Hi! Great answer! I will work with this and see if I can get it working. Regarding the setup, it's not really finished I think. They haven't investigated how and what information should be stored in the LDAP, I know for sure that the uid is stored there but other stuff needed for a working login on linux isn't there, like default shell. I think that if I can set a default shell on login I guess I could use LDAP/kerberos + automount and get the same result that I currently get with NIS/Kerberos. All the users are on the same nfs export I think, so it won't require that much automount magic. And I just checked on the LDAP, there is an unused field called NFS home, so if I fill in the correct parameter like filerserver.ltu.se:/home/nisse in that I could automount that. Do you think that's a workable alternative? The problem is that there is no shell information and I'm not 100% sure that the unix id in LDAP is the same as in NIS (it should be, and the NIS one should be changed if it differs). /nisse
On 7/20/05, Ryan Schultz <[EMAIL PROTECTED]> wrote:
> On Wednesday 20 July 2005 02:41 pm, Nils Erik Svangård wrote:
> > I can't! I don't have the authority to do that.
> > I have set up NIS which authenticates via the Kerberos server. I guess
> > it would be easiest to just add a group in NIS but LDAP is the future
> > and there are such nice GUIs.
> > Where do I do prelogin scripting?
> > Let's say a user enters a username and a password: First it checks via
> > yp if the user is in passwd and then tries to authenticate via the
> > kerberos server (via pam_krb5).
> > What I want is a
> >
> > if(in_ldap(username))
> > {
> >   if(check_with_yp(username))
> >   {
> >     if(krb5_authenticate(username,password))
> >     {
> >       login()
> >     }
> >   }
> > }
> >
> > Where do I do this kind of magic? Somewhere with PAM?
> >
> > /nisse
> >
> > On 7/20/05, Carlos Rodrigues <[EMAIL PROTECTED]> wrote:
> > > Nils Erik Svangård wrote:
> > > > Hello!
> > > > snip < < <
>
> That is possibly the most absolutely horrifying setup I've ever heard of, and
> you have my deepest, most sincere sympathies at having to deal with not only
> LDAP/Kerberos but also NIS. It's also worth noting that using NIS is probably
> ruining any security you're getting from LDAP/SSL or Kerberos... but with
> that out of the way, I think I can help. I'm not hugely familiar with NIS, so
> don't assume anything here is true.
>
> Before you start, get a root terminal on your machine and leave it open. If
> you make a mistake or my instructions are wrong, you can lose login access to
> the system... (don't ever forget this when working on headless remote
> systems... bad experiences)
>
> Okay, first you need to make the LDAP information available to the Name
> Service Switch (NSS) part of your system, which will let you check the group
> information and such without any particular black magic -- it'll be the same
> as if it was in /etc/groups. For this, you want to install and configure
> libnss-ldap (left to the reader), then modify your /etc/nsswitch.conf file so
> that the 'group:' line looks like this:
>
> group: files ldap
>
> If you haven't already configured the NSS for NIS, do that too. Your
> nsswitch.conf file should probably look something like this now:
>
> passwd: files nis
> group: files ldap
> shadow: files nis
> ... (rest of the file unchanged)
>
> That will get shell/home information from NIS, group info from LDAP, and
> shadow (passwords) from NIS which you say authenticates via Kerberos (are you
> sure there aren't any passwords getting tossed around in plain text?). Make
> sure this is all working perfectly -- you should be able to 'getent passwd
> <username>' for a user in the NIS system and have it return his data, and you
> should also be able to retrieve group info from LDAP with ldapsearch. You
> shouldn't need any PAM magic if you're using NIS and it's configured
> properly. Then, to restrict login to a certain group, you need some lines
> in /etc/login.access looking something like:
>
> -:ALL:ALL
> +:groupallowedtologin:ALL
>
> ... but I'm not hugely familiar with that file, man login.access for more on
> that.
>
> I've never done anything quite like this (strictly LDAPS/Kerberos here) but I
> think that information should at least get you going in the right direction.
> I'll say again, however, that the setup you're working with is basically a
> trainwreck and is probably leaking passwords and information all over the
> place unless it's very carefully designed. Complain to someone with authority
> and try to get the NIS information moved into LDAP -- it's generally much
> nicer to administrate.
>
> Whew! HTH.
>
> --
> Ryan Schultz
> -> floating point exception: divide by cucumber
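An added example, not code from the thread or from either poster: a small Python evaluator for the /etc/login.access semantics the quoted reply relies on. As documented in login.access(5) and pam_access(8), the table is scanned top to bottom, the first matching entry decides, and a table with no matching entry grants access. That ordering matters for the two lines quoted above: with `-:ALL:ALL` first, everyone is denied, including members of the allowed group, and the rest of the table is never reached. The user names, group names and both tables below are constructed for illustration; checking a candidate table this way before installing it is a cheap way to avoid locking yourself out of a headless machine.

```python
# Added example (not from the thread): a minimal evaluator for the
# first-match-wins rules of /etc/login.access (login / pam_access).
# Supported: '+'/'-' permission, ALL, user names, group names (bare or in
# parentheses), LOCAL, exact tty/host origins, and 'X EXCEPT Y' lists.
# Real login.access looks group membership up in the group database;
# here the caller passes the user's groups explicitly.

def _matches_user(field, user, groups):
    """One token of the users column."""
    if field == "ALL":
        return True
    if field.startswith("(") and field.endswith(")"):   # explicit group form
        return field[1:-1] in groups
    return field == user or field in groups


def _matches_origin(field, origin):
    """One token of the origins column: ALL, LOCAL (no dot in the name), or exact."""
    if field == "ALL":
        return True
    if field == "LOCAL":
        return "." not in origin
    return field == origin


def _list_matches(items, pred):
    """A column is a space/comma separated list, optionally 'X EXCEPT Y'."""
    if " EXCEPT " in items:
        included, excluded = items.split(" EXCEPT ", 1)
        return _list_matches(included, pred) and not _list_matches(excluded, pred)
    return any(pred(tok) for tok in items.replace(",", " ").split())


def login_allowed(table, user, groups, origin="tty1"):
    """First matching entry decides; no match at all means access is granted."""
    groups = set(groups)
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        perm, users, origins = (col.strip() for col in line.split(":", 2))
        if (_list_matches(users, lambda f: _matches_user(f, user, groups))
                and _list_matches(origins, lambda f: _matches_origin(f, origin))):
            return perm == "+"
    return True


# Constructed tables. DENY_FIRST is the order quoted in the reply above;
# ALLOW_FIRST puts the permit lines ahead of the catch-all deny and also
# keeps root able to log in on a local console.
DENY_FIRST = """\
-:ALL:ALL
+:groupallowedtologin:ALL
"""

ALLOW_FIRST = """\
+:groupallowedtologin:ALL
+:root:LOCAL
-:ALL:ALL
"""


def demo():
    """Evaluate a group member, an outsider and root against both tables."""
    member = ("nisse", {"users", "groupallowedtologin"})      # constructed
    outsider = ("guest", {"users"})                             # constructed
    return {
        "deny_first_member": login_allowed(DENY_FIRST, *member),
        "deny_first_outsider": login_allowed(DENY_FIRST, *outsider),
        "allow_first_member": login_allowed(ALLOW_FIRST, *member),
        "allow_first_outsider": login_allowed(ALLOW_FIRST, *outsider),
        "allow_first_root_local": login_allowed(ALLOW_FIRST, "root", {"root"}, "tty1"),
        "allow_first_root_remote": login_allowed(ALLOW_FIRST, "root", {"root"}, "host.example.org"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Run it as a script and the deny-first table denies both test users, while the allow-first table admits only the group member (and root on a local tty). Keep in mind that the real table also consults the group database for bare names, so a group that exists only in LDAP is only usable here once `getent group` resolves it through the nsswitch change the reply describes.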