
Re: [school-discuss] Authentication advice needed please

The gotcha you're gonna hit (which I forgot to mention the other day)
is that you'll need separate home directories for your users on the
Linux side. If you want truly unified home directories, the only way
I know to do it is to configure Samba to use LDAP on the backend --
i.e., to use Samba/LDAP.

But if you don't mind having dual home directories (i.e., Linux users
will have to browse to their Windows home), using Samba with its own
backend should be fine.

Hmm. On second (third, fourth) thought, each separate Linux client
will have its own correlation of Samba user to uid (its own "ID
mapping database"). If you have each user log in as "generic
student/generic password", and then re-authenticate to the Samba
server to access home directories, this will work.

If you want each user to initially authenticate as him/herself, this
will be a mess and I can't think of any way around it.

I keep forgetting about this problem, since I haven't worked in this
space for a while or enough. I no longer think bare Samba will be
a good solution for you unless
1) you're going to have generic accounts for the initial
   authentication to your Linux clients, or
2) you only have one Edubuntu box, probably an LTSP server.

In the second case, there will only be one ID mapping database, stored
on the Edubuntu server, so your users will still have two home
directories but you won't have network-wide ID mapping issues. But if
you add a second Linux client, beware!

I've probably made this more confusing than it needs to be, so if this
is unclear feel free to say so and I'll try to clarify.


Peter Ruwoldt wrote:    [Thu May 04 2006, 11:00:55PM EDT]
> Thanks for such a quick response Matt.
> We have found a guide for authenticating edubuntu against active 
> directory in windows 2000 server.
> http://ubuntuforums.org/showthread.php?t=91510&highlight=winbind
> We are hoping that the process outlined in this guide will be 'easily' 
> adaptable to authenticating edubuntu against samba on our sme server.
> Does this look like we are on the right track? Any clues or hints?
> Peter
> Matt Oquist wrote:
> >Hopefully I'm not stating the obvious, but 'winbind' is a chunk of
> >Samba technology that allows a *nix client to authenticate to
> >a Windows (or Samba!) server. If you set your terminal server up to
> >authenticate against your SME Samba server, then you will have
> >single-sign-on. Just google 'winbind' and you'll find plenty of
> >how-tos.
> >
> >Alternatively, if you're willing to consider a different solution than
> >Samba by itself, you can look at configuring Samba to work with
> >OpenLDAP as its back-end. Then you configure your Windows clients to
> >authenticate to the Samba domain, and you configure your Linux clients
> >to authenticate to the LDAP directory. Single-sign-on attained!  There
> >are several how-tos out there and several commercial tools intended to
> >take the work out of doing this.  One option is the
> >"smbldap-installer" project that I've worked on; see
> >http://majen.net/smbldap/ if you're interested.
> >
> >--matt
> >
> >Peter Ruwoldt wrote:    [Tue May 02 2006, 06:14:07PM EDT]
> >  
> >>We are trying to work toward a more useful implementation of Linux 
> >>terminal services for us. We are having difficulty making the system so 
> >>that users do not have to have a special user account to log in to a 
> >>terminal server.
> >>
> >>We use sme-server/ e-smith version 6.01 ( http://contribs.org/ 
> >>http://www.e-smith.com/ ) It uses samba 2.2.8a as a domain controller.
> >>
> >>We need a terminal client solution that will authenticate to our domain 
> >>controller using the samba server.
> >>
> >>This would ideally be edubuntu 6.06 (which is to be released in a couple 
> >>of weeks as we understand)
> >>
> >>Any clues, suggestions or solutions gratefully received.
> >>
> >>Peter
> >>
> >>-- 
> >>Free and Open education for all
> >>
> >>Peter Ruwoldt
> >>Grant High School
> >>Hosking Avenue
> >>
> >>http://waraku.blogspot.com/
> >>
> >>    
> >--
> >Open Source Software Engineering Consultant
> >http://majen.net/
> >  
> -- 
> Free and Open education for all
> Peter Ruwoldt
> Grant High School
> Hosking Avenue
> P. 08 87263107 (Do not leave voice mail)
> F. 08 87250173
> ruwoldtp@xxxxxxxxxxxxxxxxx
> http://waraku.blogspot.com/
Open Source Software Engineering Consultant

718 Fox Hollow Drive
Hudson, NH  03051  U.S.A.
+1 603.236.1054 (cell)
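
The per-client ID mapping problem described in the message above, as an added example that is not part of the original post: a small model of two Linux clients that each keep their own mapping database, plus an audit that flags users whose uid differs between clients. The class and function names, the host names, the user names and the uid range are all constructed for illustration, and first-come allocation is an assumption of the model.

```python
class ClientIdmap:
    """One Linux client's local ID mapping database (simplified model).

    Assumption: uids come first-come, first-served from a local range,
    assigned the first time each domain user is seen on that client.
    """
    def __init__(self, name, low=10000, high=20000):  # range is constructed
        self.name, self.next_uid, self.high = name, low, high
        self.table = {}  # domain user -> local uid

    def uid_for(self, user):
        if user not in self.table:
            if self.next_uid > self.high:
                raise RuntimeError(f"{self.name}: idmap range exhausted")
            self.table[user] = self.next_uid
            self.next_uid += 1
        return self.table[user]


def audit(clients):
    """Compare mapping tables across clients.

    Returns (drift, collisions): users whose uid differs between clients,
    and uids that resolve to different users on different clients.
    """
    by_user, by_uid = {}, {}
    for c in clients:
        for user, uid in c.table.items():
            by_user.setdefault(user, {})[c.name] = uid
            by_uid.setdefault(uid, {})[c.name] = user
    drift = {u: m for u, m in by_user.items() if len(set(m.values())) > 1}
    collisions = {i: m for i, m in by_uid.items() if len(set(m.values())) > 1}
    return drift, collisions


def demo():
    # Constructed sample: the same three users log in in a different order.
    lab1, lab2 = ClientIdmap("lab1"), ClientIdmap("lab2")
    for user in ("alice", "bob", "carol"):
        lab1.uid_for(user)
    for user in ("carol", "alice", "bob"):
        lab2.uid_for(user)
    return audit([lab1, lab2])


if __name__ == "__main__":
    drift, collisions = demo()
    for uid, owners in sorted(collisions.items()):
        print(f"uid {uid} names different users: {owners}")
```

On shared storage, each collision means files written by one user on lab1 show up as owned by a different user on lab2; with a single client, as in the one-LTSP-server case, the audit returns nothing.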
