[BBLISA] Single sign-on help requested

Sean OMeara someara at gmail.com
Thu Aug 23 09:52:04 EDT 2007


Scott:

If you want TRUE single sign-on capabilities and you intend to involve
Windows in any way, you absolutely have to use Active Directory as
your Kerberos KDC. There is ABSOLUTELY NO WAY around it (unless, of
course, you're adventurous enough to use Samba4).

By TRUE single sign-on I mean:
passwordless authentication to network resources (ssh, Samba shares /
NFSv4 servers (homedirs!), Apache/mod_spnego, Jabber/SASL, ssh/GSSAPI,
LDAP/SASL, AFS, the works) from both the XP clients and the Linux/Unix
clients.

The only way to do it is:

authentication
* Active Directory KDC + LDAP + RPC for Windows authentication/authorization
* Active Directory KDC for Unix-land Kerberos authentication

authorization
* Active Directory LDAP server schema extensions (MS SFU v3.5) to house
the Unix POSIX data (uid, gid, homedir, shell, supplemental gids
(/etc/group))

or

* separate LDAP resource (OpenLDAP, Fedora DS) dedicated to housing the
Unix POSIX data
* scripting fun to keep your groups in order

The reason for this lies in the way Windows handles the authorization
part of the sign-on process. (Unix clients dig their authorization
data out of LDAP; Windows clients have it returned in the PAC field
within their Kerberos ticket.)

It's actually not that bad, really.... AD can be manipulated from the
Linux command line via Samba tools (net ads user add, net ads group
delete, etc.).

......

Now, barring all that... if what you meant by "single sign-on" is
actually "unified passwords", then you can do it without AD using
Samba and LDAP, no problem. (Well, only small problems anyway.)


No matter what, you'll have to maintain TWO password databases, one for
Windows and one for everyone else.

The standard configuration for this is one of these two:

a)
authentication
* Windows NT4-style NTLMv2 Samba v3 authentication
* Samba looks at an LDAP backend for:
  sambaLMPassword
  sambaNTPassword
* Unix-land clients attempt a bind to the LDAP server, testing against the field:
  userPassword

authorization
Samba looks at an LDAP backend for, and then returns to the Windows
machine via RPC:
  sambaAcctFlags
  sambaPrimaryGroupSID
  sambaLogonTime
  sambaPasswordHistory
  sambaSID
  sambaPwdCanChange
  sambaPwdLastSet
  sambaPwdMustChange

b)
authentication
Samba stuff for Windows
Unix-land looks to an MIT or Heimdal KDC for authentication

authorization
same stuff for Windows
Unix-land looks in the LDAP directory for:
  uidNumber
  gidNumber
  homeDirectory
  group information

The consequences of the dual password sources will boil down to this:

When a user changes his password via the Unix passwd utility, it will
only change the userPassword field in the LDAP record or the password
on the Kerberos principal.

Windows users change it via Samba, which can call a script to change
both the sambaNTPassword field and the userPassword field in the LDAP
record.

I'm not sure if it's possible to have Samba call a script to set
sambaNTPassword and change the Kerberos principal.

PS: If you're going to get Kerberos involved in any way, every machine
needs to be able to resolve its FQDN, both forward and reverse. This
means you either need to maintain lots of /etc/hosts entries of the
form:

127.0.0.1        localhost        localhost.localdomain
127.0.0.1        somebox.mit.edu  somebox

or proper 1-to-1 mapped forward and reverse DNS.

If your machine can't correctly do
hostname and hostname -f, Kerberos will NOT WORK.

.....

To answer your questions about the homedirs:

You want a fileserver running both Samba and NFS.
Windows clients will use roaming profiles to mount their homedirs via
SMB; Linux will use NFS.

Your error messages look like your LDAP server isn't running.

-s



PS I live around the corner from MIT and I'm much better at explaining
things when people buy me ronnie burgers ;)

-s


On 8/23/07, Scott Ehrlich <scott at mit.edu> wrote:
> I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux systems all
> 64-bit).   All Linux is out-of-box, with all packages, minus international
> languages, installed.  No patching has been done.
>
> On the server, I selected system-config-authentication and enabled LDAP for
> User Information, Kerberos, LDAP, and SMB for Authentication, and Shadow and
> MD5 Passwords, along with Authenticate system accounts by network services for
> Options.
>
> All machines are on an isolated LAN, with no DNS server (I could always enable
> and configure DNS on the server if it helps the cause).
>
> I also don't know if it matters, but the server is running the virtualization
> kernel (xen), but the clients are not.
>
> I only have LDAP service enabled on the server.   Kerberos services are enabled
> on both client and server.
>
> I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and have the
> clients looking to the RH box for authentication.
>
> I also have the firewall enabled, but am letting kerberos and ldap ports
> through as tcp.
>
> During a login test, /var/log/messages on the client showed:
>
> lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100:
> Can't contact LDAP server
>
> lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
>
> lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100:
> Can't contact LDAP server
>
> lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server...
>
> lin1 xfs: ...
>
>
> During boot time, Starting system message bus: [long pause] then error messages
> about DB_CONFIG and /var/lib/ldap, the usual cannot find DB_CONFIG in
> /var/lib/ldap, showing the example.com instead of my customized ldap settings,
> etc.
>
> I've checked openldap.org, but I figured if the configuration appears to be
> simplified via an included GUI, I shouldn't have much trouble getting things
> going.
>
> Anyway, what am I missing?   Anything special RH 5 is doing compared to the
> openldap docs?
>
> Both servers have been rebooted since adding the respective ports in the
> firewall.
>
> The goal is to permit my test user, created on the server, to sit at a
> workstation, boot into either Linux or XP, and get their home directory.
>
> Ideally, the server only needs to consist of one account for them, which they
> get upon login on the workstation.
>
> I want to highly restrict _any_ third-party tools/apps/etc.   I will be happy
> to take suggestions and leads, but I want to try and rely on what RH has
> provided.
>
> Thanks for any insight/help.
>
> Scott
>
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
>
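Added example, not from the post or its author: a shell check for the forward/reverse name resolution requirement the reply describes (every Kerberos client and server must resolve its FQDN forward, and the address must resolve back to that same FQDN). It looks names up in a hosts(5)-style table passed as a string so it runs offline against a constructed sample; the names and addresses in the sample are made up. On a live box you would pass it the contents of /etc/hosts and the output of hostname -f as shown in the comments, or replace the two lookup helpers with getent hosts. One property of /etc/hosts worth keeping in mind when relying on it for this: a reverse lookup through the file returns the canonical (first) name on the first line that carries the address, so an address listed on more than one line maps back only to the name on its earliest line.

```sh
#!/bin/sh
# Added example, not from the original post: verify that a host name meets the
# Kerberos requirement of resolving forward to an address that resolves back
# to the same fully qualified name.  Lookups run against a hosts(5)-style
# table passed as a string so the check works offline; on a live system use
#   krb_host_ok "$(cat /etc/hosts)" "$(hostname -f)"
# or swap the two lookup helpers for `getent hosts NAME` / `getent hosts ADDR`.

# Constructed sample table (hypothetical names and addresses).  kdc and lin1
# are correct; nfs.example.test shares an address whose first line names
# fs.example.test, and lin2 is not fully qualified.
SAMPLE_HOSTS='127.0.0.1       localhost localhost.localdomain
192.168.1.100   kdc.example.test kdc
192.168.1.101   lin1.example.test lin1
192.168.1.102   fs.example.test fs
192.168.1.102   nfs.example.test nfs
192.168.1.103   lin2'

# hosts_forward TABLE NAME -> address on the first non-comment line that lists
# NAME as its canonical name or as an alias (prints nothing if none).
hosts_forward() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# hosts_reverse TABLE ADDR -> canonical (second column) name on the first line
# for ADDR, which is what gethostbyaddr() yields from /etc/hosts (nothing if none).
hosts_reverse() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 !~ /^#/ && $1 == a { print $2; exit }'
}

# krb_host_ok TABLE NAME -> exit 0 and print "ok" when NAME is fully qualified,
# resolves, and its address maps back to exactly NAME; otherwise exit 1 and
# print the reason.  This is the property `hostname -f` plus 1-to-1 forward and
# reverse resolution must satisfy on every Kerberos client and server.
krb_host_ok() {
    _tbl=$1
    _name=$2
    case $_name in
        *.*) ;;
        *) echo "$_name: not fully qualified"; return 1 ;;
    esac
    _addr=$(hosts_forward "$_tbl" "$_name")
    [ -n "$_addr" ] || { echo "$_name: no forward mapping"; return 1; }
    _back=$(hosts_reverse "$_tbl" "$_addr")
    [ "$_back" = "$_name" ] || {
        echo "$_name -> $_addr -> ${_back:-none}: reverse lookup does not return the same name"
        return 1
    }
    echo "$_name <-> $_addr: ok"
}

# Demonstration over the sample: two pass, two fail for different reasons.
for _h in kdc.example.test lin1.example.test nfs.example.test lin2; do
    krb_host_ok "$SAMPLE_HOSTS" "$_h" || :
done
```

The reverse helper deliberately takes only the first line for an address, because that is what the resolver does with the file; if a machine's FQDN is listed on a line after another entry for the same address, the check reports the mismatch rather than the name you expected.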



