Authenticating Windows Users to eDirectory
Novell Cool Solutions: Tip
By Andy Bialock
Posted: 8 Sep 2005
A reader recently asked about authenticating Windows users to eDirectory:
"We just installed eDirectory 8.7.3 on SLES 9 to replace our Windows NT domain. We have Linux, Mac, and Windows machines across our network. While I've found excellent information on how to get the Linux and Mac systems to authenticate against eDirectory, I have yet to find a definitive document that shows the best way to authenticate Windows users. I don't want to have to convert my NT domain to Active Directory, as that defeats the purpose of the migration. We're testing using the eDirectory server as a Samba PDC, but that also seems like a roundabout way. I could install the Novell Client on all the Windows boxes, but I was told at Novell that they are authenticating Windows users without the client. So, what's the best way to authenticate Windows users against eDirectory 8.7.3?"
And here's the response from Andy Bialock...
Generally, you must follow the Samba3 PDC howto found at:
with the following modifications:
1. Use SLES9 and the samba3 that comes with it.
2. Use the samba-nds.schema file and import it with ldapmodify. Make sure any long runs of spaces are replaced by a pair of tabs. Convert it to a proper LDIF first; use the files in /usr/lib/nds-schema as a guide for the conversion.
3. Modify the smb.conf file to have these entries:
passdb backend = ldapsam:ldap://
ldap admin dn = cn=admin,o=myorg
ldap suffix = o=myorg
ldap machine suffix = ou=Workstations
ldap idmap suffix = ou=IDMap,o=myorg
ldap filter = (cn=%u)
idmap backend = ldap:ldap:// /
idmap gid = 10000-20000
security = user
encrypt passwords = yes
obey pam restrictions = Yes
add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account for %u' -s /bin/false %u
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 128
preferred master = Yes
domain master = Yes
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
Note that the most important line is "ldap filter". Do NOT wrap it in an "&" clause with sambaSamAccount: Samba already adds that objectclass condition internally, and the duplicate will only make the query error out. OpenLDAP tolerates it, but eDirectory is stricter.
4. Make sure the box can authenticate your edir users in ldap. Check these entries in /etc/ldap.conf:
host <ip of edir server>
base o=myorg
ldap_version 3
binddn cn=admin,o=myorg
bindpw secret
rootbinddn cn=admin,o=myorg
port 389
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute cn
pam_member_attribute member
pam_password nds
nss_base_passwd o=myorg?sub
nss_base_shadow o=myorg?sub
nss_base_group o=myorg?sub
nss_map_attribute userPassword authPassword
nss_map_attribute uniqueMember member
5. Go into YaST and set up the LDAP Client under Network Services.
6. Modify the smbldap-tools package (from Idealx) so that it properly adds machine accounts to the domain. Test this from the command line to be sure you can add a machine successfully. Put the machine accounts in their own container, such as ou=Workstations,o=myorg.
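As an added sanity check that is not part of this tip or of Samba itself, the following Python lint parses a constructed smb.conf [global] section in the shape of the one above and flags the eDirectory-specific mistakes the steps call out, in particular an "ldap filter" that wraps sambaSamAccount in an "&" clause. The hostname in the sample and the function names are assumptions for the example.

```python
from typing import Dict, List

# Constructed sample: the [global] section from the tip, but with the
# "&"/sambaSamAccount filter that eDirectory rejects (ldap.example.org is made up).
SAMPLE_SMB_CONF = """\
[global]
  passdb backend = ldapsam:ldap://ldap.example.org/
  ldap admin dn = cn=admin,o=myorg
  ldap suffix = o=myorg
  ldap machine suffix = ou=Workstations
  ldap filter = (&(objectClass=sambaSamAccount)(cn=%u))
  idmap gid = 10000-20000
  security = user
  encrypt passwords = yes
  domain logons = Yes
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], 'key = value' lines, # and ; comments.
    Keys are lower-cased with internal whitespace collapsed, as smbd treats them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)          # split on the first "=" only
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def lint_edir_pdc(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the settings the tip says matter with an eDirectory backend."""
    g = conf.get("global", {})
    findings: List[str] = []
    filt = g.get("ldap filter", "")
    if "sambasamaccount" in filt.lower() or filt.startswith("(&"):
        findings.append("ldap filter: drop the (&...sambaSamAccount...) clause; "
                        "Samba adds it internally and eDirectory rejects the duplicate")
    if not g.get("passdb backend", "").startswith("ldapsam:"):
        findings.append("passdb backend: expected ldapsam:ldap://... for an LDAP PDC")
    suffix = g.get("ldap suffix", "").lower()
    if suffix and not g.get("ldap admin dn", "").lower().endswith(suffix):
        findings.append("ldap admin dn: not located under ldap suffix")
    if g.get("domain logons", "").lower() != "yes":
        findings.append("domain logons: must be Yes for a PDC")
    return findings
```

Run lint_edir_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read())) on the real file; an empty list means none of the checks fired.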
You don't need to use the NetWare Client. This is Samba, so it needs only the Windows client.
This works great for me. I have it working in a number of places, and the clients actually join the domain successfully. Note that "root" must be able to authenticate this way from a Windows client in order to use that account to "join" workstations to the domain.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com