"Linux Gazette...making Linux just a little more fun!"

The Answer Guy

By James T. Dennis, tag@lists.linuxgazette.net
Starshine Technical Services, http://www.starshine.org/

(?)Linux as a "Domain Controller" for a WinNT Domain? Not Yet!

or: Linux use of an NT PDC/BDC for authentication?

From Cesar Augusto Kant Grossmann on 25 Jun 1998

Hi James!

Again a problem for me, and an exercise for you.

Is it possible to make the Linux box do login authentication requests from an NT Domain Server?

(!)Not yet. The Samba team is working on this and hopes to have something ready within a couple of months. Lest you think this is all wasted effort (on the thought that Microsoft will ship NT 5.x in a year or so) --- the indications seem to be that the MS NT implementation of Kerberos will still rely heavily on the data structures that they currently use in their PDC/BDC protocol. So, the work being done now is an investment to the future as well as a hope for the near-present.

(?)I have a Linux box in a TCP/IP network, part of a large NT Domain, and want to allow NT domain users to log in to the Linux box and access the Internet from it. The idea is to provide access to the Linux box without having to register every user. The users don't need a regular account with a home directory, because Internet access is not frequent (thanks to a slow connection) and they only use it for surfing (not email, not FTP).

(!)Hmm. It looks like I read too much into your first paragraph. This sounds like you want Linux to be a client to an NT domain controller. I think there is a PAM (pluggable authentication module) for doing this.

Since the whole PAM project is still in beta (and not moving nearly fast enough for my tastes --- not that I've contributed to it nor that the programmers would want me to) I can't make any promises on how well it will work.

However the state of PAM can speak for itself at:
(Andrew Morgan's pages on the Transmeta sponsored Linux site).

The module you might want to play with is by David Airlie and is at:
Other modules (for things like one-time passwords, authentication on a Netware server, a couple of different "SecureCard" and "DESGold" cards, RADIUS, and support Kerberos realms, etc) can be found by browsing around at:

(?)No, I don't want to make the Linux box act as a firewall (I don't have authorization to do that). And, again, sorry for my bad English...


Cesar Augusto Kant Grossmann
Uruguaiana - RS - Brasil

(!)Given the muddy murky nature of the term "firewall" the difference between what you're doing and "acting as a firewall" may be purely a matter of semantics. However, if it'll keep your management happy I'll go into a Brazilian court of law as an "expert witness" to state my opinion that this is not a "firewall."

If by "surfing" you mean that your users will only be using the Linux system as a web proxy --- why are you fussing with authenticating them at all? Why not just install Apache and configure it purely for caching/proxy use --- or use Squid (there are RPMs available --- they were included with my copies of S.u.S.E.).

Apache, CERN, and Squid can all be configured as caching web proxy/servers and can all be configured with a variety of limitations on which systems are allowed through in which directions. Do you really care which user is logged into the workstation that is using these proxies? That seems like an odd requirement unless you're also trying to enforce some other policies (like certain classes of employees are only allowed to "surf" during their lunch hour, etc).

I suggest you actually review your requirements a bit further. It sounds like you are complicating matters more than the situation requires.
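As an added illustration of the suggestion above (not part of the original column), here is a Squid configuration that does what the Answer Guy describes: a caching proxy that admits clients by source address and, for one group of workstations, only during the lunch hour, with no per-user login at all. It assumes Squid 3.x or later syntax; the 192.168.10.0/24 addresses and the cache path are constructed for the example.

```conf
# squid.conf (constructed example): caching proxy restricted by client
# address and time of day. No user authentication is configured.
# Assumes Squid 3.x+ syntax; 192.168.10.0/24 is a made-up office LAN.

http_port 3128

# Disk cache: 500 MB on the ufs backend, 16 first-level and
# 256 second-level directories. Path is an assumption.
cache_dir ufs /var/spool/squid 500 16 256
cache_mem 64 MB

# Which client systems may use the proxy at all.
acl office_lan src 192.168.10.0/24
acl proxy_host src 127.0.0.1/32

# A class of workstations that may only surf Mon-Fri 12:00-13:00
# (the "lunch hour" policy mentioned above). Day letters: M T W H F.
acl lunch_only src 192.168.10.128/25
acl lunch_hour time MTWHF 12:00-13:00

# Limit the proxy to ordinary web ports so it cannot be used as a
# generic TCP relay to arbitrary services.
acl web_ports port 80 443
acl ssl_ports port 443
acl connect_method method CONNECT

# Rules are evaluated top to bottom; the first match decides.
http_access deny !web_ports
http_access deny connect_method !ssl_ports
http_access deny lunch_only !lunch_hour
http_access allow proxy_host
http_access allow office_lan
http_access deny all
```

Browsers on the LAN are pointed at the proxy host, port 3128; "squid -k parse" checks the file for syntax errors before the daemon is restarted.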

Copyright © 1998, James T. Dennis
Published in Linux Gazette Issue 30 July 1998
