Keir Whitlock
2007-Feb-09 17:07 UTC
RE: [Fedora-directory-users] Forgive the misunderstandings of a "newb"
System-config-authentication should have picked this up on newer
versions of redhat and fedora

_________________________________________
Keir Whitlock
Unix Systems Administrator
Unix Operations Team

T: +44 (0)870 7748500
F: +44 (0)870 7748501
E: keir.whitlock@jobsite.co.uk
W: www.jobsite.co.uk

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan Kinder
Sent: 09 February 2007 16:26
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Forgive the misunderstandings of a "newb"

Scott Ackerman wrote:
> Thanks Nathan, but where did I miss that in the how-to?
>
It appears to be missing from the how-to (some of the how-to's do make
reference to nss_ldap being required though).

> Nathan Kinder wrote:
>
>> lists@scott-ackerman.com wrote:
>>
>>> I thought I was smart until I dove into LDAP. I am the sole part-time
>>> IT Manager for a charter school (240 students, 20 staff, 60 computers)
>>> and am migrating away from a Windows server environment to Linux. The
>>> only services that are being provided by a Windows server now are AD,
>>> file and print sharing services. Since we are turning about 15 of our
>>> student computers into Linux stations, I decided on a "simpler" method
>>> of managing authentication, login etc. and chose Fedora Directory
>>> Server (after having beat my head against the wall with strictly
>>> OpenLDAP for a month). I have successfully set up FDS and entered all
>>> students and staff. I have decided not to sync against our AD server
>>> because we are changing the student login method, the old format was
>>> locker number for user name and then a password. I have decided to use
>>> the first.last name for user name and then a password.
>>>
>>> I am trying to set up posix authentication and Samba and am having
>>> difficulties with both, technical on the former and understanding on
>>> the latter. First posix, I have followed the how to on the FDS Wiki,
>>> but there seems to be some steps missing. I have gotten an
>>> authenticated student logon, but only after having created an account
>>> on the local machine with the same UID. I made sure that the password
>>> was different in FDS than when I created the user on the local machine
>>> and I am able to log in using either password which would indicate to
>>> me that I am successfully authenticating to FDS. However I don't
>>> particularly care to have to add 240 students on all 15 computers to
>>> make this work, not to mention all of the "home" directories that will
>>> be mounted from the NFS server. So the question is, what steps am I
>>> missing here?
>>>
>> It sounds like you need to configure nss_ldap. Assuming you have
>> nss_ldap installed on your client systems, you should be able to add
>> "ldap" as a service for looking up users and groups in your
>> /etc/nsswitch.conf file.
>>
>> -NGK
>>
>>> Samba. As I understand it, Windows will only authenticate against an
>>> NT or "NT like (aka. Samba)" server, which means as far as I can tell
>>> that either I have Samba sync against FDS or I use pGina on the
>>> Windows side to authenticate directly against LDAP or scrap LDAP
>>> altogether and just use an NIS server (don't think this is a good
>>> idea, but it is a possibility). Of course trying to assess the pros
>>> and cons of either has been somewhat difficult at best. Also the FDS
>>> Samba how-to doesn't cover computer management which Samba is going to
>>> have to deal with as well.
>>>
>>> Before someone replies with a "RTFM", I have read the Install Guide as
>>> well as the Red Hat Directory Server documentation and I am currently
>>> half-way through the book "Understanding and Deploying LDAP Directory
>>> Services", so I have a reasonable understanding of how to get into
>>> trouble. Of course none of these provide in-depth (nor should they)
>>> information as to how to integrate with other services. I have spent a
>>> month reading, tinkering etc., and I am not asking anyone else to do
>>> my work for me, but I seem to have hit a wall and need a couple of
>>> "breadcrumbs" to get me back on the trail. Thank you for your patience
>>> and understanding.

Scott Ackerman
2007-Feb-09 17:37 UTC
Re: [Fedora-directory-users] Forgive the misunderstandings of a "newb"
I am running Fedora Core 5 and have (as far as I can understand) all
required modules, etc. installed, I have checked the ldap.conf file and
it is pointing to our LDAP server, I have checked the nsswitch.conf file
and it appears to be configured correctly. But after having deleted the
user from the local machine, I now cannot login because of
authentication failure. System-config-authentication in pam.d contains
this:

    #%PAM-1.0
    auth       include      config-util
    account    include      config-util
    session    include      config-util

So, back to the drawing board and more searching on the web. It seems as
if most of these how-to's are geared toward people who have a working
understanding of how all of this integrates into LDAP. An assumption
that I wouldn't necessarily make, especially in light of the fact that
if you come from a Windoze server environment, AD is used which doesn't
have all of these configuration issues (you just get a whole new set of
issues).

Keir Whitlock wrote:
> System-config-authentication should have picked this up on newer
> versions of redhat and fedora

--
Scott B. Ackerman
1212 Baker Street
Fort Collins, Colorado 80524
970-231-9035
scott@scott-ackerman.com

"Every improvement in the standard of work men do is followed swiftly
and inevitably by an improvement in the men who do it" - William Morris
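
Added example, not part of the thread and not taken from the FDS how-to: a check of the NSS side of LDAP login, which is what the nss_ldap advice above concerns. PAM can verify a password against the directory, but a login only completes if NSS can also resolve the account. The sample nsswitch.conf contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: test the NSS half of LDAP login separately from the PAM half.
# NSS must resolve the account (uid, gid, home, shell) for a login to succeed.

# nss_has_ldap FILE DB -> exit 0 if "ldap" is a listed source for DB
nss_has_ldap() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, normalise "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# nss_report FILE -> one line per database that account lookups depend on
nss_report() {
    for db in passwd shadow group; do
        if nss_has_ldap "$1" "$db"; then echo "$db: ldap listed"
        else echo "$db: ldap MISSING"; fi
    done
}

# lookup_origin USER -> "local", "directory" or "unresolved" on a live client
lookup_origin() {
    if awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' /etc/passwd
    then echo local
    elif getent passwd "$1" >/dev/null 2>&1; then echo directory
    else echo unresolved; fi
}

# Constructed sample files: a stock nsswitch.conf and one with ldap added.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before.conf" <<'EOF'
passwd:     files
shadow:     files
group:      files   # ldap not enabled yet
hosts:      files dns
EOF
cat > "$SAMPLES/after.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

echo "before:"; nss_report "$SAMPLES/before.conf"
echo "after:";  nss_report "$SAMPLES/after.conf"
# On a real client: nss_report /etc/nsswitch.conf; lookup_origin first.last
```

If lookup_origin reports "unresolved" for a directory user while nss_report shows ldap listed, the lookup itself is failing and password checking is not the first thing to debug.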