WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Authenticating TC Users  (Read 2629 times)

Offline SamK

  • Hero Member
  • *****
  • Posts: 713
Authenticating TC Users
« on: January 20, 2011, 10:23:13 AM »
I am interested in exploring the use of TC3.x as a workstation in a small trusted LAN, where each workstation may have multiple users.  The LAN has multiple workstations using various OSs (Windows, Lubuntu and Ubuntu).  Users are able to authenticate successfully via a Primary Domain Controller (PDC) and gain access to LAN based resources e.g. /home, printers, group shares etc.  The PDC is built using the open source project Zentyal, which in turn is based on Ubuntu-Server LTS.

Zentyal is modular by design, based on well proven Linux packages and integrates the management of them into a single web interface.  This package integration means that a change made in any module automatically takes care of any/all reconfiguration required in any other module.  The outcome is that the learning curve for the system administrator is much less steep than having to learn each package individually.  This results in simplified management and convenience of operation.

Simplicity and convenience, viewed from the perspective of a non-technical user of TC, are primary objectives in the current exploration.  Consequently, I prefer to avoid aspects such as kernel re-mastering, however, new extensions are fine.

I have ideas of where this may lead once it is working, but rather than 're-inventing the wheel' would like to learn of the success (or difficulties) of other users.  Has anyone succeeded in setting up TC to authenticate to a PDC?
   

Offline gutmensch

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 605
  • I can make it disappear, have no fear!
    • remembrance blog
Re: Authenticating TC Users
« Reply #1 on: January 20, 2011, 06:36:46 PM »
Heyho Sam,

I'm dealing with that purpose myself for some weeks now because I have to setup Linux terminal servers at work (integrated into a big active directory). On other distros you can simply choose likewise-open or (if you're experienced) samba/winbind and it will work almost right out of the box since there are pam modules for both, which allows authenticating and logging in to the linux system.

But let's be honest: There's no AD integration software "stack", which is smaller than twice the size of tinycore itself. ;-) Samba wouldn't be my first choice for tinycore because it's really bloated. Likewise-Open is interesting and should work with less overhead. I already made some build environment, which results in a final likewise-open extension, building it from git.

Now the tricky part: To have a true multiuser system you need at least a login manager and for pam_lsass.so (the likewise open authentication module) I believe you'll need Linux PAM enabled in the system (same if you use Samba, there it's pam_winbind.so), which means recompiling busybox against PAM. Finally you would have to change the inittab behaviour of tc to spawn the login manager instead of a console/autologin. Of course when you joined the domain you would have to take care of the cache files/keys so that the tc doesn't have to rejoin after rebooting every time (I don't really know if this is possible though). If you're ready to do some testing as a domain admin you don't have to do all the work I've already done again, I can provide you with some packages and you can test it out!

Best regards,
Robert
If I seem unduly clear to you, you must have misunderstood what I said. (Alan Greenspan)

Offline SamK

  • Hero Member
  • *****
  • Posts: 713
Re: Authenticating TC Users
« Reply #2 on: January 21, 2011, 06:59:32 AM »
There's no AD integration software "stack", which is smaller than twice the size of tinycore itself...
At this stage I place more importance on finding a reliable method consistent with the objectives of simplicity and convenience.  This may sound like heresy, but years of experimentation suggest that the first concept is rarely identical to a finished result; it tends to be refined once it is working.


Likewise-Open is interesting...
I can see the attraction of this product.  From browsing the website there are many references to its use in conjunction with Microsoft Active Directory (AD) e.g.
Quote from: Likewise-Open website
...joins Linux, UNIX, and Mac OS systems to Microsoft Active Directory to securely authenticate non-Windows users with AD credentials.
[...]
You can standardize on Microsoft Active Directory without losing the flexibility to choose other operating systems.
Do you know whether Likewise-Open only works in an AD environment?  If it is mandatory I may have to find an alternative.  Zentyal positions itself as
Quote from: Zentyal website
Zentyal Linux Small Business Server
Broadly, this is equivalent to Microsoft Small Business Server.  Zentyal does not require AD, however it is optionally able to integrate with AD if necessary.


Now the tricky part: To have a true multiuser system you need at least a login manager and for pam_lsass.so (the likewise open authentication module) I believe you'll need Linux PAM enabled in the system (same if you use Samba, there it's pam_winbind.so), which means recompiling busybox against PAM. Finally you would have to change the inittab behaviour of tc to spawn the login manager instead of a console/autologin.
These may represent the potential deal breakers.  One of the primary attractions of Zentyal is the packaging together (as optional functional profiles or individual modules) the most common network services.
Quote from: Zentyal website
Zentyal can act as a Gateway, Infrastructure Manager, Unified Threat Manager, Office Server, Unified Communication Server or a combination of them.
Ally with this a web GUI through which they are managed in an integrated manner and it is evident that it is suited to circumstances where time, funds and brains are limited.  It conducts most of the 'heavy lifting' for the administrator.  The potential deal breakers mentioned above are not tasks to be undertaken lightly; they may be beyond the experience of many users.  They re-introduce 'heavy lifting' elements which detract from the objectives of simplicity and convenience.

As we may be the first to explore central authentication and provision of authorized resources, I can foresee some reluctance from the wider TC community.  It is possible that current users may see little value in this type of research as it is outside the mainstream way in which TC is currently being used.  Conversely, the partnering of two innovative OSS offerings (TC and Zentyal) may open doors into new areas (clubs, societies, home networks etc) that previously required higher levels of expertise and/or financial outlay for licences.  Additionally, they appear well suited to the type of hardware that might be available in such non-profit organizations.

Are the potential deal breakers actually such?  Are they able to be handled in a way that is simple and convenient and also in keeping with TC?