as a gradual upgrade option for those businesses that can't just switch over to a new platform all at once.

    4. Re:Won't work with XP Home by gl4ss · · Score: 1

      no, but the guy was just making a point that this is useless with most (legit) XP installs at home.

      --
      world was created 5 seconds before this post as it is.
    5. Re:Won't work with XP Home by EnglishTim · · Score: 1

      I did read the article - it's obviously aimed at corporate use where they're unlikely to have XP Home, but at the same time my ears pricked up when I read the article summary, only to remember that my plans of doing something similar at home had been dashed by Microsoft removing the domain functionality from XP Home.

      I admit it, it's not that apropos to the discussion, but I did fancy having another gripe about it!

    6. Re:Won't work with XP Home by Anonymous Coward · · Score: 0

      RTFA - The text is very specific on how to get Linux clients using a single sign-on capability in a Windows AD environment. If you want to do something similar at home you will need to install Windows 2000 server to host the AD, and then install at least one Linux client to configure to use your AD. Windows XP clients (whether professional or home versions) have nothing to do with this article.

    7. Re:Won't work with XP Home by Anonymous Coward · · Score: 0

      XP Home won't log onto domains.

      Of course not, how else could MS get away with charging 2-3x more for XP professional? They are EXACTLY the same product except for that one ability.

    8. Re:Won't work with XP Home by Squatchman · · Score: 1

      XP Professional has more than just the ability to join a domain.

      Multi-processor support
      Dynamic Disk Support
      RIS
      IIS built in

      The list goes on, but aside from IIS would the average joe really need Remote Installation or Multi-processor support? Home is a cheaper license, and you lose features that you probably don't use anyway.

    9. Re:Won't work with XP Home by dn15 · · Score: 2, Funny

      XP Home won't log onto domains. It's bloody annoying for geeks with several computers in the house...

      It sure would be. Good thing real geeks don't use Windows. :P

    10. Re:Won't work with XP Home by drsmithy · · Score: 2

      Then perhaps it's worth pointing out that most homes won't have an Active Directory infrastructure as well...

  2. mit has single sign-on using kerberos by lysander · · Score: 3, Informative

    Not that many sites use kerberos, but mit has had single sign-on with kerberos for quite some time.

    --
    GET YOUR WEAPONS READY! --DR.LIGHT
    1. Re:mit has single sign-on using kerberos by (startx) · · Score: 2, Informative

      UMR has also had SSO with kerberos for a long time now.

    2. Re:mit has single sign-on using kerberos by Short+Circuit · · Score: 2, Informative

      Grand Rapids Community College has nearly all of their services (including the Linux classes' box) use Novell for authentication.

    3. Re:mit has single sign-on using kerberos by noselasd · · Score: 1

      Well, from win2k Kerberos is used in Windows, so lots of sites actually use it...

    4. Re:mit has single sign-on using kerberos by Anonymous Coward · · Score: 0

      Imperial College has single signon to RedHat Enterprise Linux using Windows 2003 as a KDC. We're working on OpenAFS, but it doesn't play nicely with the ticket types you get from a Windows2003 KDC.

  3. Odd seeing this come from Redmond... by Stop+Error · · Score: 2, Insightful

    However this will be useful information to have on hand the next time I propose a Linux server to my M$ centric management.

    I wonder why the various Linux Vendors have not had some kind of setting during install to allow authentication to an Active Directory. It would make the "Linux infiltration" simpler!

    --
    No keyboard detected. Press any key to continue.
    1. Re:Odd seeing this come from Redmond... by Glamdrlng · · Score: 3, Informative

      I wonder why the various Linux Vendors have not had some kind of setting during install to allow authentication to an Active Directory.

      I haven't made use of it yet, but during install Suse9.2 gives you the option of pointing the authentication piece to active directory.

      --
      Yes, my only tool is a hammer. And you're starting to look like a nail.
    2. Re:Odd seeing this come from Redmond... by 0racle · · Score: 1

      Actually it's not. A big selling point with Windows 2000 and SFU was that Kerberos, an LDAP based directory, and a NIS/LDAP gateway would allow interoperability with existing UNIX installations. They have had several white papers on this for some time.

      Last time I installed Red Hat, sometime around version 7.3 or 8, there was a choice to authenticate against SMB and LDAP, both would allow auth against the Active Directory. I would assume that it was dropped from Fedora since its target wasn't enterprises and setting it up in RHEL Server/Workstation would be quite trivial.

      --
      "I use a Mac because I'm just better than you are."
    3. Re:Odd seeing this come from Redmond... by noselasd · · Score: 1

      Why "assume" that ?
      Joining AD with fedora is trivial, and is basically the same as in RHEL.

    4. Re:Odd seeing this come from Redmond... by 0racle · · Score: 1

      But is it part of the installation? It was in Red Hat 8, but appears to have since been dropped. Manually joining the AD is trivial for almost every distro depending on how you want to auth against the AD, but it used to be in Red Hat's installer. I thought about it for a moment, came up with what I thought would be a possibility as to why it was dropped and then when it seemed that it was a good option, I assumed that it or something similar could be the reason it is no longer included in the installation as an option. I suppose it's also possible that Red Hat can't write software and it was horribly broken, but you would think that they would have worked to fix that if that were the case.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:Odd seeing this come from Redmond... by noselasd · · Score: 1

      In Fedora (and future RHEL), lots of things are moving from the installation to the firstboot (and some things are assumed to be configured by the user now).
      The system-config-authentication is the same as (will be) in RHEL, Fedora is just a step or two ahead of the current RHEL.

  4. Easier the other way by gregmac · · Score: 2, Interesting

    I've had "single sign-on" for a while now, using Samba as my PDC (originally replaced my NT server about 3 years ago). It wasn't overly difficult to set up, but basically it's running LDAP at the very bottom, and Samba uses LDAP as its database. I can also authenticate from other linux boxes directly against the LDAP server.

    I also integrated a number of web applications into it so they authenticate against the LDAP server as well. This isn't always quite as nice - you usually have to type your user/pass in again - but at least it's synchronized with your main account.

    As far as end-users are concerned, the result is the same. None of my end-users know any difference between running on this or a Windows server, I don't have any more work to do (things seem to break less than they did with NT .. but I never had stats on this so I can't say for sure) and it's a lot easier to get updates now. And above all, it saves us a lot of money in licencing fees.

    --
    Speak before you think
    1. Re:Easier the other way by dpilot · · Score: 1

      Are you running Kerberos under/with the LDAP, as well? I'm trying to proceed in this direction, though I want to start with LDAP/SASL/Kerberos first, and add Samba after. There have been two readily available documents on how to do this, though I don't have URLs handy at the moment. I've also seen rumblings that the Samba team doesn't like OpenLDAP, and is planning to add their own LDAP service to a future release. So I'm not sure how that will play out against the solution I'm pursuing.

      --
      The living have better things to do than to continue hating the dead.
    2. Re:Easier the other way by superpulpsicle · · Score: 1

      Problem with Samba and Windows NT. I never figured out how to get this thing working without sending the password credentials as "plain text" in the registry. Which absolutely defeats the purpose of even logging in if you have no security anyways.

    3. Re:Easier the other way by 0racle · · Score: 1

      If you're going to go all out that way, pick up Kerberos: The Definitive Guide and LDAP System Administration from O'Reilly. Both cover initial installations and interoperability with other authentication stores and are very good references.

      I am setting up at home a UNIX kerberos realm and have a Windows 2000 AD using a cross-realm trust and LDAP referrals. When I get around to finishing it, including pamifying Slackware, I should have a complete SSO across all my systems.

      --
      "I use a Mac because I'm just better than you are."
    4. Re:Easier the other way by Mastoid · · Score: 2, Interesting

      Those are good reasons to set things up that way. I've done the same thing in small offices. I stress "small" offices.

      There are good reasons to do things the other way around. That is, a network of Windows AD servers providing the SSO and Unix clients authenticating against them.

      I run a large distributed network where I rely on Windows capabilities to minimize maintenance on client desktops. Group Policy is at the top of the list here. When Linux can natively substitute itself for an AD controller instead of an NT PDC, and can enforce policies on the domain, I'll give it another chance as a SSO provider.

      --
      I had an argument...with the person here at the university that teaches OS design. I wonder when I'll learn --Linus
  5. Just tried this out. by Godeke · · Score: 2, Informative

    Having for a long time intended to link my Linux box to my home LAN's AD, this was just the ticket to try it. Overall things went well, although the instructions completely skip over the actual configuration of the krb5.conf file.

    In particular, this is a huge oversight because things don't work as expected. After some googling I discovered that you must specify the domain as MYDOMAIN.LOCAL, all caps. This must be done in several places, otherwise it throws cryptic errors.

    With that one proviso in place, I would say the rest of the instructions were sufficient for me to figure it out in 30 minutes. Both directions authenticate properly.

    --
    Sig under construction since 1998.
    1. Re:Just tried this out. by 0racle · · Score: 1

      In the event that there is no configured krb5.conf kerberos will use DNS lookups to find the appropriate _kerberos service records, unless for some reason your installation was configured not to. If your domain is named the same as your kerberos realm and there are no special requirements that have to be placed in the krb5.conf, it is often preferable to use DNS to locate KDCs.

      One exception is authenticating Windows clients against non-Windows KDCs since Windows will only use DNS to locate Windows KDCs. Here you need a krb5.conf on your Windows machine. You don't need this for cross-realm trusts.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Just tried this out. by Anonymous Coward · · Score: 0

      In my case, I'm using Fedora Core 3. It appears that the KRB5 package is distributed with EXAMPLE.COM in the krb5.conf, thus blocking the "no configured krb5.conf" scenario. So I modified the config file to suit, but used lower case for the realm. That gives you a cryptic error message that I had to google for.

      I could try to remove it, but I'm happy that it is functioning as well as it is as quickly as it did. It really was an experiment (heck, that's why I have an AD domain in my house) and it turned out more painless than expected.

    3. Re:Just tried this out. by 0racle · · Score: 1

      That does seem silly, a default krb5.conf is a stupid idea. BTW, if you want to change your Windows password from Linux, you'll need to add two lines to your krb5.conf so they talk the encryption types.
      Under [libdefaults] you want to add 'supported_enctypes = des-cbc-crc' and 'supported_enctypes_des = des-cbc-crc'. After that kpasswd should talk the language that the Windows KDC speaks. New users in the AD, except admin until you change their password, will already be using those encryption types.

      If you want cryptic errors, set up PostgreSQL to use kerberos. Ah, good times, good times.

      --
      "I use a Mac because I'm just better than you are."
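The realm-case problem Godeke and the Fedora Core 3 poster ran into, the DNS SRV fallback 0racle describes, and the DES enctype lines in the reply above can all be checked mechanically before the cryptic errors show up. The following is an added example, not code from the article or from any poster here; it assumes MIT-style krb5.conf syntax (sections in [brackets], one level of { } blocks under [realms]) and works on two constructed sample configs, one with the lower-case realm mistake and one with the realm upper-cased and the KDC left to DNS. It also flags single-DES enctypes, since current MIT Kerberos refuses them unless allow_weak_crypto = true (from 1.7) and drops them entirely from 1.18.

```python
"""Check a krb5.conf for the pitfalls raised in this thread (added example)."""
import re

# Constructed sample reproducing the mistake described above: the realm was
# typed in lower case, so it is a different realm from MYDOMAIN.LOCAL.
SAMPLE_BAD = """\
[libdefaults]
    default_realm = mydomain.local
    dns_lookup_kdc = true
    supported_enctypes = des-cbc-crc

[realms]
    mydomain.local = {
        kdc = dc1.mydomain.local
        admin_server = dc1.mydomain.local
    }

[domain_realm]
    .mydomain.local = mydomain.local
"""

# Constructed sample with the realm upper-cased and no [realms] block, so the
# KDC is found through _kerberos SRV records in DNS (the MIT default).
SAMPLE_OK = """\
[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_kdc = true

[domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes")


def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}}; repeated keys keep the last value."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if line == "}":                          # end of a realm block
            block = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % raw)
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                         # start of a realm block
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def check_krb5_conf(conf):
    """Return (level, message) findings; level is 'error', 'warn' or 'info'."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")

    # Realm names are case-sensitive; an AD realm is the DNS domain in upper case.
    if default_realm is None:
        findings.append(("error", "no default_realm in [libdefaults]"))
    elif default_realm != default_realm.upper():
        findings.append(("error", "default_realm %r is not upper case" % default_realm))
    for name in realms:
        if name != name.upper():
            findings.append(("error", "[realms] entry %r is not upper case" % name))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            findings.append(("error", "[domain_realm] %s -> %r is not upper case" % (domain, realm)))

    # No [realms] entry means the library must find the KDC via DNS SRV records.
    if default_realm and default_realm not in realms:
        if truthy(libdefaults.get("dns_lookup_kdc", "true")):
            findings.append(("info", "no [realms] entry for %s; KDC located via _kerberos SRV records" % default_realm))
        else:
            findings.append(("error", "no [realms] entry for %s and dns_lookup_kdc is off" % default_realm))

    # Single DES needs allow_weak_crypto = true on MIT krb5 >= 1.7 and is gone in 1.18.
    weak_ok = truthy(libdefaults.get("allow_weak_crypto", "false"))
    for key in ENCTYPE_KEYS:
        for enctype in re.split(r"[\s,]+", libdefaults.get(key, "")):
            if enctype.startswith("des-") and not weak_ok:
                findings.append(("warn", "%s lists single-DES enctype %s without allow_weak_crypto" % (key, enctype)))
    return findings


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print("== %s ==" % label)
        for level, message in check_krb5_conf(parse_krb5_conf(text)):
            print("%-5s %s" % (level, message))
```

Run it against a real /etc/krb5.conf by passing the file contents to parse_krb5_conf; the three "error" findings on the bad sample are exactly the places where the realm has to be upper-cased, and the lone "info" on the good sample shows that a missing [realms] block is fine as long as the _kerberos SRV records exist in DNS.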
  6. Laptop Configuration by brainee28 · · Score: 1

    Does this work with a laptop configuration? I was a beta tester for Xandros when they first started doing Domain Authentication and one of the big complaints I had was that I had 2 profiles to have to manage (1 logged into AD, 1 when not logged in) and it's a real pain. Does this setup work with "cached credentials" so that I can log into my profile, even if it doesn't authenticate to my AD server?

  7. Further Resources by olyar · · Score: 2, Informative

    FWIW, here are some links to more info on getting this done...

    One is the official HOWTO
    http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

    The other is from the Samba 3 by Example
    http://us4.samba.org/samba/docs/man/Samba-Guide/kerberos.html

    --
    Custom, hands-free Linux installs. Instalinux
    1. Re:Further Resources by Anonymous Coward · · Score: 0

      Is there a HOWTO for OpenLDAP/Fedora/Berkeley DB backend? All the info and HOWTOs don't work.
      In particular there is no back_bdb.so.

  8. University of Michigan single sign-on w/Kerberos by SgtChaireBourne · · Score: 1

    The University of Michigan has had single sign-on w/Kerberos + LDAP since the early 1990's. I've seen a few other institutions which have a similar set up, but will let them speak for themselves.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  9. AFAIK... by Ayanami+Rei · · Score: 1

    Linux with Samba 3 can be a 2000 PDC/kerberos KDC/LDAP auth server. However, while it can enforce GP, you still need a windows-based box to create and manage the GPOs.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
    1. Re:AFAIK... by Mastoid · · Score: 1

      I know what you're talking about, having researched its capabilities recently. It's still beta and unpolished. I am not trusting a production environment to it.

      Thanks, though.

      --
      I had an argument...with the person here at the university that teaches OS design. I wonder when I'll learn --Linus
  10. Mandrake ... by buchanmilne · · Score: 1

    Mandrake has had Windows Domain (ie NT4) support during installation since Mandrake 9.1. It supported AD in some AD configurations (ie "Allow anonymous searches in AD" or something like that).

    Full AD support is available in 10.1 and Corporate Desktop 3.