Topic: Authenticate Ubuntu desktops against SME?

[levien]

I currently administer a network with an SME 7.0 server and a bunch of Windows computers. A number of the Windows computers are going to be migrated to Ubuntu Linux, which is of course A Good Thing. However, I have trouble figuring out how to best authenticate users on the Ubuntu machines against the SME server. I noticed SME 7 runs freeradius, but docs on using it for authenticating users on Linux clients seem hard to find. Other options would be to use NIS or SMB for authentication. Are there more options?

And does anyone have any thoughts or experiences on what would be easiest to set up on both client- and server-side?

Thanks!
Levien

[dtech]

Other options would be to use NIS or SMB for authentication.

And does anyone have any thoughts or experiences on what would be easiest to set up on both client- and server-side?

Hi Levien;

I tried to do the same thing about a year ago, that is, Ubuntu on the workstations and SME on the server. I won't claim to know all of the possible options, and I'll be interested to see if anyone comes up with any new information.

Currently I use FC6 on the workstations instead of Ubuntu, and here's why; I wanted to use NFS home directories. So right off the bat I ran into the different UID/GID problem. I never found a functioning way to sync them between Ubuntu and SME. Of course with FC6 I don't have the problem, the UID/GIDs are the same (except for Tor, but this hasn't caused me a problem).

I also use SMB mounts of ibays on the FC machines because I rather prefer the permissions management of SMB to NFS. This all works fairly well for me. If you are not interested in serving your home directories via NFS, I think I would go for the SMB option.

-P

[stephen noble]

see bug http://bugs.contribs.org/show_bug.cgi?id=1973
Linux clients cannot join SMB domain

[HebsgaardS]

see bug http://bugs.contribs.org/show_bug.cgi?id=1973
Linux clients cannot join SMB domain

That is not completely true, but you need to enable the account on the SME Server by issuing the following command as root on your server:

Code: [Select]

smbpasswd -a -m client_machine_name$

More information can be found in this post:
http://forums.contribs.org/index.php?topic=33276.0

Stefan

[oblooblo2000]

hello, the best answer is ldap authentification of course, in order to have a "centralisation" of the infos (accounts...).

for example...
http://www.howtoforge.com/linux_ldap_authentication

[HebsgaardS]

hello, the best answer is ldap authentification of course, in order to have a "centralisation" of the infos (accounts...).

for example...
http://www.howtoforge.com/linux_ldap_authentication

Just out of curiosity; why is ldap authentication a better solution than smb authentication against SME Server? ldap seems to be fairly poorly integrated whereas smb (nearly) works out of the box.

[cactus]

hello, the best answer is ldap authentification of course, in order to have a "centralisation" of the infos (accounts...).

for example...
http://www.howtoforge.com/linux_ldap_authentication

Just out of curiosity; why is ldap authentication a better solution than smb authentication against SME Server? ldap seems to be fairly poorly integrated whereas smb (nearly) works out of the box.

The whole concept of Microsofts Active Direcotry is pretty much LDAP though... this is a fairly wide spread system

[HebsgaardS]

The whole concept of Microsofts Active Direcotry is pretty much LDAP though... this is a fairly wide spread system

I don't really get your point. What does this have to do with what is the best solution in combination with SME Server and Linux clients?

[oblooblo2000]

ldap is the most centralized protocol in linux and in IT world (In my mind)!!

For example, you've got a PDC with users accounts. Theses accounts are used for other linux computer that need access. With samba, you can also ask the ldap directory with windows client.
Your users have a groupware software access via outlook and/or web. The groupware/crm/erp check access and others informations of the user in the ldap directory (just schema has to be modified), the contacts like client, buyer... are stores as well in the ldap directory (schema different of the users account).
You have a fax tool, when you fax (hylafax), you need fax number, it is stored in ldap...
I've got copy machine (printer and scaner). When I scan, I can ask ldap directory for client email, then email my document that is scanned, or I can fax too...

this list is a part of the possibilities of ldap. It's great, but hard to implement in a full system.

search for sso (single sign on - i guess)
CU

[levien]

Does SME support remote authentication using LDAP? I recall that this wasn't possible until recently. From what I can make up from Bug 1543 it still isn't?
http://bugs.contribs.org/show_bug.cgi?id=1543

I think I'm going to give it a try using smb authentication and homedirs, this way:
http://tech.canterburyschool.org/tech/UbuntuWorkstations
and then see if I still want to switch to LDAP authentication if it becomes possible...

-L.

[levien]

Currently I use FC6 on the workstations instead of Ubuntu, and here's why; I wanted to use NFS home directories. So right off the bat I ran into the different UID/GID problem. I never found a functioning way to sync them between Ubuntu and SME. Of course with FC6 I don't have the problem, the UID/GIDs are the same (except for Tor, but this hasn't caused me a problem).

I just did some research, and it seems that syncing UIDs and GIDs is indeed a bit of a problem. A possible solution is the ugidd RPC demon (see http://www.faqs.org/docs/linux_network/x-087-2-nfs.daemons.html), but there seems to be no CentOS package for it. For NFSv4 this
probably won't work (see http://www.faqs.org/docs/linux_network/x-087-2-nfs.daemons.html),
but I assume SME uses NFS3?

Anyway, I can use smbfs for mounting the homedir and ibays. I might try using NFS to mount /usr, (parts of) /etc and a few other dirs read-only from a master system. That would save me a lot of hassle updating the Ubuntu workstations. I guess the UID/GID issue will be less of a problem here, because none of the files in those dirs will be owned by the user...

-L.