<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1pre8">
<TITLE>The Answer Guy 30: Linux as a "Domain Controller" for
a WinNT Domain? Not Yet!</TITLE>
</head>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<!--endcut ========================================================= -->
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>

<!-- =============================================================== -->
<H1 align="center"><A NAME="answer">
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
<a href="./index.html">The Answer Guy</a>
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1> <BR>
<H4 align="center">By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> </H4>
<p><hr><p>
<H3><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
align="left" border="0">Linux as a "Domain Controller" for
a WinNT Domain? Not Yet!</H3>
<H4 ALIGN="center">or: Linux use of an NT PDC/BDC for authentication?</H4>

<p><strong>From Cesar Augusto Kant Grossmann on 25 Jun 1998

<!-- begin body -->
<br><br>

Hi James!

<br><br>
Again a problem for me, and an exercise for you.

<br><br>
Is it possible to make the Linux Box do login authentication
requests from an NT Domain Server?
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Not yet. The <a href="http://samba.anu.edu.au/">Samba team</a>
is working on this and hopes to have something ready within a couple of
months. Lest you think this is all wasted effort
(on the thought that Microsoft will ship NT 5.x
in a year or so) --- the indications seem to be that
the MS NT implementation of Kerberos will still rely
heavily on the data structures that they currently use
in their PDC/BDC protocol. So, the work being done
now is an investment in the future as well as a hope
for the near-present.
</blockquote>

<p><strong><img src="../gx/dennis/qbub.gif" height="28" width="50"
alt="(?)" border="0"
>I have a Linux box in a TCP/IP network, part of a large NT Domain,
and want to allow NT domain-users to log in to the Linux Box and access
the Internet from it. The idea is to provide access to the Linux Box without
having to register every user. The users don't need a regular
account, with home directory, because Internet access is not
frequent (thanks to a slow connection) and they only use it for
surfing (not email, not FTP).
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Hmm. It looks like I read too much into your first
paragraph. This sounds like you want Linux to be a
client to an NT domain controller. I think there is
a PAM (pluggable authentication module) for doing this.

<br><br>
Since the whole PAM project is still in beta (and not
moving nearly fast enough for my tastes --- not that I've
contributed to it nor that the programmers would want me
to) I can't make any promises on how well it will work.

<br><br>
However, the state of PAM can speak for itself at:

<blockquote><code><A HREF="http://www.kernel.org/pub/linux/libs/pam/"
>http://www.kernel.org/pub/linux/libs/pam/</A>
</code></blockquote>

(Andrew Morgan's pages on the Transmeta-sponsored Linux site).

<br><br>
The module you might want to play with is by David Airlie
and is at:

<blockquote><code><A HREF="http://www.csn.ul.ie/~airlied/pam_smb/"
>http://www.csn.ul.ie/~airlied/pam_smb/</A>
</code></blockquote>

Other modules (for things like one-time passwords, authentication
on a Netware server, a couple of different "SecureCard" and
"DESGold" cards, RADIUS, support for Kerberos realms, etc.) can
be found by browsing around at:

<blockquote><code><A HREF="http://www.kernel.org/pub/linux/libs/pam/modules.html"
>http://www.kernel.org/pub/linux/libs/pam/modules.html</A>
</code></blockquote>
</blockquote>
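<p>To make the PAM control flags concrete, here is an added example (written for this page; not code from the column, the PAM project or the pam_smb module) that walks a Linux-PAM style <code>auth</code> stack the way the framework's dispatcher does. Module verdicts are supplied by the caller so it runs offline; <code>pam_nt_domain</code> is a hypothetical name standing in for a module such as pam_smb that checks the password against the domain controller, while <code>pam_unix</code>, <code>pam_permit</code> and <code>pam_deny</code> are real modules. The sample stacks show the configuration the questioner is after (domain first, local fallback), one that forces every domain user to also hold a local password, and the classic <code>sufficient pam_permit</code> mistake that lets any name through.</p>

```python
"""Walk a Linux-PAM style 'auth' stack and report the decision it reaches.

Added example for this column; not code from the page, the PAM project or the
pam_smb module.  'pam_nt_domain' is a hypothetical name standing in for a
module such as pam_smb that verifies the password against an NT domain
controller; pam_unix, pam_permit and pam_deny are real modules.  Verdicts are
supplied by the caller so the stack can be exercised offline.
"""
from typing import Dict, List, Tuple

# The keyword controls as the actions Linux-PAM expands them to: what to do
# when the module succeeds and what to do for any other result ("default").
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Modules whose result never depends on the user.
FIXED_VERDICTS = {"pam_permit": True, "pam_deny": False}

Stack = List[Tuple[str, str]]   # [(control, module), ...] in file order


def walk_stack(stack: Stack, verdicts: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, trace).  verdicts[module] is True when that
    module would return PAM_SUCCESS for this attempt; a module absent from
    the dict is taken to fail, which is the safe assumption."""
    impression = "undef"     # undef | positive | negative, as in pam_dispatch.c
    status_ok = False        # the result the stack would hand back so far
    trace: List[str] = []

    for control, module in stack:
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag: {control}")
        succeeded = FIXED_VERDICTS.get(module, verdicts.get(module, False))
        action = CONTROLS[control]["success" if succeeded else "default"]
        verdict = "success" if succeeded else "failure"
        trace.append(f"{control:<10} {module:<14} {verdict} -> {action}")

        if action == "ignore":
            continue                         # contributes nothing to the result
        if action in ("ok", "done"):
            if impression != "negative":     # an earlier required failure sticks
                impression, status_ok = "positive", True
        else:                                # bad / die
            if impression != "negative":     # the first failure is the one reported
                impression, status_ok = "negative", False
        if action in ("done", "die"):
            trace.append(f"{action}: stack terminated")
            break

    # Sanity rule from Linux-PAM: success is only reported with a positive impression.
    if status_ok and impression != "positive":
        status_ok = False
    return status_ok, trace


# What the questioner wants: ask the domain controller first; a domain user
# needs no local password, a local-only user still gets in.
DOMAIN_THEN_LOCAL: Stack = [
    ("sufficient", "pam_nt_domain"),
    ("required",   "pam_unix"),
]

# Classic misconfiguration: pam_permit always succeeds, so as 'sufficient'
# ahead of the real check it accepts every login attempt.
PERMIT_BYPASS: Stack = [
    ("sufficient", "pam_permit"),
    ("required",   "pam_nt_domain"),
]

# Both sources must agree, which forces every domain user to also have a
# local password and defeats the goal of not registering users.
BOTH_REQUIRED: Stack = [
    ("required", "pam_nt_domain"),
    ("required", "pam_unix"),
]


def decide(stack: Stack, **verdicts: bool) -> bool:
    """Shorthand: decide(DOMAIN_THEN_LOCAL, pam_nt_domain=True) -> True."""
    return walk_stack(stack, verdicts)[0]


if __name__ == "__main__":
    for label, stack, verdicts in [
        ("domain user",     DOMAIN_THEN_LOCAL, {"pam_nt_domain": True}),
        ("local-only user", DOMAIN_THEN_LOCAL, {"pam_unix": True}),
        ("unknown user",    DOMAIN_THEN_LOCAL, {}),
        ("unknown user",    PERMIT_BYPASS,     {}),
        ("domain user",     BOTH_REQUIRED,     {"pam_nt_domain": True}),
    ]:
        ok, trace = walk_stack(stack, verdicts)
        print(f"{label}: {'ACCEPT' if ok else 'DENY'}")
        for line in trace:
            print("   ", line)
```

<p>Two points the trace makes visible when wiring a domain module into a stack: a <code>sufficient</code> success only ends the stack with success if no earlier <code>required</code> module has failed, and a stack in which every module was ignored reports failure, so a failing domain lookup never opens the system on its own. PAM also only answers the question "is this password right?": the login program still needs a Unix identity (a passwd entry) for the name being logged in, which password verification against the domain does not create by itself.</p>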

<p><strong><img src="../gx/dennis/qbub.gif" height="28" width="50"
alt="(?)" border="0"
>No, I don't want to make the Linux Box act as a firewall (I don't
have authorization to do that). And, again, sorry for my bad English...
<br><br>
TIA

<br><br>
Cesar Augusto Kant Grossmann
<br>Uruguaiana - RS - Brasil
</strong></p>

<blockquote><img src="../gx/dennis/bbub.gif" height="28" width="50"
alt="(!)" border="0"
>Given the muddy, murky nature of the term "firewall" the
difference between what you're doing and "acting as a firewall"
may be purely a matter of semantics. However, if it'll keep
your management happy I'll go into a Brazilian court of law
as an "expert witness" to state my opinion that this is <EM>not</EM>
a "firewall."

<br><br>
If by "surfing" you mean that your users will only be
using the Linux system as a web proxy --- why are you
fussing with authenticating them at all? Why not just
install Apache and configure it purely for caching/proxy
use --- or use Squid (there are RPMs available --- they
were included with my copies of
<A HREF="http://www.suse.de/">S.u.S.E.</A>).

<br><br>
<a href="http://www.apache.org/">Apache</a>, CERN, and Squid can
all be configured as caching
web proxy/servers and can all be configured with a variety
of limitations on which systems are allowed through in which
directions. Do you really care <EM>which</EM> user is logged into
the workstation that is using these proxies? That seems like
an odd requirement unless you're also trying to enforce
some other policies (like certain classes of employees are
only allowed to "surf" during their lunch hour, etc.).

<br><br>
I suggest you actually review your requirements a bit further.
It sounds like you are complicating matters more than the
situation requires.
</blockquote>
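<p>The "limitations on which systems are allowed through" mentioned above are written in Squid as <code>acl</code> and <code>http_access</code> lines. The following added example (written for this page; not code from the column or from the Squid project) parses a constructed <code>squid.conf</code> fragment and evaluates requests against it with the documented access-list semantics: values on one <code>acl</code> line are ORed, ACL names on one <code>http_access</code> line are ANDed, the first matching line wins, and when no line matches the answer is the opposite of the last <code>http_access</code> line. Only the <code>src</code> and <code>dstdomain</code> ACL types are modelled, and the addresses and domain names are constructed documentation ranges.</p>

```python
"""Evaluate Squid-style http_access rules against constructed requests.

Added example; not code from the page or the Squid project.  It follows the
squid.conf rules for access lists: 'acl NAME TYPE VALUE...' (values on the
same name are ORed), 'http_access allow|deny NAME...' (names on one line are
ANDed), the first matching line wins, and when no line matches the result is
the opposite of the last http_access line.  Only the 'src' and 'dstdomain'
ACL types are modelled here.
"""
import ipaddress
from typing import Dict, List, Tuple

Acl = Tuple[str, List[str]]      # (acl type, values)
Rule = Tuple[bool, List[str]]    # (allow?, acl names)


def parse_conf(text: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    """Parse the acl and http_access lines of a squid.conf fragment."""
    acls: Dict[str, Acl] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            name, kind, values = words[1], words[2], words[3:]
            if kind not in ("src", "dstdomain"):
                raise ValueError(f"acl type not modelled here: {kind}")
            if name in acls and acls[name][0] != kind:
                raise ValueError(f"acl {name} redefined with another type")
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access" and len(words) >= 3 and words[1] in ("allow", "deny"):
            rules.append((words[1] == "allow", words[2:]))
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return acls, rules


def acl_matches(acl: Acl, client_ip: str, dest_host: str) -> bool:
    """True when the request matches any value of the ACL (values are ORed)."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    # dstdomain: a leading dot matches the domain itself and every subdomain;
    # without the dot only that exact host name matches.
    host = dest_host.lower().rstrip(".")
    for v in values:
        v = v.lower()
        if v.startswith(".") and (host == v[1:] or host.endswith(v)):
            return True
        if not v.startswith(".") and host == v:
            return True
    return False


def http_access(conf: str, client_ip: str, dest_host: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against a squid.conf fragment."""
    acls, rules = parse_conf(conf)
    if not rules:
        return False, "no http_access lines at all: Squid denies"
    for allow, names in rules:
        missing = [n for n in names if n not in acls]
        if missing:
            raise ValueError(f"http_access uses undefined acl(s): {missing}")
        if all(acl_matches(acls[n], client_ip, dest_host) for n in names):
            verb = "allow" if allow else "deny"
            return allow, f"matched 'http_access {verb} {' '.join(names)}'"
    last_allow = rules[-1][0]
    return (not last_allow), "nothing matched: opposite of the last http_access line"


# Constructed fragment (documentation address ranges): office workstations may
# surf, the intranet server is always reachable, and the closing 'deny all'
# shuts everyone else out regardless of what came before it.
CLOSED_CONF = """\
acl all src 0.0.0.0/0
acl office src 192.0.2.0/24
acl lunchroom src 198.51.100.0/24
acl intranet dstdomain .corp.example
http_access allow intranet
http_access allow office
http_access deny lunchroom
http_access deny all
"""

# The same fragment minus its last line.  The list now ends with a 'deny', so
# a client that matches nothing gets the opposite: the proxy is open.
OPEN_CONF = "\n".join(CLOSED_CONF.splitlines()[:-1]) + "\n"


if __name__ == "__main__":
    requests = [("192.0.2.10", "www.example.net"),       # office workstation
                ("198.51.100.7", "www.example.net"),     # lunchroom workstation
                ("198.51.100.7", "wiki.corp.example"),   # lunchroom to intranet
                ("203.0.113.5", "www.example.net")]      # outsider
    for label, conf in (("closed", CLOSED_CONF), ("open", OPEN_CONF)):
        for ip, host in requests:
            allowed, why = http_access(conf, ip, host)
            print(f"[{label}] {ip:>13} -> {host:<18} {'ALLOW' if allowed else 'DENY '} ({why})")
```

<p>The second fragment only drops the final <code>deny all</code>, yet because the last remaining line is a <code>deny</code>, an outside client such as 203.0.113.5 that matches nothing is now allowed: this is how a caching proxy turns into an open proxy. Ending every access list with <code>http_access deny all</code> removes that dependence on line order, and the same first-match-wins reading applies whatever ACL types the real configuration uses.</p>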
<!-- end body -->
<!--================================================================-->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 30 July 1998</H5>
<P> <hr> <P>
<!--================================================================-->
<table width="98%"><tr valign="center" align="center">
<td rowspan="3"><A HREF="./lg_answer30.html"><IMG
SRC="../gx/dennis/answernew.gif"
ALT="[ Answer Guy Index ]"></A></td>
<td><A HREF="tag_SCOkeys.html">SCOkeys</A></td>
<td><A HREF="tag_chroot.html">chroot</A></td>
<td><A HREF="tag_dosemu-db.html">dosemu-db</A></td>
<td><A HREF="tag_NTauth.html">NTauth</A></td>
<td><A HREF="tag_cdr.html">cdr</A></td>
<td><A HREF="tag_3270.html">3270</A></td>
<td><A HREF="tag_comport.html">comport</A></td>
</tr><tr valign="center" align="center">
<td><A HREF="tag_lilostop.html">lilostop</A></td>
<td><A HREF="tag_emulate.html">emulate</A></td>
<td><A HREF="tag_ppadrivers.html">ppadrivers</A></td>
<td><A HREF="tag_database.html">database</A></td>
<td><A HREF="tag_vacation.html">vacation</A></td>
<td><A HREF="tag_nullmodem.html">nullmodem</A></td>
<td><A HREF="tag_lockups.html">lockups</A></td>
</tr><tr valign="center" align="center">
<td><A HREF="tag_gzipC.html">gzipC</A></td>
<td><A HREF="tag_newlook.html">newlook</A></td>
<td><A HREF="tag_c500.html">c500</A></td>
<td><A HREF="tag_solprint.html">solprint</A></td>
<td><A HREF="tag_vc1shell.html">vc1shell</A></td>
<td><A HREF="tag_memleak.html">memleak</A></td>
<td><A HREF="tag_tvcard.html">tvcard</A></td>
</tr></table>
<P> <hr> <P>
<!--================================================================-->
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
ALT="[ Table Of Contents ]"></A>
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
ALT="[ Front Page ]"></A>
<A HREF="lg_bytes30.html"><IMG SRC="../gx/back2.gif"
ALT="[ Previous Section ]"></A>
<A HREF="./vrenios.html"><IMG SRC="../gx/fwd.gif"
ALT="[ Next Section ]"></A>
<!--startcut ======================================================= -->
</body>
</html>
<!--endcut ========================================================= -->