Forum Replies Created

Viewing 15 posts - 16 through 30 (of 31 total)
  • in reply to: Mini Home Server Setup – Online Guide or Website? #370177
    jerkyjerk
    Participant

    I’m not sure what your level of familiarity is with OS X Server. Since you are looking to adapt Server to a home environment you probably won’t find too many articles that will give you a hand-holding, blow-by-blow play of what you want to do if you don’t have much experience with it. I think I’d be accurate in saying this group, which includes myself, is a small minority that uses Server as a part of their home network. It can require you to use a bit of creativity to combine seemingly dissimilar sources to get this working up to your expectations, which would also explain the dearth of articles describing its use in this capacity.

    I’ll give you an example:
    [b]master iTunes library[/b]

    What are your requirements for this? Is it as simple as mine? All our music from our ripped CDs is located on an AFP share on the server. I’m probably 75% complete with the task. All I’ve done is occasionally whack all the items in my wife’s iTunes library and drag and drop the shared folder back to iTunes so it picks up any new CDs added to the share. There might be some other better ways to do it, but it is simple enough and provides what we wanted. If you are looking for something like actually sharing everything, like the iTunes library files, you might want to combine the share with the information [url=http://elasticdog.com/2007/04/howto-have-multiple-users-share-an-itunes-library-on-one-machine/]found in this article[/url]. IIRC there are some other articles out there that have worked out similar issues with sharing iPhoto libraries; [url=http://macosxhints.com]Mac OS X Hints might be helpful on that one[/url]. As time goes on I’ll maybe take the time to attempt something like this, but for now it’s been good enough.

    I’m not sure if you mistyped it, but the VPN won’t really help you to access the internet while on the road; it will help you access your non-public network services and computers on your home network while on the road. I think that [url=http://www.maclive.net/sid/132]previous link[/url] will get you started with the VPN setup now that I know you are using Server.

    If your network is primarily Macs you might want to consider setting up Open Directory. I’ve been pretty obsessed with it since Panther, trying to make it work with every operating system I can throw at it. Being able to sign on once and access the shares and resources without retyping your password is pretty convenient. There was a good series of articles recently on macdevcenter.com about Open Directory. It was focused on using the non-server Mac OS X as an OD master type setup. Again, you can probably shoehorn the information into working with OS X Server.

    in reply to: Mini Home Server Setup – Online Guide or Website? #370166
    jerkyjerk
    Participant

    Are you using Mac OS X Server or just plain old Mac OS X? If using Server then there is a [url=http://www.maclive.net/sid/132]VPN server and simple GUI[/url] you can use to get started; it looks like a good page. Or if you are using regular Mac OS X you could install something like [url=http://www.openvpn.net]OpenVPN[/url].

    Technically you can use any domain you’d like internally. The only issue I see is if you use an existing domain. For example, if you started using something like apple.com internally you would lose access to all apple.com sites because your DNS server will never look outside itself for apple.com hosts. If you are going to make things like mail and web services available externally you will need to register a real domain. If you are only setting up VPN access you could always just use something like DynDNS for a hostname with one of their free names like .dyndns.org.

    The minimum services I think a home network could use, especially if you are using a dedicated machine, are caching DNS, a file server and, if you have a printer, some way to network it, whether it’s via something like a JetDirect or just simply hooked up to your “server” via USB and shared.

    jerky

    in reply to: linux ldap clients to authenticate to OD #369257
    jerkyjerk
    Participant

    I’m glad you were able to find some of the information useful. One additional thing besides the Debian notes being rough is that they are also rather old. The file those notes were copied from is dated Feb 2004. I think I was still using Panther at the time. You’re probably right that there might be more debs listed than needed. I just didn’t spend the time to refine it like the RedHat doc.

    I would definitely be open to some sort of collaboration on Ubuntu. We could maybe do some kind of Creative Commons license for it. I have Ubuntu (I think 6.06 Server LTS) set up in a VM and have played with it off and on but haven’t spent any time beyond installation and just general poking around in X Windows. I think it looks like a good distro though.

    in reply to: Kerberos stopped running! #369110
    jerkyjerk
    Participant

    Are you sure that an /etc/krb5.conf file is supposed to exist? I just looked at my odmaster and don’t see anything in /etc/, only krb5.keytab. The only other thing I could think of was /var/db/krb5kdc/kdc.conf. Traditionally in the other UNIX flavors I’ve dealt with krb5.conf is stored in /Library/Preferences/edu.mit.Kerberos in Mac OS.

    in reply to: linux ldap clients to authenticate to OD #369082
    jerkyjerk
    Participant

    I have been using autofs and have unified homes between UNIX and Mac OS. I guess my method is a bit different. Correct me if I’m wrong, but you are trying to use WGM for controlling the home automounting for BOTH UNIX and Mac OS, but it only has an option for either AFP or NFS. My approach just uses the home directory that OD has stored. I’m not sure what your user profile info looks like, but under the Home tab on a user in my WGM it looks like:

    [url=https://www.jerkys.org/wiki/download/attachments/2490370/WGM_screen.jpg]WGM home folder screen[/url]

    Once you have the LDAP user info set up and working on Linux, run the command “getent passwd” in a terminal session; your OD entries should look like:

    [code]jeffh:x:100:20:Jerky Jerk:/Network/Servers/odmaster.jerkys.org/Users/jeffh:/bin/bash[/code]

    Set up autofs on the Linux side to automount the directory “/Network/Servers/odmaster.jerkys.org/Users/”.

    One of the wiki links covers how to do that. Even though I only tested it on CentOS it should be the same for any Linux distro. I even have the automounted home working on Solaris as well (I just haven’t documented it yet).

    When I log in to a Mac OS host it automounts via AFP and I see any files that I added or deleted on an NFS mounted host.

    Oh yeah, and in the Sharing setup, the NFS export isn’t really exported as /Network/Servers/odmaster.jerkys.org/Users/; it’s really exported as /Users, but the automount mounts it at the location LDAP said it should be, which is the /Network/Servers path.
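One way to turn that getent output into the autofs maps the post describes, as an added example that is not code from the post or from the wiki it links. It assumes what the post states about the layout (LDAP homes under /Network/Servers/<server>/Users/<user>, the NFS export really being /Users) and makes its own assumptions about the map file name and the NFS mount options; the getent sample is constructed, apart from the first line, which is the post’s own entry.

```python
"""Derive autofs maps for Open Directory network homes from `getent passwd`.

Added example, not code from the post or its wiki. It assumes the layout the
post describes: LDAP home directories look like
/Network/Servers/<server>/Users/<user>, while the server's NFS export is
really /Users (EXPORT_PATH below; adjust it to your own Sharing setup).
The map file name and the NFS mount options are assumptions too.
"""
import re

# Constructed sample of `getent passwd` output. The first line is the post's
# own entry; the others were made up to show a second OD user and a local one.
SAMPLE_GETENT = """\
jeffh:x:100:20:Jerky Jerk:/Network/Servers/odmaster.jerkys.org/Users/jeffh:/bin/bash
alice:x:1002:20:Alice Example:/Network/Servers/odmaster.jerkys.org/Users/alice:/bin/bash
root:x:0:0:root:/root:/bin/bash
"""

EXPORT_PATH = "/Users"                   # what the server really exports (assumed)
MOUNT_OPTS = "-fstype=nfs,rw,hard,intr"  # assumed options; tune for your site

# /Network/Servers/<server>/<path...>/<user>
NETWORK_HOME = re.compile(
    r"^/Network/Servers/(?P<server>[^/]+)(?P<path>/.+)/(?P<user>[^/]+)$")


def parse_passwd(text):
    """Return [(login, home)] for every well-formed 7-field passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of guessing
        entries.append((fields[0], fields[5]))
    return entries


def autofs_maps(text, export_path=EXPORT_PATH):
    """Build autofs maps from passwd text.

    Returns (master_lines, maps, skipped): master_lines go into auto.master,
    maps is {map file: [indirect-map lines]}, and skipped lists accounts whose
    home is not an OD network home (local users) or whose home's last path
    component does not match the login (worth a second look).
    """
    master = {}
    maps = {}
    skipped = []
    for login, home in parse_passwd(text):
        m = NETWORK_HOME.match(home)
        if not m or m.group("user") != login:
            skipped.append(login)
            continue
        server = m.group("server")
        mount_point = f"/Network/Servers/{server}{m.group('path')}"
        map_file = f"/etc/auto.{server.split('.')[0]}"  # assumed naming
        master[mount_point] = map_file
        # LDAP says the home is under /Network/Servers/..., but the NFS export
        # itself is export_path on the server, so the map location uses that.
        maps.setdefault(map_file, []).append(
            f"{login}\t{MOUNT_OPTS}\t{server}:{export_path}/{login}")
    master_lines = [f"{mp}\t{mf}" for mp, mf in sorted(master.items())]
    return master_lines, maps, skipped


if __name__ == "__main__":
    master_lines, maps, skipped = autofs_maps(SAMPLE_GETENT)
    print("# auto.master")
    print("\n".join(master_lines))
    for map_file, lines in maps.items():
        print(f"\n# {map_file}")
        print("\n".join(lines))
    print("\n# not network homes:", ", ".join(skipped))
```

The mount point comes from the LDAP home path and the location from the real export, which is exactly the mismatch the post points out; accounts whose home does not follow the network-home pattern are listed rather than silently mapped, so a local account or a typo in a user record shows up in the output.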

    in reply to: Ubuntu clients and Open Directory #369076
    jerkyjerk
    Participant

    Debian was the first Linux I attempted to integrate with Open Directory. I was successful but never really went back and cleaned up my notes about what I did, especially since I tend to spend more time with RedHat EL or CentOS.

    I’ve posted [url=http://www.jerkys.org/wiki/x/BgAm]what rough notes I do have on my wiki[/url]. Depending on how much of a UNIX hacker you are you might be able to glean something from them, or they just might look like gibberish. One day when I have time or the urge to revisit it again I’ll update and clean them up.

    The RedHat/Fedora and clones are definitely easier to get working than any other Linux distro I’ve used.

    in reply to: LDAP from Mysql #369075
    jerkyjerk
    Participant

    I wasn’t familiar with Rumpus so I took a look and see it’s an FTP daemon with a nice admin front end on it. Looking through the GUI though I don’t see any alternative forms of authentication like LDAP or MySQL. But reading through the technical details document, it stores all its info in /usr/Rumpus and the file of interest is rumpus.users. Excerpted from the Technical Details PDF:

    Rumpus.users
    This text file contains the user account definitions for all Rumpus user accounts. The file is maintained in tab-delimited ASCII format and includes the following fields, in order:

    Account Name: login name
    Password: user account password, encrypted or plain text
    Home Folder: “ROOT” or a full path to user home folder
    Permissions: “Y” or “N” for specific privileges, see below
    Max Folder Size: in MB
    Folder Set ID: a numeric ID, see the “Rumpus.fsets” file
    Upload Notice Name: must exactly match a defined notice name
    Max Simultaneous Connections: “Y” or “N” enables the option, followed by value
    Max Upload Rate: use “Y” or “N”, followed by value in KBps
    Max Upload/Download Ratio: use “Y” or “N”, followed by value
    Custom File Permission Settings: “Y” or “N”, plus “N” (none), “R” (read) or “B” (read & write)
    Account Expiration Info: use “P” (permanent), “D” (disable) or “R” (remove)
    Max Download Rate: use “Y” or “N”, followed by value in KBps

    Using this info I was able to manually manipulate the file into adding a user without using the GUI:

    [code]testuser mcrypt:-284218835,254703885,756252252,-2063730403 ROOT YYYYYYYYNNN 0 0 N4 N16 N100 NBRR P N16 N-
    testuser2 testuser2 ROOT YYYYYYYYNNN 0 0 N4 N16 N100 NBRR P N16 N-[/code]

    Without spending much time figuring out how to do it as a crypted string, I just stored a clear-text password, as you can see by the testuser2 entry. I restarted the daemon and was able to log in as testuser2.

    Where I’m going with all this is that you could probably do without ODBC, MySQL and LDAP to support storing username/password info in FileMaker while using that same username/password combo to allow clients to log into Rumpus. Depending on what your strong points are you could probably use anything from AppleScript to Perl to a shell script to make this work. I haven’t used FileMaker in a long time (I think 4 or 5 was the last version I touched), but if you can schedule a daily export of your records to a text file, you should be able to use any of the three languages to execute an import into the rumpus.users file via cron.
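Before scripting imports into rumpus.users, it is worth being able to parse the file and see what is actually in it. The following is an added example, not Rumpus vendor code and not the post’s import script: a parser for the field layout quoted above plus an audit that reports accounts with plain-text passwords (the situation the testuser2 entry illustrates). It assumes the records are tab-delimited as the excerpt says (the post’s pasted entries show spaces, presumably because the tabs were lost in copying), that the field order is exactly the quoted one, and that an encrypted password carries the “mcrypt:” prefix seen in the testuser entry; the sample lines are constructed.

```python
"""Parse and audit a Rumpus rumpus.users file.

Added example; not Rumpus vendor code and not the post's import script.
Assumptions: the field order is the one in the Technical Details excerpt
quoted in the post, records are tab-delimited (the post's pasted entries show
spaces, presumably because the tabs were lost), and an encrypted password is
marked by the "mcrypt:" prefix seen in the post's testuser entry.
"""

FIELDS = [
    "account_name", "password", "home_folder", "permissions",
    "max_folder_size_mb", "folder_set_id", "upload_notice_name",
    "max_simultaneous_connections", "max_upload_rate",
    "max_upload_download_ratio", "custom_file_permissions",
    "account_expiration", "max_download_rate",
]

# Constructed sample: the two entries from the post re-tabbed to 13 fields,
# plus a truncated record to show how a malformed line is reported.
SAMPLE_RUMPUS_USERS = "\n".join([
    "\t".join(["testuser", "mcrypt:-284218835,254703885,756252252,-2063730403",
               "ROOT", "YYYYYYYYNNN", "0", "0", "", "N4", "N16", "N100",
               "NBRR", "P", "N16"]),
    "\t".join(["testuser2", "testuser2", "ROOT", "YYYYYYYYNNN", "0", "0", "",
               "N4", "N16", "N100", "NBRR", "P", "N16"]),
    "\t".join(["shortuser", "mcrypt:1,2,3,4", "ROOT"]),
])


def parse_rumpus_users(text):
    """Return (records, errors): records are dicts keyed by FIELDS, errors are
    (line number, message) for lines with the wrong field count."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(FIELDS):
            errors.append((lineno, f"expected {len(FIELDS)} fields, got {len(fields)}"))
            continue
        records.append(dict(zip(FIELDS, fields)))
    return records, errors


def is_encrypted(password):
    """Rumpus marks encrypted passwords with an mcrypt: prefix (post's sample)."""
    return password.startswith("mcrypt:")


def audit(records):
    """Flag weak account definitions. Returns [(account, finding)]."""
    findings = []
    for r in records:
        name = r["account_name"]
        if not is_encrypted(r["password"]):
            findings.append((name, "password stored in plain text"))
        if r["password"] == name:
            findings.append((name, "password equals account name"))
        if r["home_folder"] == "ROOT":
            findings.append((name, "home folder is ROOT rather than a dedicated folder"))
    return findings


if __name__ == "__main__":
    records, errors = parse_rumpus_users(SAMPLE_RUMPUS_USERS)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for account, finding in audit(records):
        print(f"{account}: {finding}")
```

Running the audit from the same cron job that performs the import gives you a daily list of accounts that were written with clear-text passwords or that sit at the server root, which is the first thing to review if the FileMaker export ever feeds the file directly.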

    in reply to: LDAP from Mysql #369072
    jerkyjerk
    Participant

    Is your goal some kind of single sign-on? You have an application that uses MySQL for authentication and you want some workstations to use LDAP for authentication? And by using MySQL as your back end instead of bdb you get to drive both from the same usernames/passwords? Is the ODBC export to MySQL one-time, or are you going to use the ODBC from FileMaker to drive only the usernames/passwords while you continue to use your FileMaker app, and the logic is it would be easier to use MySQL with some kind of LDAP instead of FileMaker? I’m just trying to figure out what’s the motivation for using MySQL instead of the default bdb backend with LDAP. What kind of clients are you using? Mac, Windows, *NIX? A mix?

    in reply to: LDAP from Mysql #369069
    jerkyjerk
    Participant

    What are you using plain OpenLDAP, Open Directory or something else? If you are using plain OpenLDAP then I think you should be able to.

    An article in Spanish; you might be able to glean something from the example configs.
    [url]http://www.ecualug.org/?q=2006/07/21/forums/openldap_con_mysql_backend[/url]

    A PDF HOWTO:
    [url]http://www.noofs.org/doc/ldap_sql.pdf[/url]

    in reply to: linux ldap clients to authenticate to OD #369066
    jerkyjerk
    Participant

    If you skip the Kerberos part you should be able to get a RedHat (or CentOS) host to at least use OD/LDAP without even cracking open the command line. If you are using Ubuntu it might be a bit more tricky. I’ve gotten Debian working with this in the past but it was way more involved. Last I remember, Debian and probably Ubuntu don’t have anything like the system-config-authentication tool.

    in reply to: How loud is the XServe really? #369062
    jerkyjerk
    Participant

    I’ve recently acquired one of the original XServe G4’s and figured I’d respond to my own question in case anyone else might be curious how loud they are. If you are not used to working in a datacenter with server-grade hardware then they would definitely seem ridiculously loud. Compared to other servers I would say it’s a bit louder, but it’s a different noise. When powering up a Hewlett-Compaqard DL320 G2 the fans go full speed. There are many little fans and they make a bit of a high-pitched whine when they are on. The XServe doesn’t have the high-pitched whine about it, more of the sound of moving a large volume of air. The fans, er, blowers, never spin up or down in any noticeable amount so it just appears constant. I’ve heard that the subsequent generations have the ability to spin the blowers down to reasonable speeds if the machine is idle.

    On a side note it’s super quick compared to the first gen PowerMac G4 it’s replacing.

    in reply to: linux ldap clients to authenticate to OD #369061
    jerkyjerk
    Participant

    I believe I have, what it sounds like you are describing, working for quite a while now. Here’s what I have:

    Linux host using OD for LDAP lookup.
    Linux host allowing Kerberos logon both remotely and locally.
    Automounting NFS file system.

    I’ve recently started compiling all my notes into articles and publishing them on a wiki. I’d recommend you take a peek at a few of the articles and see if any of it helps.

    [url=http://www.jerkys.org/wiki/x/OwAf]article about using automounted filesystem[/url]

    [url=http://www.jerkys.org/wiki/x/YgAf]articles about using OD and Kerberos with linux[/url]

    [url=http://www.jerkys.org/wiki/x/CQAQ]article about creating a keytab file[/url]

    Hopefully that helps.

    in reply to: How loud is the XServe really? #368693
    jerkyjerk
    Participant

    No, my Mac roots don’t go back quite that far. I started right at the PowerPC phase, the x100 family. I’ve heard it being comparable to, say, a PowerMac MDD when the fans go on high. If that is really close then I have a good idea what I’m getting into. I’ve also read posts stating it’s so loud that you can’t even talk to someone standing next to you and you need earplugs, and I’ve seen others state it’s loud but compared to other rack servers it’s only slightly higher than what would be par for the course. So I don’t know what to believe since I’ve never worked with one. Thanks for the input.

    jerky

    in reply to: OpenDirectory + Solaris 10 = major league hair-pullage #367927
    jerkyjerk
    Participant

    PITA might be an understatement, but I hear you. Apparently Solaris 10 isn’t really any better than Solaris 9 since everything still revolves around that damn ldapclient utility. The only improvement/difference I really noticed was in Kerberos/SEAM, since 9 only supports DES while 10 supports 3DES and IIRC AES. Several times I had thought of “cheating” and just compiling my own OpenLDAP and Kerberos binaries but chose to stick it out, work through it and use the Sun-supplied versions for better patch supportability. I didn’t want to have to constantly rebuild OpenLDAP and Kerberos myself. After working with getting this same thing working on a RedHat clone distro I was amazed at how convoluted, and bordering on sadistic, the whole process is in Solaris. The Linux camp (or at least the RedHat team in my experience) is light years ahead of them in configuration simplicity, and it seems not much has changed since the older version 7 (circa 2000??) with regards to their auth-config tools. The other commercial UNIXes aren’t any better than Sun. I’ve spent some time (albeit less) with IRIX, HP-UX and AIX. IRIX is the only other commercial UNIX I had success with. I will say HP and IBM’s LDAP clients are a PITA as well. IIRC they want special schema extensions.

    Were you trying to get ldap auth working or going the whole SSO route with kerberos? LDAP auth was still kind of eluding me but I got distracted and never revisited it since kerberos auth was working properly and ldap was doing its thing providing the user/authorization info. It was good enough for my purposes.

    in reply to: OpenDirectory + Solaris 10 = major league hair-pullage #367923
    jerkyjerk
    Participant

    Earlier this year I spent time hacking on this. I had worked on it off and on for a year on one of my Sun boxes in my home lab. On my last attempt my search yielded someone on the Apple discussions talking about his trying to do that. I then got motivated to pick it up again since I might have someone to bounce ideas off of.

    It appears, at least where I am, the Apple discussions are running a bit slow, but the thread can be found at:

    http://discussions.apple.com/thread.jspa?messageID=1827113&#1827113

    Below is the text of the thread in case anyone is impatient and doesn’t want to currently wait. My next thing I wanted to do is get TLS to work, but if you are using Kerberos I don’t think it’s such a major thing on a closed network. I’d be interested in hearing about any attempts of using LDAP-TLS with Solaris. I’ve gotten it working rather easily on Linux but haven’t had the time to work out the Solaris thing yet.

    Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 27, 2006 2:38 PM

    I have 10.4.4 Server running on a dual 2.3G G5, and it’s working very well… Mac clients and Windows clients can authenticate, change passwords, mount home directories and all is well.

    The Mac is an Open Directory Master and SSL is not enabled (I don’t need that, it’s a private network).

    Does anyone know how to get a Solaris 9 machine to authenticate against the Mac?

    PowerBook G4 (15-inch Titanium Mac OS X (10.4.5)


    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 27, 2006 9:35 PM in response to: Mike Ingram

    Have you attempted it at all? If so, how far did you get? I’ve been working on that off and on for quite a while. I recently picked it up again and I’ve gotten a little further. I’ve gotten the command ldaplist to output all of the directory’s top-level list like:

    [code]dn: cn=config,dc=foo,dc=net
    dn: cn=users,dc=foo,dc=net
    dn: cn=groups,dc=foo,dc=net
    dn: cn=mounts,dc=foo,dc=net
    <...snip...>
    dn: cn=autoserversetup,dc=foo,dc=net
    dn: cn=neighborhoods,dc=foo,dc=net[/code]

    I’m still a bit off since getent passwd/group doesn’t yield any LDAP users or groups, but at least I know it’s talking to the LDAP server somewhat.

    In the research I’ve done, Solaris’s LDAP and Kerberos (SEAM) libraries appear to be a little funky in getting to interop with other LDAP and Kerberos implementations. A lot of people complain about them in the various places I’ve read, and any that did get it working recommend just forgoing the stock libraries altogether and building OpenLDAP along with MIT or Heimdal Kerberos instead. I’ve been stubborn and haven’t wanted to do that; sticking with the stock libs seems easier from a support standpoint. I don’t want to have to rebuild the OpenLDAP and Kerberos libs from source when I need to update due to some gaping security hole. It’s easier to just install a Sun-provided patch, I think.

    Since I’ve made some headway, I’m a bit encouraged to continue hacking away at it. I’ll post anything I can regarding what I did if I do get it to work. My goal is to get both LDAP and Kerberos working for the single sign-on effect. I’ve got it working with a Linux client and it’s really convenient.

    jerky

    PowerMac G4 Mac OS X (10.3.9)

    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Feb 28, 2006 9:35 AM in response to: Jerky

    Yes, I have attempted it… The Solaris box (Solaris 9 and 10, by the way) seems to “see” the Mac LDAP server; ldaplist comes back with the same information that I get when I use LDAP Browser to view the directory entries.

    On the Mac I have added the DUAConfig and solaris schemas into /etc/openldap/schemas and altered /etc/openldap/slapd.conf to include them, restarted the Mac and Open Directory was still alive (Yay!)

    On the Solaris box I have:

    set the domainname to be the same as the LDAP domain (example.com where the LDAP domain is dc=example,dc=com)

    [code]ldapclient manual \
    -a credentialLevel=anonymous \
    -a authenticationMethod=simple \
    -a defaultSearchBase=dc=example,dc=com \
    -a defaultServerList=zeus.example.com \
    -a domainName=example.com[/code]

    But this is about as far as I get… I started working with changing /etc/pam.conf per some man pages and some examples that recommend replacing

    [code]auth required pam_unix_auth.so.1[/code]

    with

    [code]auth binding pam_unix_auth.so.1 server_policy[/code]

    and then adding

    [code]auth required pam_ldap.so.1[/code]

    But it still doesn’t work… can’t get the Sun to find a user that definitely exists as a loginable user on the Mac and on the Windows boxen.

    That’s my story so far!

    PowerBook G4 (15-inch Titanium Mac OS X (10.3.7)

    PowerBook G4 (15-inch Titanium Mac OS X (10.4.4)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 8, 2006 9:12 PM in response to: Mike Ingram

    I’m still hacking away at this one. I think I’ve made some headway so I figured I’d share what I got so far so I don’t lose the info. I’m actually getting ldap users returned. I think my next step is to start tackling PAM and then start working on Kerberos. I’m getting sleepy so I think I’ll let this rest for a bit. I’ll post more when I make some more progress.

    The following is the relevant output from my terminal session on my Solaris 10 box:

    bash-3.00# ldapclient manual -v -a domainName=foo.bar
    -a serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    -a serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    -a authenticationMethod=none -a credentialLevel=proxy
    -a defaultSearchBase=dc=foo,dc=bar
    -a searchTimeLimit=60
    -a proxyDN=uid=root,cn=users,dc=foo,dc=bar
    -a proxyPassword=password 172.1.1.10
    Parsing domainName=foo.bar
    Parsing serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    Parsing serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    Parsing authenticationMethod=none
    Parsing credentialLevel=proxy
    Parsing defaultSearchBase=dc=foo,dc=bar
    Parsing searchTimeLimit=60
    Parsing profileTTL=3600
    Parsing proxyDN=uid=root,cn=users,dc=foo,dc=bar
    Parsing proxyPassword=password
    Arguments parsed:
    authenticationMethod: none
    defaultSearchBase: dc=foo,dc=bar
    credentialLevel: proxy
    domainName: foo.bar
    proxyDN: uid=root,cn=users,dc=foo,dc=bar
    profileTTL: 3600
    searchTimeLimit: 60
    serviceSearchDescriptor:
    arg[0]: passwd:cn=users,dc=foo,dc=bar
    arg[1]: group:cn=groups,dc=foo,dc=bar
    proxyPassword: password
    defaultServerList: 192.168.50.46
    Handling manual option
    Manual aborted: profileTTL is not supported in manual mode.
    <=60 -a proxyDN=uid=root,cn=users,dc=foo,dc=bar -a proxyPassword=password 1>
    Parsing domainName=foo.bar
    Parsing serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=bar
    Parsing serviceSearchDescriptor=group:cn=groups,dc=foo,dc=bar
    Parsing authenticationMethod=none
    Parsing credentialLevel=proxy
    Parsing defaultSearchBase=dc=foo,dc=bar
    Parsing searchTimeLimit=60
    Parsing proxyDN=uid=root,cn=users,dc=foo,dc=bar
    Parsing proxyPassword=password
    Arguments parsed:
    authenticationMethod: none
    defaultSearchBase: dc=foo,dc=bar
    credentialLevel: proxy
    domainName: foo.bar
    proxyDN: uid=root,cn=users,dc=foo,dc=bar
    searchTimeLimit: 60
    serviceSearchDescriptor:
    arg[0]: passwd:cn=users,dc=foo,dc=bar
    arg[1]: group:cn=groups,dc=foo,dc=bar
    proxyPassword: password
    defaultServerList: 192.168.50.46
    Handling manual option
    Proxy DN: uid=root,cn=users,dc=foo,dc=bar
    Proxy password: {NS1} 1a2b3c4d5e6f7g8h
    Credential level: 1
    Authentication method: 0
    No proxyDN/proxyPassword required
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: network/smtp:sendmail… success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: system/name-service-cache:default… success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default… success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is “foo.bar”
    file_backup: stat(/var/yp/binding/foo.bar)=-1
    file_backup: No /var/yp/binding/foo.bar directory.
    file_backup: stat(/var/ldap/ldap_client_file)=0
    file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
    file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
    Starting network services
    start: /usr/bin/domainname foo.bar… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: sleep 400000 microseconds
    start: network/ldap/client:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: system/filesystem/autofs:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: system/name-service-cache:default… success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: network/smtp:sendmail… success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default… success
    System successfully configured
    bash-3.00# listusers
    ldapuser1
    ldapuser2
    ldapuser3
    jerky local test Solaris user
    noaccess No Access User
    nobody NFS Anonymous Access User
    nobody4 SunOS 4.x NFS Anonymous Access User

    regards,
    jerky

    PowerMac G4 Mac OS X Server (10.3.9) client Sun Fire v100 Solaris 10

    PowerBook G4 Mac OS X (10.4.5)


    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 11, 2006 12:35 PM in response to: Jerky

    Mike,

    I’ve messed around with pam a little bit but haven’t gotten it quite yet. RedHat makes this much easier. If you can recall what changes to pam you had made, could you post them? On the client side it is definitely trying to negotiate Kerberos authentication. When I try to ssh to my Solaris machine I get a new ticket for host/[email protected]. (Yes, I have created a keytab for it in the KDC.) I think at this point pam is getting in my way. I’m still searching and reading but thought it might be useful to see what someone else had come up with or was trying.

    regards,
    jerky

    PowerBook G4 Mac OS X (10.4.5)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 13, 2006 1:06 PM in response to: Jerky

    I can’t believe I didn’t catch this! I created a principal for the Solaris machine, exported it to a keytab, modified the Solaris /etc/pam.conf file (see far below for an excerpt), transferred the keytab via ssh from the OD machine to the Solaris host but never placed it into the /etc/krb5 folder on the Solaris host. So I’ve been sitting on a working configuration for a few days now but didn’t realize how close I was. If you followed along with the above, the last piece of the puzzle is setting up Kerberos. You’ll need a keytab to use. I haven’t really spent the time to wrap my head around the why, but I’ve found it easier to just create the keytabs from a terminal session on the OD console. When I’ve tried to do it logged in via ssh I get errors like “Unknown credential cache type while opening default credentials cache”. I’m sure they mean something but it hasn’t been such a priority for me to figure it out. If you know, feel free to chime in with an explanation. The following is my terminal session output:

    [code]Last login: Mon Mar 13 13:22:46 from 127.0.0.1
    Welcome to Darwin!
    od-server:~ adminuser$ sudo kadmin.local
    Authenticating as principal root/[email protected] with password.
    kadmin.local: listprincs
    K/[email protected]
    afpserver/[email protected]
    [email protected]

    pop/[email protected]
    smtp/[email protected]
    kadmin.local: addprinc -randkey host/[email protected]
    WARNING: no policy specified for host/[email protected]; defaulting to no policy
    Principal “host/[email protected]” created.
    kadmin.local: ktadd -k /tmp/host.solarishost.keytab host/[email protected]
    kadmin.local: quit
    od-server:~ adminuser$ scp /tmp/host.solarishost.keytab [email protected]:/somewhere/on/a/filesystem[/code]

    On the Solaris host you’ll need to copy the OD’s /Library/Preferences/edu.mit.kerberos file to /etc/krb5/krb5.conf on the Solaris host and copy/move that host.solarishost.keytab file to /etc/krb5/krb5.keytab. Just to be safe you might want to back up the existing /etc/krb5.conf file to something like /etc/krb5.conf.DIST.

    I think this should be everything you need to get the Solaris host using OD’s LDAP directory (authorization) and Kerberos realm (authentication). Keep in mind LDAP is by default a clear-text protocol, so I’d strongly recommend using SSL. I plan on collecting this into a coherent HOWTO and at that time I’ll add in the SSL bits and improve the method if possible. It would be nice if the authorization info from LDAP could be sucked down without a “proxy user”; then the only password-type info transmitted on the wire is the Kerberos transaction, which is encrypted anyhow.

    Hope this helps,

    jerky

    Excerpt from Solaris /etc/pam.conf file:

    [code]# Authentication management
    #
    # login service (explicit because of pam_dial_auth)
    #
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    #login auth required pam_unix_auth.so.1
    login password sufficient pam_krb5.so.1
    login auth required pam_dial_auth.so.1
    login auth required pam_ldap.so.1

    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_krb5.so.1
    other password required pam_authtok_store.so.1[/code]

    PowerBook G4 Mac OS X (10.4.5)

    PowerMac G4 Mac OS X (10.3.9) Client Sun Fire v100 Solaris 10


    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 23, 2006 2:19 PM in response to: Jerky

    Excellent! This is all starting to come together. I actually got the Solaris 9 box to log in to the Kerberos realm and got the home directory mounted from the Mac Server box, and the users can actually create files. So now I have single sign-on for Solaris, Windows and OS X!! The only thing I had to alter from your instructions was in the creation of the krb5.conf file for the Solaris machine… seems that Solaris 9 only likes a des-cbc-crc key, so I had to do something like

    addprinc -randkey -e "des-cbc-crc:normal" host/[email protected]

    and ktadd -k /tmp/solariskey.keytab -e "des-cbc-crc:normal" host/[email protected]

    I still have something hosed in my /etc/pam.conf file, as it asks me for the password and the LDAP password, but we’re making progress.

    Many thanks, and I’ll post my /etc/pam.conf file when I get it ironed out.

    PowerBook G4 (15-inch Titanium) Mac OS X (10.4.5)

    PowerBook G4 (15-inch Titanium) Mac OS X (10.3.7)

    Jerky

    Posts: 11
    From: Midwest
    Registered: Feb 20, 2006
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Mar 24, 2006 11:35 AM in response to: Mike Ingram

    That’s great, Mike. I was curious, so I looked into that DES keytab issue, and triple DES isn’t supported by Solaris 9’s SEAM. Solaris 10’s SEAM is the first release to support it.

    http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/febf8204c96399d8/43d7e86f28849819?lnk=st&q=Solaris+9+SEAM+3des&rnum=1#43d7e86f28849819

    It’s not as important, but something that I haven’t gotten working yet is 100% LDAP authentication. If I try to log onto the Sun’s console (or ssh without a TGT) as an OD user, it doesn’t work. I get some error logged about no legal LDAP authentication methods. Is that what you are trying to get worked in with PAM? If it helps I can post my entire pam.conf file.

    So are you automounting the homes on the Solaris box, or do you just have a static NFS mount? I take it they are coming from the Mac OS server via NFS.

    jerky

    PowerMac G4 Mac OS X Server (10.3.9) Solaris 10 client

    PowerBook G4 Mac OS X (10.4.5)

    Mike Ingram

    Posts: 7
    Registered: Jan 5, 2005
    Re: Solaris authentication with 10.4 Server Open Directory
    Posted: Apr 3, 2006 11:27 AM in response to: Jerky

    Wow, it all seems to be working. I found an example pam.conf file at:

    http://www.ofb.net/~jheiss/krbldap/files/pam.conf-9 and it’s working for console access and for ssh.

    I used a fixed mount point to mount zeus:/Users at /Network/Servers/zeus.foo.bar/Users, and having set up NFS exports for the home directories, the User area is mounted OK on the Sun.

    Here is the pam.conf file in case the link above is busted or goes away:
    ==================
    # PAM configuration
    #
    # Customized to try pam_unix, then pam_krb5
    #
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    #
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    #
    # Authentication
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth required pam_passwd_auth.so.1
    #
    # Default definition for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    # management
    #
    other auth requisite pam_authtok_get.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_krb5.so.1 use_first_pass
    #
    # Account
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # See notes about pam_krb5 in "other" section below
    cron account optional pam_krb5.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account required pam_unix_account.so.1
    # According to the pam_krb5 man page, this checks for password expiration.
    # I'm not sure this does anything since I've flagged it as optional.
    # I'm not sure if I can make it required because of root.
    other account optional pam_krb5.so.1
    #
    # Session
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other session optional pam_krb5.so.1
    other session required pam_unix_session.so.1
    #
    # Password
    #
    # (Don't list pam_krb5 here, this section is only for root. Regular
    # users must use the centralized department password changing mechanism.)
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    #
    ==========

    Thanks for your help, hope this helps.

    Mike
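The difference between the two pam.conf listings in this thread (Jerky's login stack that still prompts for an LDAP password, and Mike's working "other" stack) comes down to the Solaris control flags. The following is an added example, not code from either post: a small simulator of pam.conf(4) flag semantics, assuming that pam_unix_auth's server_policy option returns PAM_IGNORE for users not in the local passwd file and that pam_authtok_get, pam_krb5 and pam_ldap each prompt for a password unless given use_first_pass/try_first_pass.

```python
"""Simulate Solaris pam.conf control flags (added example, not code from the thread): requisite
fails fast, required/binding record a failure, sufficient/binding succeed early if nothing required failed."""

PROMPTING = {"pam_authtok_get.so.1", "pam_krb5.so.1", "pam_ldap.so.1"}  # assumed to prompt
FIRST_PASS = {"use_first_pass", "try_first_pass"}                        # ...unless given these
# The two auth stacks copied from the pam.conf listings in this thread.
JERKY_LOGIN = """
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
"""
MIKE_OTHER = """
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
"""

def parse(text, service, mtype):
    """Return (flag, module, options) for the entries of one service and module type."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [(r[2], r[3], r[4:]) for r in rows if len(r) >= 4 and r[:2] == [service, mtype]]

def run_stack(entries, outcomes):
    """outcomes: module -> True/False/None (PAM_IGNORE, assumed for pam_unix_auth server_policy
    with a non-local user); unlisted modules pass. Returns (authenticated, password_prompts)."""
    required_failed = succeeded = False
    prompts = 0
    for flag, module, opts in entries:
        if module in PROMPTING and not FIRST_PASS & set(opts):
            prompts += 1
        ok = outcomes.get(module, True)
        if ok is None:                       # PAM_IGNORE: no effect on the result
            continue
        if not ok:
            if flag == "requisite":          # stop right away
                return False, prompts
            if flag in ("required", "binding"):
                required_failed = True
            continue                         # sufficient/optional failures are ignored
        succeeded = True
        if flag in ("sufficient", "binding") and not required_failed:
            return True, prompts             # short-circuit success
    return succeeded and not required_failed, prompts

if __name__ == "__main__":  # an OD user: no local passwd entry, valid Kerberos/LDAP password
    print(run_stack(parse(JERKY_LOGIN, "login", "auth"), {"pam_unix_auth.so.1": None, "pam_ldap.so.1": True}))
    print(run_stack(parse(MIKE_OTHER, "other", "auth"), {"pam_unix_auth.so.1": False, "pam_krb5.so.1": True}))
```

For an OD user, Jerky's login stack authenticates but prompts twice because pam_ldap is required and carries no use_first_pass, while Mike's other stack prompts once and still lets a local root log in through the sufficient pam_unix_auth entry. With a wrong password Mike's stack fails because pam_krb5 is required.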
