RE: SSO on linux

From: Niall J. Porter (
Date: 07/26/04

  • Next message: ET: "Re: SSO on linux"
    Date: Mon, 26 Jul 2004 09:05:13 +0100
    To: <>, <>


    We were about to start looking at MS Services for Unix when I was informed by a contact of mine that it is possible to do what you suggest without it. Facing the same challenge I asked for his help and here's what he suggested:


    On recent versions of Redhat there is the option at install time to
    enable LDAP authentication; I think authconfig should work as well.

    I messed with all of these files manually.

    You will probably need pam_smb.

    Here is a list of RPMS that I have installed that might be important
    (and several that probably aren't)

    [root@tron etc]# rpm -qa | grep "ldap\|pam\|samba"

    (I think samba can use its own authentication to AD - independent of

    /etc/pam.d/system-auth (used in turn by all the other services: sshd,
    login etc.)

    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/
    auth sufficient /lib/security/$ISA/ likeauth nullok
    auth sufficient /lib/security/$ISA/ use_first_pass
    auth required /lib/security/$ISA/
    account required /lib/security/$ISA/
    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/
    password required /lib/security/$ISA/ retry=3
    password sufficient /lib/security/$ISA/ nullok use_authtok md5 shadow
    password sufficient /lib/security/$ISA/ use_authtok
    password required /lib/security/$ISA/
    session required /lib/security/$ISA/
    session required /lib/security/$ISA/
    session optional /lib/security/$ISA/

    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    # PADL Software

    You should research these blocks, although I think everything else I
    have is default.

    host 10.0.0.blah
    base DC=domain,DC=com
    binddn CN=username,CN=Users,DC=domain,DC=com (This can't be anonymous as AD needs a valid user to
    bindpw xxxxxxxx (password)
    pam_login_attribute sAMAccountName (this is a tricky one to find, it's
    the AD attribute that holds the username)
    ssl no
    pam_password md5

    It keeps root as a locally authenticated account.
    All other users are authenticated against AD, although they will still
    need a 'local' account/home directory.

    IT DOES WORK - it might just take a while to get all the bits right.

    Hope this helps



    I haven't had time to try this but it comes to me from a well-respected source (thanks Bob) so I have no doubt of its validity. Hope it helps.


    -----Original Message-----
    From: Spurge []
    Sent: 24 July 2004 06:34
    Subject: SSO on linux


    Could someone give me some inputs / references about any existing howtos or
    guides on implementing 'Single Sign On' on a linux server using Kerberos,
    which is connected to a Win2K KDC.

    Basically, I wish to enable seamless SSO on this heterogeneous network
    consisting of both W2K as well as linux (FC1) servers, where some services
    would be provided by W2K machines, while others from linux machines.

    I had googled quite a bit and stumbled upon Microsoft Services For Unix (SFU)
    framework, but am a bit wary of it and think there should be some other way
    to implement this.

    Samba that ships with FC1 (samba-3.0.0-15) seems to be kerberised out of box
    and could be setup with a few entries like 'security = ADS' and so on...

    I am looking for ways to kerberise Apache, VSFTPD, Postfix, MySQL and OpenLDAP
    to start with.

    Any help is appreciated.


    This email has been scanned for all viruses by the MessageLabs Email
    Security System.

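The ldap.conf fragment quoted in Niall's reply carries two settings a practitioner should look at before copying it: `ssl no` means pam_ldap's simple binds (both the bindpw and every user's login password) cross the network in the clear, and `pam_password md5` does not work against Active Directory, which only takes password changes as a `unicodePwd` write over an encrypted connection (pam_ldap's `pam_password ad`). The script below is an added example, not part of the thread and not PADL's own tooling: it parses a PADL-style ldap.conf and flags those settings plus a bindpw sitting in a group/other-readable file. Both sample configs are constructed; host, base and bind DN are placeholders modelled on the posted fragment, and the hardened variant uses `ssl start_tls`, `tls_checkpeer`, `tls_cacertfile` and `pam_password ad`, which are standard pam_ldap/nss_ldap directives the post itself does not use.

```python
"""Audit a PADL-style ldap.conf (read by pam_ldap and nss_ldap) for settings
that matter when the directory behind it is Active Directory.

Added example: not from the mailing-list post and not PADL's own tooling.
Both sample configs below are constructed; host, base and bind DN are
placeholders modelled on the fragment posted in the thread.
"""
import os
import stat

# Constructed to mirror the fragment posted in the thread (placeholder values).
POSTED_STYLE_CONF = """\
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
host 10.0.0.1
base DC=domain,DC=com
binddn CN=username,CN=Users,DC=domain,DC=com
bindpw xxxxxxxx
pam_login_attribute sAMAccountName
ssl no
pam_password md5
"""

# Constructed hardened variant (assumed values; the directives are standard
# pam_ldap/nss_ldap ones, the CA file path is a placeholder).
HARDENED_CONF = """\
host dc1.domain.com
base DC=domain,DC=com
binddn CN=pam-bind,CN=Users,DC=domain,DC=com
bindpw xxxxxxxx
pam_login_attribute sAMAccountName
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
pam_password ad
"""


def parse_ldap_conf(text):
    """Return {directive: value}. Directive names are case-insensitive;
    comments and blank lines are skipped; a repeated directive keeps its
    last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_enabled(conf):
    # pam_ldap accepts "ssl yes|on" (LDAPS) and "ssl start_tls"; anything
    # else, including the default, is plaintext LDAP on port 389.
    return conf.get("ssl", "no").lower() in ("yes", "on", "start_tls")


def audit_ldap_conf(conf, mode=None):
    """Return a list of (code, message) findings for a parsed ldap.conf.
    `mode` is the file's st_mode when known, so the bindpw exposure check
    can run; pass None to skip it."""
    findings = []
    tls = tls_enabled(conf)
    if not tls:
        # pam_ldap authenticates a user by binding to the directory as that
        # user, so without TLS every login password crosses the wire in clear.
        findings.append(("PLAINTEXT_USER_PASSWORDS",
                         "ssl no: user passwords go to the DC in plaintext simple binds"))
        if "bindpw" in conf:
            findings.append(("PLAINTEXT_BINDPW",
                             "ssl no with binddn/bindpw: the service account "
                             "password is sent in the clear on every lookup"))
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append(("NO_TLS_CHECKPEER",
                         "TLS is on but tls_checkpeer is not yes: the DC's "
                         "certificate is never verified"))
    pw_mode = conf.get("pam_password", "").lower()
    if pw_mode and pw_mode != "ad":
        # AD ignores a pre-hashed userPassword; changes must write unicodePwd
        # over an encrypted connection, which 'pam_password ad' does.
        findings.append(("PAM_PASSWORD_NOT_AD",
                         f"pam_password {pw_mode}: Active Directory needs "
                         "'pam_password ad' for password changes"))
    if pw_mode == "ad" and not tls:
        findings.append(("PAM_PASSWORD_AD_NO_TLS",
                         "pam_password ad needs an encrypted connection; AD "
                         "rejects unicodePwd writes over plaintext"))
    if "bindpw" in conf and mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("BINDPW_READABLE",
                         "bindpw is in a file readable by group/other: every "
                         "local user can read the service account password"))
    return findings


def audit_file(path):
    """Audit an ldap.conf on disk, including its permission bits."""
    with open(path) as fh:
        conf = parse_ldap_conf(fh.read())
    return audit_ldap_conf(conf, mode=os.stat(path).st_mode)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} (mode 0644)")
        for code, msg in audit_ldap_conf(parse_ldap_conf(text), mode=0o644):
            print(f"  {code}: {msg}")
```

Because nss_ldap reads ldap.conf from inside every process that does a name lookup, the file usually has to stay world-readable, so the practical answer to the bindpw finding is a dedicated read-only bind account with no other rights rather than tighter file modes. The posted system-auth also carries `likeauth nullok` on the local auth line, which lets a local account with an empty password log in; drop `nullok` unless that is intended.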
