Hi!
Great answer! I will work with this and see if I can get it working.
Regarding the setup, it's not really finished I think. They haven't
investigated how and what information should be stored on the LDAP, I
know for sure that the uid is stored there but other stuff needed for
a working login on Linux isn't there, like default shell.
I think that if I can set a default shell on login I guess I could use
LDAP/kerberos + automount and get the same result that I currently get
with NIS/Kerberos. All the users are on the same nfs export I think,
so it won't require that much automount magic. And I just checked on
the LDAP, there is an unused field called NFS home, so if I fill in the
correct parameter like filerserver.ltu.se:/home/nisse in that I could
automount that.
Do you think that's a workable alternative?
The problem is that there is no shell information and I'm not 100% sure
that the unix id in LDAP is the same as in NIS (it should be, and the
NIS one should be changed if it differs).
/nisse

On 7/20/05, Ryan Schultz <[EMAIL PROTECTED]> wrote:
> On Wednesday 20 July 2005 02:41 pm, Nils Erik Svangård wrote:
> > I can't! I don't have the authority to do that.
> > I have setup NIS which authenticate via the Kerberos server. I guess
> > it would be easiest to just add a group in NIS but LDAP is the future
> > and there is such nice GUIs.
> > Where do I prelogin scripting?
> > Let's say a user enters a username and a password: First it checks via
> > yp if the user is in passwd and then tries to authenticate via the
> > kerberos server (via pam_krb5).
> > What I want is a
> > if (in_ldap(username))
> > {
> >     if (check_with_yp(username))
> >     {
> >         if (krb5_authenticate(username, password))
> >         {
> >             login();
> >         }
> >     }
> > }
> > Where do I do this kind of magic? Somewhere with Pam?
> >
> > /nisse
> >
> > On 7/20/05, Carlos Rodrigues <[EMAIL PROTECTED]> wrote:
> > > Nils Erik Svangård wrote:
> > > > Hello!
> > > > snip < < <
> 
> That is possibly the most absolutely horrifying setup I've ever heard of, and
> you have my deepest, most sincere sympathies at having to deal with not only
> LDAP/Kerberos but also NIS. It's also worth noting that using NIS is probably
> ruining any security you're getting from LDAP/SSL or Kerberos... but with
> that out of the way, I think I can help. I'm not hugely familiar with NIS, so
> don't assume anything here is true.
> 
> Before you start, get a root terminal on your machine and leave it open. If
> you make a mistake or my instructions are wrong, you can lose login access to
> the system... (don't ever forget this when working on headless remote
> systems... bad experiences)
> 
> Okay, first you need to make the LDAP information available to the Name
> Service Switch (NSS) part of your system, which will let you check the group
> information and such without any particular black magic -- it'll be the same
> as if it was in /etc/groups. For this, you want to install and configure
> libnss-ldap (left to the reader), then modify your /etc/nsswitch.conf file so
> that the 'group:' line looks like this:
> 
>    group:          files ldap
> 
> If you haven't already configured the NSS for NIS, do that too. Your
> nsswitch.conf file should probably look something like this now:
> 
> passwd:         files nis
> group:          files ldap
> shadow:         files nis
> ... (rest of the file unchanged)
> 
> That will get shell/home information from NIS, group info from LDAP, and
> shadow (passwords) from NIS which you say authenticates via Kerberos (are you
> sure there aren't any passwords getting tossed around in plain text?). Make
> sure this is all working perfectly -- you should be able to 'getent passwd
> <username>' for a user in the NIS system and have it return his data, and you
> should also be able to retrieve group info from LDAP with ldapsearch. You
> shouldn't need any PAM magic if you're using NIS and it's configured
> properly. Then, to restrict login to a certain group, you need some lines
> in /etc/login.access looking something like:
> 
> -:ALL:ALL
> +:groupallowedtologin:ALL
> 
> ... but I'm not hugely familiar with that file, man login.access for more on
> that.
> 
> I've never done anything quite like this (strictly LDAPS/Kerberos here) but I
> think that information should at least get you going in the right direction.
> I'll say again, however, that the setup you're working with is basically a
> trainwreck and is probably leaking passwords and information all over the
> place unless it's very carefully designed. Complain to someone with authority
> and try to get the NIS information moved into LDAP -- it's generally much
> nicer to administrate.
> 
> Whew! HTH.
> 
> --
> Ryan Schultz
> -> floating point exception: divide by cucumber
>
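
Rule order in /etc/login.access decides the outcome, because login.access(5) scans the file for the first entry matching the (user, origin) pair and applies that entry's permission. The following is an added example, not code from the thread or from any of its participants: a small evaluator of that first-match rule, run against a constructed group table (standing in for what NSS would return from the 'group: files ldap' line) and against both orderings of the two lines quoted above. With `-:ALL:ALL` listed first, every login, root included, is refused, which is exactly the situation the open root terminal guards against.

```python
import re

# Constructed group membership standing in for what NSS would return from
# 'getent group' with the 'group: files ldap' line. Not real ltu.se data.
GROUPS = {
    "groupallowedtologin": {"alice", "bob"},
    "staff": {"carol"},
}


def parse_rules(text):
    """Parse login.access lines into (permit, user_items, origin_items)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+",
                      re.split(r"[\s,]+", users),
                      re.split(r"[\s,]+", origins)))
    return rules


def user_matches(item, user):
    # A user item is ALL, a login name, or a group the user belongs to
    return item == "ALL" or item == user or user in GROUPS.get(item, set())


def origin_matches(item, origin):
    # LOCAL matches any origin without a dot (ttys and unqualified hosts)
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin
    return item == origin


def login_allowed(rules_text, user, origin):
    """First matching entry decides; no matching entry means permit."""
    for permit, users, origins in parse_rules(rules_text):
        if any(user_matches(u, user) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return permit
    return True


AS_QUOTED = "-:ALL:ALL\n+:groupallowedtologin:ALL\n"   # deny line first
GROUP_FIRST = "+:groupallowedtologin:ALL\n-:ALL:ALL\n"  # permit line first

if __name__ == "__main__":
    for name, text in (("as quoted", AS_QUOTED), ("group first", GROUP_FIRST)):
        for user in ("alice", "carol", "root"):
            print(name, user, login_allowed(text, user, "tty1"))
```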
