Old 02-17-2009, 06:18 PM
Kanwar Ranbir Sandhu

On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> > In Firefox go to your about:config page and scroll down to:
> >
> > network.negotiate-auth.delegation-uris
> >
> > and
> >
> > network.negotiate-auth.trusted-uris
> >
> > and for their string values enter your DNS domain to allow kerberos
> > negotiation and delegation to occur.
>
> HA! I had these set already, but I still get prompted. So, today I
> decided I should delete the saved passwords for the apache hosted site I
> was trying to access, and voila, SSO worked! I can't believe I didn't
> remove the saved passwords before.

I should have mentioned that I only set
"network.negotiate-auth.trusted-uris". I left the other one blank.
Setting it or not didn't seem to make a difference. But, based on this:

https://developer.mozilla.org/en/Integrated_Authentication

The apache server should have been able to handle the authentication.
Maybe I'm misunderstanding what "delegation" does.

Regards,

Ranbir
--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
14:12:01 up 6 days, 15:59, 4 users, load average: 1.11, 1.13, 0.87


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
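The two about:config keys in this post decide, per site, whether Firefox offers Negotiate at all (trusted-uris) and whether it additionally forwards the user's TGT to that site (delegation-uris). The checker below is an added example, not code from the thread or from Mozilla: it parses constructed prefs.js fragments, reports what Firefox would do for a given URL, and flags the setting a defender cares about most, a bare domain suffix in delegation-uris, which lets every host under that domain receive a forwardable ticket. The matching rule (scheme-prefixed entries match as URL prefixes, plain entries as hostname suffixes) is an assumption based on Firefox's documented behaviour, and all sample values are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed prefs.js fragments (sample data, not taken from the thread).
# The first mirrors the poster's setup: trusted-uris set, delegation-uris blank.
PREFS_TRUSTED_ONLY = '''
user_pref("network.negotiate-auth.trusted-uris", "example.com");
user_pref("network.negotiate-auth.delegation-uris", "");
'''
# The second also delegates to the whole domain, the broader and riskier setting.
PREFS_WITH_DELEGATION = '''
user_pref("network.negotiate-auth.trusted-uris", "https://sso.example.com,example.com");
user_pref("network.negotiate-auth.delegation-uris", "example.com");
'''

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')


def parse_prefs(text):
    """Collect string-valued user_pref() lines from prefs.js text into a dict."""
    return dict(PREF_RE.findall(text))


def split_list(value):
    """Both prefs are comma-separated lists; drop empty items and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def entry_matches(entry, url):
    """Matching rule (assumed from Firefox's documented behaviour): an entry
    with a scheme is a URL prefix, otherwise it is a hostname suffix."""
    if "://" in entry:
        return url.startswith(entry)
    host = (urlparse(url).hostname or "").lower()
    suffix = entry.lstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def negotiate_decision(prefs, url):
    """Return (will_offer_negotiate, will_forward_tgt) for one URL. Delegation
    only applies to sites that are trusted in the first place."""
    trusted = any(entry_matches(e, url) for e in split_list(prefs.get(TRUSTED, "")))
    delegate = trusted and any(entry_matches(e, url)
                               for e in split_list(prefs.get(DELEGATION, "")))
    return trusted, delegate


def review_prefs(prefs):
    """Defender's checks on the two prefs; returns a list of finding strings."""
    findings = []
    trusted = split_list(prefs.get(TRUSTED, ""))
    delegation = split_list(prefs.get(DELEGATION, ""))
    if not trusted:
        findings.append("trusted-uris is empty: Negotiate is never offered, so SSO cannot work")
    for entry in delegation:
        if "://" not in entry:
            findings.append(f"delegation-uris entry '{entry}' is a bare domain suffix: "
                            "every host under it can obtain a forwardable copy of your TGT")
        # A delegation entry only matters if the same site is also trusted.
        probe = "https://" + entry.split("://")[-1].lstrip(".")
        if not any(entry_matches(t, probe) for t in trusted):
            findings.append(f"delegation-uris entry '{entry}' is not covered by "
                            "trusted-uris, so it has no effect")
    return findings


if __name__ == "__main__":
    for label, text in (("trusted only", PREFS_TRUSTED_ONLY),
                        ("with delegation", PREFS_WITH_DELEGATION)):
        prefs = parse_prefs(text)
        print(label, negotiate_decision(prefs, "https://intranet.example.com/app"),
              review_prefs(prefs))
```

Run against a real profile by reading `prefs.js` into `parse_prefs`; the poster's working setup (trusted-uris set, delegation-uris blank) is the one that produces no findings, which matches his observation that delegation was not needed for plain SSO to the Apache host.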
 
Old 02-17-2009, 06:59 PM
Kanwar Ranbir Sandhu

On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
> I haven't tried this one, but make note it lacks NTLMv2 and group support
> which made it non usable in my environment. Like Filipe suggested
> mod_auth_ntlm_winbind addresses this but it appears it's not actively
> maintained and I got stuck configuring it and gave up...

I believe you can use kerberos auth and group lookups. For the group
support, you need to do direct LDAP lookups. Just run a google search
for 'kerberos apache group', or something along those lines, to find
some links discussing what I've mentioned here.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
14:58:02 up 6 days, 16:45, 4 users, load average: 1.32, 1.27, 1.21



Old 02-17-2009, 08:19 PM
Ross Walker

On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu
<m3freak@thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> > In Firefox go to your about:config page and scroll down to:
>> >
>> > network.negotiate-auth.delegation-uris
>> >
>> > and
>> >
>> > network.negotiate-auth.trusted-uris
>> >
>> > and for their string values enter your DNS domain to allow kerberos
>> > negotiation and delegation to occur.
>>
>> HA! I had these set already, but I still get prompted. So, today I
>> decided I should delete the saved passwords for the apache hosted site I
>> was trying to access, and voila, SSO worked! I can't believe I didn't
>> remove the saved passwords before.
>
> I should have mentioned that I only set
> "network.negotiate-auth.trusted-uris". I left the other one blank.
> Setting it or not didn't seem to make a difference. But, based on this:
>
> https://developer.mozilla.org/en/Integrated_Authentication
>
> The apache server should have been able to handle the authentication.
> Maybe I'm misunderstanding what "delegation" does.

Delegation will allow a system or service to authenticate you to
another system or service on your behalf.

For example, say your apache server has a mysql database backend for
an application that requires each user to authenticate individually;
without delegation the users would need to use another form of
authentication, such as HTTP basic authentication, which would then pass
it off to mysql. Even if done over SSL this can open your
application up to a man-in-the-middle attack. Kerberos delegation was
designed to defeat the man-in-the-middle scenario through signing of
the ticket request along the line and back.

-Ross

Old 02-17-2009, 08:27 PM
Ross Walker

On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale
<JCasale@activenetwerx.com> wrote:
>>Ok, here are the default settings that my kickstart file creates to
>>allow me to join the domain and have samba manage the keytab.
>
> Ross,
> I was out of town and missed this thread which is of great interest to me
> as well. When you say "have samba manage the keytab" do you mean not use one
> as have a dedicated service account on the DC and have it generate the keytab
> and have it copied over? A lot of solutions I have seen use that procedure, which
> I have never wanted to do for obvious reasons.

If you don't have a keytab file when you use samba to join the
domain and you have 'use kerberos keytab = yes' set in your
smb.conf, then samba creates one and populates it with the AD
compatible host SPNs and machine password. From that point on it will
keep the keytab in sync. I don't know if it will add these if SPNs
already exist, I haven't tried it.

> Also, I see you also configure ldap to point towards what looks like your AD
> server as well. How come you use both Samba/Winbind and ldap?

LDAP wasn't necessary, I use it for querying AD attributes using the
OpenLDAP tools (I don't trust Microsoft and think they hide attributes
in ADSIEdit!).

Though I could have used NSS_LDAP instead of Winbind, I just would
need to set UID/GID for every user and group in AD which was just too
much of a PITA.

-Ross

Old 02-17-2009, 08:46 PM
Ross Walker

On Tue, Feb 17, 2009 at 2:59 PM, Kanwar Ranbir Sandhu
<m3freak@thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
>> I haven't tried this one, but make note it lacks NTLMv2 and group support
>> which made it non usable in my environment. Like Filipe suggested
>> mod_auth_ntlm_winbind addresses this but it appears it's not actively
>> maintained and I got stuck configuring it and gave up...
>
> I believe you can use kerberos auth and group lookups. For the group
> support, you need to do direct LDAP lookups. Just run a google search
> for 'kerberos apache group', or something along those lines, to find
> some links discussing what I've mentioned here.

If you have a lot of hosts that need access to winbind mapped
UIDs/GIDs, instead of setting up winbind everywhere and having an
administrative headache if the RID mapping gets messed up on one host,
set up a winbind to NIS server that puts the mappings into NIS maps and
propagate the information that way. The only real difference on the other
hosts is to switch 'winbind' to 'nis' in nsswitch.conf.

-Ross

Old 02-17-2009, 11:50 PM
Christopher Chan

> If you have a lot of hosts that need access to winbind mapped
> UIDs/GIDs, instead of setting up winbind everywhere and having an
> administrative headache if the RID mapping gets messed up on one host,
> set up a winbind to NIS server that puts the mappings into NIS maps and
> propagate the information that way. The only real difference on the other
> hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
>
What's wrong with winbind on a ldap backend? I have winbind installed
everywhere...all pointing to a single ldap instance.

Old 02-18-2009, 12:06 AM
Ross Walker

On Feb 17, 2009, at 7:50 PM, Christopher Chan <christopher.chan@bradbury.edu.hk
> wrote:

>
>> If you have a lot of hosts that need access to winbind mapped
>> UIDs/GIDs, instead of setting up winbind everywhere and having an
>> administrative headache if the RID mapping gets messed up on one host,
>> set up a winbind to NIS server that puts the mappings into NIS maps and
>> propagate the information that way. The only real difference on the other
>> hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
>>
> What's wrong with winbind on a ldap backend? I have winbind installed
> everywhere...all pointing to a single ldap instance.

Well yeah, you can use ldap too to keep the rid mappings centralized. I
just think configuring ldap, putting schema together and configuring
samba everywhere is more work than nis, but to each their own.

-Ross


Old 02-18-2009, 01:01 AM
James Turland

Hi; hope I'm posting this question in the right place. I would like to get
the three jacks on the back of my computer to be used for 5.1 (6) speaker
sound. At an alsa site I found some info about editing my
.asoundrc file. Being a newbie to ubuntu I don't know how. I have barely
used the terminal because you ubunters have filled the synapses with
everything I have needed so far. I would like a step by step guide to
the editing if that is what you suggest I should do. Thanks to the ubuntu
community, James


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 02-18-2009, 06:51 AM
Bas Jacobs

Hi James,

I don't know if this solves your problem but it may point you in the correct direction. Under system -> preferences (or administration, not sure) you'll find a menu entry called "sound". You should go through those options, make sure you've selected the correct channels. Look for options you may need.


Once done, open up a terminal and type "alsa-mixer". This opens up the alsa mixer. You can set it up with the arrow keys, the spacebar and the tab key.

Hope others have better advice for you,

Bas


On Wed, Feb 18, 2009 at 3:01 AM, James Turland <jturland@bmts.com> wrote:

> Hi; hope I'm posting this question in the right place. I would like to get
> the three jacks on the back of my computer to be used for 5.1 (6) speaker
> sound. At an alsa site I found some info about editing my
> .asoundrc file. Being a newbie to ubuntu I don't know how. I have barely
> used the terminal because you ubunters have filled the synapses with
> everything I have needed so far. I would like a step by step guide to
> the editing if that is what you suggest I should do. Thanks to the ubuntu
> community, James
 
Old 02-18-2009, 07:36 PM
Warren Togami

If anyone cares enough to follow up on this...

-------- Original Message --------
Subject: [PATCH] support adding a username consisting of only digits
Date: Wed, 18 Feb 2009 11:18:12 +0800
From: 潘卫平 <wppan@redflag-linux.com>
To: fedora-devel-list-owner@redhat.com

Hi all,

I found a BUG in libuser-0.56.9.
<https://fedorahosted.org/libuser/attachment/wiki/LibuserDownloads/libuser-0.56.9.tar.bz2>
When I add a username consisting of only digits, like "1234", an error happens.

Reproduce steps:
1. luseradd 1234
2. Group 1234 does not exist

But when I use the "useradd 1234" command, no error happens.

I found the reason: luseradd converts "1234" from a string to a long
int and uses it as the gid. But when luseradd uses lu_group_lookup_id(ctx,
gidNumber, groupEnt, &error) to find the group, an error happens, because
there is no such group.

Regards!

Pan Weiping


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
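The bug report above is an instance of identifier confusion: the same string is a name in one code path and a number in another, and which interpretation wins is decided by its spelling rather than by how it was supplied. The model below is an added example, not libuser's code or the reporter's patch: `GroupDb` is a constructed in-memory stand-in for the group database, `default_group_reported` reproduces the behaviour the report describes (an all-digit user name parsed as a gid before any name lookup), and `default_group_fixed` shows the useradd-style handling in which the user name is always a group name and numeric parsing is reserved for an explicitly supplied gid. Function names and sample groups are assumptions made for this illustration.

```python
class GroupDb:
    """Tiny in-memory stand-in for the group database (constructed sample
    data and a hypothetical API, not libuser's real one)."""

    def __init__(self, groups, first_free_gid=1000):
        self.by_name = dict(groups)
        self.by_gid = {gid: name for name, gid in groups.items()}
        self.next_gid = first_free_gid

    def name_for_gid(self, gid):
        return self.by_gid.get(gid)

    def gid_for_name(self, name):
        return self.by_name.get(name)

    def create_group(self, name):
        """Allocate the next free gid for a new group named after the user."""
        while self.next_gid in self.by_gid:
            self.next_gid += 1
        gid = self.next_gid
        self.by_name[name] = gid
        self.by_gid[gid] = name
        self.next_gid += 1
        return gid


def default_group_reported(db, username):
    """Reproduces the failure described in the report: the new user's name is
    reused as the group spec, and an all-digit spec is parsed as a numeric
    gid before any name lookup, so "1234" becomes a lookup for gid 1234."""
    if username.isdigit():
        gid = int(username)
        name = db.name_for_gid(gid)
        if name is None:
            raise LookupError(f"Group {username} does not exist")
        return name, gid
    gid = db.gid_for_name(username)
    if gid is None:
        gid = db.create_group(username)
    return username, gid


def default_group_fixed(db, username):
    """Treat the user name strictly as a group name, as useradd does: look it
    up by name and create it when absent. Digit strings are never
    reinterpreted here; an explicit gid goes through resolve_explicit_gid."""
    gid = db.gid_for_name(username)
    if gid is None:
        gid = db.create_group(username)
    return username, gid


def resolve_explicit_gid(db, gid_text):
    """The only path where a digit string means a gid: an explicitly given
    gid argument, which must name an existing group."""
    gid = int(gid_text)
    name = db.name_for_gid(gid)
    if name is None:
        raise LookupError(f"Group {gid_text} does not exist")
    return name, gid


def fails_with_lookup_error(fn, *args):
    """Small check helper: True if fn(*args) raises LookupError."""
    try:
        fn(*args)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    db = GroupDb({"wheel": 10, "users": 100})
    try:
        print(default_group_reported(db, "1234"))
    except LookupError as exc:
        print("reported behaviour:", exc)
    print("fixed behaviour:", default_group_fixed(db, "1234"))
```

The same ambiguity shows up wherever a tool accepts either a name or a numeric id in one argument (chown, chgrp, group specs in config files); the defensive rule is to decide the interpretation from the argument's role, not from whether it happens to be all digits.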
 
