Top Forums UNIX for Advanced & Expert Users AD Group Policy Management and Kerberos / LDAP Post 302955787 by bakunin on Monday 21st of September 2015 02:26:08 PM
As you have already noticed, what M$$ calls "AD" is in fact an LDAP domain with a Kerberos 5 authentication frontend.

This sounds as if every system able to participate in an LDAP domain and with an available Kerberos client should be able to participate, but alas, this is not true.

LDAP knows "entities", which are defined by the properties they possess (like a table definition in a database, with the fields as properties). LDAP itself does not prescribe this structure (this is in fact part of the configuration of an LDAP domain and one of the reasons why this is best left to experts in the field - you can easily end up with a structure that is nearly impossible to handle in practice), but implementations such as M$$ AD do exactly that. So, in fact, it is a prefabricated LDAP domain with every ounce of expandability and configurability carefully wrung out, so that it will not work with anything other than the graphical computer virus sold in Redmond.

Especially the properties "login shell" and "home directory", which are not necessary in Windows but are in any UNIX(-like) OS, are left out, and you are not allowed to put them in - or you lose any support there might be. Microsoft claims that you are using their (cough) product out of spec in this case. The company I work for ATM is actually in exactly this position.

Our solution (which is far from being commendable) is to manage user accounts manually on the AIX systems and just do the authentication part via Kerberos.

To use Kerberos 5 on an AIX client install the "krb5.client.*" and the "krb5.lic" packages available for AIX. Kerberos configuration is done either by hand (/etc/krb5/krb5.conf) or using the command mkkrb5clnt.

Then define users using "Krb5Files" as the "registry" and "system" properties:

Code:
# AIX user attribute names are case-sensitive: the authentication
# attribute is SYSTEM, the account-data attribute is registry
chuser registry=Krb5Files SYSTEM=Krb5Files <username>

Similar for "mkuser", etc.

I hope this helps.

bakunin

PS: I found this IBM link but have no experience with it. You will simply have to try it. I would love to hear about your experience, though.
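The chuser approach above only helps if every interactive account actually ends up on the Kerberos path. The script below is an added example, not code from the post: it audits the output of "lsuser -a id registry SYSTEM ALL" and reports accounts whose registry or SYSTEM attribute still points at local files, including compound values such as "Krb5Files OR compat" that keep the local password path open. It assumes the stanza name Krb5Files from the post, that AIX system accounts have uid below 200, and that SYSTEM is the last attribute on each line; the input is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post). Audits lines in the format of
#   lsuser -a id registry SYSTEM ALL
# for AIX accounts that can still authenticate with a local password
# instead of through the Kerberos load module. Assumptions: the load-module
# stanza is named Krb5Files (as in the post), AIX system accounts have
# uid < 200, and SYSTEM is the last attribute on each line.
KRB_STANZA="${KRB_STANZA:-Krb5Files}"
MIN_UID="${MIN_UID:-200}"

# Constructed sample of lsuser output used as input below.
SAMPLE_LSUSER='root id=0 registry=files SYSTEM=compat
daemon id=1 registry=files SYSTEM=compat
alice id=200 registry=Krb5Files SYSTEM=Krb5Files
bob id=201 registry=files SYSTEM=compat
carol id=202 registry=Krb5Files SYSTEM=compat
dave id=203 registry=Krb5Files SYSTEM=Krb5Files OR compat'

# Reads lsuser lines on stdin; prints one finding per line as
# "<user> <attribute>=<value> (<why it matters>)".
audit_krb_users() {
    awk -v want="$KRB_STANZA" -v minuid="$MIN_UID" '
    {
        name = $1; id = -1; reg = ""; sys = ""
        if (match($0, / id=[0-9]+/))      id  = substr($0, RSTART + 4, RLENGTH - 4) + 0
        if (match($0, / registry=[^ ]+/)) reg = substr($0, RSTART + 10, RLENGTH - 10)
        if (match($0, / SYSTEM=.*$/))     sys = substr($0, RSTART + 8, RLENGTH - 8)
        if (id < minuid) next   # skip AIX system accounts
        if (reg != want)
            printf "%s registry=%s (account data and password kept locally)\n", name, reg
        if (sys != want)
            printf "%s SYSTEM=%s (local password auth still accepted)\n", name, sys
    }'
}

# Number of findings for the sample. "SYSTEM=Krb5Files OR compat" counts,
# because the OR clause still accepts a local password.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_LSUSER" | audit_krb_users | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LSUSER" | audit_krb_users
```

On a real host replace the sample with "lsuser -a id registry SYSTEM ALL | audit_krb_users".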
AFP_LDAP.CONF(5)                     Netatalk 2.2                    AFP_LDAP.CONF(5)

NAME
       afp_ldap.conf - Configuration file used by afpd(8) to configure an LDAP
       connection to an LDAP server. This is needed for ACL support, in order
       to be able to query LDAP for UUIDs.

DESCRIPTION
       /etc/netatalk/afp_ldap.conf is the configuration file used by afpd to
       set up an LDAP connection to an LDAP server. Any line not prefixed with
       # is interpreted.

       Note: You can use afpldaptest(1) to syntactically check your config.

       The required parameters and their meanings are:

PARAMETER
       ldap_server
              Name or IP address of your LDAP server.

       ldap_auth_method
              Authentication method: none | simple | sasl
              none     anonymous LDAP bind
              simple   simple LDAP bind
              sasl     SASL. Not yet supported!

       ldap_auth_dn
              Distinguished Name of the user for simple bind.

       ldap_auth_pw
              Password of the user for simple bind.

       ldap_userbase
              DN of the user container in LDAP.

       ldap_userscope
              Search scope for user search: base | one | sub

       ldap_groupbase
              DN of the group container in LDAP.

       ldap_groupscope
              Search scope for group search: base | one | sub

       ldap_uuid_attr
              Name of the LDAP attribute with the UUIDs. Note: this is used
              both for users and groups.

       ldap_name_attr
              Name of the LDAP attribute with the user's short name.

       ldap_group_attr
              Name of the LDAP attribute with the group's short name.

EXAMPLES
       Example. afp_ldap.conf setup with simple bind

              ldap_server = localhost
              ldap_auth_method = simple
              ldap_auth_dn = cn=admin,dc=domain,dc=org
              ldap_auth_pw = notthisone
              ldap_userbase = ou=users,dc=domain,dc=org
              ldap_userscope = one
              ldap_groupbase = ou=groups,dc=domain,dc=org
              ldap_groupscope = one
              ldap_uuid_attr = some_attribute
              ldap_name_attr = cn
              ldap_group_attr = cn

SEE ALSO
       afpd(8), AppleVolumes.default(5), afpldaptest(1)

Netatalk 2.2                         30 Mar 2011                     AFP_LDAP.CONF(5)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.