
BLU Discuss list archive



CentOS magic to Active Directory login?



On Thu, Feb 18, 2010 at 8:28 PM, Edward Ned Harvey <blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org> wrote:
>> I've been trying to follow samba, centos, ldap, and other
>> documentation to try and get a CentOS 5 box to permit a user to log
>> into an existing Windows 200x Active Directory domain without
>> necessarily having the box as part of the domain. If it has to be
>> part of the domain, that is fine. The user shall have no local
>> account on the box - I want their active directory account to
>> automatically produce their account on the CentOS 5 box, likely with a
>> shell of bash.
>
> I am confused by a couple of things: If I understand you correctly, you
> want the user account to be created locally on the machine, without the
> machine joining AD, but the user account is authenticated by AD credentials.
> The only place I've ever seen anything similar to that was in Apple OD. A
> "Mobility User" logs in, is authenticated against the OD, but it is in fact
> created as a local user on the machine.

I did not mean to confuse. My goal is to NOT have to create a local
account on the Linux box - to instead allow a user to log into the
Linux box as though it were a Windows box that is part of the domain -
their login credentials authenticate against a genuine Windows Active
Directory controller, which sees that the user exists, and they are able
to log in. Samba does have an option to give the user a shell if login is
successful.

Now, I don't care if the Linux box has actually joined the domain - I
only want the user to be able to successfully authenticate against it
and log in. Maybe the box will need to be a member - something I'll
learn along the way.

Thanks.

Scott

>
> I think as long as your requirements are inflexible, ... good luck, it may
> be difficult or impossible. But there are a lot of possibilities as long as
> you're willing to give up at least *one* of your requirements. The
> preferable choice would be if you have the ability to join the domain. Then
> there are tons of options, able to auto-create local accounts upon login,
> and so on. ... I'll try to say more if you express any interest.
>
> Oh, one more thing.
>
> I was very surprised to learn this a year or two ago. You don't need to be
> a domain administrator to join a machine onto the domain. I was very
> surprised when one of my unprivileged users joined his laptop to my domain,
> and I was unable to repeat that using my own unprivileged account. I
> investigated this *extremely* thoroughly, because I thought it represented
> some sort of security breach (like he somehow got the admin pass) but that
> was not the case. In the end, it was proven, without anybody getting in
> trouble, that unprivileged users can sometimes join computers to domains.
> There are some restrictions, but all the websites had conflicting
> information about what the restrictions are, so I am somewhat unclear in
> that area.
>
>
