Baby steps on centralized authentication

28 12 2008

I’ve had a small project churning along in the background for the past couple of weeks. The goal is to come up with a way to have Active Directory-like services for an all-Linux environment without going through a major yak-shaving exercise of setting up all the individual components by hand.

My first glimmer of hope in this idea was finding Zeroshell, a Linux live CD application designed to run all the major components for a network from one simple install. It includes LDAP, Kerberos, DNS, and a well put together web interface, making setting up the server side of things quite simple.

The goals of the project are pretty straightforward. Mimic the single-point authentication / authorization services that Active Directory has, and configure all clients in the network to use a centralized server for these functions. Adding a user to all machines should be as simple as adding said user to the central server.

Here’s where I am so far…

  • Build a central server with all the services enabled and accessible. Status: Done – Zeroshell is the answer there. Booyah.
  • Learn enough about how central authentication and authorization works. Status: Done – These functions need three services working together: DNS (so hosts can find the realm and each other by name), Kerberos (authentication and ticketing), and LDAP (user and group records).
  • Set up a single client machine that can retrieve credentials from the central server. Status: Done – Enabling Kerberos on Zeroshell, installing the krb5 suite on Linux and KFW (Kerberos for Windows) on Windows, allows a single login and ticket (TGT) generation on both platforms.
  • Configure a host computer to act within the realm and accept credentials from the Zeroshell server. Status: Done – My media server, ‘yawl’, is acting as my guinea pig. It’s now a part of my internal realm, and accepts Kerberos credentials issued by the Zeroshell server when requested.
  • Configure a host computer to use LDAP for user account (passwd/GECOS) lookups. Status: Done – ‘yawl’ now resolves users served from LDAP as if they were local users. I can use ‘finger’, ‘getent’, ‘id’, etc., and as far as ‘yawl’ is concerned, they’re local users.
  • Configure PAM to accept Kerberos authentication for ssh logins. Status: Done, dammit. This was the trickiest bit, because it requires the correct fiddling between PAM, Kerberos, LDAP, and ssh. But this afternoon, I was able to log into ‘yawl’ via Kerberos-backed authentication from both my Windows box and my Linux laptop, without needing to provide a local password. Score!
  • Allow Samba shares to be mounted / authenticated via Kerberos. Status: Not working yet. I’ve only just started this side of things, but I want to be able to browse shares on ‘yawl’ as if they were natural Windows CIFS volumes, while authenticating via Kerberos, as managed by the zeroshell machine. This’ll take some time.
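The client side of the steps above (krb5 realm definition, LDAP-backed NSS so getent/id see directory users, and a PAM stack for sshd that tries Kerberos before local passwords), as an added example that is not from the original post or from Zeroshell. The realm name EXAMPLE.LAN, the KDC/LDAP host zeroshell.example.lan, the LDAP suffix dc=example,dc=lan and the CA certificate path are assumptions, as is the choice of the classic nss_ldap/pam_ldap and pam_krb5 modules (the post names none of them). The script writes the fragments to a directory you pick so they can be reviewed before anything is copied into /etc, and includes two sanity checks worth running before restarting sshd.

```shell
#!/bin/sh
# Added example (not from the post). Generates client-side config fragments for
# joining a Linux host to a Zeroshell-style Kerberos + LDAP realm, and checks them.
# ASSUMPTIONS: realm EXAMPLE.LAN, KDC/LDAP host zeroshell.example.lan, suffix
# dc=example,dc=lan, nss_ldap/pam_ldap + pam_krb5 as the client modules.

REALM="${REALM:-EXAMPLE.LAN}"
KDC="${KDC:-zeroshell.example.lan}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=lan}"
DOMAIN=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')   # DNS domain mapped onto the realm

# krb5.conf: where the KDC lives. The KDC is named explicitly, so DNS SRV lookup
# is off; rdns=false stops reverse DNS from rewriting service principal names.
write_krb5_conf() {
    cat > "$1/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = false
    rdns = false
    forwardable = true

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# ldap.conf (nss_ldap/pam_ldap): source of user/group records. LDAPS with peer
# verification so passwd/group answers cannot be altered on the wire.
write_ldap_conf() {
    cat > "$1/ldap.conf" <<EOF
uri ldaps://$KDC/
base $LDAP_BASE
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/zeroshell-ca.pem
EOF
}

# nsswitch.conf: local files first, then LDAP, so getent/id/finger see LDAP users.
write_nsswitch_conf() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns
EOF
}

# PAM stack for sshd: Kerberos first, local password as fallback. pam_krb5 checks
# the TGT it obtains against /etc/krb5.keytab (host/<fqdn>@REALM) when that keytab
# exists; without it a spoofed KDC could be used to log in, so create the keytab.
write_pam_sshd() {
    cat > "$1/pam-sshd" <<'EOF'
auth     sufficient  pam_krb5.so  minimum_uid=1000
auth     required    pam_unix.so  try_first_pass
account  required    pam_krb5.so
account  required    pam_unix.so
session  optional    pam_krb5.so
session  required    pam_unix.so
EOF
}

write_client_config() {
    mkdir -p "$1"
    write_krb5_conf "$1" && write_ldap_conf "$1" &&
    write_nsswitch_conf "$1" && write_pam_sshd "$1"
}

check_nss_ldap() {         # passwd and group must fall through to ldap
    grep -Eq '^passwd:[[:space:]]+files[[:space:]]+ldap' "$1" &&
    grep -Eq '^group:[[:space:]]+files[[:space:]]+ldap' "$1"
}
check_pam_krb5_first() {   # pam_krb5 must precede pam_unix in the auth stack
    awk '/^auth/ && /pam_krb5/ {k=NR} /^auth/ && /pam_unix/ {u=NR}
         END {exit !(k && u && k < u)}' "$1"
}

# Live check on the joined host once the real /etc files are in place.
verify_user() {
    kinit "$1@$REALM" && klist && getent passwd "$1" && id "$1"
}

[ $# -eq 0 ] || write_client_config "$1"
```

Run it as `sh realm-client.sh /tmp/realm`, review the four files, then copy them to /etc/krb5.conf, /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/sshd. For the passwordless login described in the last step, sshd also needs `UsePAM yes` and, for ticket-based (GSSAPI) logins rather than password-through-PAM, `GSSAPIAuthentication yes` plus a host keytab; the client clock must be within Kerberos’ default five-minute skew of the KDC or every ticket request fails.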

99% of the work for this process has been learning the terminology of Kerberos, LDAP, and PAM. Once all the pieces are in place, it actually makes an awful lot of sense. But there is one well shaved yak behind me. I’m documenting each and every step of this process, so that when I upgrade my colo’ed servers, I can implement a similar setup.

Feel free to catch me online if you have questions, but stay tuned – I’ll be writing a pretty in depth HowTo on this entire process once I’m able to repeat the configuration end to end from scratch.

This I Believe

26 12 2008

When I first starting hearing the audio submissions for NPR’s “This I Believe” project, I wondered if I were given the opportunity, what would I say?

In this confusing season, with wildly contradictory messages being pushed in from all quarters, I thought it was time to sit down and say…

This I believe…


KNetworkManager equivalent for Gnome?

25 12 2008

Am I totally bonkers, or is there no Gnome equivalent of KNetworkManager? This seems like a huge missing piece. (KNetworkManager is a wireless network browse-and-configure tool – a standard component of any modern OS.)
I’m currently experimenting with using Gnome as my primary OS, and so far it’s doing quite well, but not being able to browse and connect to wireless networks graphically seems pretty glaring.
Or am I just missing something?

A beautiful view, a grumpy situation.

14 12 2008

[Photo: 20081214 maine 020, originally uploaded by eidolon]

Today I made an unexpected trip up to our Maine house after a friend of ours (who has an all-season house just down-lake from us) let us know he saw some damage to 2 of our sheds.

When I got there, I found all 3 of our outbuildings had been broken into sometime, I’m guessing, in the last month or so. It looks like the only thing that was stolen was a toolbox from the tool shed, but the damage to the door of the shed will require replacing the door (and frame). Blah!

At one point, working around the house, I turned around and saw this view out across the lake, so I had to take a picture. It was taken on my iPhone, so what I could do with the image was limited, but it’s a beautiful view of the frozen lake and the ice on the trees.

OLPC – Why we’re doing it.

12 12 2008

For anyone who has asked “Is it working?” or “So these things are for kids in developing countries. What happens when they get there?”, there is a fantastic article up on OLPC News called OLE Nepal Notes from an OLPC Deployment. It details a six month old deployment of 135 XO laptops to children in Nepal.

Some choice bits:

0 laptops stolen, lost, or otherwise missing. One laptop has been seriously damaged when the child who owned it cleaned it carefully with soap and water. Otherwise no laptops have been seriously damaged as a result of use.

We conducted four days of teacher training off-site and five days on-site in the classroom with both the students and teachers. A large portion of our teachers had never used a computer before but they learned very quickly. Their enthusiasm was amazing. Training during the off-site sessions formally ended at 5:30 pm but the teachers stayed in our training room each night until 11 pm, pounding away on the XO’s and asking endless questions.

I am continuing to contribute to the program whenever possible by helping out with the support queues and other discussions on the mailing lists. But there is also a need for software to be written. Most of the XO runs on Python, a language I very much want to learn, and seeing this list of ‘most requested applications’ just tickles that interest further:

  • Easier way to play music and video
  • A better E-Book reader
  • A lot more activities for learning English
  • All the Nepali textbooks in digital format
  • A comprehensive digital library with lots of Nepali-language reading materials
  • A Typing Tutor program for learning English and Nepali
  • Interactive learning activities that match the Nepali curriculum
  • A car racing game (the kids)

This naturally during my copious spare time… But what a noble cause.

When will it End? MacOS on an iPhone??

11 12 2008

Have to share this image. Perley has installed a Mac emulator on his iPhone, and now has MacOS running. I’m not sure whether to be blown away or horrified. I think I’ll do both.

A Scary Metric of my Geekitude

6 12 2008

I’m sort of frightened that I’ve either owned or worked with virtually every machine on the Obsolete Technology computer pictures page. A few I had to think about for a few minutes, but I’ve owned about half of those machines at one point or another, and either supported or worked directly with another third.