Re: [PLUG] Linux centralized authentication
This is great technical discussion, thanks for keeping it public. Reminds me of my journey implementing SSO/AD/LDAP - the project scope kept expanding beyond my initial expectations. As per your discussion - this central management/authentication needs a fully configured reverse and authoritative DNS domain and NTP. This is part of the host chain of trust/authentication. There is no workaround. Once you get it working though, it will become a great asset and absolutely worth it; think of access to data, services, etc.

Because of the many moving parts, keep detailed notes, or better, a manifest of your setup. Also, plan for future migration now, when you understand every detail of your setup. Without that you will find it very, very difficult to migrate/update your setup years from now. I certainly found my memories and notes insufficient to effectively migrate/update 5 years later.

-T

On Jun 19, 2018 4:12 PM, "Tyrell Jentink" wrote:
> I also didn't answer about DHCP... DHCP and DNS shouldn't have to care about each other, unless IP addresses are likely to change; If they are, you will need a method of updating the DNS records. FreeIPA lets the client update their own records; Windows prefers to deal with it on the server. SO, the "Best Practice" is *probably* to let Windows play DHCP server. That's probably what I will do next.
>
> Currently, I'm using the DHCP server in my firewall, which is less-than-ideal for a number of reasons, not the least of which is: Because Windows machines belong to the win.example.com|10.42.2.0 network, and Linux machines belong to the lin.example.com|10.42.1.0 network, all of the leases need static reservations (As an aside, I don't put ALL machines in the domains... Things like phones and Raspberry Pi's are considered "Untrusted," get addresses out of the 10.42.0.0 IP pool, and don't have domain names at all...). Which sucks for onboarding a new machine: I have to add the DHCP reservations to the firewall, then add the client to the domain... In two separate interfaces. I suppose if it were all in Windows Server, then it's at least all in the same place...
>
> On Tue, Jun 19, 2018, 13:35 Galen Seitz wrote:
>> On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
>>> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10
>>
>> Some questions for you:
>>
>> What is the FQDN of your ipa server?
>>
>> Are you using DHCP for client machines? If so, where is it hosted and how does it interact with your DNS server?
>>
>> thanks,
>> galen
>> --
>> Galen Seitz
>> gal...@seitzassoc.com

___
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Linux centralized authentication
I also didn't answer about DHCP... DHCP and DNS shouldn't have to care about each other, unless IP addresses are likely to change; If they are, you will need a method of updating the DNS records. FreeIPA lets the client update their own records; Windows prefers to deal with it on the server. SO, the "Best Practice" is *probably* to let Windows play DHCP server. That's probably what I will do next.

Currently, I'm using the DHCP server in my firewall, which is less-than-ideal for a number of reasons, not the least of which is: Because Windows machines belong to the win.example.com|10.42.2.0 network, and Linux machines belong to the lin.example.com|10.42.1.0 network, all of the leases need static reservations (As an aside, I don't put ALL machines in the domains... Things like phones and Raspberry Pi's are considered "Untrusted," get addresses out of the 10.42.0.0 IP pool, and don't have domain names at all...). Which sucks for onboarding a new machine: I have to add the DHCP reservations to the firewall, then add the client to the domain... In two separate interfaces. I suppose if it were all in Windows Server, then it's at least all in the same place...

On Tue, Jun 19, 2018, 13:35 Galen Seitz wrote:
> On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
>> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10
>
> Some questions for you:
>
> What is the FQDN of your ipa server?
>
> Are you using DHCP for client machines? If so, where is it hosted and how does it interact with your DNS server?
>
> thanks,
> galen
> --
> Galen Seitz
> gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
Oh... I meant to also mention... If you want to have a service authenticate both inside and outside your network, that particular service will need to have the same FQDN on both the inside and the outside of the network... Since they aren't likely to share the same IP address (Public vs Private), you MAY need to get very clever about your "Split Horizon DNS," Google for more details.

On Tue, Jun 19, 2018, 13:35 Galen Seitz wrote:
> On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
>> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10
>
> Some questions for you:
>
> What is the FQDN of your ipa server?
>
> Are you using DHCP for client machines? If so, where is it hosted and how does it interact with your DNS server?
>
> thanks,
> galen
> --
> Galen Seitz
> gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
Both "Domain Controllers" are called 'pdc' on their respective subdomain; So, 'pdc.win.example.com' and 'pdc.lin.example.com.'

Yes, my network has A LOT of infrastructure, for what is essentially a 3 user network... I did it as a learning experience, a "Home Lab," so to speak (Or, "Home Production," if you will, since my wife would slaughter me in my sleep if the Plex server ever went down...). I'm not convinced that I would recommend it to anyone... LOL.

On Tue, Jun 19, 2018, 13:35 Galen Seitz wrote:
> On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
>> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10
>
> Some questions for you:
>
> What is the FQDN of your ipa server?
>
> Are you using DHCP for client machines? If so, where is it hosted and how does it interact with your DNS server?
>
> thanks,
> galen
> --
> Galen Seitz
> gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10

Some questions for you:

What is the FQDN of your ipa server?

Are you using DHCP for client machines? If so, where is it hosted and how does it interact with your DNS server?

thanks,
galen
--
Galen Seitz
gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
> Yeah, this was a struggle for me, too... Not just the forward domains, but the reverse zones, too. It all required some thinking, and I think I'm about to change some of it... But this is what I did at the get-go:
>
> My domain name, let's use example.com, points at my public website, and my FreeIPA domain is only accessible internally; I just don't have a need to authenticate outside of the network.

My desired setup is similar to yours, except that my public web presence is just a port forward to an internal machine. I will need to authenticate on that machine.

> Inside the network, I have three DNS servers... One is just a resolver on an OPNSense firewall, and lives at 10.0.0.1. That isn't authoritative on any domain.
>
> The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10
>
> The third is ActiveDirectory, serves the win.example.com subdomain and the 2.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under lin.example.com to 10.42.1.10.
>
> Both of the authoritative servers point unresolved addresses to the resolver at 10.0.0.1; It forwards to 1.1.1.1.
>
> You run into problems if any given domain has two authoritative servers; That is in both the forward and reverse domains, so you have to ensure that each subdomain has a unique name -AND- a unique IP Address Space.
>
> Does that set you on the right path, or do you need me to retry?

Yes, this helps. I really didn't want to learn more about DNS and BIND, but clearly it's necessary. The thing that was tripping me up was the need to send DNS updates to an authoritative server. The only authoritative server currently on my internal network is for the ipa.example.com domain. If a client is not in that domain, then the DNS updates are sent to the SOA of example.com. This fails since my DNS host is not configured to support this.

Now that I understand what is going on, I need to decide how to best move forward. It feels like I need a lot of infrastructure for what is a tiny network. Perhaps I'm feeling how Richard Owlett is feeling about his network.

galen
--
Galen Seitz
gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
Yeah, this was a struggle for me, too... Not just the forward domains, but the reverse zones, too. It all required some thinking, and I think I'm about to change some of it... But this is what I did at the get-go:

My domain name, let's use example.com, points at my public website, and my FreeIPA domain is only accessible internally; I just don't have a need to authenticate outside of the network.

Inside the network, I have three DNS servers... One is just a resolver on an OPNSense firewall, and lives at 10.0.0.1. That isn't authoritative on any domain.

The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com subdomain and the 1.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under win.example.com to 10.42.2.10

The third is ActiveDirectory, serves the win.example.com subdomain and the 2.42.10.arpa reverse domain. It has a conditional forwarder to forward requests under lin.example.com to 10.42.1.10.

Both of the authoritative servers point unresolved addresses to the resolver at 10.0.0.1; It forwards to 1.1.1.1.

You run into problems if any given domain has two authoritative servers; That is in both the forward and reverse domains, so you have to ensure that each subdomain has a unique name -AND- a unique IP Address Space.

Does that set you on the right path, or do you need me to retry?

On Tue, Jun 19, 2018, 12:11 Galen Seitz wrote:
> Dredging up an old thread here...
>
> On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
>> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.
>
> If you (Tyrell) have the time, could you please describe whether you are using the BIND part of FreeIPA, and if so, the DNS architecture of your home network? I've been struggling to come up to speed on this.
>
> I use openwrt as a router on my home network. dnsmasq is enabled, and all of my internal machines have host.example.com names. If dnsmasq doesn't recognize a name, it forwards the lookup upstream to the real dns host for my domain. Given this setup, I tried several naming schemes for my ipa server. With some setups the ipa-server-install failed early. With others, the server install would basically work, but then in the client portion it would try to send DNS updates to the upstream DNS host. These updates fail because my upstream DNS host isn't configured to expect updates. My understanding is that these updates shouldn't be going to this host anyway.
>
> What finally worked for me was to create a separate subdomain. I named my ipa server ipa-1.ipa.example.com, and my ipa domain ipa.example.com (with the Kerberos realm named IPA.SEITZASSOC.COM). I had to add a server option in dnsmasq on my openwrt box to tell it to forward lookups in the ipa.example.com domain to my ipa server.
>
> Note that example.com is just an example. I was using my actual domain name above.
>
> thanks,
> galen
> --
> Galen Seitz
> gal...@seitzassoc.com
Re: [PLUG] Linux centralized authentication
Dredging up an old thread here...

On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.

If you (Tyrell) have the time, could you please describe whether you are using the BIND part of FreeIPA, and if so, the DNS architecture of your home network? I've been struggling to come up to speed on this.

I use openwrt as a router on my home network. dnsmasq is enabled, and all of my internal machines have host.example.com names. If dnsmasq doesn't recognize a name, it forwards the lookup upstream to the real dns host for my domain. Given this setup, I tried several naming schemes for my ipa server. With some setups the ipa-server-install failed early. With others, the server install would basically work, but then in the client portion it would try to send DNS updates to the upstream DNS host. These updates fail because my upstream DNS host isn't configured to expect updates. My understanding is that these updates shouldn't be going to this host anyway.

What finally worked for me was to create a separate subdomain. I named my ipa server ipa-1.ipa.example.com, and my ipa domain ipa.example.com (with the Kerberos realm named IPA.SEITZASSOC.COM). I had to add a server option in dnsmasq on my openwrt box to tell it to forward lookups in the ipa.example.com domain to my ipa server.

Note that example.com is just an example. I was using my actual domain name above.

thanks,
galen
--
Galen Seitz
gal...@seitzassoc.com
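The three-server layout Tyrell describes in his reply above, and the dynamic-update problem Galen raises here, can both be checked against a written plan before anything is installed. The following Python script is an added example, not code from the thread or from FreeIPA: it encodes a plan manifest of the kind Tomas recommends keeping (server names, addresses and zones are constructed from the thread's example values) and flags a zone with two authoritative servers, overlapping address space, a conditional forwarder pointing at the wrong server, a missing forwarder, and a host whose dynamic updates would land on the public SOA rather than an internal server.

```python
import ipaddress

# Constructed plan, modelled on the thread's example values: a firewall that is
# only a resolver, FreeIPA authoritative for lin.example.com, Active Directory
# authoritative for win.example.com. "reverse" holds the CIDR blocks whose
# in-addr.arpa zones each server serves (10.42.1.0/24 -> 1.42.10.in-addr.arpa,
# the zone Tyrell abbreviates as 1.42.10.arpa).
PLAN = {
    "firewall": {"ip": "10.0.0.1", "zones": set(), "reverse": set(),
                 "forward": {}, "default": "1.1.1.1"},
    "freeipa": {"ip": "10.42.1.10", "zones": {"lin.example.com"},
                "reverse": {"10.42.1.0/24"},
                "forward": {"win.example.com": "10.42.2.10"},
                "default": "10.0.0.1"},
    "ad": {"ip": "10.42.2.10", "zones": {"win.example.com"},
           "reverse": {"10.42.2.0/24"},
           "forward": {"lin.example.com": "10.42.1.10"},
           "default": "10.0.0.1"},
}


def reverse_zone(cidr):
    """in-addr.arpa zone name for a /8, /16 or /24 block."""
    net = ipaddress.ip_network(cidr)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def zone_owner(plan, zone):
    """Name of the server authoritative for zone, or None."""
    return next((n for n, s in plan.items() if zone in s["zones"]), None)


def find_problems(plan):
    """Plan errors of the kind the thread warns about, as readable strings."""
    problems, seen = [], {}
    # 1. No forward or reverse zone may have two authoritative servers.
    for name, srv in plan.items():
        for zone in srv["zones"] | {reverse_zone(c) for c in srv["reverse"]}:
            if zone in seen:
                problems.append(f"{zone} served by both {seen[zone]} and {name}")
            seen[zone] = name
    # 2. Address spaces must not overlap: an overlap means overlapping reverse
    #    zones even when the zone names differ (e.g. a /24 beside a /25).
    nets = [(n, ipaddress.ip_network(c)) for n, s in plan.items() for c in s["reverse"]]
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} ({n1}) overlaps {b} ({n2})")
    # 3. A conditional forwarder must point at the server that owns the zone.
    for name, srv in plan.items():
        for zone, target in srv["forward"].items():
            owner = zone_owner(plan, zone)
            if owner is None or plan[owner]["ip"] != target:
                problems.append(f"{name} forwards {zone} to {target}; owner is {owner}")
    # 4. Each authoritative server needs a forwarder for every other internal
    #    zone, or those lookups leak to its default (public) forwarder.
    for name, srv in plan.items():
        for other in plan.values():
            for zone in other["zones"] - srv["zones"]:
                if srv["zones"] and zone not in srv["forward"]:
                    problems.append(f"{name} has no forwarder for {zone}")
    return problems


def query_path(plan, start, qname):
    """Servers a lookup of qname visits starting at `start`; the last element
    is an external IP if the query leaves the plan, or "LOOP" if it cycles."""
    by_ip = {s["ip"]: n for n, s in plan.items()}
    hops, cur = [], start
    while cur not in hops:
        hops.append(cur)
        srv = plan[cur]
        if any(in_zone(qname, z) for z in srv["zones"]):
            return hops                       # answered authoritatively here
        nxt = next((ip for z, ip in srv["forward"].items() if in_zone(qname, z)),
                   srv["default"])
        if nxt not in by_ip:
            return hops + [nxt]               # left the internal plan
        cur = by_ip[nxt]
    return hops + ["LOOP"]


def update_target(plan, fqdn):
    """IP of the internal server that would receive a dynamic DNS update for
    fqdn (longest matching zone wins). None means the update would go to the
    parent domain's public SOA, which is the failure Galen describes."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        owner = zone_owner(plan, ".".join(labels[i:]))
        if owner:
            return plan[owner]["ip"]
    return None


if __name__ == "__main__":
    for p in find_problems(PLAN) or ["no problems found"]:
        print(p)
    print(query_path(PLAN, "freeipa", "pdc.win.example.com"))   # ['freeipa', 'ad']
    print(update_target(PLAN, "host.example.com"))              # None
```

Adding a host whose name sits directly under example.com, as in Galen's first attempt, makes `update_target` return None, which is the update that his upstream DNS host rejects.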
Re: [PLUG] Linux centralized authentication
The distribution lock-in does concern me. As well as its all-in-one monolithic style. The web interface does look nice though. Right now compatibility with Windows is not something I am concerned with at all. More so compatibility with other UNIX like operating systems such as the BSDs. I am thinking it might be worth taking the time and writing out a custom configuration versus having a lot of automated scripts such as in FreeIPA. I have never used FreeIPA before but looking at what it offers from its website does not look like what I am after. Cathy's recommendation of plain LDAP/DNS/Kerberos seems more appealing. I heard MIT has done something like this. They are calling it Project Athena.

On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.
>
> (Full disclosure: I do happen to use ActiveDirectory to store my user accounts, and FreeIPA authenticates through an AD Interforest Trust, but that's far from a requirement, and it probably causes me more grief than many admins would tolerate)
>
> As for reading, I learned everything I know from their documentation:
> https://www.freeipa.org/page/Documentation
>
> On Wed, May 2, 2018, 20:01 Thomas Groman wrote:
>> Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.
>>
>> On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
>>> The easiest is to pick LDAP or NIS, both work very well on Linux. With or without Kerberos for local small setup.
>>>
>>> NIS with NFS for file sharing would be probably the simplest setup, but you will eventually wish you had LDAP for integration with various other services.
>>>
>>> LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.
>>>
>>> Another option would be to use Samba - it combines LDAP + Kerberos, so it has less moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.
>>>
>>> For both solutions, you might need some enterprise admin to help setting it up. If well and simply setup, it is not difficult to maintain and manage. IMHO
>>>
>>> Tomas
>>>
>>> On Wed, May 2, 2018, 5:36 PM Smith, Cathy wrote:
>>>> There used to be dns, ldap, kerberos, nis. These are open source protocols and not restricted to Microsoft.
>>>>
>>>> --
>>>> Cathy L. Smith
>>>> IT Engineer
>>>>
>>>> Pacific Northwest National Laboratory
>>>> Operated by Battelle for the
>>>> U.S. Department of Energy
>>>>
>>>> Phone: 509.375.2687
>>>> Fax: 509.375.4399
>>>> Email: cathy.sm...@pnnl.gov
>>>>
>>>> -----Original Message-----
>>>> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
>>>> Sent: Wednesday, May 02, 2018 5:16 PM
>>>> To: plug@pdxlinux.org
>>>> Subject: [PLUG] Linux centralized authentication
>>>>
>>>> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized authentication? Using native protocols, not some sort of strange Microsoft AD mesh thing.
>>>> I wanted to build a hacker-space for a school and since it would be starting from scratch there's no reason to get locked in to a Microsoft product from the start. Also Microsoft's protocols are not open source and hard to debug. They never really work well with UNIX like operating systems requiring id/group mapping and such.
Re: [PLUG] Linux centralized authentication
On 5/4/18 9:02 AM, Tomas Kuchta wrote:
> Free IPA would be excellent topic for talk...

What he said

Michael
Re: [PLUG] Linux centralized authentication
Free IPA would be an excellent topic for a talk... I for one would love to hear practical experience with it.

Tomas

On Thu, May 3, 2018, 8:59 AM Andrew Denton wrote:
> At work we use FreeIPA for all our linux servers, it works really well. It's nice to have a web interface for the LDAP/Kerberos/DNS/Certificate/nfs automount stuff, and the client side setup automation (ipa-client-install or the new realmd) is handy.
>
> Like you our humans actually have AD accounts that come in via trust. In that case we still use FreeIPA to manage their shells, sudoers rules and ssh keys. I've never had a problem with that trust breaking, my only problem has been some weirdness with Kerberized NFS home directories not always mounting properly.
>
> On Wed, May 2, 2018 at 8:25 PM Tyrell Jentink wrote:
>> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.
>>
>> (Full disclosure: I do happen to use ActiveDirectory to store my user accounts, and FreeIPA authenticates through an AD Interforest Trust, but that's far from a requirement, and it probably causes me more grief than many admins would tolerate)
>>
>> As for reading, I learned everything I know from their documentation:
>> https://www.freeipa.org/page/Documentation
>>
>> On Wed, May 2, 2018, 20:01 Thomas Groman wrote:
>>> Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.
>>>
>>> On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
>>>> The easiest is to pick LDAP or NIS, both work very well on Linux. With or without Kerberos for local small setup.
>>>>
>>>> NIS with NFS for file sharing would be probably the simplest setup, but you will eventually wish you had LDAP for integration with various other services.
>>>>
>>>> LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.
>>>>
>>>> Another option would be to use Samba - it combines LDAP + Kerberos, so it has less moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.
>>>>
>>>> For both solutions, you might need some enterprise admin to help setting it up. If well and simply setup, it is not difficult to maintain and manage. IMHO
>>>>
>>>> Tomas
>>>>
>>>> On Wed, May 2, 2018, 5:36 PM Smith, Cathy wrote:
>>>>> There used to be dns, ldap, kerberos, nis. These are open source protocols and not restricted to Microsoft.
>>>>>
>>>>> --
>>>>> Cathy L. Smith
>>>>> IT Engineer
>>>>>
>>>>> Pacific Northwest National Laboratory
>>>>> Operated by Battelle for the
>>>>> U.S. Department of Energy
>>>>>
>>>>> Phone: 509.375.2687
>>>>> Fax: 509.375.4399
>>>>> Email: cathy.sm...@pnnl.gov
>>>>>
>>>>> -----Original Message-----
>>>>> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
>>>>> Sent: Wednesday, May 02, 2018 5:16 PM
>>>>> To: plug@pdxlinux.org
>>>>> Subject: [PLUG] Linux centralized authentication
>>>>>
>>>>> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized authentication? Using native protocols, not some sort of strange Microsoft AD mesh thing.
>>>>> I wanted to build a hacker-space for a school and since it would be starting from scratch there's no reason to get locked in to a Microsoft product from the start. Also Microsoft's protocols are not open source and hard to debug. They never really work well with UNIX like operating systems requiring id/group mapping and such.
Re: [PLUG] Linux centralized authentication
At work we use FreeIPA for all our linux servers, it works really well. It's nice to have a web interface for the LDAP/Kerberos/DNS/Certificate/nfs automount stuff, and the client side setup automation (ipa-client-install or the new realmd) is handy.

Like you our humans actually have AD accounts that come in via trust. In that case we still use FreeIPA to manage their shells, sudoers rules and ssh keys. I've never had a problem with that trust breaking, my only problem has been some weirdness with Kerberized NFS home directories not always mounting properly.

On Wed, May 2, 2018 at 8:25 PM Tyrell Jentink wrote:
> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.
>
> (Full disclosure: I do happen to use ActiveDirectory to store my user accounts, and FreeIPA authenticates through an AD Interforest Trust, but that's far from a requirement, and it probably causes me more grief than many admins would tolerate)
>
> As for reading, I learned everything I know from their documentation:
> https://www.freeipa.org/page/Documentation
>
> On Wed, May 2, 2018, 20:01 Thomas Groman wrote:
>> Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.
>>
>> On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
>>> The easiest is to pick LDAP or NIS, both work very well on Linux. With or without Kerberos for local small setup.
>>>
>>> NIS with NFS for file sharing would be probably the simplest setup, but you will eventually wish you had LDAP for integration with various other services.
>>>
>>> LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.
>>>
>>> Another option would be to use Samba - it combines LDAP + Kerberos, so it has less moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.
>>>
>>> For both solutions, you might need some enterprise admin to help setting it up. If well and simply setup, it is not difficult to maintain and manage. IMHO
>>>
>>> Tomas
>>>
>>> On Wed, May 2, 2018, 5:36 PM Smith, Cathy wrote:
>>>> There used to be dns, ldap, kerberos, nis. These are open source protocols and not restricted to Microsoft.
>>>>
>>>> --
>>>> Cathy L. Smith
>>>> IT Engineer
>>>>
>>>> Pacific Northwest National Laboratory
>>>> Operated by Battelle for the
>>>> U.S. Department of Energy
>>>>
>>>> Phone: 509.375.2687
>>>> Fax: 509.375.4399
>>>> Email: cathy.sm...@pnnl.gov
>>>>
>>>> -----Original Message-----
>>>> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
>>>> Sent: Wednesday, May 02, 2018 5:16 PM
>>>> To: plug@pdxlinux.org
>>>> Subject: [PLUG] Linux centralized authentication
>>>>
>>>> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized authentication? Using native protocols, not some sort of strange Microsoft AD mesh thing.
>>>> I wanted to build a hacker-space for a school and since it would be starting from scratch there's no reason to get locked in to a Microsoft product from the start. Also Microsoft's protocols are not open source and hard to debug. They never really work well with UNIX like operating systems requiring id/group mapping and such.
Re: [PLUG] Linux centralized authentication
Just google for tutorials on how to configure the various protocols. For example, DNS is really easy to set up. I got a number of hits looking for a tutorial to set up DNS.

https://www.google.com/search?source=hp&ei=wivrWp71OYewjwPFsZL4Cg&q=howto+tutorial+configure+dns+server+in+linux&oq=howto+tutorial+configure+dns+ser&gs_l=psy-ab.3.1.33i22i29i30k1l10.12033.20875.0.24063.32.32.0.0.0.0.542.4276.0j25j4-1j1.27.00...1.1.64.psy-ab..5.27.4238...0j0i131k1j0i10k1j0i13k1j0i13i30k1j0i22i30k1.0.GRWi_-V6IfI

--
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.sm...@pnnl.gov

-----Original Message-----
From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
Sent: Wednesday, May 02, 2018 8:00 PM
To: plug@pdxlinux.org
Subject: Re: [PLUG] Linux centralized authentication

Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.

On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
> The easiest is to pick LDAP or NIS, both work very well on Linux. With or without Kerberos for local small setup.
>
> NIS with NFS for file sharing would be probably the simplest setup, but you will eventually wish you had LDAP for integration with various other services.
>
> LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.
>
> Another option would be to use Samba - it combines LDAP + Kerberos, so it has less moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.
>
> For both solutions, you might need some enterprise admin to help setting it up. If well and simply setup, it is not difficult to maintain and manage. IMHO
>
> Tomas
>
> On Wed, May 2, 2018, 5:36 PM Smith, Cathy wrote:
>> There used to be dns, ldap, kerberos, nis. These are open source protocols and not restricted to Microsoft.
>>
>> --
>> Cathy L. Smith
>> IT Engineer
>>
>> Pacific Northwest National Laboratory
>> Operated by Battelle for the
>> U.S. Department of Energy
>>
>> Phone: 509.375.2687
>> Fax: 509.375.4399
>> Email: cathy.sm...@pnnl.gov
>>
>> -----Original Message-----
>> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
>> Sent: Wednesday, May 02, 2018 5:16 PM
>> To: plug@pdxlinux.org
>> Subject: [PLUG] Linux centralized authentication
>>
>> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized authentication? Using native protocols, not some sort of strange Microsoft AD mesh thing.
>> I wanted to build a hacker-space for a school and since it would be starting from scratch there's no reason to get locked in to a Microsoft product from the start. Also Microsoft's protocols are not open source and hard to debug. They never really work well with UNIX like operating systems requiring id/group mapping and such.
Re: [PLUG] Linux centralized authentication
On Thu, 3 May 2018, Ken Stephens wrote:

> Whatever happened to the Lake Oswego Linux School System? Wasn't that a Server/Workstation distribution?

Ken,

Are you thinking of the Riverdale(?) District where we held the clinic at the elementary and high schools?

Rich
Re: [PLUG] Linux centralized authentication
OK, first off... A Google search for 'site:linuxschools.com oswego' and for 'karoshi server "Oswego"' brought up nothing... So my crude guess is that "What happened" was that they had nothing to do with it? On the other hand, maybe they were successful in ridding any reference from the internet?

Second off... The product that is promoted at linuxschools.com is called Karoshi Server and Karoshi Client. It also seems to be actively maintained, with the latest GitHub commit 18 hours ago. So... Nothing "happened" to it?

Third... LOSD uses Blackboard for their CMS, grade books, and school management... And they use Google Apps for Education for email and collaboration... and most (All?) of the staff uses PCs... While it's fully within the realm of possibility that they could use an open source authentication system, they don't seem too afraid of using expensive proprietary providers in general, and I really don't see the IT director sacrificing Group Policy on Windows workstations...

My pessimism and criticism of simple words aside, it looks promising. A shortcoming of FreeIPA when compared to Active Directory is the lack of Group Policy; The limitation really comes from the fact that Linux clients have never been asked to follow a centralized policy, so there isn't a standard. FreeIPA approximates some of it with Sudo lists and Host Based Access Control, but a real solution would require a REAL client. Maybe Karoshi provides that? But it's not on the feature list, so maybe not...

On Thu, May 3, 2018, 06:49 Ken Stephens wrote:

> Whatever happened to the Lake Oswego Linux School System? Wasn't that a Server/Workstation distribution?
>
> https://www.linuxschools.com/forum/index-main.php
>
> Ken
Re: [PLUG] Linux centralized authentication
Whatever happened to the Lake Oswego Linux School System? Wasn't that a Server/Workstation distribution?

https://www.linuxschools.com/forum/index-main.php

Ken

On Wed, May 2, 2018 at 8:25 PM, Tyrell Jentink wrote:

> I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.
>
> (Full disclosure: I do happen to use ActiveDirectory to store my user accounts, and FreeIPA authenticates through an AD Interforest Trust, but that's far from a requirement, and it probably causes me more grief than many admins would tolerate)
>
> As for reading, I learned everything I know from their documentation:
> https://www.freeipa.org/page/Documentation
Re: [PLUG] Linux centralized authentication
I'm using FreeIPA here at home; As a product, it's really just a bunch of scripts and a web interface for LDAP+Kerberos+Certificate management+Samba; It aims to be a complete identity management system, a product designed to compete with (Or at the very least, perform an analogous set of tasks to) ActiveDirectory. It is completely open source, developed by Red Hat, for Fedora, and I use it on CentOS, but it is available for a number of other distros.

(Full disclosure: I do happen to use ActiveDirectory to store my user accounts, and FreeIPA authenticates through an AD Interforest Trust, but that's far from a requirement, and it probably causes me more grief than many admins would tolerate)

As for reading, I learned everything I know from their documentation:
https://www.freeipa.org/page/Documentation

On Wed, May 2, 2018, 20:01 Thomas Groman wrote:

> Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.
Re: [PLUG] Linux centralized authentication
Do you have any book or other resource recommendations for setting these up? I already do sysadmin work, just never done centralized auth before.

On 05/02/2018 07:53 PM, Tomas Kuchta wrote:

> The easiest is to pick LDAP or NIS; both work very well on Linux, with or without Kerberos for a local small setup.
>
> NIS with NFS for file sharing would probably be the simplest setup, but you will eventually wish you had LDAP for integration with various other services.
>
> LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.
>
> Another option would be to use Samba - it combines LDAP + Kerberos, so it has fewer moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.
>
> For both solutions, you might need some enterprise admin to help setting it up. If well and simply set up, it is not difficult to maintain and manage. IMHO
>
> Tomas
Re: [PLUG] Linux centralized authentication
The easiest is to pick LDAP or NIS; both work very well on Linux, with or without Kerberos for a local small setup.

NIS with NFS for file sharing would probably be the simplest setup, but you will eventually wish you had LDAP for integration with various other services.

LDAP + Kerberos + NFS is probably the most common and extensible solution. You will absolutely need local DNS and NTP to get it going, but it is a well integrated, extensible solution.

Another option would be to use Samba - it combines LDAP + Kerberos, so it has fewer moving parts and can accept Windows hosts without much headache, compared to LDAP and Kerberos.

For both solutions, you might need some enterprise admin to help setting it up. If well and simply set up, it is not difficult to maintain and manage. IMHO

Tomas

On Wed, May 2, 2018, 5:36 PM Smith, Cathy wrote:

> There used to be DNS, LDAP, Kerberos, NIS. These are open source protocols and not restricted to Microsoft.
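Tomas's point that LDAP + Kerberos will not work without local DNS and NTP can be checked before a host is enrolled. The script below is an added example for this thread, not code from any PLUG poster, from FreeIPA or from Samba: a POSIX shell pre-join check that verifies the host has a fully qualified name, that forward and reverse DNS agree on that name, and that the NTP offset is inside the 300 s default clock skew that Kerberos tolerates. The use of dig and chronyc, the `--live` flag and all function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-join sanity checks for a host about to become a Kerberos/LDAP client
# (FreeIPA, Samba AD or plain MIT Kerberos). Constructed example; not part of
# FreeIPA or of any poster's setup. The check functions take their inputs as
# arguments so they can be exercised without a network; preflight() wires them
# to dig(1) and chronyc(1), which are assumed to be installed.

# is_fqdn NAME: succeed if NAME is a fully qualified hostname (two or more
# labels of letters/digits/hyphens, no trailing dot). Kerberos host principals
# are host/<fqdn>@REALM, so a bare short name never matches the keytab entry.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# ptr_matches FWD_NAME PTR_NAME: succeed if the reverse (PTR) answer names the
# same host as the forward name. Case-insensitive, and ignores the trailing
# dot that dig prints on PTR answers.
ptr_matches() {
    fwd=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    rev=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    [ -n "$fwd" ] && [ "$fwd" = "$rev" ]
}

# clock_skew_ok OFFSET_SECONDS: succeed if |offset| is below 300 s, the default
# clockskew in krb5.conf; beyond it the KDC answers "Clock skew too great".
clock_skew_ok() {
    case "$1" in
        ''|*[!0-9.-]*) return 1 ;;   # empty or non-numeric input counts as a failure
    esac
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o < 300) }'
}

# preflight: run the three checks against this host and report the first
# failure. Assumes dig for DNS and chronyc for the NTP offset.
preflight() {
    host=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not fully qualified"; return 1; }

    ip=$(dig +short A "$host" | head -n 1)
    [ -n "$ip" ] || { echo "FAIL: no A record for $host"; return 1; }

    ptr=$(dig +short -x "$ip" | head -n 1)
    ptr_matches "$host" "$ptr" || { echo "FAIL: PTR for $ip is '$ptr', expected $host"; return 1; }

    # chronyc prints "System time : 0.000123 seconds fast of NTP time"; field 4 is the offset
    offset=$(chronyc tracking 2>/dev/null | awk '/^System time/ { print $4 }')
    clock_skew_ok "$offset" || { echo "FAIL: NTP offset '$offset' s is missing or >= 300 s"; return 1; }

    echo "OK: $host -> $ip -> $ptr, clock offset ${offset}s"
}

# Run the live checks only when asked for: sh preflight.sh --live
case "${1:-}" in
    --live) preflight ;;
esac
```

Run it on the client before enrolling; a PTR record that names a different host, or a clock more than five minutes out, is the usual reason an otherwise correct join fails at the Kerberos step. Because the check functions take arguments, the same logic can be fed answers recorded from another resolver when debugging a split-horizon setup.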
Re: [PLUG] Linux centralized authentication
There used to be DNS, LDAP, Kerberos, NIS. These are open source protocols and not restricted to Microsoft.

--
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.sm...@pnnl.gov

-----Original Message-----
From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
Sent: Wednesday, May 02, 2018 5:16 PM
To: plug@pdxlinux.org
Subject: [PLUG] Linux centralized authentication

Has anyone ever made a 100% UNIX/BSD/Linux network with centralized authentication? Using native protocols, not some sort of strange Microsoft AD mesh thing.

I wanted to build a hacker-space for a school, and since it would be starting from scratch there's no reason to get locked into a Microsoft product from the start. Also, Microsoft's protocols are not open source and hard to debug. They never really work well with UNIX-like operating systems, requiring id/group mapping and such.