RE: SSO on linux

From: Niall J. Porter (niall.porter_at_helix-rds.com)
Date: 07/26/04

    Date: Mon, 26 Jul 2004 09:05:13 +0100
    To: <spurgeonbj@softhome.net>, <focus-linux@securityfocus.com>
    
    

    Spurgeon,

    We were about to start looking at MS Services for Unix when I was informed by a contact of mine that it is possible to do what you suggest without it. Facing the same challenge I asked for his help and here's what he suggested:

    ------------------------------------------------------------------

    On recent versions of Redhat there is the option at install time to
    enable LDAP authentication, I think authconfig should work as well.

    I messed with all of these files manually.

    You will probably need pam_smb.

    Here is a list of RPMS that I have installed that might be important
    (and several that probably aren't)

    [root@tron etc]# rpm -qa | grep "ldap\|pam\|samba"
    php-ldap-4.2.2-17
    samba-common-2.2.7a-7.9.0
    openldap-2.0.27-8
    pam_smb-1.1.6-7
    samba-2.2.7a-7.9.0
    redhat-config-samba-1.0.4-1
    openldap-devel-2.0.27-8
    pam-devel-0.75-48
    pam-0.75-48
    nss_ldap-202-5
    pam_krb5-1.60-1
    samba-client-2.2.7a-7.9.0

    (I think samba can use its own authentication to AD - independent of
    PAM)

    /etc/pam.d/system-auth (used in turn by all the other services: sshd,
    login etc.)

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
    auth required /lib/security/$ISA/pam_deny.so

    account required /lib/security/$ISA/pam_unix.so
    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

    password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    session optional /lib/security/$ISA/pam_ldap.so

    /etc/ldap.conf
    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    #
    # PADL Software
    # http://www.padl.com
    #

    You should research these blocks, although I think everything else I
    have is default.

    host 10.0.0.blah
    base DC=domain,DC=com
    binddn CN=username,CN=Users,DC=domain,DC=com (this can't be anonymous as AD needs a valid user to bind)
    bindpw xxxxxxxx (password)
    pam_login_attribute sAMAccountName (this is a tricky one to find, it's the AD attribute that holds the username)
    ssl no
    pam_password md5

    It keeps root as a locally authenticated account.
    All other users are authenticated against AD, although they will still
    need a 'local' account/home directory.

    IT DOES WORK - it might just take a while to get all the bits right.

    Hope this helps

    b

    ------------------------------------------------------------------

    I haven't had time to try this but it comes to me from a well-respected source (thanks Bob) so I have no doubt of its validity. Hope it helps.

    Niall

    -----Original Message-----
    From: Spurge [mailto:spurgeonbj@softhome.net]
    Sent: 24 July 2004 06:34
    To: focus-linux@securityfocus.com
    Subject: SSO on linux

    Hi,

    Could someone gimme some inputs / references about any existing howtos or
    guides on implementing 'Single Sign On' on a linux server using Kerberos,
    which is connected to a Win2K KDC.

    Basically, I wish to enable seamless SSO on this heterogeneous network
    consisting of both W2K as well as linux (FC1) servers, where some services
    would be provided by W2K machines, while others from linux machines.

    I had googled quite a bit and stumbled upon Microsoft Services For Unix (SFU)
    framework, but am a bit wary of it and think there should be some other way
    to implement this.

    Samba that ships with FC1 (samba-3.0.0-15) seems to be kerberised out of box
    and could be setup with a few entries like 'security = ADS' and so on...

    I am looking for ways to kerberise Apache, VSFTPD, Postfix, MySQL and OpenLDAP
    to start with.

    Any help is appreciated.
    Regards.

    Spurgen

    ________________________________________________________________________
    This email has been scanned for all viruses by the MessageLabs Email
    Security System.
    http://www.messagelabs.com
    ________________________________________________________________________

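    Added example, written for this archive page and not part of the thread or of pam_ldap: a small Python linter for the system-auth stack and the ldap.conf fragment quoted in Bob's notes. The sample configs are constructed copies of the post's (module paths shortened, wrapped lines rejoined, session lines omitted); the bindpw and "username" binddn are placeholders.

```python
import re

# Constructed samples shaped after the post's system-auth and ldap.conf
# (module paths shortened, the wrapped lines rejoined; session lines omitted).
SYSTEM_AUTH = """\
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
"""
LDAP_CONF = """\
binddn CN=username,CN=Users,DC=domain,DC=com
bindpw xxxxxxxx
pam_login_attribute sAMAccountName
ssl no
"""
# type, control (one word or a [bracketed action list]), module path, optional args
PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return {type: [(control, module basename, args)]} in stack order."""
    stack = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        typ, ctrl, mod, args = PAM_LINE.match(line).groups()  # AttributeError on a malformed line
        stack.setdefault(typ, []).append((ctrl, mod.rsplit("/", 1)[-1], args.split()))
    return stack

def lint_pam(stack):
    """Findings against what the post relies on: local pam_unix (root included) is
    consulted before the directory, pam_ldap reuses the typed password, and the
    auth/password stacks end in an explicit default deny. [] means all good."""
    out = []
    auth = stack.get("auth", [])
    mods = [m for _, m, _ in auth]
    if "pam_unix.so" not in mods or "pam_ldap.so" not in mods or mods.index("pam_unix.so") > mods.index("pam_ldap.so"):
        out.append("auth: pam_unix.so should precede pam_ldap.so")
    if not any("use_first_pass" in a for _, m, a in auth if m == "pam_ldap.so"):
        out.append("auth: pam_ldap.so without use_first_pass prompts for a second password")
    for typ in ("auth", "password"):
        if stack.get(typ, [("", "", [])])[-1][:2] != ("required", "pam_deny.so"):
            out.append(f"{typ}: stack lacks a terminal 'required pam_deny.so'")
    return out

def lint_ldap_conf(text):
    opts = dict(l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    # the post's 'ssl no' plus a bindpw means the bind credential and every user password cross the wire in the clear
    return ["ldap.conf: bindpw set with ssl no, credentials cross the wire in the clear"] if "bindpw" in opts and opts.get("ssl", "no") == "no" else []
```

    Run against the post's stack the PAM linter returns no findings; the ldap.conf linter flags the cleartext bind, which is the one caveat Bob's notes leave implicit.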


