Today I decided that I should find a way to do centralized directory services and shared file systems. I decided that my Windows boxes need to get access to this easily as do my Linux boxes. After some searching around, I suspect I’m going to end up with LDAP+Kerberos V+OpenAFS.
A brief discussion of what I’ve considered and discarded. I feel funny about mounting things via Samba from other Unix boxen. I also don’t know of a good way to have my Samba server acting as, say, a PDC authenticate against, say, an LDAP database. Samba can’t be an AD master server or whatever they’re called. (BTW, apparently MS’ AD LDAP server has some weird shit, like generated values for some keys. Very strange.) NFS is OK, but I don’t think that’d allow me the control I want in Windows.
So far I appear to have directory services in LDAP. Try reading something like the Red Hat manual on authenticating against OpenLDAP.
This is pretty much correct. Note that RH8’s /etc/services borks up the migration scripts that come with nss_ldap or whatever. I recommend something like this for running migrate_all_online.sh:
# drop comment-only lines, strip trailing comments, collapse whitespace, dedupe
perl -ne 'next if (/^\s*#/);s/\s+/ /g;s/\s*#.*//;$_.="\n";print' /etc/services | sort | uniq > /tmp/services
ETC_SERVICES=/tmp/services ./migrate_all_online.sh
Even then I had some problems because there were apparently three echo service entries. I think I just deleted the one for the ddp protocol (what’s DDP again?) and it worked.
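As an added example (not code from the post), here is a small Python parser that does to /etc/services what the perl one-liner above does (drops comment-only lines, strips trailing comments, collapses whitespace, sort | uniq) and then reports service names whose entries disagree on the port number, which is the kind of duplicate (the three echo entries) that has to be resolved before the migration run. The sample input is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in RH8 /etc/services style, including the three
# "echo" entries (tcp, udp, ddp) that tripped up the migration scripts.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]   [# comment]
tcpmux          1/tcp                           # TCP port service multiplexer
tcpmux          1/udp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
echo            4/ddp                           # AppleTalk Echo Protocol
"""


def clean_services(text):
    """What the perl one-liner does: drop comment-only (and blank) lines,
    strip trailing comments, collapse whitespace; then sort | uniq."""
    out = set()
    for line in text.splitlines():
        if re.match(r"^\s*#", line):
            continue
        line = re.sub(r"\s*#.*", "", line)        # trailing comment
        line = re.sub(r"\s+", " ", line).strip()  # collapse whitespace
        if line:                                  # skip lines left empty
            out.add(line)
    return sorted(out)


def parse_services(lines):
    """Map service name -> {(port, protocol)}; aliases are ignored."""
    table = defaultdict(set)
    for line in lines:
        m = re.match(r"(\S+) (\d+)/(\S+)", line)
        if m:                                     # skip malformed entries
            table[m.group(1)].add((int(m.group(2)), m.group(3)))
    return table


def find_port_conflicts(table):
    """Names whose entries disagree on the port, like echo on 7/tcp, 7/udp
    and 4/ddp: review these before feeding the file to the migration."""
    return {name: sorted(pp) for name, pp in table.items()
            if len({port for port, _ in pp}) > 1}


if __name__ == "__main__":
    cleaned = clean_services(SAMPLE_SERVICES)
    print("\n".join(cleaned))
    print(find_port_conflicts(parse_services(cleaned)))
```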
To graphically edit stuff I dug up GQ. Don’t use 0.6.0, since it appears to have problems binding correctly. (As in, I couldn’t modify anything when I was supposed to have bound to my rootdn.) I used 0.7.0 beta 2 instead, which I got from GQ’s SourceForge.net project page.
You need the GQ language pack 0.7.0beta2-0 or something, too. Note that GQ has a spec file in it; I never managed to make rpmbuild -ta gq*.tar.gz work. Also, to build GQ 0.7.0 beta 2 in RH8, I suggest modifying the %build section to read as:
%build
./configure --with-included-gettext --prefix=%{prefix}
aclocal
automake --add-missing
make
IIRC the aclocal and automake --add-missing above were required to make some depmod script/program/link/whatever that it’ll look for. If you get some error about a missing ./depmod or something like that, try the above. (Can you tell how familiar I am with the auto* tools?)
I used RH’s authconfig to set up LDAP directory services and authentication. It appears to have worked. I did a diff -urN on a version of the directory before and after the authconfig. To see what changed check out my /etc LDAP changes patch.
Next: Kerberos V. Stay tuned.