DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 19th March 2011
ComputerErik ComputerErik is offline
New User
 
Join Date: Mar 2011
Location: NYC
Posts: 3
Default Active Directory Authentication

I am just getting started with OpenBSD and have been doing a lot of reading, I have been through all of the FAQs and man pages. At this point I have a system which I did a base install on about a year ago (4.7 release), which I have updated to 4.7 stable. I am now looking at the process to upgrade this to 4.8, but that is for another day.

My immediate interest is being able to manage users on all platforms (Windows, Linux, BSD) from a central location. Now since Windows doesn't really offer much flexibility if I want some of the features I need I am forced into maintaining a Windows Active Directory domain. A few years back I did some extensive work in testing various methods of accomplishing the goal of authenticating Linux users to an Active Directory domain. My conclusion was that while possible to do this with only native packages (Kerberos, Samba, Winbind) the result was unreliable, more management overhead than needed, and I couldn't restrict logins by group. I did find some free third party solutions that allow me to do all of this easily and reliably (Centrify and Likewise if you are interested). Now fast forward and I am looking to add OpenBSD to the mix. None of the tools I normally use support OpenBSD.

So I did my research and found that OpenBSD supports all of the required protocols to do this natively as in Windows, but in a few postings on blogs etc. found that others reported issues with this method. I know that any information outside of the FAQ or man pages is not to be trusted, but since it seemed to fit with my prior experiences it seems reasonable. Among the articles I read was one which took a slightly different approach, using Kerberos for authentication and the passwd file for user management locally. As my previous Linux tests the problems all seemed to revolve around Samba/Winbind pulling user information from AD this seemed like a reasonable approach to the problem. So I proceeded to follow the man pages and setup a krb5.conf file, and added required SRV records to my zone file. I am now able to easily and reliably use a password stored in a Windows domain to login to my OpenBSD system. While this is not an ideal solution (I need to create local accounts for all users) it is better than using only a passwd file.

Has anyone come across any third party or native method which allows an OpenBSD system to pull user account and password information from a Windows domain, and also restrict logins based on Windows group membership? The group membership restriction is especially important as I am looking to use OpenBSD only for secured systems where only a select few will have login permission.

Thanks in advance for any insight.
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
NTLM Authentication plexter FreeBSD Security 1 7th January 2011 08:43 PM
strange "~" directory in home directory gosha OpenBSD General 5 23rd February 2009 06:12 PM
Copy w/ active verification Weaseal FreeBSD General 4 5th February 2009 12:23 AM
USB keyboard/mouse not active after boot teig FreeBSD General 9 27th October 2008 04:20 PM
openldap for authentication rajendra_nagi FreeBSD General 9 17th July 2008 06:43 PM


All times are GMT. The time now is 08:23 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick