[BBLISA] Single sign-on help requested

Scott Ehrlich scott at MIT.EDU
Thu Aug 23 10:03:10 EDT 2007 

Sorry to top-post, but it is my intention to use samba on the RH 5 box to 
act as my domain controller.  I thought I read somewhere that accounts 
(user/pass) can be easily synced ldap and samba, including home dirs?  Am 
I wrong?

Thanks.

Scott

On Thu, 23 Aug 2007, Sean OMeara wrote:

> Scott:
>
> If you want TRUE single sign on capabilities and you intend to involve
> Windows in any way, you absolutely have to use an Active Directory as
> your kerberos KDC. There is ABSOLUTELY NO WAY around it. (unless of
> course you're adventurous enough to use samba4)
>
> By TRUE sigle sign on I mean:
> passwordless authentication to network resources (ssh, samba shares/
> NFSv4 servers, (homedirs!) apache/mod_spnego, jabber/sasl, ssh/gssapi,
> ldap/sasl, AFS, the works) from both the XP clients and the linux/unix
> clients.
>
> The only way to do it is:
> authentication
> *Active Directory KDC + LDAP + RPC for windows authentication/authorization
> *Active Directory KDC for unixland kerberos authentication
>
> authorization
> * Active Directory ldap server schema extensions (ms SFUv3.5) to house
> the unix posix data (uid, gid, homedir, shell, supplemental gids
> ((/etc/group))
>
> or
> * seperate ldap resource (openldap, fedoraDS) dedicated to housing the
> unix posix data
> * scripting fun to keep your groups in order
>
> The reason for this lies in the way Windows handles the authorization
> part of the sign on process. ( unix clients dig their authorization
> data out of ldap, windows clients have it returned in the PAC field
> within their kerberos ticket)
>
> It's actually not that bad really.... AD can be manipulated from the
> linux command line via samba tools (net ads user add, net ads group
> delete, etc)
>
> ......
>
> now barring all that... if what you meant by "single sign on" is
> actually "unified passwords", then you can do it without AD using
> samba and ldap no problem. (well, only small problems anyway)
>
>
> No matter what you'll have to maintain TWO password databases, one for
> windows, and one for everyone else.
>
> The standard configuration for this is one of the two of these:
>
> a)
> authentication
> * Windows NT4 style NTLMv2 Samba v3 authentication
> * Samba looks at an ldap backend for:
> sambaLMPassword:
> sambaNTPassword:
>
> * unixland clients attempt a bind to the ldap server, testing against the field:
> userPassword
>
> authorization:
> Samba looks at an ldap backend for, and then returns to the windows
> machine via rpc:
> sambaAcctFlags
> sambaPrimaryGroupSID:
> sambaLogonTime:
> sambaPasswordHistory
> sambaSID
> sambaPwdCanChange:
> sambaAcctFlags:
> sambaPwdLastSet:
> sambaPwdMustChange
>
> b)
> authentication:
> samba stuff for windows
> unixland looks to an MIT or Heimdal KDC for authentication
>
> authorization:
> same stuff for windows
> unixland looks in the ldap directory for:
> uidNumber
> gidNumber
> homeDirectory
> groups information
>
> The consequences of the dual password sources will boil down to this:
>
> When a user changes his password via the unix passwd utility, it will
> only change:
> the userPassword field in the ldap record or the password on the
> kerberos principal.
>
> Windows users change it via samba, which can call a script to change
> both the sambaNTPassword fields and the userPassword fields in the
> ldap record.
>
> I'm not sure if its possible to have samba call a script to set the
> sambaNTPassword and change the kerberos princ.
>
> PS if you're going to get kerberos involved in any way, every machine
> needs to be able to resolve their FQDN, both forward and reverse. This
> means you either need to maintain lots of /etc/hosts entries in the
> form:
>
> 127.0.0.1        localhost        localhost.localdomain
> 127.0.0.1        somebox.mit.edu sombox
>
> or proper 1 to 1 mapped forward and reverse DNS.
>
> If your machine can't correctly do
> hostname and hostname -f, kerberos will NOT WORK.
>
> .....
>
> To answer your questions about the homedirs:
>
> You want a fileserver running both samba and NFS.
> Windows clients will use roaming profiles to mount their homedirs via
> SMB, linux will use NFS.
>
> Your error messages look like your ldap server isnt running.
>
> -s
>
>
>
> PS I live around the corner from MIT and I'm much better at explaining
> things when people buy me ronnie burgers ;)
>
> -s
>
>
> On 8/23/07, Scott Ehrlich <scott at mit.edu> wrote:
>> I have a RHEL5 Server and some dual-boot XP/CentOS 5 systems (Linux systems all
>> 64-bit).   All Linux is out-of-box, with all packages, minus international
>> languages, installed.  No patching has been done.
>>
>> On the server, I selected system-config-authentication and enabled LDAP for
>> User Information, Kerberos, LDAP, and SMB for Authentication, and Shadow and
>> MD5 Passwords, along with Authenticate system accounts by network services for
>> Options.
>>
>> All machines are on an isolated LAN, with no DNS server (I could always enable
>> and configure DNS on the server if it helps the cause).
>>
>> I also don't know if it matters, but the server is running the virtualization
>> kernel (xen), but the clients are not.
>>
>> I only have LDAP service enabled on the server.   Kerberos services are enabled
>> on both client and server.
>>
>> I tweaked the LDAP and Kerberos settings using the CentOS/RH GUIs, and have the
>> clients looking to the RH box for authentication.
>>
>> I also have the firewall enabled, but am letting kerberos and ldap ports
>> through as tcp.
>>
>> During a login test, /var/log/messages on the client showed:
>>
>> lin1 gdm[pid]: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100:
>> Can't contact LDAP server
>>
>> lin1 gdm[pid]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
>>
>> lin1 dbus-daemon: nss_ldap: failed to bind to LDAP server ldap://192.168.1.100:
>> Can't contact LDAP server
>>
>> lin1 dbus-daemon: dss_ldap: failed to bind to LDAP server...
>>
>> lin1 xfs: ...
>>
>>
>> During boot time, Starting system message bus: [long pause] then error messages
>> about DB_CONFIG and /var/lib/ldap, the usual cannot find DB_CONFIG in
>> /var/lib/ldap, showing the example.com instead of my customized ldap settings,
>> etc.
>>
>> I've checked openldap.org, but I figured if the configuration appears to be
>> simplified via an included GUI, I shouldn't have much trouble gettigns things
>> going.
>>
>> Anyway, what am I missing?   Anything special RH 5 is doing compared to the
>> openldap docs?
>>
>> Both servers have been rebooted since adding the respective ports in the
>> firewall.
>>
>> The goal is a to permit my test user, created on the server, to sit at a
>> workstation, boot into either Linux or XP, and get their home directory.
>>
>> Ideally, the server only needs to consist of one account for them, which they
>> get upon login on the workstation.
>>
>> I want to highly restrict _any_ third-party tools/apps/etc.   I will be happy
>> to take suggestions and leads, but I want to try and rely on what RH has
>> provided.
>>
>> Thanks for any insight/help.
>>
>> Scott
>>
>> _______________________________________________
>> bblisa mailing list
>> bblisa at bblisa.org
>> http://www.bblisa.org/mailman/listinfo/bblisa
>>
>

More information about the bblisa mailing list