linux ldap clients to authenticate to OD
bagadat, April 19, 2007 at 8:04 am (#368794)
hello anyone out there…
i need advice and major help from you since i’m a new mac os x sys admin
i’ve got an xserve with mac os x 10.4.9… OD is up and running, all is fine, ie dns, afp, kerberos and what not….
i’ve configured OD as such:
– ssl is not enabled
– directory binding is activated and i require clients to bind to the directory
my os x clients authenticated without any problems to the OD… and i’ve got both network home folders and mobile ones… all obviously using afp… should i change that?
now i would also like to add some linux workstations to my network and i would like to get them authenticated to the OD and have network home folders…
so here are my questions
1. what distro should i be using?
2. how to i get the linux client authenticated to OD, considering that i’ve got to bind to it first and use kerberos?
3. what should i use to store their home folders, smb or nfs? and why?
4. if i’m using smb to store the home folders, must i activate the PDC too or in standalone mode?
5. finally, if a user that usually accesses its home folder from an os x client needs to do so also from a linux client, is that possible?
thank you so much for any help
bagadat, April 20, 2007 at 10:02 am (#368813)
[QUOTE][u]Quote by: MacTroll[/u]
1) RedHat and Debian seem popular. Most any mainstream modern one should make this easy.
2) Most distros now have their own config tools to set this all up for you.
3) Typically this is easiest when done via NFS. Automounting SMB is still a bit of a chore last time I looked at it.
4) No, you’re using LDAP for auth, so wouldn’t need the PDC.
5) Yes, and commonly done in situations like this.[/QUOTE]
thanks so much mactroll for taking the time to answer….
1. i’ve decided to use fedora core 6, as client
2. i’ve been googling but i haven’t found anyone that explains how to authenticate to OD with the settings i mentioned in my 1st post… would you be able to explain or point me to someone who could help me please
3. Ok, NFS will be the one, but does that mean that i’ll also have to use NFS for the mac clients? sorry if all of these are dumb questions!
4. that’s great news, but just to confirm, for windows clients, i’ll have to activate the PDC and as a result, will i also be able to access the same windows account using the os x and linux clients?
5. are there any special configurations that need to be done for this to work?
thank you so much for your help
bagadat, April 23, 2007 at 9:03 am (#368819)
[QUOTE][u]Quote by: MacTroll[/u]
2) on RHFC it’s “authconfig” IIRC. This will walk you through setting up the LDAP auth settings and the Kerberos as well.
3) It’s usually easiest if you use the same for both. Not that you have to, but it does keep things simpler.
4) Yes, if you want to support Windows clients, you’ll need to enable the PDC. If you do enable the PDC, yes, you can have the same account, and the same home with a bit of work, across all 3 OSs.
5) You’ll have to read up on automounting NFS shares on Red Hat, should be readily googleable.[/QUOTE]
once again mactroll, i’m grateful for your input…
2) if i use “authconfig”, does that also take care of the home directory? while googling i see that one is supposed to add an entry in the “common-session” pam module, ie, something like “session required pam_mkhomedir.so skel=/etc/skel/”… what does that mean? where does it create the home folder? is it on the server or on the client?
4) would you be able to help me achieve this setup?
thanks
bagadat, April 26, 2007 at 6:05 pm (#368854)
hi MacTroll
are you able to help me out? i’m sure you must be busy but i’m getting desperate cause i need to get this server up and running pretty soon…
are you able to help me out in any way?
by the way, i’m grateful to you for having taken time to answer me…
bagadat, May 7, 2007 at 11:53 am (#368960)
hello MacTroll
it seems you gave up on me, but no worries i’m starting to see the light at the end of the tunnel…
this is what i’ve learned in the last 2 weeks… please bear in mind that the OD and homedirs are on the same server…
1. i’ve finally managed to authenticate using Fedora Core 6 to the OD using kerberos… as you said, it was very easy using “authconfig-tui”…. but my boss still insisted that i use ubuntu as a client, so after 10 days of digging, i finally managed to get it to authenticate using kerberos… the only bizarre thing is that i have to put my password in twice to authenticate… would you know why? i suppose it has something to do with my pam modules…
2. i decided to use nfs for the homedirs of the linux clients. to do so,
a) i used WGM (dah….), and did an nfs export of the “/Users” folder
b) still in WGM, under the “home” section of the accounts tab, i put these values….
Mac OS X Server/Share Point URL: afp://example.com/Users/
Path: badgers
Home: /mnt/home/badgers
c) i mounted the nfs export on the linux client by modifying the fstab and adding this line to it…. example.com:/Users /mnt/home nfs rw,hard,intr 0 0
from here this is what i would like to do… would you be able to let me know if it’s good or bad?
Now that i’ve managed to get the linux clients authenticating with the OD and using nfs to host the homedirs… it appears you told me that i could have “the same home with a bit of work, across all 3 OSs”. could you help me:
1. making the Mac OS X Clients access the same homedirs using afp
2. making the windows clients access the same homedirs using smb
thank you in advance for any input
bagadat, May 15, 2007 at 8:18 am (#369041)
MacTroll
thank you for all your help and input… i’m very much grateful…
for linux and mac, all is pretty much sweet…
but without any surprises, i’ve still got a few issues with the windows clients…
i would have had the same homedir across all 3 OSs, but the problem with this is that each time i logout of a windows client, it replaces the network homedir with its content (ie, its local profile), it doesn’t sync, it just replaces!!!
is there a way of controlling this? have i missed something? or is windows just retarded… by the way, i’ve got 5 win2k, and 10 xp clients…
any advice concerning this?
by the way, is it possible to purely have network homedirs through smb using windows clients?
thank you for any input
bagadat, May 15, 2007 at 8:54 am (#369042)
Hello again Mactroll
i was on the apple server website and i help upon this quote by apple…
“Network Home Directories
Home directories hosted on Mac OS X Server can be accessed from both Mac and Windows clients. This enables users to log in to any computer on the network — Mac or PC — and securely access all their personal files and system preferences from either platform.”
is that mumbo jumbo, or a trick quote?
by the way, would you prefer me to create a new thread for this topic?
jerkyjerk, May 17, 2007 at 5:36 am (#369061)
I believe I have, what it sounds like you are describing, working for quite a while now. Here’s what I have:
linux host using OD for LDAP lookup.
Linux host allowing Kerberos logon both remotely and locally.
automounting nfs file system.
I’ve recently started compiling all my notes into articles and publishing them on a wiki. I’d recommend you take a peek at a few of the articles and see if any of it helps.
[url=http://www.jerkys.org/wiki/x/OwAf]article about using automounted filesystem[/url]
[url=http://www.jerkys.org/wiki/x/YgAf]articles about using OD and Kerberos with linux[/url]
[url=http://www.jerkys.org/wiki/x/CQAQ]article about creating a keytab file[/url]
Hopefully that helps.
Uncle B, May 17, 2007 at 11:35 am (#369063)
I had the Windows and Mac clients working fine. This post and associated links may be a ray of hope.
In response to the Windows vs Other OS home directories I followed the advice from Systems Boy’s site [i](I tried to link to it but got a ‘Spam detected’ warning and my post was deleted)[/i].
Systems Boy’s solution is to make within each network home a Windows profile location called, in this case, Windows.
* To a Mac client the home will list the following folders: Desktop, Documents, Library… Sites, Windows. So they can easily navigate to their XP files or alias them to the desktop etc.
* To XP the view starts at the specified “Windows” folder but they have rights to their Mac home so clever users or an admin can alias the Mac desktop etc.
Seemed to be a workable solution although I stalled on getting Ubuntu authenticated and got distracted by other issues.
A comprehensive (and idiot proof) guide to this would be much appreciated, Bagadat. My linux skills are weak so I’m getting lost reading your progress.
jerkyjerk, May 17, 2007 at 1:27 pm (#369066)
If you skip the Kerberos part you should be able to get a RedHat (or CentOS) host to at least use OD/LDAP without even cracking open the command line. If you are using Ubuntu it might be a bit more tricky. I’ve gotten Debian working with this in the past but it was way more involved. Last I remember Debian and probably Ubuntu doesn’t have anything like the system-config-authentication tool.
bagadat, May 18, 2007 at 3:24 pm (#369077)
thank you jerkyjerk for your info… it was much appreciated… but i didn’t use it cause i managed to already authenticate using ubuntu 7….
as for uncle B, i’m busy working on my ubuntu 7 client authentication howto and once it’s done, i shall post it here…
but i’m still not clear on how to unify all 3 OSs to have one homedir and have what apple says….
quote:
“Network Home Directories
Home directories hosted on Mac OS X Server can be accessed from both Mac and Windows clients. This enables users to log in to any computer on the network — Mac or PC — and securely access all their personal files and system preferences from either platform.”
i just wonder why they mention something like this when you have to bend over backwards to unify windows and unix homedirs….
i think i must have missed something or i’m just assuming too much…
but i’ll go check systemboy’s setup again to see how he did it… thanks
Uncle B, May 18, 2007 at 4:37 pm (#369079)
I’ll look forward to that HowTo.
Hope the Systems Boy thing helps. It worked for me. I just can’t get Ubuntu in on the act.
jerkyjerk, May 18, 2007 at 7:19 pm (#369082)
I have been using autofs and have unified homes between UNIX and Mac OS. I guess my method is a bit different. Correct me if I’m wrong but you are trying to use WGM for controlling the homes automounting for BOTH unix and Mac OS but it only has an option for either AFP or NFS. My approach just uses the home directory that OD has stored. I’m not sure what your user profile info looks like but under the home tab on a user in my WGM it looks like:
[url=https://www.jerkys.org/wiki/download/attachments/2490370/WGM_screen.jpg]WGM home folder screen[/url]
Once you have the LDAP user info setup and working on linux run the command “getent passwd” in a terminal session your OD entries should look like
[code]jeffh:x:100:20:Jerky Jerk:/Network/Servers/odmaster.jerkys.org/Users/jeffh:/bin/bash[/code]
Setup autofs on the linux side to automount the directory “/Network/Servers/odmaster.jerkys.org/Users/”
One of the wiki links covers how to do that. Even though I only tested it on CentOS it should be the same for any linux distro. I even have the automounted home working on Solaris as well (I just haven’t documented it yet).
When I log in to a Mac OS host it automounts via AFP and I see any files that I added or deleted on an NFS mounted host.
Oh yeah and in the Sharing setup. The nfs export isn’t really exported as /Network/Servers/odmaster.jerkys.org/Users/ it’s really exported as /Users but the automount mounts it at the location LDAP said it should be which is the /Network/Servers path.
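One way to sanity-check the passwd records a bound Linux client actually receives, covering both the /Network/Servers automount layout jerkyjerk describes above and the /mnt/home NFS layout bagadat set up earlier in the thread. This is an added example, not code from either poster or from the linked wiki; the base path, the sample directory users and the local passwd lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-check the passwd records an
# Open Directory-bound Linux client receives before trusting them for NFS
# home automounting. Two checks a client admin wants before first login:
#  1. every directory-sourced home lives under the autofs/NFS base, so no
#     user silently gets a local home (pam_mkhomedir) instead of the share;
#  2. no directory uid collides with a local /etc/passwd uid, since a plain
#     AUTH_SYS NFS export trusts whatever uid the client presents.

# Constructed sample of "getent passwd" output; the first line mirrors the
# format quoted in the thread, the rest are made-up users.
LDAP_PASSWD='jeffh:x:100:20:Jerky Jerk:/Network/Servers/odmaster.jerkys.org/Users/jeffh:/bin/bash
badgers:x:1025:20:Badger User:/Network/Servers/odmaster.jerkys.org/Users/badgers:/bin/bash
stray:x:1026:20:Stray Home:/mnt/home/stray:/bin/bash
clash:x:1000:20:Uid Clash:/Network/Servers/odmaster.jerkys.org/Users/clash:/bin/bash'

# Constructed excerpt of the client's local /etc/passwd.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash'

AUTOFS_BASE='/Network/Servers/odmaster.jerkys.org/Users'

# check_entries BASE LDAP_RECORDS LOCAL_RECORDS
# Prints one "<problem> <user> <detail>" line per finding; silent when clean.
check_entries() {
    base=$1; ldap=$2; local_pw=$3
    printf '%s\n' "$ldap" | while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        case "$home" in
            "$base"/*) ;;                      # home is under the automount
            *) printf 'home-outside-base %s %s\n' "$user" "$home" ;;
        esac
        if printf '%s\n' "$local_pw" |
           awk -F: -v u="$uid" '$3 == u { f = 1 } END { exit !f }'; then
            printf 'uid-collision %s %s\n' "$user" "$uid"
        fi
    done
}

# entries_ok BASE LDAP_RECORDS LOCAL_RECORDS: exit 0 only if no findings.
entries_ok() {
    [ -z "$(check_entries "$@")" ]
}

# Stand-alone run against the constructed data (on a real client you would
# feed it "$(getent passwd)" filtered to directory users and /etc/passwd).
check_entries "$AUTOFS_BASE" "$LDAP_PASSWD" "$LOCAL_PASSWD"
```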
bagadat, June 7, 2007 at 12:38 pm (#369244)
jerkyjerk, i just wanted to thank you for sharing all of your experience with us… that is great…
i checked out your [url=http://www.jerkys.org/wiki/pages/viewpage.action?pageId=2490374]Open Directory & Kerberos Authentication with Debian and family[/url] and i know you said that it’s a rough draft, it seems you installed a whole lot of stuff, but i’m not sure they are all necessary….
to get mine going, i simply had to install the following with their dependencies:
krb5-config (1.12)
krb5-user (1.4.4-5ubuntu3)
ldap-utils (2.3.30-2)
libkadm55 (1.4.4-5ubuntu3)
libldap-2.3-0 (2.3.30-2)
libnss-ldap (251-7.5)
libpam-krb5 (2.6-1)
nscd (2.5-0ubuntu14)
as for your automounted nfs howto, that was great…. i’m sorry i didn’t find it earlier, it would have saved me a few hours of work!!!
i was authenticating Ubuntu 7.04 to the OD, but the sad thing is that there is a major network bug where it just keeps losing its ethernet network connection by reverting to a loopback…. really random, i’m surprised they released it like that! as a result, i got fed up with ubuntu and decided to get fedora cause everything is pretty much automated… also, i got some other random problems with ubuntu network users….
Uncle B, do you still need help with ubuntu authentication? which version of it are you using? and i presume you’re authenticating to an OD using kerberos?
jerkyjerk, would you like us to work together to write a proper howto for ubuntu authentication to an OD using kerberos?
Uncle B, June 7, 2007 at 1:04 pm (#369247)
I am indeed still trying that although it’s been on the back burner, so to speak.
Since I joined this thread I’ve done next to no reading on the subject so I’m still a little in the dark about some of the items you’re saying Ubuntu needs.
I’m running all 7.04 builds now and the domain would be a kerberized OD.
Thanks for keeping it up.