[sllug-members]: Auth to AD for IPSec

Shaun Kruger shaun.kruger at gmail.com
Tue Jun 20 10:15:28 MDT 2006


I've spent many hours trying to figure out how to make use of AD
logins using pam.  The best place to start is here:
http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html
When it comes time to join, make sure you do a 'net ads join' instead
of a 'net rpc join'.  You want to set up winbind so that you are
getting account info through pam_unix.so.  You can test this by doing
'getent passwd'.  If domain accounts show up you have it right.  If you
are using AD and it is working as far as getting account information
you can then use kerberos authentication (AD = LDAP + DNS + Kerberos).

I have found the following pam entries work.

auth       required     pam_krb5.so debug     # debug optional; logs to /var/log/debug...

account    sufficient   pam_winbind.so        # may be superfluous (needs testing)
account    required     pam_unix.so

This is my config from ssh.  My login config allows me to use unix
logins or AD logins.  I can't get it to work for ssh, though that
really helps lock down the root account from direct remote login.

I hope this helps. I've done it on 3 of my machines now.  Email me if
you need any clarification.

Shaun Kruger

On 6/20/06, weales at xmission.com <weales at xmission.com> wrote:
> I want to monitor a W2K3 Server that is running as FE Exchange 2003 OWA in
> the DMZ via SNMP.
>
> I'm using Cacti 0.8.6h running on FC4.
>
> I understand that I need to create IPSec policies on the W2K3 Server to secure
> communications on TCP and UDP ports 161 and 162 to secure SNMP transactions
> from the DMZ to the SNMP management console (Cacti).  I also understand that
> I need to "join" my FC4 Cacti box to AD so it can be authenticated via the
> IPSec policy.
>
> What is the best way to join/authenticate my FC4 box to AD so it can receive
> the encrypted SNMP traffic?  I have winbindd installed, and I can run wbinfo
> -u and -g to see the users and groups in AD, but it appears my authentication
> is still coming from the local machine, not AD.
>
>
> Thanks
> Ron
> ______________________________________________________________________
> See http://www.sllug.org/ for latest SLLUG news, information, links.
> Join SLLUG and other UT LUG members on irc.FreeNode.net channel #Utah
> sllug-members at sllug.org
> http://www.sllug.org/cgi-bin/mailman/listinfo/sllug-members
>


-- 
Visit my blog at http://hackerlog.blogspot.com
=====================================================
If more of us valued food and cheer and song above hoarded gold, it would
be a merrier world.
                -- J.R.R. Tolkien
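The checks Shaun describes above (a valid 'net ads join', winbind feeding account data to nsswitch/PAM so that domain accounts appear in 'getent passwd', and keeping root out of direct remote login) turned into a small verification script. This is an added example, not code from either message in the thread. It assumes Samba's default winbind separator '\' with 'winbind use default domain' off (so domain users appear as DOMAIN\user), an idmap range of 10000-20000, and a hypothetical domain called EXAMPLE; the 'getent passwd' and sshd_config samples it carries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a winbind-based AD join.
# Assumptions not stated in the thread: winbind separator is Samba's default '\',
# 'winbind use default domain' is off (domain users show up as DOMAIN\user),
# and the idmap range is 10000-20000.  The domain name EXAMPLE is hypothetical.
WINBIND_SEP='\'
IDMAP_LO=10000
IDMAP_HI=20000

# count_domain_accounts SEP LO HI: read passwd(5)-format lines on stdin and print
# how many come from winbind: the name contains the separator, or the UID lies in
# the idmap range.  The separator travels via the environment so awk does not
# treat the backslash as an escape sequence.
count_domain_accounts() {
    SEP="$1" awk -F: -v lo="$2" -v hi="$3" '
        index($1, ENVIRON["SEP"]) > 0 || ($3 + 0 >= lo + 0 && $3 + 0 <= hi + 0) { n++ }
        END { print n + 0 }'
}

# domain_accounts_present SEP LO HI: exit 0 if at least one domain account is on
# stdin, 1 otherwise.  This is the "getent passwd" test from the post, made scriptable.
domain_accounts_present() {
    [ "$(count_domain_accounts "$@")" -gt 0 ]
}

# root_login_disabled: sshd_config on stdin; exit 0 if an uncommented
# 'PermitRootLogin no' line is present.  (sshd honours the first occurrence of a
# keyword, so a stricter check would inspect only the first match.)
root_login_disabled() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'
}

# Constructed sample of 'getent passwd' output on a joined box: two local
# accounts and two winbind-supplied domain accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cacti:x:500:500::/var/www/cacti:/sbin/nologin
EXAMPLE\ron:*:10001:10000:Ron:/home/EXAMPLE/ron:/bin/bash
EXAMPLE\svc-snmp:*:10002:10000::/home/EXAMPLE/svc-snmp:/bin/false'

# Constructed sshd_config fragment with direct root login refused.
SAMPLE_SSHD='# sshd_config
Protocol 2
PermitRootLogin no
UsePAM yes'

# run_live_checks: the same checks against the running system.  Only run when
# invoked with --live, since it needs a joined machine with winbindd running.
run_live_checks() {
    net ads testjoin || { echo "machine account not valid in AD"; return 1; }
    wbinfo -t       || { echo "winbind cannot use the trust secret"; return 1; }
    getent passwd | domain_accounts_present "$WINBIND_SEP" "$IDMAP_LO" "$IDMAP_HI" \
        || { echo "no domain accounts via getent: check nsswitch.conf / winbindd"; return 1; }
    root_login_disabled < /etc/ssh/sshd_config \
        || echo "warning: PermitRootLogin is not set to 'no'"
    echo "winbind/AD integration looks healthy"
}

case "${1:-}" in
    --live) run_live_checks ;;
    *) printf '%s\n' "$SAMPLE_PASSWD" \
           | domain_accounts_present "$WINBIND_SEP" "$IDMAP_LO" "$IDMAP_HI" \
           && echo "sample: domain accounts present" ;;
esac
```

Run it with no arguments to exercise the constructed samples, or with --live on the joined FC4 box. One caveat on the 'getent passwd' test itself: listing every domain user through getent relies on 'winbind enum users = yes' in smb.conf, so on a system where enumeration is off, 'getent passwd DOMAIN\user' for one known account is the more reliable check that nsswitch is really reaching winbind.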

