>-----Original Message-----
>From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
>Of Christopher Chan
>Sent: Monday, February 16, 2009 8:53 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>
>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>> don't think it will work in other platforms though).
>>
>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>> Windows. Setting the same things in Firefox under linux and having it login
>> to sharepoint doesn't.
>
>I don't think any other OS other than Windows has NTLM bindings.
Probably not, but I was thinking there may be some obscure package somewhere
on the 'net to do this.
--
/Sorin
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
02-16-2009, 07:29 AM
Christopher Chan
>> I don't think any other OS other than Windows has NTLM bindings.
>>
>
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.
>
Hahaha, and I was hoping to flush it/them out.
02-16-2009, 07:21 PM
Ross Walker
On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu@orgfarm.uu.se>
wrote:
>> -----Original Message-----
>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
>> Of Christopher Chan
>> Sent: Monday, February 16, 2009 8:53 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>> Authentication [Apache]
>>
>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>> don't think it will work in other platforms though).
>>>
>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>>> Windows. Setting the same things in Firefox under linux and having it login
>>> to sharepoint doesn't.
>>
>> I don't think any other OS other than Windows has NTLM bindings.
>
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.
Avoid NTLM altogether and use Kerberos between apache/squid, Active
Directory and the Windows and Linux clients.
Firefox and IE both support Kerberos authentication. I believe apache/squid
do too, but you need to manually create the service principal
names in AD for those.
Use pam_krb5 on the Linux clients to get a ticket on login.
Use samba client on Linux hosts to join to domain and manage the
Kerberos keytab file for the machine passwords.
Use winbind to get passwd/group files via nsswitch.
-Ross
02-16-2009, 09:54 PM
Kanwar Ranbir Sandhu
On Sat, 2009-02-14 at 09:14 -0600, Jeff wrote:
> OK, so you say it's possible, but how about some hints? You're leaving
> us completely in the dark here.
The problem is I don't have a step-by-step procedure to give you because
I didn't document as I went along. Working in a smaller company usually
means documentation gets delayed or not done at all, unfortunately (not
enough time to do it!).
I'll see if I saved the links I found the most useful when I did the
integration (on my work PC, so has to wait until Feb 17th, at least).
The websites I used will hopefully be useful to you, too.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
17:50:59 up 5 days, 19:38, 3 users, load average: 2.08, 1.78, 0.98
02-16-2009, 09:56 PM
Kanwar Ranbir Sandhu
On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.
There is - I found it last year, and it works. I have everything on my
work PC, so I'll let the list know tomorrow or later this week.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
17:54:53 up 5 days, 19:41, 3 users, load average: 1.20, 1.70, 1.14
02-16-2009, 10:03 PM
Kanwar Ranbir Sandhu
On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
> Avoid NTLM all together and use Kerberos between apache/squid, Active
> Directory and the Windows and Linux clients.
>
> Firefox and IE both support Kerberos authentication. I believe apache/
> squid do too, but you need a manually create the service principal
> names in AD for those.
I was using NTLM at first, but then switched to Kerberos (on the CentOS
server side). The Windows users didn't see a difference. For them, SSO
works just as well as before, but I still get prompted to enter
user/password when I use my Fedora 10 desktop to browse to CentOS hosted
web sites.
My Fedora desktop is joined to the domain. I can login with my AD
user/password. I even have caching working, which lets me sign on to my
laptop when it's not connected to the network.
I suppose I've missed something, though I don't know what.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
17:57:09 up 5 days, 19:44, 3 users, load average: 0.21, 1.13, 1.00
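
Added example, not part of any poster's message: when one client gets SSO and another is prompted, the `Authorization` header the browser actually sent shows whether it offered a Kerberos ticket or fell back to NTLM. The sketch below classifies that header value; the function names and result labels are made up for illustration, and the SPNEGO branch is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"                               # NTLM message signature
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def gss_body(tok):
    """Return the contents of the outer [APPLICATION 0] GSS-API wrapper."""
    if len(tok) < 2 or tok[0] != 0x60:
        raise ValueError("not a GSS-API initial token")
    start, length = 2, tok[1]
    if length & 0x80:                        # long-form DER length
        n = length & 0x7F
        if not 1 <= n <= 4 or len(tok) < 2 + n:
            raise ValueError("bad DER length")
        start, length = 2 + n, int.from_bytes(tok[2:2 + n], "big")
    if start + length > len(tok):
        raise ValueError("truncated token")
    return tok[start:start + length]

def classify_authorization(value):
    """Name the mechanism carried in an HTTP Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other:" + scheme.lower()
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP):          # bare NTLM, no GSS-API framing
            mtype = struct.unpack_from("<I", tok, 8)[0]
            return "ntlm:" + NTLM_TYPES.get(mtype, "unknown")
        body = gss_body(tok)
    except (ValueError, struct.error):
        return "malformed"
    if body.startswith((OID_KRB5, OID_MS_KRB5)):
        return "kerberos"
    if not body.startswith(OID_SPNEGO):
        return "gssapi:unknown"
    # Heuristic: inspect what the SPNEGO token carries after its own OID.
    rest = body[len(OID_SPNEGO):]
    if NTLMSSP in rest:
        return "spnego:ntlm"
    if OID_KRB5 in rest or OID_MS_KRB5 in rest:
        return "spnego:kerberos"
    return "spnego:unknown"
# Constructed sample header value (not captured traffic): bare NTLM type 1.
SAMPLE = "Negotiate " + base64.b64encode(NTLMSSP + struct.pack("<I", 1) + bytes(4)).decode()
```

A result of `ntlm:*` or `spnego:ntlm` from a domain-joined client means it never presented a service ticket for the web server.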
02-16-2009, 10:10 PM
"John"
> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of Kanwar Ranbir Sandhu
> Sent: Monday, February 16, 2009 5:56 PM
> To: centos@centos.org
> Subject: Re: [CentOS] Practical experience with NTLM/Windows
> Integrated Authentication [Apache]
>
> On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> > Probably not, but I was thinking there may be some obscure
> package somewhere
> > on the 'net to do this.
>
> There is - I found it last year, and it works. I have
> everything on my
> work PC, so I'll let the list know tomorrow or later this week.
If you can, provide a link to it please or if the link is no longer valid
can you somehow send me a mail personally so I could receive it from you to
provide it to interested people? That is if you still have the src or
binary.
JohnStanley
02-16-2009, 11:05 PM
Christopher Chan
Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>
>> Avoid NTLM all together and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need a manually create the service principal
>> names in AD for those.
>>
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side). The Windows users didn't see a difference. For them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it's not connected to the network.
>
> I suppose I've missed something, though I don't know what.
Maybe kerberos authentication?
I have winbind authentication working here but I have yet to get
kerberos working to get SSO on Linux desktops.
02-16-2009, 11:07 PM
Christopher Chan
Ross Walker wrote:
> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu@orgfarm.uu.se>
> wrote:
>
>
>>> -----Original Message-----
>>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
>>> Of Christopher Chan
>>> Sent: Monday, February 16, 2009 8:53 AM
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>>> Authentication [Apache]
>>>
>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>> don't think it will work in other platforms though).
>>>>
>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>>>> Windows. Setting the same things in Firefox under linux and having it login
>>>> to sharepoint doesn't.
>>>
>>> I don't think any other OS other than Windows has NTLM bindings.
>>
>> Probably not, but I was thinking there may be some obscure package somewhere
>> on the 'net to do this.
>>
>
> Avoid NTLM all together and use Kerberos between apache/squid, Active
> Directory and the Windows and Linux clients.
>
> Firefox and IE both support Kerberos authentication. I believe apache/
> squid do too, but you need a manually create the service principal
> names in AD for those.
>
> Use pam_krb5 on the Linux clients to get a ticket on login.
>
Mind sharing the pam config for that? I have something set up but things
don't seem to work.
> Use samba client on Linux hosts to join to domain and manage the
> Kerberos keytab file for the machine passwords.
>
Hmm...maybe I should not have manually created the credentials.
02-16-2009, 11:33 PM
Kanwar Ranbir Sandhu
On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
> Maybe kerberos authentication?
>
> I have winbind authentication working here but I have yet to get
> kerberos working to get SSO on Linux desktops.
Isn't winbind enough? After all, winbind gets the kerberos ticket when
the user logs in.
What's the difference between kerberos auth and winbind auth?
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
19:32:30 up 5 days, 21:19, 3 users, load average: 0.30, 0.24, 0.21