RE: SSO on linux
From: Niall J. Porter (niall.porter_at_helix-rds.com)
Date: 07/26/04
- Previous message: Douglas Kong: "RE: Hack attempt"
- Maybe in reply to: Spurge: "SSO on linux"
- Next in thread: ET: "Re: SSO on linux"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jul 2004 09:05:13 +0100
To: <spurgeonbj@softhome.net>, <focus-linux@securityfocus.com>
Spurgeon,
We were about to start looking at MS Services for Unix when I was informed by a contact of mine that it is possible to do what you suggest without it. Facing the same challenge I asked for his help and here's what he suggested:
------------------------------------------------------------------
On recent versions of Redhat there is the option at install time to
enable LDAP authentication, I think authconfig should work as well.
I messed with all of these files manually.
You will probably need pam_smb.
Here is a list of RPMS that I have installed that might be important
(and several that probably aren't)
[root@tron etc]# rpm -qa | grep "ldap\|pam\|samba"
php-ldap-4.2.2-17
samba-common-2.2.7a-7.9.0
openldap-2.0.27-8
pam_smb-1.1.6-7
samba-2.2.7a-7.9.0
redhat-config-samba-1.0.4-1
openldap-devel-2.0.27-8
pam-devel-0.75-48
pam-0.75-48
nss_ldap-202-5
pam_krb5-1.60-1
samba-client-2.2.7a-7.9.0
(I think samba can use its own authentication to AD - independent of PAM)
/etc/pam.d/system-auth (used in turn by all the other services: sshd, login etc.)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
/etc/ldap.conf
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
You should research these blocks, although I think everything else I have is default.
host 10.0.0.blah
base DC=domain,DC=com
binddn CN=username,CN=Users,DC=domain,DC=com (this can't be anonymous as AD needs a valid user to bind)
bindpw xxxxxxxx (password)
pam_login_attribute sAMAccountName (this is a tricky one to find, it's the AD attribute that holds the username)
ssl no
pam_password md5
It keeps root as a locally authenticated account.
All other users are authenticated against AD, although they will still
need a 'local' account/home directory.
IT DOES WORK - it might just take a while to get all the bits right.
Hope this helps
b
------------------------------------------------------------------
I haven't had time to try this but it comes to me from a well-respected source (thanks Bob) so I have no doubt of its validity. Hope it helps.
Niall
-----Original Message-----
From: Spurge [mailto:spurgeonbj@softhome.net]
Sent: 24 July 2004 06:34
To: focus-linux@securityfocus.com
Subject: SSO on linux
Hi,
Could someone gimme some inputs / references about any existing howtos or
guides on implementing 'Single Sign On' on a linux server using Kerberos,
which is connected to a Win2K KDC.
Basically, I wish to enable seamless SSO on this heterogeneous network
consisting of both W2K as well as linux (FC1) servers, where some services
would be provided by W2K machines, while others from linux machines.
I had googled quite a bit and stumbled upon Microsoft Services For Unix (SFU)
framework, but am a bit wary of it and think there should be some other way
to implement this.
Samba that ships with FC1 (samba-3.0.0-15) seems to be kerberised out of box
and could be setup with a few entries like 'security = ADS' and so on...
I am looking for ways to kerberise Apache, VSFTPD, Postfix, MySQL and OpenLDAP
to start with.
Any help is appreciated.
Regards.
Spurgen
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System.
http://www.messagelabs.com
________________________________________________________________________
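The stack Bob posted works because of a few details that are easy to lose when editing by hand: the auth phase must close with `required pam_deny.so` (otherwise, when both `sufficient` modules fail, pam_env's success is the only result left on the stack), pam_ldap needs `use_first_pass`, the account phase must include pam_ldap so that disabled or expired AD accounts are actually enforced, and `ssl no` means the bind password and every user's login password cross the network in clear text. The following linter, an added example that is not part of the thread and not from PADL or Red Hat, parses a system-auth file and a PADL-style ldap.conf and reports those points. The sample configurations inside it are constructed for the example (placeholder hosts and credentials), modelled on the posted ones; the `start_tls` and `tls_cacertfile` settings in the hardened sample are standard PADL options.

```python
"""Lint a pam.d system-auth stack and a PADL-style /etc/ldap.conf for the
pitfalls that bite when Linux logins are checked against Active Directory.
Added example; every config string below is constructed for it."""
import re

# Constructed sample: the posted stack, laid out cleanly.
PAM_OK = """\
#%PAM-1.0
auth      required   /lib/security/$ISA/pam_env.so
auth      sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth      required   /lib/security/$ISA/pam_deny.so
account   required   /lib/security/$ISA/pam_unix.so
account   [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password  required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
password  sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password  sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password  required   /lib/security/$ISA/pam_deny.so
session   required   /lib/security/$ISA/pam_limits.so
session   required   /lib/security/$ISA/pam_unix.so
session   optional   /lib/security/$ISA/pam_ldap.so
"""

# Constructed sample with two common editing mistakes: the closing
# pam_deny line is gone and pam_ldap was dropped from the account phase.
PAM_BAD = """\
auth      required   /lib/security/$ISA/pam_env.so
auth      sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth      sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
account   required   /lib/security/$ISA/pam_unix.so
"""

# Constructed ldap.conf fragments; host, DN and password are placeholders.
LDAP_POSTED = """\
host 10.0.0.1
base DC=domain,DC=com
binddn CN=username,CN=Users,DC=domain,DC=com
bindpw xxxxxxxx
pam_login_attribute sAMAccountName
ssl no
pam_password md5
"""

LDAP_HARDENED = """\
host dc1.domain.example
base DC=domain,DC=com
binddn CN=username,CN=Users,DC=domain,DC=com
bindpw xxxxxxxx
pam_login_attribute sAMAccountName
ssl start_tls
tls_cacertfile /etc/openldap/cacert.pem
pam_password md5
"""

PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Return [(type, control, module, args)]; a bracketed control field
    such as [default=bad ... system_err=ignore] is kept as one token and
    the $ISA path prefix is stripped from the module name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        typ, control, module, args = m.groups()
        entries.append((typ, control, module.rsplit("/", 1)[-1], args.split()))
    return entries


def lint_pam(text):
    """Return [(code, message)] for the three stack mistakes discussed above."""
    findings = []
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    if not auth or (auth[-1][1], auth[-1][2]) != ("required", "pam_deny.so"):
        findings.append(("auth_deny", "auth phase does not end in 'required pam_deny.so'; "
                         "if every sufficient module fails, pam_env's success is what remains"))
    for _, _, module, args in auth:
        if module == "pam_ldap.so" and not {"use_first_pass", "try_first_pass"} & set(args):
            findings.append(("auth_first_pass", "pam_ldap.so lacks use_first_pass; "
                             "the user is prompted a second time after pam_unix fails"))
    if not any(e[0] == "account" and e[2] == "pam_ldap.so" for e in entries):
        findings.append(("account_ldap", "account phase has no pam_ldap.so; "
                         "AD account disable/expiry is never consulted"))
    return findings


def parse_ldap_conf(text):
    """PADL ldap.conf is 'key value' per line, '#' comments, keys case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = re.split(r"\s+", line, 1) + [""] if " " not in line else line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def lint_ldap_conf(text):
    """Return [(code, message)] for transport and credential-handling issues."""
    conf = parse_ldap_conf(text)
    findings = []
    if conf.get("ssl", "no").lower() == "no":  # PADL default is no TLS at all
        findings.append(("ssl", "ssl no: the bind password and each user's login password "
                         "are sent in clear text; use 'ssl start_tls' with tls_cacertfile"))
    if "bindpw" in conf:
        findings.append(("bindpw", "bindpw is stored in ldap.conf, which nss_ldap needs "
                         "world-readable; give that bind account read-only rights only"))
    if "pam_login_attribute" not in conf:
        findings.append(("login_attribute", "pam_login_attribute unset, so pam_ldap searches "
                         "on uid; AD users are found by sAMAccountName"))
    return findings


if __name__ == "__main__":
    for name, text, fn in [("PAM_OK", PAM_OK, lint_pam), ("PAM_BAD", PAM_BAD, lint_pam),
                           ("LDAP_POSTED", LDAP_POSTED, lint_ldap_conf),
                           ("LDAP_HARDENED", LDAP_HARDENED, lint_ldap_conf)]:
        print(name, fn(text) or "clean")
```

Run it against a real host with `lint_pam(open("/etc/pam.d/system-auth").read())`. The bindpw notice fires on the hardened sample too, on purpose: AD refuses anonymous binds, so a bind password has to exist somewhere, and the actionable point is to scope that account to read-only lookups rather than to pretend the password can be removed.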