This is a discussion on Single Password - Linux & Windows within the Linux Security forums, part of the System Security and Security Related category.
I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.

What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.

Any suggestions or information would be appreciated.

Thank You,
Jason Williard
"Jason Williard" <jwilliard@pcsafe.net> writes:

> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.
>
> What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.
>
> Any suggestions or information would be appreciated.

in theory, an underlying m'soft mechanism is kerberos ... so it should be possible to deploy a kerberos configuration (across both windows and many other operating systems).

(windows) kerberos interoperability
http://www.microsoft.com/resources/d...p_log_tjil.asp

windows kerberos security tutorial
http://www.mcmcse.com/win2k/guides/kerberos.shtml

from my rfc index
http://www.garlic.com/~lynn/rfcietff.htm

select "Term (term->RFC#)" in the "RFCs listed by" section and scroll down to kerberos:

kerberos
see also authentication , security
3962 3961 3244 3129 2942 2712 2623 1964 1510 1411 ....

selecting any of the RFC numbers then brings up the summary for that RFC. in the summary field, selecting the ".txt=nnnn" field retrieves the actual RFC.

some past kerberos related postings:
http://www.garlic.com/~lynn/subpubkey.html#kerberos

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
On Tue, 31 May 2005 13:02:23 -0700, Jason Williard wrote:

> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that.

That shouldn't be too hard, provided you have the MS-Windows boxen set up to be KDCs for some Kerberos realm (AD.) Just set up /etc/krb5.conf and /etc/samba/smb.conf on Linux, "net join" (or some such (Google Groups for my name and AD ... maybe)) and name your Unix accounts like the ones in M$, then either pam_krb5 or pam_winbind (run "winbindd" on the 'clients'.) Fedora Core 3 (so probably RedHat) has some kind of menu under "setup" that should do this, but it failed on me.

> 2) Set up 2 of the linux machines with Samba to act as domain controllers.

Well, in that case you can only use NTLM, as Samba 3.x can only act as a member (not a controller) in MS-LDAP/MS-Kerberos due to the PAC screw.

> Unfortunately, I don't know which is the best option, or if either of these is the best.

I would go (and have gone) for M$ being the Kerberos KDCs and Linux clients to them, for now. Otherwise you'd have to run some Unix/Linux as KDCs as well, and set up cross-realm trust between them and MS-AD (or fall back to NTLM instead.)

> What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login.

Kerberos.

> As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.

That is an authorization, not an authentication issue. Probably: edit /etc/passwd with the shell set to /bin/false (nologin) and configure the daemons to allow/disallow some account (maybe based on the groups they're a member of) or some such. And have fun reading up on PAM, LDAP and your services / daemons setup in their respective docs.

> Any suggestions or information would be appreciated.
>
> Thank You,

Sure thing, have fun.

--
-Menno.
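The AD-member setup Menno sketches above (krb5.conf, smb.conf, then pam_winbind with winbindd, plus a PAM rule for his authorization point), written out as an added example; this is not configuration posted in the thread. EXAMPLE.COM / EXAMPLE, dc1.example.com and /etc/login.groups are placeholders, and the smb.conf directives are the Samba 3.x ones the thread is about.

```ini
# --- /etc/krb5.conf: point the Linux box at the AD domain controllers as KDCs ---
[libdefaults]
    # placeholder realm: the AD domain name, upper-case
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    forwardable = true
[realms]
    EXAMPLE.COM = {
        # placeholder DC hostname; list every DC you have
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# --- /etc/samba/smb.conf: join as an ADS member server (Samba 3.x cannot be the DC) ---
[global]
    # placeholder NetBIOS domain name and Kerberos realm
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    encrypt passwords = yes
    # map domain SIDs into a UID/GID range that cannot collide with /etc/passwd
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # log in as "jason", not "EXAMPLE\jason", and give domain users a shell and home
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
# then: net ads join -U Administrator ; service winbind start
# and in /etc/nsswitch.conf:   passwd: files winbind   /   group: files winbind

# --- /etc/pam.d/system-auth (RedHat): domain password first, local accounts second ---
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok use_first_pass
auth        required      pam_deny.so
# authorization, not authentication: a valid domain password alone does not grant
# shell access; only members of the groups listed in /etc/login.groups (placeholder) do
account     required      pam_listfile.so item=group sense=allow file=/etc/login.groups onerr=fail
account     sufficient    pam_winbind.so
account     required      pam_unix.so
password    sufficient    pam_winbind.so
password    sufficient    pam_unix.so use_authtok md5 shadow
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
```

Daemons such as the pop3/imap/smtp servers get the same effect by pointing their own PAM service file at a different group list, so each service has its own allow list while everyone still has one domain password.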
Take a look at these products. They provide true single sign-on across all platforms.
http://www.centrify.com
http://www.vintela.com

"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message news:m38y1vi1ot.fsf@lhwlinux.garlic.com...
> "Jason Williard" <jwilliard@pcsafe.net> writes:
> > I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.
> >
> > What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.
> >
> > Any suggestions or information would be appreciated.
>
> in theory, an underlying m'soft mechanism is kerberos ... so it should be possible to deploy a kerberos configuration (across both windows and many other operating systems).
>
> (windows) kerberos interoperability
> http://www.microsoft.com/resources/d...p_log_tjil.asp
>
> windows kerberos security tutorial
> http://www.mcmcse.com/win2k/guides/kerberos.shtml
>
> from my rfc index
> http://www.garlic.com/~lynn/rfcietff.htm
>
> select "Term (term->RFC#)" in the "RFCs listed by" section and scroll down to kerberos:
>
> kerberos
> see also authentication , security
> 3962 3961 3244 3129 2942 2712 2623 1964 1510 1411
>
> ...
>
> selecting any of the RFC numbers then brings up the summary for that RFC. in the summary field, selecting the ".txt=nnnn" field retrieves the actual RFC.
>
> some past kerberos related postings:
> http://www.garlic.com/~lynn/subpubkey.html#kerberos
>
> --
> Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
disclaimer .... kerberos was a project athena activity at MIT. DEC and IBM equally funded athena for $50m total (unrelated drift, ibm funded cmu for mach/andrew stuff alone for $50m). in any case, in previous life, my wife and I got to periodically visit project athena for reviews ... including kerberos.

not too long ago ... i was at a SAML-based product description and they were describing cross-domain support. it looked to me like the same exact flows that had been presented for cross-domain kerberos (we happened to be visiting athena right in the middle of the cross-domain invention) ... except with saml messages instead of kerberos tickets.

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Jason Williard wrote:

> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.
>
> What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.
>
> Any suggestions or information would be appreciated.
>
> Thank You,
> Jason Williard

It has been a while since I set it up, but Linux uses PAM (pluggable authentication module). What this means is you can change how your Linux system authenticates your user. In short, you can use a module that will make it so your Linux system and your Samba network authenticate against the same password DB. I had it set up once and it worked great. There is a discussion of this in the Samba documentation. I don't think it will work with Active Directory, but it will work as an NT Domain Controller. This is done on the Linux Server.
http://us4.samba.org/samba/docs/man/...ction/pam.html
Jason Williard wrote:

> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.
>
> What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.
>
> Any suggestions or information would be appreciated.
>
> Thank You,
> Jason Williard

LDAP, LDAP, LDAP!!! Use Windows 2K3 domain controllers for authentication. Then set up linux to use LDAP (via PAM I think it is called) to authenticate you to log onto any computer. In SuSe you can do it via YaST, I do not know about RedHat though.

--
Daniel
MCSE, MCP+I, MCP in Windows 2000/NT
--------------------------------------
remove the 2nd madrid from my mail address to contact me.
Take a look at services for unix. It can provide login support and user handling for Unix clients against your AD. It's also a free download from MS.

"Jason Williard" <jwilliard@pcsafe.net> wrote in message news:762dnQTt8MMoXwHfRVn-iw@comcast.com...
> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2 thoughts that came to mind. 1) Set up the 2 Windows servers as domain controllers and find a mechanism to connect the linux machines to that. 2) Set up 2 of the linux machines with Samba to act as domain controllers. Unfortunately, I don't know which is the best option, or if either of these is the best.
>
> What is the best way for me to do this? In the end, I would like to have the system administrators be able to log in to any of the servers with a single login. As well, I would like to use the password for specific access for employees, such as pop3/imap/smtp and a few other integrated services.
>
> Any suggestions or information would be appreciated.
>
> Thank You,
> Jason Williard
Daniel wrote:

> Jason Williard wrote:
>> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2
>
> LDAP, LDAP, LDAP!!! Use Windows 2K3 domain controllers for authentication. Then set up linux to use LDAP (via PAM I think it is called) to authenticate you to log onto any computer. In SuSe you can do it via YaST, I do not know about RedHat though.

(please don't cross-post)

Certainly the MS Domain model is probably not a good starting point. As for MAD....bear in mind that you can't do an anonymous bind - apart from that....yes it will work. I'm not sure where Samba is with MAD.

An alternative approach might be to use a native LDAP gina for the Windows machines (on the clients).

HTH
C.
On Wed, 01 Jun 2005 11:13:28 +0100, Colin McKinnon wrote:

> Daniel wrote:
>> Jason Williard wrote:
>>> I have 5 servers; 3 RedHat and 2 Windows 2003 Server. I would like to use a single password for all of these. When thinking about this, I had 2
>>
>> LDAP, LDAP, LDAP!!!

Kerberos.

>> Use Windows 2K3 domain controllers for authentication.

Well, either that or install MIT, Heimdal or Shishi Kerberos someplace, and have both the RedHat Linux and MS-Windows boxen authenticate to that:
http://www.pdc.kth.se/heimdal/heimda...0compatability

Problem of course is: you'll have to configure MS' stuff to workgroup rather than domain - and lose all the pretty/clicky menus in so doing.

>> Then set up linux to use LDAP (via PAM I think it is called) to authenticate you to log onto any computer. In SuSe you can do it via YaST, I do not know about RedHat though.
>
> (please don't cross-post)
>
> Certainly the MS Domain model is probably not a good starting point.

That probably depends greatly on the experience and knowledge day-to-day admins have, and whether or not there are any MS-Windows client boxen. For when it's only (internet) servers, and CLI access needed, one might as well use OpenSSH keys with a "single" passphrase:
http://sshwindows.sourceforge.net/

> As for MAD....bear in mind that you can't do an anonymous bind - apart from that....yes it will work. I'm not sure where Samba is with MAD.

Samba v3.x can be a client/member, but not a domain controller as of yet. This does seem to be (one of) the main feature(s) aimed for in Samba v4.x ...

--
-Menno.