Hrm. Ok... I think I convinced the remote sysadmin to find a RADIUS server
for NT and just install that (it's NT, not 2000). 2000 comes with IAS which
handles all the RADIUS stuff, NT doesn't.

Jay

> -----Original Message-----
> From: Andy Zbikowski [mailto:andyzb at ltiflex.com]
> Sent: Tuesday, March 13, 2001 10:54 AM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] RADIUS server authentication against Samba PDC
>
>
> Carl Wilhelm Soderstrom wrote:
> >
> > > set up the Samba box as a backup domain controller (I can get the
> > > NT admin there to make it a backup DC for me), is it possible to
> > > run a RADIUS server on it that will authenticate against the domain?
> > >
> > > How would I go about this?
> >
>
> From memory, SAMBA cannot act as a BDC for an NT domain. The only way to
> get a UNIX box serving in this fashion is on Solaris as Sun somehow
> managed to license and port the NT Domain controller ports to Solaris.
> The package is still available from Sun's website, but it is unsupported
> and unmaintained. I've heard it's pretty slick though.
>
> > cistron-radius will authenticate against PAM; so if you can get PAM
> > to work against Samba (no clue about this myself), it should work.
>
> That's no biggie. See pam-smb-auth and/or pam-ntdom. The former is
> stable, last time I checked the latter was rather developmental. With
> pam-smb-auth you will need to create users on your linux box. You might
> be able to get around this with pam-ntdom.
>
> Someone might have hacked together an Active Directory PAM module now
> (or maybe updated kerberos/ldap clients/modules to handle AD...)
>
> Configuring the above modules isn't a big issue either. Just create a
> config file with the name of the domain controller.
>
> The last option I can think of (and a sad one at that...) is that
> Windows 2000 supports RADIUS. Sometimes the only way to deal with NT is
> NT. (Well, I guess there's always a rocket launcher, so there are always
> two ways to deal with NT.)
>
> --
> Andy Zbikowski, Sys Admin   | (WEB) http://www.ltiflex.com
> LTI Flexible Products, Inc. | (PH) 763-428-9119 (EX) 132
> 21801 Industrial Blvd       | (FX) 763-428-9126
> Rogers, MN 55374            | (PCS) 612-306-6055
>