The Open Directory Domain Controller.



Postby ZombieRyushu » Jul 26th, '11, 21:43

I'm going to split this discussion into two threads. One will be about the current situation with "Open Directory Services" and I'll start another thread about "Active Directory Services" with Samba 4.0.

This thread will discuss Open Directory services. Open Directory Service is a term coined by Apple. It consists of OpenLDAP, Heimdal Kerberos, Samba 3.x, and FreeRadius. Other components are optional. At a bare minimum, an Open Directory Domain Controller:
    Runs OpenLDAP in multi-master mode with replication to other OpenLDAP servers.
    Runs a Kerberos KDC that draws on the OpenLDAP database for information about accounts.
    Runs a Samba server in PDC mode normally, even when communicating with other Linux machines only.
    Runs a FreeRadius server which uses LDAP to authorize services like PPP and 802.1X.
    Uses LDAP for NSS authorization against itself (localhost or ldapi:/// socket).
    Uses Kerberos for PAM authentication against itself.

Commonly there are other things that Open Directory servers can have:
    DNS servers. BIND as of 9.7.3 can store zone updates in an LDAP backend.
    DHCP can store DHCP control directives in OpenLDAP.
    Apache can authorize users in LDAP, and with the help of Firefox, authenticate using Kerberos.
    Postfix can check for bogus records against LDAP.
    Cyrus IMAP can authenticate using Kerberos and authorize using LDAP.
    eGroupware can draw groupware information from LDAP.
    Has SRV records that point to it in DNS.
    NFSv4 can use Kerberos.
    AFS uses Kerberos.
    sudoers can be domain level with LDAP.

So there is a lot of flexibility.

A Linux workstation in an Open Directory Domain:
    Is a member of an Open Directory based Samba 3 domain.
    Uses LDAP for NSS authorization against Open Directory Domain Controllers based on SRV records in DNS (nss_ldap).
    Uses Kerberos for PAM authentication against the Open Directory Domain KDC based on SRV records in DNS (pam_krb5).

Now I know that drakauth does a fairly decent job of setting up the client side. The Domain Control side, not so much. Kerberos and OpenLDAP configurations normally have to be done completely by hand. For Samba configuration, you get a little help from drakxtools, but you should "blank" the Samba config first. For Kerberos, OpenLDAP, and FreeRadius you are left high and dry. Also, by default, libuser.conf is not configured to look for LDAP users, so you can't use userdrake to alter domain level users unless you edit the libuser.conf file by hand. This is something drakauth should take care of. But correctly configured, userdrake can handle POSIX LDAP users, POSIX LDAP groups, and Samba groups.

Here are the changes I'd like to see:
    drakauth modifies libuser.conf and installs the libuser-ldap module. (If you just change libuser.conf, userdrake will crash.)
    Samba config properly sets up ldapsam:editposix.
    Add a tab to userdrake for FreeRadius LDAP attributes.
    Create a one-stop Samba+OpenLDAP+Kerberos setup for servers. Minimalistic configuration.
ZombieRyushu
 
Posts: 17
Joined: Jul 26th, '11, 21:06
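The post above describes a workstation finding its Domain Controllers through SRV records in DNS and then pointing nss_ldap, pam_krb5 and libuser at them. The following Python is an added example written for this thread, not Mageia, drakauth or libuser code: it goes a little beyond the post by parsing a dig-style SRV answer, ordering the KDCs the way RFC 2782 prescribes, and rendering the krb5.conf and libuser.conf fragments a client would need. The domain example.test, the realm, the host names, the SRV answer and the bind DN are all constructed sample data, and the libuser.conf key names are assumed to match the commented defaults that ship with libuser.

```python
"""Client-side discovery and configuration for an Open Directory style domain.

Added example, not Mageia/drakauth code: models how a workstation locates its
domain controllers through DNS SRV records and the config fragments that
nss_ldap, pam_krb5 and libuser then need.  Domain, realm, host names and the
SRV answer below are constructed sample data.
"""
import random

# SRV record names a client queries: _ldap._tcp per RFC 2782 convention,
# the Kerberos names per RFC 4120 section 7.2.3.
SRV_SERVICES = (("ldap", "tcp"), ("kerberos", "udp"),
                ("kerberos", "tcp"), ("kpasswd", "udp"))


def srv_names(domain):
    """Return the SRV record names a client looks up for `domain`."""
    return ["_%s._%s.%s" % (svc, proto, domain) for svc, proto in SRV_SERVICES]


def parse_srv_answer(lines):
    """Parse dig-style answer lines into (priority, weight, port, target)."""
    records = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[3] != "SRV":
            continue  # comments, blank lines, non-SRV records
        prio, weight, port = (int(x) for x in f[4:7])
        records.append((prio, weight, port, f[7].rstrip(".")))
    return records


def order_srv_targets(records, rng=None):
    """Order records per RFC 2782: lowest priority first, weighted random
    selection inside one priority.  Returns [(target, port), ...]."""
    rng = rng or random.Random(0)  # seeded so the ordering is reproducible
    ordered = []
    for prio in sorted({r[0] for r in records}):
        bucket = sorted((r for r in records if r[0] == prio), key=lambda r: r[1])
        while bucket:
            pick = rng.randint(0, sum(r[1] for r in bucket))
            running = 0
            for r in bucket:  # first record whose running weight reaches the pick
                running += r[1]
                if running >= pick:
                    ordered.append((r[3], r[2]))
                    bucket.remove(r)
                    break
    return ordered


def render_krb5_conf(realm, domain, kdcs):
    """Minimal krb5.conf: explicit KDCs plus SRV-based fallback.  The
    domain->realm mapping is pinned and dns_lookup_realm stays off, because
    trusting DNS for it would let a spoofed answer redirect logins elsewhere."""
    lines = ["[libdefaults]", "    default_realm = %s" % realm,
             "    dns_lookup_kdc = true", "    dns_lookup_realm = false", "",
             "[realms]", "    %s = {" % realm]
    lines += ["        kdc = %s:%d" % (host, port) for host, port in kdcs]
    lines += ["    }", "", "[domain_realm]",
              "    .%s = %s" % (domain, realm), "    %s = %s" % (domain, realm)]
    return "\n".join(lines) + "\n"


def render_libuser_conf(server, basedn, binddn):
    """libuser.conf so userdrake can edit POSIX/Samba accounts in LDAP.
    Assumes the libuser-ldap module is installed; key names follow the
    commented defaults shipped in libuser.conf (an assumption, not verified)."""
    return ("[defaults]\nmodules = files shadow ldap\ncreate_modules = ldap\n\n"
            "[ldap]\nserver = %s\nbasedn = %s\nbinddn = %s\nbindtype = simple\n"
            "userBranch = ou=People\ngroupBranch = ou=Group\n"
            % (server, basedn, binddn))


# Constructed SRV answer, in the shape `dig SRV _kerberos._udp.example.test`
# prints it: two KDCs at the same priority, a third one only as a backup.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
_kerberos._udp.example.test. 3600 IN SRV 0 60 88 dc1.example.test.
_kerberos._udp.example.test. 3600 IN SRV 0 40 88 dc2.example.test.
_kerberos._udp.example.test. 3600 IN SRV 10 0 88 backup.example.test.
""".strip().splitlines()


def client_krb5_conf(domain, realm, answer_lines):
    """Tie discovery to configuration: parse the SRV answer, order the KDCs
    and emit the krb5.conf a workstation joining the domain would use."""
    kdcs = order_srv_targets(parse_srv_answer(answer_lines))
    return render_krb5_conf(realm, domain, kdcs)


if __name__ == "__main__":
    print(client_krb5_conf("example.test", "EXAMPLE.TEST", SAMPLE_ANSWER))
    print(render_libuser_conf("ldapi:///", "dc=example,dc=test",
                              "cn=Manager,dc=example,dc=test"))
```

The backup KDC carries priority 10, so it only lands at the end of the list; the two priority-0 KDCs are picked by weight, which is what lets a second Domain Controller take load without any client reconfiguration. On the Domain Controller itself the libuser server value would be the ldapi:/// socket the post mentions, so account edits never leave the box unencrypted.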

Re: The Open Directory Domain Controller.

Postby ZombieRyushu » Jul 26th, '11, 21:44

While I am thinking about it, why can we not have this on a Thumb Drive? Plug in Drive, boot, instant PDC.
ZombieRyushu
 
Posts: 17
Joined: Jul 26th, '11, 21:06

Re: The Open Directory Domain Controller.

Postby zekemx » Feb 1st, '12, 00:12

Hello ZombieRyushu,

Do you know a site where I can find instructions on how to join Mageia to a Windows Active Directory Server?

I tried likewiseopen with Mandriva 2010 and it kinda worked, it did join the Mandriva PC to ADS but it didn't log in. It works great with Fedora and it doesn't even install on Mageia 1 or 2.

On Mandriva it gave me a PAM error while logging in, and on Mageia 1 and 2 it doesn't install because it complains about sh-utils missing.

The nice thing about Likewiseopen is that once you join the ADS server, you can log in as domain\user + password and it works great on everything else as if it was Windows.


Thanks.
zekemx
 
Posts: 25
Joined: Apr 26th, '11, 18:16

Re: The Open Directory Domain Controller.

Postby zekemx » Jan 17th, '13, 02:10

I think it would be a plus for Mageia to have the likewise package...

Regards
zekemx
 
Posts: 25
Joined: Apr 26th, '11, 18:16

Re: The Open Directory Domain Controller.

Postby doktor5000 » Jan 17th, '13, 07:38

doktor5000
 
Posts: 18050
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

