Title: RE: Active Directory Authentication via Linux

OK, I'm the original poster of this message and here's what I discovered that ultimately made it work.

Using the PAM_SMB module, users that had complicated passwords with special characters failed SMB authentication.  I changed mine to something less complicated (temporarily) and everything went through without any problem.  I suspect that it's not "escaping" the password characters correctly.  Bug??

Thanks Andy and Javier for your comments.


-----Original Message-----
From: Javier Gostling [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Active Directory Authentication via Linux


On Mon, Sep 23, 2002 at 03:43:59PM -0500, Furnish, Trever G wrote:

> I'm under the impression that you are using the "old" nt method of
> authentication here rather than kerberos.  I would expect that as most
> sites move to active directory they will eventually disable support
> for their old authentication mechanisms in order to benefit from win2k
> and later's native kerberos authentication.
>
> If I'm reading this wrong and you are actually using kerberos with
> this setup, please correct me...

You are right. I'm using SMB authentication. Not kerberos authentication. Let me explain how I got to where I am:

My first attempt at unified authentication was from a Samba document which explained how to use winbind. This required winbindd, pam_winbind and hand tweaking of /etc/pam.d/*. I got it to work, but all usernames were in a format like "DOMAIN+username", which looked horrible when you tried ls or anything, not to mention typing it to log in to the system. So I sent it to /dev/null.

Next, I got hold of a document called "Authenticating Redhat 7.3 against the Active Directory". This document explained how to configure your RH box to authenticate with the kerberos component of an Active Directory Server. After following it step by step, things didn't quite work. So I sent it to /dev/null.

After some more googling, I came across a web page mentioned earlier on this thread (the pam_smb home page). This page mentioned /etc/pam.d/system-auth, which wasn't mentioned in the other docs I had read. I checked this file, and found the mention of authconfig. So I ran it and everything worked so smoothly that I kept it there to show to my boss.

So to sum it up:

1. Samba's winbind method was a hassle.
2. Kerberos just plain did not work.
3. Pam_smb configured with authconfig worked like a charm.

Since my objective was not to (implement a technology) use kerberos to authenticate, but to solve a problem (use the Windows Active Directory to authenticate), pam_smb stayed because it solved my problem in an easy way.

Note to Redhat: This process should be better documented in the manuals, either the Reference Guide or the Customization Guide.

Cheers,
--
Javier Gostling
Ingeniero de Sistemas
Virtualia S.A.
[EMAIL PROTECTED]
Fono: +56 (2) 202-6264 x 130
Fax: +56 (2) 342-8763

Av. Kennedy 5757, of 1502
Las Condes
Santiago
Chile
