AD is the next step. I only chose ldap first, because it is easier for me to test, and I wanted to get something into gutsy. I read your whitepaper at the sprint. I noticed you had done a few things differently than clifton1, who is also working on it.
BTW, the last time I checked, smbmount still did not have working kerberos support.

On Thu, 2007-07-19 at 10:01 -0400, Peter Matulis wrote:
> Hi Server team,
>
> The Support team receives requests for single-signon authentication with
> Active Directory on a regular basis. So this work is a definite plus
> from the paid customer's point of view. I've managed to implement this
> manually with the exception of mounting an AD share automatically (i.e.
> user's home share) using pam_mount. I began to write a whitepaper on
> it. Hopefully pam_mount can also be included in the
> 'auth-client-config' work.
>
> I'm willing to help test the new script here in the Support office.
>
> Thank you,
>
> p.s. Contact me if anyone wants to help me troubleshoot my pam_mount issue.
>
> --
> Peter Matulis, Ubuntu Support Analyst
> Tel: +1 514 940 8917
> Canonical Services and Support
> http://www.canonical.com/support/
> 0x34F740E8 7EFC B394 871D CA0B 6AB7 DB5E 91F8 F8EF 34F7 40E8
>
>
> James Strandboge wrote:
> > Hi,
> >
> > As per the meeting the other day, I created the 'auth-client-config'
> > script to help with management of nsswitch.conf and pam.
> >
> > Summary
> > -------
> > The basic idea came from a conversation with dendrobates, where he
> > wanted a script that debconf (or other programs) could call and handle
> > the updating of pam and nsswitch.conf, a la update-inetd.
> >
> > Implementation
> > --------------
> > auth-client-config is written in python (OO). It is non-interactive cli
> > only. It supports modifying nss, pam-account, pam-auth, pam-password,
> > and pam-session types, and any number of configurable profiles.
> > Profiles are configured in a configuration file (via ConfigParser) that
> > is simply a database of various authentication 'profiles'. Eg, an
> > example entry from the database is:
> >
> > [ldap]
> > nss_passwd=passwd: files ldap
> > nss_group=group: files ldap
> > nss_shadow=shadow: files ldap
> > pam_auth=auth required pam_env.so
> >     auth sufficient pam_unix.so likeauth nullok
> >     auth sufficient pam_ldap.so use_first_pass
> >     auth required pam_deny.so
> > pam_account=account sufficient pam_unix.so
> >     account sufficient pam_ldap.so
> >     account required pam_deny.so
> > pam_password=password required pam_cracklib.so difok=2 minlen=8
> >     dcredit=2 ocredit=2 retry=3
> >     password sufficient pam_unix.so nullok md5 shadow
> >     use_authtok
> >     password sufficient pam_ldap.so use_first_pass
> >     password required pam_deny.so
> > pam_session=session required pam_limits.so
> >     session required pam_unix.so
> >     session optional pam_ldap.so
> >
> > As you can see, this is in the INI config style (this is what
> > ConfigParser supports), and for each 'key', its value is what you want
> > in a particular type.
> >
> > Usage
> > -----
> > To update a particular file, run auth-client-config with the type to
> > modify, and the profile to use. Eg, to update nsswitch.conf with the
> > above ldap entry, you would run:
> >
> > auth-client-config -t nss -p ldap
> >
> > This will change the standard /etc/nsswitch.conf file to:
> > ...
> > # pre_auth-client-config # passwd: compat
> > passwd: files ldap
> > # pre_auth-client-config # group: compat
> > group: files ldap
> > # pre_auth-client-config # shadow: compat
> > shadow: files ldap
> > ...
> >
> > The '# pre_auth-client-config #' comment allows for users to easily back
> > out changes to the original, pre-auth-client-config state.
> >
> > auth-client-config also supports an '-f' option for specifying a
> > different file to use than the default (eg /tmp/nsswitch.conf, instead
> > of /etc/nsswitch.conf), and also a '-n' option for a dry-run that will
> > not modify anything. See the man page for all options.
> >
> > Discussion
> > ----------
> > I envision this being integrated with dendrobates' work, where he will
> > setup the various profiles for auth-client-config (see TODO for more
> > discussion). The profile name will correspond to a debconf option in
> > his 'ldap-auth-client' package. Eg:
> >
> > Choose an authentication/authorization method:
> >
> >   Ubuntu Directory
> >   Active Directory
> >   Fedora Directory Server
> >   Novell
> >   LDAP
> >   Local
> >
> >   Ok
> >
> > If the user chooses 'Active Directory' say, then debconf would run:
> > auth-client-config -t nss -p ad
> > auth-client-config -t pam_auth -p ad
> > auth-client-config -t pam_account -p ad
> > auth-client-config -t pam_password -p ad
> > auth-client-config -t pam_session -p ad
> >
> > and auth-client-config's profiles database would have:
> > [ad]
> > ...
> >
> >
> > TODO
> > ----
> > 1. Move some configuration from auth-client-config
> > into /etc/auth-client-config/acc.conf
> >
> > 2. Currently, the database is stored
> > in /etc/auth-client-config/profile.d/acc-default. This value is hard
> > coded. I plan on making auth-client-config support reading all files
> > from the /etc/auth-client-config/profile.d directory, so that packages
> > can drop in authentication profiles, and have them picked up easily.
> >
> > Eg, dendrobates' 'ldap-auth-client' package might create:
> > /etc/auth-client-config/profile.d/ldap
> >
> > and a future kerberos-auth-client might create:
> > /etc/auth-client-config/profile.d/kerberos
> >
> > The design also supports local administrators to create their own
> > profiles, so that site wide network authentication roll-outs can be
> > better supported. Eg, the sysadmin at ABC.com might create:
> > /etc/auth-client-config/profile.d/abc
> >
> > Through creative use of install scripts/kickstart/etc, they can get
> > unattended client installs that end up with proper configuration of
> > network authentication.
> >
> > 'authtool' could also create profiles and use auth-client-config as a
> > backend.
> >
> > Users could create different profiles for different networks, and add
> > these to /etc/auth-client-config/profile.d/ (maybe even for future
> > network-manager integration)
> >
> > 3. create some testing scripts for automated testing
> >
> > 4. testing, testing, and more testing
> >
> >
> > Download
> > --------
> > Currently the files are at:
> > http://www.strandboge.com/software/auth-client-config/
> >
> > There is a deb file too. This has been tested on dapper, but should
> > work on any system supporting python 2.4.
> >
> >
> > Take a look at the man page (or run 'auth-client-config -h'). I highly
> > recommend running this as non-root against non-system files until it has
> > received thorough testing. If running as root, be sure to make backups
> > of /etc/nsswitch.conf and /etc/pam.d/common-*, and leave one root
> > terminal/console open (sudo is not enough!) while testing logins in
> > another, so you can back out the changes.
> >
> > Please feel free to give me feedback or ask questions.
> >
> >
> > Jamie Strandboge (aka 'jdstrand' on IRC)
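The profile database and the '# pre_auth-client-config #' backout markers that James's mail describes, as an added Python example written for this thread (it is not auth-client-config's own code, and the real tool's internal function names are not known or assumed): it reads an INI profile with ConfigParser, applies the nss_* entries to nsswitch.conf text the way the `-t nss -p ldap` run above is shown to, and reverses the change from the markers. The profile text and the nsswitch.conf sample are constructed for the example.

```python
import configparser

# Constructed profile database in the INI layout the mail shows (values copied
# from the quoted [ldap] entry); not the project's shipped acc-default file.
PROFILE_DB = """\
[ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
"""
MARK = "# pre_auth-client-config # "  # prefix the mail shows on saved lines

def load_profile(db_text, name):
    """Return one profile section of the INI database as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(db_text)
    return dict(cp.items(name))

def apply_nss(nss_text, profile):
    """Rewrite nsswitch.conf text as '-t nss -p <profile>' is described: the
    original line of each touched database is kept as a MARK comment and the
    profile's line follows it; anything else passes through unchanged."""
    wanted = {v.split(":", 1)[0].strip(): v
              for k, v in profile.items() if k.startswith("nss_")}
    out = []
    for line in nss_text.splitlines():
        db = line.split(":", 1)[0].strip()     # "# ..." never names a db
        if db in wanted and line.strip() == wanted[db]:
            out.append(line)                   # already applied: keep once
            wanted.pop(db)
        elif db in wanted:
            out.append(MARK + line)
            out.append(wanted.pop(db))
        else:
            out.append(line)
    out.extend(wanted.values())                # databases the file lacked
    return "\n".join(out) + "\n"

def revert_nss(nss_text):
    """Back out: restore each MARK-saved line and drop the inserted line."""
    lines, out, i = nss_text.splitlines(), [], 0
    while i < len(lines):
        if lines[i].startswith(MARK):
            out.append(lines[i][len(MARK):])
            i += 2                             # skip the replacement line
        else:
            out.append(lines[i])
            i += 1
    return "\n".join(out) + "\n"
```

Both functions only transform text, so the mail's '-n' dry run is simply not writing the result back, and testing as non-root against a copy ('-f /tmp/nsswitch.conf') is reading and writing a different path.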
-- ubuntu-server mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
