<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1pre8">
<TITLE>The Answer Guy 30: Linux as a "Domain Controller" for
a WinNT Domain? Not Yet!</TITLE>
</head>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<!--endcut ========================================================= -->
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>

<!-- =============================================================== -->
<H1 align="center"><A NAME="answer">
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
<a href="./index.html">The Answer Guy</a>
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1> <BR>
<H4 align="center">By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> </H4>
<p><hr><p>
<H3><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
align="left" border="0">Linux as a "Domain Controller" for
a WinNT Domain? Not Yet!</H3>
<H4 ALIGN="center">or: Linux use of an NT PDC/BDC for authentication?</H4>

<p><strong>From Cesar Augusto Kant Grossmann on 25 Jun 1998

<!-- begin body -->
<br><br>

Hi James!

<br><br>
Again a problem for me, and an exercise for you.

<br><br>
Is it possible to make the Linux Box do login authentication
requests from an NT Domain Server?
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Not yet. The <a href="http://samba.anu.edu.au/">Samba team</a>
is working on this and hopes to have something ready within a couple of
months. Lest you think this is all wasted effort
(on the thought that Microsoft will ship NT 5.x
in a year or so) --- the indications seem to be that
the MS NT implementation of Kerberos will still rely
heavily on the data structures that they currently use
in their PDC/BDC protocol. So, the work being done
now is an investment to the future as well as a hope
for the near-present.
</blockquote>

<p><strong><img src="../gx/dennis/qbub.gif" height="28" width="50"
alt="(?)" border="0"
>I have a Linux box in a TCP/IP network, part of a large NT Domain,
and want to allow NT domain-users to log in to the Linux Box and access
the Internet from it. The idea is to provide access to the Linux Box without
having to register every user. The users don't need a regular
account, with home directory, because Internet access is not
frequent (thanks to a slow connection) and they only use it for
surfing (not email, not FTP).
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Hmm. It looks like I read too much into your first
paragraph. This sounds like you want Linux to be a
client to an NT domain controller. I think there is
a PAM (pluggable authentication module) for doing this.

<br><br>
Since the whole PAM project is still in beta (and not
moving nearly fast enough for my tastes --- not that I've
contributed to it nor that the programmers would want me
to) I can't make any promises on how well it will work.

<br><br>
However, the state of PAM can speak for itself at:

<blockquote><code><A HREF="http://www.kernel.org/pub/linux/libs/pam/"
>http://www.kernel.org/pub/linux/libs/pam/</A>
</code></blockquote>

(Andrew Morgan's pages on the Transmeta sponsored Linux site).

<br><br>
The module you might want to play with is by David Airlie
and is at:

<blockquote><code><A HREF="http://www.csn.ul.ie/~airlied/pam_smb/"
>http://www.csn.ul.ie/~airlied/pam_smb/</A>
</code></blockquote>

Other modules (for things like one-time passwords, authentication
on a Netware server, a couple of different "SecureCard" and
"DESGold" cards, RADIUS, support for Kerberos realms, etc.) can
be found by browsing around at:

<blockquote><code><A HREF="http://www.kernel.org/pub/linux/libs/pam/modules.html"
>http://www.kernel.org/pub/linux/libs/pam/modules.html</A>
</code></blockquote>
</blockquote>
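<p>As an added illustration (not part of the column, and not taken from pam_smb's own documentation), here is what wiring the module above into a login service looks like. The layout follows my recollection of pam_smb's README: a three-line <code>/etc/pam_smb.conf</code> naming the NT domain, the PDC and a BDC, and a <code>pam_smb_auth.so</code> entry in the PAM stack. The domain and host names are placeholders, the <code>nolocal</code> option is quoted from memory, and the module paths and companion module (<code>pam_unix.so</code> here) vary by distribution, so check all of them against your own system before relying on this.</p>

```conf
# /etc/pam_smb.conf  (constructed example)
# Line 1: NT domain name; line 2: primary domain controller; line 3: backup DC.
EXAMPLEDOM
ntpdc01
ntbdc01

# /etc/pam.d/login  (constructed example; module paths as on a typical Linux of the time)
#
# Try the NT domain first. "nolocal" tells pam_smb not to consult the local
# password database itself, so the verdict on this line comes only from the DC.
# "sufficient" means a domain "yes" ends the auth stack; a "no" falls through.
auth      sufficient  /lib/security/pam_smb_auth.so nolocal
# Local passwords stay valid for root and other accounts that are not in the
# domain, and keep logins working if both domain controllers are unreachable.
auth      required    /lib/security/pam_unix.so
# pam_smb only authenticates. Account checks and the session (home directory,
# shell) still come from /etc/passwd, so the user must exist locally.
account   required    /lib/security/pam_unix.so
session   required    /lib/security/pam_unix.so
```

<p>Two points a practitioner should take from this. First, PAM only answers "is this password right?": <code>login</code> still needs a local passwd entry for the user, so this does not remove the per-user registration the question hoped to avoid. Second, the module trusts whatever host answers to the two controller names, so make sure those names resolve through a path you control; any machine that can answer for them can approve logins on the Linux box.</p>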

<p><strong><img src="../gx/dennis/qbub.gif" height="28" width="50"
alt="(?)" border="0"
>No, I don't want to make the Linux Box act as a firewall (I don't
have authorization to do that). And, again, sorry for my bad English...
<br><br>
TIA

<br><br>
Cesar Augusto Kant Grossmann
<br>Uruguaiana - RS - Brasil
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Given the muddy murky nature of the term "firewall" the
difference between what you're doing and "acting as a firewall"
may be purely a matter of semantics. However, if it'll keep
your management happy I'll go into a Brazilian court of law
as an "expert witness" to state my opinion that this is <EM>not</EM>
a "firewall."

<br><br>
If by "surfing" you mean that your users will only be
using the Linux system as a web proxy --- why are you
fussing with authenticating them at all? Why not just
install Apache and configure it purely for caching/proxy
use --- or use Squid (there are RPM's available --- they
were included with my copies of
<A HREF="http://www.suse.de/">S.u.S.E.</A>).

<br><br>
<a href="http://www.apache.org/">Apache</a>, CERN, and Squid can
all be configured as caching
web proxy/servers and can all be configured with a variety
of limitations on which systems are allowed through in which
directions. Do you really care <EM>which</EM> user is logged into
the workstation that is using these proxies? That seems like
an odd requirement unless you're also trying to enforce
some other policies (like certain classes of employees are
only allowed to "surf" during their lunch hour, etc).

<br><br>
I suggest you actually review your requirements a bit further.
It sounds like you are complicating matters more than the
situation requires.
</blockquote>
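<p>The proxy-only route the Answer Guy recommends, as an added example that is not from the column or the Squid project: a minimal <code>squid.conf</code> access policy (constructed; it uses the <code>acl</code> and <code>http_access</code> directives that have kept this syntax across Squid releases) that admits workstations by source subnet instead of by user, and shows the lunch-hour rule from the paragraph above as a <code>time</code> ACL. The subnets are documentation addresses and the cache path is a placeholder.</p>

```conf
# squid.conf fragment (constructed example; subnets and paths are placeholders)
http_port 3128
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256

# Who may use the proxy is decided per workstation subnet, so no user account
# is needed on the Linux box. Squid still records the client address of every
# request in access.log, which usually answers "who was surfing at 3 pm".
acl office_lan    src 192.0.2.0/25
acl lunch_only    src 192.0.2.128/25
acl all           src 0.0.0.0/0.0.0.0

# Destination hygiene: plain web ports only, and CONNECT only towards HTTPS,
# so the proxy cannot be used as a generic TCP relay out of the office.
acl Safe_ports    port 80 443
acl SSL_ports     port 443
acl CONNECT       method CONNECT
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports

# The lunch-hour policy from the text: MTWHF = Monday to Friday.
acl lunch         time MTWHF 12:00-13:00

# Rules are evaluated top to bottom; the first matching line wins, and several
# ACL names on one line are ANDed.
http_access allow lunch_only lunch
http_access deny  lunch_only
http_access allow office_lan
http_access deny  all
```

<p>On Squid 3.2 and later the <code>all</code> ACL is built in and the line defining it should be dropped. The final <code>deny all</code> is the line that matters most: without it an open proxy is one forgotten rule away, and the lunch-hour pair has to sit above the general <code>allow</code> because the first match decides.</p>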
<!-- end body -->
<!--================================================================-->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 30 July 1998</H5>
<P> <hr> <P>
<!--startcut ======================================================= -->
</body>
</html>
<!--endcut ========================================================= -->