single sign-on for linux ?

single sign-on for linux ?

[arslan saeed]

hi,

We are running all linux backend solution in our network. From DHCP, DNS ,
SQUID, SAMBA, Firewall, NIDS, FTP, printing, Sendmail, IPOP to Oracle
databases and financial software everything is running on redhat and suse
linux.

Currently we have windows 98, 2k and XP clients in network. We want to
achieve  single signon facility, in which users type their username/password
credentials once to access all the services. I was wondering how to make it
happen in such diversified enviroment (backend linux n frontend windows). we
dont have windows 2000 Active directory installed , neither I would like to
go for windows solution in backend. I would like to achieve it in
linux-only solution.

I think single signon could be achieved through LDAP, Kerberos and by
configuring all services to use LDAP/Kerberos or is there another way. Any
thoughts and experiences regarding the matter is eagerly waited.

thanks.
arslan.

Re: single sign-on for linux ?

[Paul Furness]

Hi, Arslan.

I'm not sure exactly what services you want to include under the single
login, but this may help.

Here, we have all our servers running on RedHat linux (various versions,
but slowly converging to 7.3). Almost all our workstations run Windows
of some kind (mostly 2000). All the shared network drives are held on
the linux servers and shared using Samba and NFS. This means that you
can mount the drive, whatever OS you have.

For authentication, we run a NIS (ypserv) on our authentication server,
and also run Samba on the same machine as a password server; I'm just in
the process of updating it to run a windows domain, so all workstation
logins will be authenticated from that server.


As part of the NIS, we have a "netgroups" file, and in the "/etc/export"
file of the machines sharing disks, we put an entry like this:

/export/FileSys	   @NETGROUPNAME(rw)

then add to the netgroup file all the machines that should be allowed to
access that drive.

The full setup is a bit more complicated, but that is broadly how it
works.

Of course, there are by default two different password databses in use -
the NIS and the Samba. Samba documentation talks about synchronising
them so that when you change your samba password, the NIS one is also
updated.

However, I haven't expermented with that yet.

Paul.


On Tue, 2003-03-18 at 20:49, arslan saeed wrote:
> hi,
> 
> We are running all linux backend solution in our network. From DHCP, DNS ,
> SQUID, SAMBA, Firewall, NIDS, FTP, printing, Sendmail, IPOP to Oracle
> databases and financial software everything is running on redhat and suse
> linux.
> 
> Currently we have windows 98, 2k and XP clients in network. We want to
> achieve  single signon facility, in which users type their username/password
> credentials once to access all the services. I was wondering how to make it
> happen in such diversified enviroment (backend linux n frontend windows). we
> dont have windows 2000 Active directory installed , neither I would like to
> go for windows solution in backend. I would like to achieve it in
> linux-only solution.
> 
> I think single signon could be achieved through LDAP, Kerberos and by
> configuring all services to use LDAP/Kerberos or is there another way. Any
> thoughts and experiences regarding the matter is eagerly waited.
> 
> thanks.
> arslan.
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Paul Furness

Systems Manager
Visual Information Lab
Mitsubsihi Electric ITE BV
Guildford, UK
 __________________________________________________________
|  Fight Spam! Join EuroCAUCE: http://www.euro.cauce.org/  |
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~