DOMAIN\username@machine:~> id
uid=10000(DOMAIN\username) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
This creates issues with YP/NIS.
In order for me to log on to various network machines I need to perform su, then su - username.
[username@machine ~]$ su
[username@machine ~]$ su - username
[username@machine ~]$ pwd
/users/username
[username@machine ~]$ whoami
username
[username@machine ~]$ id
uid=620(username) gid=100(users) groups=100(users)
Is there anything I could do to remedy this issue? Only solution I see is to reinstall OpenSUSE and authenticate with my YP/NIS user instead of my DOMAIN user.
The reason why you must specify different credentials is because AD and NIS are both different network security services, each stores and authenticates Users differently.
If you’re not responsible for Active Directory in your network, you need to raise this issue with whomever manages and configures AD. Point that person in the direction of “Server for NIS” and the idea of extending AD like any other LDAP to map AD User accounts to NIS credentials so you can enjoy Single Signon.
On 12/20/2012 11:36 AM, tsu2 wrote:
>
> The reason why you must specify different credentials is because AD and
> NIS are both different network security services, each stores and
> authenticates Users differently.
>
> If you’re not responsible for Active Directory in your network, you
> need to raise this issue with whomever manages and configures AD. Point
> that person in the direction of “Server for NIS” and the idea of
> extending AD like any other LDAP to map AD User accounts to NIS
> credentials so you can enjoy Single Signon.
>
> HTH,
> TSU
>
>
But you CAN smash them together. That is you can use defaultdomain and smash to
at least one domain (it gets a bit too confused if you try to do with multiple
domain trusts from my own experience).
So… what is possible is you can configure samba to smash ids using default
domain, you can use your own NIS home dir, even via automount… all of this is
possible.
Through Yast? Well… no… not saying you can’t use YaST to get started, but
usually I end up making my own smb.conf mods.
So… I’d look at the following options…
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = …
Then you can also make sure that pam is set up with modules for winbind,
common-auth-pc
auth required pam_winbind.so use_first_pass
You can make it so it will use either password. Using the winbind mechanism
will allow you to nuke your NIS clear text DES hashes with invalid base64
though… and thus you eliminate one of NIS’s glaring security issues (if that’s
interesting to you).
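An added example, not part of the original post: a small audit that reads passwd-format text (for instance the output of `ypcat passwd`) and reports which accounts still publish a usable password hash in the NIS map. It assumes that "nuking" a hash means replacing the field with a string no crypt(3) output can equal; the sample entries and hash strings are constructed placeholders.

```python
import re

# Constructed sample in passwd(5) format, as `ypcat passwd` would print it.
# The hash strings are placeholders, not real hashes.
SAMPLE = """\
username:XXplaceholder:620:100::/users/username:/bin/bash
alice:*:621:100::/users/alice:/bin/bash
bob:$6$salt$placeholder:622:100::/users/bob:/bin/bash
carol::623:100::/users/carol:/bin/bash
dave:!disabled!:624:100::/users/dave:/bin/bash
"""

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format, e.g. $1$ (MD5) or $6$ (SHA-512).
MODULAR_CRYPT = re.compile(r"^\$[0-9A-Za-z]+\$")

def classify(field):
    """Classify the password field of one passwd-format entry."""
    if field == "":
        return "empty"          # account needs no password at all
    if DES_CRYPT.match(field):
        return "des-crypt"      # legacy hash, readable by every NIS client
    if MODULAR_CRYPT.match(field):
        return "modular-crypt"  # stronger hash, but still published in the map
    return "invalid"            # no crypt() output can match: NIS password is dead

def audit(map_text):
    """Return {username: classification} for passwd-format text."""
    result = {}
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue            # skip blanks, comments and NIS compat +/- entries
        parts = line.split(":")
        if len(parts) >= 7:
            result[parts[0]] = classify(parts[1])
    return result

def exposed(map_text):
    """Accounts whose NIS entry still allows (or needs no) password login."""
    return sorted(u for u, c in audit(map_text).items() if c != "invalid")

if __name__ == "__main__":
    for user, kind in audit(SAMPLE).items():
        print(f"{user:10} {kind}")
```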
Took me a while to understand what you meant by “smash”; whenever someone uses non-standard terminology I have to work harder at figuring out what is meant. I believe you’re referring to configuring SAMBA on the Server-side to enable multiple authentication options, not how this thread began which was to try to attempt multiple client-side authentication.
That’s an interesting idea. Have always been aware of the standard capability configuring network and local security but haven’t considered network, network and local security.
I don’t see any reason for it not to work, but I would consider this type of configuration only for a very small network or a self-maintained Personal Server. In a larger Enterprise, I wouldn’t want to have all sorts of custom configurations on individual Servers, I’d want to be able to manage and configure Servers from a centralized location.