Logging in from Fedora Linux clients to Windows 2000 server with ADS

Nigel Wade nmw at ion.le.ac.uk
Fri May 14 09:19:34 UTC 2004 

PAG wrote:
>  Hi everyone,
> 
> I want to convert some 50 new machines that an organization is getting 
> into Fedora Linux workstations.
> 
> This is the current setup:
> The organization currently has one Primary Windows 2000 ADS and 2 
> numbers of Windows 2000 servers acting as Backup domain servers.
> There are currently some 50 workstations already in the network and 
> these are all Windows 2000 professional machines. There are HP laser 
> network printers in the network.
> 
> Now the organization wants to add about 50 more workstations in the 
> network. I am trying to convince them to use Fedora Linux on these 
> machines instead of Windows 2000 professionnal. My ultimate goal is to 
> convert more machines to Linux.
> 
>  From these Fedora machines, users should be able to login to the 
> Windows servers using their Windows username and passwords. They will be 
> using a lot of files from the Windows 2000 servers which currently also 
> act as the file servers. They are currently reluctant on converting the 
> Windows servers and converting to Linux as some critical applications 
> that they use are available only on windows. In addition to this they 
> would need to print to the Network printers in the network.
> 
> I googled and found a LOT of information on modifying the SAMBA and 
> modifying the krb5 for the above purpose. I am using a couple of 
> machines to do a test setup. I have installed FC1 on these machines and 
> have configured SAMBA on both these machines.
> Some of the settings done are as follows:
> SAMBA "smb.conf" file is at the very bottom of this email
> KRB5 "krb5.conf" file is also at the bottom of the email
> "nsswitch.conf" file was modified also at the bottom of this email
> "login" file (in /etc/pam.d directory was also modified)
> The authentication that I am using is SMB and KRB5
> 
> My FC1 machines are registered into the ADS using "net ads join -U 
> user1". This went well and showed me as joined to the domain.
> 
> I have set up test users "user1" and "user2" in both the windows domain 
> as well as on the FC1 machines. The passwords of the above users on the 
> local FC1 machines and the Windows 2000 ADS machines are differrent. 
> (The reason I have kept these differrent is to test that the login using 
> the Windows 2000 username and password works.)
> 
> The problem that I face is this:
> 1. I cannot log in at the FC1 GUI login prompt (I'm using gnome) using 
> the windows username (user1 or user2) and password. I can only login 
> using my FC1 local username and password. This is the first thing that I 
> want to be able to do. I should be able to login as any user (even if 
> the user is not added in the local FC1 machine).

I think you will have a problem with having user1/user2 both in /etc/passwd 
and AD. When you login /etc/passwd will be checked and it finds user1 but 
the password doesn't match so it rejects the login. The login process only 
goes to LDAP (and I presume the same is true of AD) if the account doesn't 
exist in /etc/passwd.

Try removing one of the accounts from /etc/passwd and see if it goes to AD 
for authentication.

> 2. After logging into gnome as the local FC1 user, when I browse the 
> network and click on any machine on the network it asks me for a 
> username and password again for that machine. After entering the correct 
> windows username and password I get access to the shared resources in 
> the network.
> 

That's because you've authenticated against FC1 login, not against AD. 
Windows doesn't know who you are, so asks you to authenticate. If you can 
get the login to authenticate against AD this might work.



-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

More information about the users mailing list