Author Topic: Joining and authenticating a linux machine to an ebox domain.  (Read 24041 times)

jcanfield

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #15 on: April 29, 2008, 03:11:28 am »
Quote
Client user authentication works using the LDAP guide linked above along with some tampering, however, the rest of this page shows you how to join the domain. What benefits are there of joining the domain? I can authenticate whether I join the domain or not through LDAP so what is the point?

When you join the domain the primary benefit is Domain access, just as the windows machines gain rights to the domain shares and machines.  True, you can authenticate w/o domain membership...but what fun is that if you are a second class citizen on the network?  :)

See: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id350259

Also, you are right about having to make some changes that aren't covered in the howto; in fact, there are several things I would do differently. I have a rough set of notes from my hardy install, I just haven't gotten around to creating an updated howto. Feel free to post any necessary changes you made.

Hope this helps.

Jim

« Last Edit: April 29, 2008, 03:37:56 am by jcanfield »
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius...and a lot of courage - to move in the opposite direction."  --  Albert Einstein

patcunha

« Reply #16 on: April 29, 2008, 10:31:46 am »
What should be in the LDAP base DN ?

themachine

« Reply #17 on: April 30, 2008, 09:37:32 pm »
Quote
Client user authentication works using the LDAP guide linked above along with some tampering, however, the rest of this page shows you how to join the domain. What benefits are there of joining the domain? I can authenticate whether I join the domain or not through LDAP so what is the point?

When you join the domain the primary benefit is Domain access, just as the windows machines gain rights to the domain shares and machines. True, you can authenticate w/o domain membership...but what fun is that if you are a second class citizen on the network?  :)

See: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id350259

Also, you are right about having to make some changes that aren't covered in the howto; in fact, there are several things I would do differently. I have a rough set of notes from my hardy install, I just haven't gotten around to creating an updated howto. Feel free to post any necessary changes you made.

Hope this helps.

Jim

Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use  the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.


In windows I know that you have group policy to push out to clients, but even if you do not join a windows domain, you can still access shares if you provide credentials.



Here are some of the changes that I used to configure client authentication:


On the client machine edit /etc/ldap.conf
  • Ensure you comment out #pam_password md5
  • Set the "host" parameter to your server regardless of the uri pointing to the server


These 2 seemed to be the main culprits in preventing the "getent passwd" command from pulling down the users from the server.


I apologise about my poor post formatting, I am new to posting to forums, I usually search for hours to find solutions and decided I might finally be in a position where I can start contributing.

themachine

« Reply #18 on: April 30, 2008, 09:40:47 pm »
Quote
What should be in the LDAP base DN?

dc=ebox
cn=admin,dc=ebox

Regardless of what you have named your Domain.  I got stuck trying to set these up myself based on the domain name.  For example, if my domain is configured in Ebox as  mydomain.com, I join a windows client to this domain by entering mydomain.com and entering the administrative password.  However, with linux I was trying to use dc=mydomain,dc.com and it failed.  Simply using ebox worked for me.



jcanfield

« Reply #19 on: May 01, 2008, 05:18:23 am »
Quote
Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use  the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.

...but you have to access the share via authentication (some you have no access at all) every time you need access.  As a domain member, you do not have to authenticate.  Does that make sense?  Try browsing the windows network as a domain member vs a non-member.

themachine

« Reply #20 on: May 01, 2008, 11:18:57 am »
Quote
Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use  the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.

...but you have to access the share via authentication (some you have no access at all) every time you need access.  As a domain member, you do not have to authenticate.  Does that make sense?  Try browsing the windows network as a domain member vs a non-member.



Yes, Windows will send your credentials for you if you are a member of the domain. I understand the benefits of Windows joining the domain, but I found that with Linux clients I am prompted for credentials when accessing a network share regardless of whether I join the domain or not. The only way that I found I could stop the prompts was to add the password to my keyring.

Do you find that joining the domain as a linux client you are never prompted for a password for protected shares?
If so then I have missed something in the configuration.



dmeireles

« Reply #21 on: May 30, 2008, 12:32:09 pm »
Quote
I installed Hardy Desktop 8.04 and the instructions did not work.

Windows XP authenticated immediately with no client configuration, and I was determined to get a linux box to authenticate. I finally succeeded after many hours of tampering and finding nothing online despite many searches and lots of reading.

The LDAP guide is nearly correct but there were a few things that also are important.

Now to my question:

Client user authentication works using the LDAP guide linked above along with some tampering, however, the rest of this page shows you how to join the domain. What benefits are there of joining the domain? I can authenticate whether I join the domain or not through LDAP so what is the point?

I am not an expert and this is my first time using ebox and openLDAP authentication so any information or ideas are appreciated.

I think that the advantage of joining the domain would be the fact that, when doing an smb://yourserver, you wouldn't need to put in your username and password, since you have already been authenticated with that server when logging in to your machine. But still, there must be another way to do this without samba, something more linux native... no!?

dmeireles

« Reply #22 on: August 22, 2008, 02:01:39 pm »
Hi all. A couple of questions before trying your setup:

- Can you log in on the domain without a corresponding user account on the machine? And if you can, how do you define that you can use audio devices, mount drives, set up printers, do sudo, etc...? The eBox LDAP structure is prepared for Windows, users don't belong to unix groups such as audio and sudo, that's why I ask... =\
- Is there a way to have this centralized authentication without using samba? samba is mostly used for windows; since the server is linux, there must be a more native way to perform client PCs' authentication against the server's ldap db
- What happens if you try to log in without a connection to the server (like a road warrior)? Will the system use a cached password or won't it allow you to log in?

dmeireles

« Reply #23 on: September 23, 2008, 12:50:06 pm »
bump please....

jcanfield

« Reply #24 on: September 24, 2008, 03:59:43 am »
dmeireles,

Those are actually some of the biggest issues you will see, especially on a ubuntu machine, Redhat handles ldap auth much better with a very simple authconfig interface.  In my experience, you must either change the device groups or add the user locally to the Linux workstation. Concerning your road warrior issue, I've been working on that...You can log in using cached credentials [1] and log in when away from the ldap domain.

[1] https://help.ubuntu.com/community/PamCcredsHowto

Please post any progress you make on this issue back to the forums, this is one apple that needs polishing.

-jim



pechenushka

« Reply #25 on: June 24, 2010, 10:40:59 pm »
Can somebody provide a little  how-to  about joining the  fedora 13  to ebox's ldap and pdc please.

mauriziomarini

« Reply #26 on: July 14, 2011, 08:08:42 am »
I was able to join a centos 5.6 using authconfig without issues.
The trouble was getting getent passwd/group working and getting info from the ebox ldap; I finally solved it by copying the file ldap.conf from the pdc, after replacing ldapi with ldap:

Code:
base dc=pdc,dc=xxxxx,dc=it
uri ldap://192.168.111.6
ldap_version 3
bind_policy soft
rootbinddn cn=ebox,dc=pdc,dc=xxxxx,dc=it
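
A small audit of the client-side ldap.conf settings that come up in this thread (host, the uri scheme, pam_password md5), as an added example that is not part of any post above. The function names, the constructed sample file and the StartTLS check (`ssl start_tls`) are assumptions of this example, not something the posters used.

```shell
#!/bin/sh
# Added example: audit a client ldap.conf (nss_ldap / pam_ldap format:
# "keyword value" per line, '#' starts a comment).

# Print the value of the first active (uncommented) KEY line in FILE.
ldapconf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one finding per line; no output means nothing was flagged.
ldapconf_check() {
    file=$1
    uri=$(ldapconf_get "$file" uri)
    [ -n "$(ldapconf_get "$file" base)" ] || echo "base: not set"
    # Reply #17 sets host even when uri already points at the server.
    [ -n "$(ldapconf_get "$file" host)" ] || echo "host: not set"
    case $uri in
        # ldapi:// is a Unix socket on the server itself (Reply #26 swaps it for ldap://).
        ldapi://*) echo "uri: ldapi:// only works on the LDAP server itself" ;;
        # Plain ldap:// sends binds in the clear unless StartTLS is requested.
        ldap://*)  [ "$(ldapconf_get "$file" ssl)" = start_tls ] ||
                       echo "uri: ldap:// without 'ssl start_tls' is unencrypted" ;;
    esac
    # Reply #17 found an active "pam_password md5" line broke lookups.
    [ "$(ldapconf_get "$file" pam_password)" != md5 ] ||
        echo "pam_password: md5 is still active"
}

# Constructed sample (not from the thread): a file copied from the server unchanged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
base dc=ebox
uri ldapi:///
ldap_version 3
pam_password md5
EOF
ldapconf_check "$sample"
```

Run it against the real file with `ldapconf_check /etc/ldap.conf`; an empty result means none of the conditions above were found.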

christian

  • Guest
« Reply #27 on: July 25, 2011, 12:23:38 am »
I need to read the whole thread again, but till now I'm a bit confused by some of the comments made here.
- What does it mean for Linux client to "join the domain"?
- Linux client side, use of LDAP as back-end for authentication and group membership requires PAM (for the authentication) and NSS to be configured to use LDAP. Notice that this doesn't provide SSO  ;)
- in order for Linux client to benefit from NSS-LDAP, objectclass for POSIX attributes is required (RFC2307bis)
- I don't understand what is the "LDAP related" security issue  :-[

arun

« Reply #28 on: July 26, 2011, 10:08:06 am »
That this thread has been read 11308 times (as of now) shows the importance of the topic.

Can any expert / Zentyal rewrite this "how to" completely (and in current context and versions)? It would help lots of users like me ...

christian

  • Guest
« Reply #29 on: July 26, 2011, 11:00:21 am »
Don't you feel we should first clarify the "what" before rushing to write a "How to"?
Furthermore, this thread should be moved elsewhere, as there is no "Tips and Tricks" here but rather a question about "how to achieve something". Does it make sense?