Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings
Dec 10, 2009
I wish to setup a network that works like windows but for with lunix of course!. It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:
I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.
1. How to setup fedora to act as server for my needs (or other Linux build)
2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)
we're running an Ubuntu 10.04 LTS network on our company, authenticating against an Openldap/heimdal-kerberos server.Previously, the clients were authenticating against a Windows 2003 Domain without any problems.After modifying the krb.conf, ldap.conf, nsswitch.conf and nscd.conf files to authenticate the machines against the openldap/heimdal setup, we started experiencing strange problems.
One issue is, for example, the polkit-agent-gnome not starting. This component integrates policykit into gnome. It looks like the agent is unable to start due to some kind of delay with DBUS. Starting the agent manually keeps giving errors until about 70 seconds after login, when the agent can be started without problems. During the delay it is also impossible, for instance, to open the "shut down" menu on the top right of gnome. You can click on the menu, but nothing appears.Trying to start the polkit-agent manually gives these errors (I'll be attaching detailed errors when at work!):
DBus error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken
GLIB ERROR ** default - Not enough memory to set up DBusConnection for use with GLib It really looks like DBus or something related to it is starting "too late" but I can't seem to find the reason. I'm pretty sure this has to do with some timings or whatever in the krb/ldap config files...
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
I am integrating my Unix box to the Windows AD using PAM_LDAP and Kerberos enabled. I was wondering, since Kerberos is enabled is there any point to enable SSL on my LDAP.conf? My understanding is that since Kerberos is enabled, therefore the username/password is sent securely there isn't any benefit of enabling SSL on the LDAP.conf? It's one of or another.
Set up a lab full of Lucid boxes that authenticate against the main university Sun ldap server and create local, limited, homedirs if they don't already exist.
The ldap server is freely accessible on our network and does not require authentication to do a query. Users will not be able to make changes on the ldap server from these workstations. I cannot set up homedirs of users manually - any one of 15,000 people could walk in and use one of these machines.
What I've got working so far: Authentication works, but when I log in through GDM, after a few errors, I get nothing but a blank desktop (with wallpaper and cursor). If I log in as a local user and su to an ldapuser I get assigned a home directory at /, which explains the errors; this kind of user can't write to /. I've seen posts on this but nothing that works for me.
The problem, as I've identified it: I'm using pam_mkhomedir to create home directories on first login, but I don't seem to have any way of telling pam_mkhomedir *where* to create the home directories. I've tried to use the nss_map_attribute in /etc/ldap.conf (like this: nss_map_attribute homeDirectory "/home/users/"uid), but my syntax is all guesswork - I can't seem to find anyone else trying to mangle a homedir this way.
Most either don't deal with the homedir thing at all, or if they do, they only cover nfs/smb shares.
Is it possible to secure samba server with kerberos? I want to know whether we can use kerberos authentication to secure samba user name and password so that mo one can sniff that information. configuration or any URL link from I can get the exact configuration.
I've currently got Ubuntu server configured so that clients can login using LDAP user accounts that I've created using ldapadduser (from the ldapscripts package).
I've also got NFS exports working so that /home can be exported to clients. Kerberos authentication is enabled for NFS and clients require a nfs/clienthostname.domain principal to be able to mount the NFS share.
However, I now realise that for LDAP users to be able to access the mount they need their own Kerberos principal. If I run kinit dan@DANBISHOP.ORG then I can access /home/dan as user dan otherwise I get permission denied.
My question then is how best to proceed... is there a way to configure the client/server so that once a client has mounted the nfs share using Kerberos, all users can access it without their own principal?
It seems more usual to create kerberos principles for all users, but then how does one manage users? Using ldapscripts is very easy, but if the admin then has to manually create kerberos principals everytime, it could become very tedious. Furthermore how do users change their password if kerberos is used for authentication?
I am confused with the concept of Kerberos and LDAP SSL. I am in the midst of integrating my Unix box with the Active Directory hence the use of PAM_LDAP method. I understand that since it's non-secure transmission hence We use Kerberos to authenticate. If we already used kerberos to authenticate i.e. it means that the username/password is not transmitted in clear text. Why we still need LDAP SSL? What is the benefit?
I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has ben configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.
My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.
The setup is working fine as long as I connect to the primary server using its hostname:
peter@client01:~$ ssh nana <connection goes through seamlessly without prompting> peter@nana:~$
If I try to connect via a DNS alias (actually a second CNAME record), I get:
In the OpenSUSE documentation I red this very exciting chapter Chapter 6. Network Authentication with Kerberos That mentions "Using LDAP and Kerberos" which combined with NFSv4 would give my office net functionality of a M$ Win network.
We are still on 11.2 (we have no win clients at all) and I was testing different setups of 11.4 in VM, but I can't get YaST to configure the LDAP with Kerberos setup (our current setup does not use Kerberos only LDAP). Unfortunately I could not find any meaningful HOWTO on how to do it in SuSE. The page in docs involves editing config files, but I would like to avoid this, because from my former experience with Samba, as it would mean I cannot use yast anymore and that is sad.
Is there a way to configure LDAP + Kerberos (in terms of issuing of krb tickets at login) with YaST?
PS: I basically need Kerberos for NFS and Intranet site.
I have installed keberos on my suse machine, but after installation now I am not able to login in it even with the root password. I search over the internet but could not find the solution. What to do now and how to configure Kerberos on a local machine with only local users authentication. I mean client and server both are on the same machine.
Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.
I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.
When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.
I have installed servers(10.04 LTS Server) with Kerberos + LDAP, now I can ssh to all those servers and login with kerberos principle. But when I want to change password, I got such error:
Code: Current Kerberos password: Enter new Kerberos password: Retype new Kerberos password: Password change rejected: Password not changed. Kerberos database constraints violated while trying to change password.
passwd: Authentication token manipulation error passwd: password unchanged I have search this issue but cannot any useful information. Would someone give me a direction?
I am interested learning about networks in Linux and prefer to use Ubuntu. I hope the title is reflects what I really need to know. If not sorry about that.I have an requirement, it is to have a server to handle authenticaition of users so generally users can use that server to use specific services such as login (to linux), mail (postfix) and perhaps a file server (to hold user data, lets say what we have on /home/[username])I did some reading, and it looks like I will need LDAP and Kerberos. But I couldn't get a good understanding on how to practically deploy such a service.I would be obliged if some you guys can give me some guidelines on how to achieve my goal. Topics I need to read, books I could refer would be a plus.To tell you some thing about me, I am not a *NIX guy, my knowledge is kinda just above basic.
I can't forward my kerberos credentials to a computing resource before connecting to the resource for which I have kerberos credentials. In other words, from my machine at work I obtain my ticket with kinit -f to a computing facility off in some lab somewhere.
Then, I want to ssh to another machine in another department (I don't have control over the krb5.conf file or this would have been easy) where I work. It is on this machine I want to be able to ssh,scp, etc to this far off lab. I've tried several options around this barrier, but I'm a total failure thus far. I checked that GSSAPIAuthentication is set to yes.
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
we are having new printers. At the moment we over 1000 machines on multiple sites but no print server they are manually added on the machine ( I know don't ask).
Anyway there is no way they would let use a windows server so the only option I have is to use linux however I little unsure if it is capable of doing the job I need it to do. Basically I want to add the printers on the linux server either using samba or ipp (I would assume samba would be best).
The reason i want to do this is when we have to do around the machines I just want to go around the machines and just the map the printer and it brings down the driver and config etc as we want them to duplex. The issue is I been trying to gain information on the internet and getting conflicting information apparently I can add the windows driver onto the server so when I map the printer it brings it down. However some guides state you still have through the whole process of adding the printer and then choosing the driver etc. Which kinda of makes it pointless to do the printer server since I would already have to do this anyway if we don't have one.
I just want to go be able to go around the machines and for example click star run and do something like \192.168.1.1printer01 and then it done kind of thing.
I started to install Fedora thinking I was just going to place it in the / and /home partitions I already have but the installer only seems to give me the option to use the whole disk.I have 3 / and 3 /home partitions 2 of each are occupied by Linux Mint and Mint KDE so I wanted to use the last / and /home for Fedora.
I have set up a 389 DS server and a kdc. However there is not a howto or any document concerning setting up the DS as a Kerberos database back-end. Nor is there a 389 DS forum, so I am asking here and hopefully some of you could possibly help or throw in some light as to this kind of setup.I have read the 389 DS features page and the Redhat documents but there is no reference to this feature.
we have a weird problem with our opensuse 11.2 server installation.
We want to set up a LDAP Server using the Yast-LDAP Server configuriation tool.
This indeed already worked weeks ago until....this week. Maybe some updates??!
I do not know what happend exactly. The server just does not want to start again and throws following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happend after a little check of the configuration, but without a change, with Yast. Google delivered only "reinstall your box"-answers.
So.. i did that. And now the "mystical" part: The SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificats, database, pw...the first Yast config dialog...). I did not change the way i set it up.
I remember, when i did this the first time with 11.2 on that machine, when no problems occured...everything was running out of the box (except the "use commen server certificate" option...).
Im an IT manager for a small company with a small ammount of users. We already use linux for our data server and I would like to implement a domain controller. All of our user machines are WIndows XP pro.
Ive been reading up on using OpenLDAP as an alternative to active directory.
What I want is just a simple active directory like server, with a GUI if possible.
What do I need to look at and how would I go about setting this up? Im fairly proficient with Ubuntu already, I just need to be pointed in the right direction.
Is it even possible to have my windows users be able to log in to their machines using an ubuntu domain controller?
I have a problem with my fedora workstation.I am trying to change my ldap user password through passwd command.When I first create the user on ldap server, I use md5 and create the user password.This is the entry:
I am using Fedora 13 x86_64 on a Acer Aspire 7730ZG laptop with: 01:00.0 VGA compatible controller: nVidia Corporation G98 [GeForce 9300M GS] (rev a1) I have kmod-nvidia-126.96.36.199-147.2.4.fc13.x86_64-195.36.31-1.fc13.2.x86_64 installed from rpmfuison when I plug in the hdmi cable to the tv, my tv says the resoultion is at 720p, and I can not get any of the resolutions settings to look right on seperate x screen with the nvidia X server settings gui. my tv is a vizo 42inch. also another question is their a way to set the video card to output at 1080? this might be part of my problem?
I would like to set the firewall in Ubuntu Server 10.10 up to be very secure but perform these tasks:
1. File server to windows 7 and windows xp machines both over ethernet and wireless via a router. 2. Print server for these 2 machines. 3. Auto backup these 2 machines.
So far I have set the server up with a static ip, do the 2 windows machines need static ip's as well? I don't need remote access to the server, only over the lan. I thought this may be all I needed to do:
I have Ubuntu 10.04 configured to login with Kerberos (as in [url]). Everything works fine, except gnome-keyring-daemon:
-If I login with a local user, gnome-keyring-daemon works right. Besides, the keyring is automatically unlocked with the login password.
-If I login with a Kerberos user:
- The session startup is considerably slower.
- /var/log/auth.log says something like:
- If I execute a program that needs the gnome-keyring (like Evolution), is desperately slow, and it says:
Message: secret service operation failed: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
- If I kill all gnome-keyring-daemon (killall gnome-keyring-daemon), start a new one (gnome-keyring-daemon), and restart the application that uses the gnome-keyring, it works fine, but it ask me for the password to unlock the keyring (I think that this is the normal behaviour if gnome-keyring-daemon did not start before).
I have seen the configurations in /etc/pam.d and everything looks fine (with pam_gnome_keyring.so). Indeed, I think that if something was wrong here, the local user would not have the keyring unlocked automatically.
Is there a way to use kerberos (or baring that a trusted CA) to allow users to ssh across machines in an environment isntead of having to manage the hash keys per user/server? I'm using kerberos+ldap to log folks in and get their settings but I'd like to take it a step further. I've been reading a lot but still can't quite get it all to come together.
Do I need to create a SPN for each host to do this? Sorry if I am asking a dumb question, I am returning to the *nix fold after a decade+ in the Microsoft world, be gentle with me.