Universal Authentication


Guest starbane

In the ongoing (and at this point, infinite) process of converting our WAN from M$ to nix, one of the ideas we've been tossing around has been a universal authentication base.

 

Of course pam and ldap came to mind, but this is (like so many things for me since entering the Linuxverse) over my head. I've spent the last month or so reading the huge amount of material on all this, and at this point am mentally regrouping and trying to organize thoughts.

 

Here are some of the hoped-for features in this system:

 

Can authenticate Windows clients via SMB and authenticate for UNC shares

Can auth for IMAP/POP mail

Replicates to remote servers (PDCs)

 

 

What we have now is a multiple-master network running:

 

Exchange 5.5 for email

9 Windows NT PDCs, with one PDC being trusted and trusting the remote PDCs (connected via T1/frame relay)

Proxy 2.0 on a Windows 2000 standalone

1200+ clients in 7 physical networks running various flavors of Windows (9x, 2k, and two or three XP machines we valiantly, but futilely, attempted to keep out)

 

Web server and firewall are running various nix services software.

 

Obviously, the proxy needs to go, but I have yet to see an elegant solution that would allow us to authenticate the Windows users to something like squid running on Linux. Which begs for a different method of authentication. Which implies replacement of the PDCs... And I've come full circle again.

 

If anyone bothers to read all the way through this cluttered mess, feel free to chime in with any "AHA"s or "but"s. Or questions like "Why the hell are you running M$ Proxy 2.0 on Win2k?" <g>

 

What I'm really hoping for is anyone who has had any experience migrating a beast like this from a mixed Win server environment to a pure linux animal lending me the benefit of their experience.


Guest starbane

Wow, no one has thought about this?

 

Couple of resources that have helped a bit:

 

http://student.bii.a-star.edu.sg/~adrianq/...roject_one.html

(weird, but a good roadmap, I suppose)

 

http://www.mandrakesecure.net/en/docs/ldap-auth.php

(old, but groovy)

 

Wonder if there's a new version of that mandrakesecure article somewhere...


> In the ongoing (and at this point, infinite) process of converting our WAN from M$ to nix, one of the ideas we've been tossing around has been a universal authentication base.
>
> Of course pam and ldap came to mind, but this is (like so many things for me since entering the Linuxverse) over my head. I've spent the last month or so reading the huge amount of material on all this, and at this point am mentally regrouping and trying to organize thoughts.

 

Well, active directory is pretty much a standard LDAP implementation (with more comprehensive ACLs and schemas) + Kerberos + Kerberos-style DNS. Unfortunately there is currently really no way to do Kerberos with windows clients, so we will ignore it (and I don't know much about it anyway ;-)).

 

> Here are some of the hoped-for features in this system:
>
> Can authenticate Windows clients via SMB and authenticate for UNC shares
>
> Can auth for IMAP/POP mail
>
> Replicates to remote servers (PDCs)
>
> What we have now is a multiple-master network running:
>
> Exchange 5.5 for email
>
> 9 Windows NT PDCs, with one PDC being trusted and trusting the remote PDCs (connected via T1/frame relay)
>
> Proxy 2.0 on a Windows 2000 standalone
>
> 1200+ clients in 7 physical networks running various flavors of Windows (9x, 2k, and two or three XP machines we valiantly, but futilely, attempted to keep out)

 

You have 9 domains then?? OK, this is quite a complex network, and one should proceed carefully ;-). In the end, samba-2.2.x really isn't up to this AFAIK (even with LDAP support), and samba3 will be able to do PDC/BDC and trust relationships with NT4. What are you running on the DCs (NT or 2k?).

 

> Web server and firewall are running various nix services software.
>
> Obviously, the proxy needs to go, but I have yet to see an elegant solution that would allow us to authenticate the Windows users to something like squid running on Linux. Which begs for a different method of authentication. Which implies replacement of the PDCs... And I've come full circle again.

 

Not necessarily. I think there is no easy way to migrate this away from windows-style stuff, so it's going to require a windows-look-alike DC, so you're going to have to wait for samba3 to switch your DCs, but you can switch your proxy before that. Apparently squid-2.6 can do NTLM auth in conjunction with winbind from samba-2.2.7 (if compiled with the right option). I think this is a reasonable place to start (and file/print servers can be next). Of course, you will gain the most in CAL fees if you can switch your DCs, but it is also higher risk ...

 

POP/IMAP can currently be done easily with WINBIND (I have a production Winbind/postfix/courier server in a small network) authenticating against your windows domain. If you have a windows NT domain, or 2k with anonymous access (aka pre-Windows-2000-compatible), then you can even set Mandrake 9.0 up during installation to authenticate by winbind (must use expert mode for auth setup though).

 

File/print servers with winbind are also trivial, but you will need to modify the smb.conf after installation if you set it up during installation. You can even have ACLs out of the box.

 

> If anyone bothers to read all the way through this cluttered mess, feel free to chime in with any "AHA"s or "but"s. Or questions like "Why the hell are you running M$ Proxy 2.0 on Win2k?" <g>
>
> What I'm really hoping for is anyone who has had any experience migrating a beast like this from a mixed Win server environment to a pure linux animal lending me the benefit of their experience.

 

We didn't ever have a windows server environment, we kept our single win2k server as a member server in our samba domain.

 

If you want to have a go with samba3, I have RPMs for 9.0 that will install alongside 2.2.x cleanly, if you want to experiment. I am not sure if the current samba RPMs for Mandrake 9.0 are built with the options squid requires for NTLM, but if you ask nicely I could build some (heck, I need someone to test this anyway).

 

I suspect we are just getting in the way of everyone else here, so you may want to send me mail (bgmilne at cae dot co dot za) on this matter, and we can possibly pull some other people in on the discussion.

 

RPMS of samba3:

http://ranger.dnsalias.com/mandrake/mandra...mba-3.0alpha21/

 

If you are running something other than 9.0, please rebuild the SRPM from cooker contribs; it should build cleanly on 8.0 or newer, possibly older releases too.

 

(FYI, we run samba 2.2.x as a DC on LDAP backend, but we may have to go to samba3 to get better LDAP support, such as LDAP referrals for write, before we finish the implementation of our WAN).


> Wow :shock: :!: ranger is a Samba-God 8)

 

But I am only 8 of the first 10 hits (name, email address, or website) for this google search:

http://www.google.com/search?hl=en&ie=UTF-...andrake%20samba

 

Don't know how to displace the other two ...

 

But if you haven't been to http://ranger.dnsalias.com/mandrake/samba , do make a turn. It's not a very creative place (heck, it's just an apache index), but there's quite a bit there ...

 

Currently updating the samba-vscan (on-access virus-scanning with samba) for samba3 RPMs for cooker contrib ...


Wrote a long reply to ranger, then decided to email it, instead, and avoid cluttering up the board. :)

 

Found some doco on winbind + squid:

 

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

 

I will see if I can build a squid-2.6 package that works, may need a new samba-winbind also, since I don't think we have been building with the --with-winbind-auth-challenge, since we hadn't tested it at all ....

 

I guess I could setup a test network (with samba3, winbind from 2.2.x, and squid 2.6) for fun ... I need to play with samba3 to get decent configuration examples anyway.


> I will see if I can build a squid-2.6 package that works, may need a new samba-winbind also, since I don't think we have been building with the --with-winbind-auth-challenge, since we hadn't tested it at all ....

 

Actually, it seems that squid-2.5 will do, and I should just have to patch in a newer header for a more recent winbind than squid-2.5 knew about ...

 

BTW, got winbind working yet?


Guest starbane

It's alive!

 

I found that after simply choosing "Windows Domain" in the expert setup on mdk 9.0, winbind is locked and loaded on boot, with one caveat.

 

I had to rejoin the domain (recreate the machine trust) with smbpasswd -j <DOMAIN> -U <Administrative account> and then things worked great!

 

My NT admin was impressed with how easy home directories were created, too. :)
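Pulling the thread's advice together (ranger's point that winbind can front both squid's NTLM auth and the POP/IMAP server, and starbane's finding that the machine trust had to be recreated with smbpasswd -j before anything worked), here is an added example script that is not from the thread, from Samba or from squid. It prints a winbind domain-member smb.conf fragment, a squid.conf fragment, statically checks an smb.conf for the settings winbind needs, and verifies the join before squid, courier or PAM are pointed at it. The domain name EXAMPLE, the uid/gid ranges, the ntlm_auth path and the winbindd_privileged group note (Samba 3 behaviour) are assumptions, and the squid fragment uses Samba 3's ntlm_auth helper rather than squid 2.5's own winbind helpers mentioned in the squid FAQ.

```shell
#!/bin/sh
# Added example (not code from the thread, Samba or squid): make a Samba-2.2-era
# Linux box a winbind member of an NT4 domain, check the config, verify the
# join. DOMAIN, uid/gid ranges and helper paths are assumptions.
set -u

DOMAIN="${DOMAIN:-EXAMPLE}"                  # assumed NetBIOS domain name
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# smb.conf [global] fragment for a winbind domain member (Samba 2.2 key names;
# Samba 3 renamed "winbind uid/gid" to "idmap uid/gid").
smb_conf_member() {
    cat <<EOF
[global]
    workgroup = $DOMAIN
    security = domain
    password server = *
    encrypt passwords = yes
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/false
EOF
}

# squid.conf fragment using Samba 3's ntlm_auth helper, with a basic-auth
# fallback for clients that cannot do NTLM. Helper path is an assumption.
# Under Samba 3 the squid user must also be in the group owning
# /var/lib/samba/winbindd_privileged, or the helper cannot reach winbindd.
squid_conf_ntlm() {
    cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy
acl domain_users proxy_auth REQUIRED
http_access allow domain_users
http_access deny all
EOF
}

# First value of "key = value" in an smb.conf (keys may contain spaces).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Static check: returns 0 when the settings winbind needs are present and
# sane, 1 otherwise, naming the first problem on stderr.
check_smb_conf() {
    conf="$1"
    [ "$(conf_get "$conf" security)" = "domain" ] ||
        { echo "security must be 'domain' for a domain member" >&2; return 1; }
    [ -n "$(conf_get "$conf" workgroup)" ] ||
        { echo "workgroup (the NT domain) is not set" >&2; return 1; }
    for key in "winbind uid" "winbind gid"; do
        conf_get "$conf" "$key" | grep -Eq '^[0-9]+-[0-9]+$' ||
            { echo "$key must be a low-high range" >&2; return 1; }
    done
    return 0
}

# Create the machine trust account (the step starbane had to redo). Samba 2.2
# syntax as in the thread; Samba 3 uses "net rpc join -U <admin>".
join_domain() {
    smbpasswd -j "$DOMAIN" -U "$1"
}

# Verify the trust secret and NSS before blaming squid or courier:
# "wbinfo -t" fails when the machine account is missing or its secret is stale.
verify_winbind() {
    wbinfo -t || { echo "machine trust check failed; rejoin the domain" >&2; return 1; }
    wbinfo -u | head -n 3
    getent passwd | grep -q "^$DOMAIN+" ||
        { echo "no $DOMAIN+ users via NSS: add winbind to /etc/nsswitch.conf" >&2; return 1; }
}

case "${1:-}" in
    smb)    smb_conf_member ;;
    squid)  squid_conf_ntlm ;;
    check)  check_smb_conf "${2:-$SMB_CONF}" ;;
    join)   join_domain "${2:?admin account}" ;;
    verify) verify_winbind ;;
esac
```

Usage: `sh winbind-member.sh smb > /etc/samba/smb.conf`, then `sh winbind-member.sh check`, `sh winbind-member.sh join Administrator`, and `sh winbind-member.sh verify` once winbindd is running; only after `verify` passes is it worth debugging squid or courier, because both simply see a failed lookup when the trust or NSS side is broken.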
