Edubuntu LTSP with Netware Authentication

Willis, Ben BenWillis at anderson5.net
Wed Feb 21 13:06:00 UTC 2007


A little more info (for anyone listening :) )


I have been able to make logging in to the local server work consistently with pam_ncp_auth using this line in my /etc/pam.d/gdm file:

"auth    sufficient      /lib/security/pam_ncp_auth.so -d -u10000,50000,f,c ndsserver=10.10.50.1:a5do.adm.acsd5 -a -l -m -L -zATX3 -A"





I still cannot get this authentication to work via SSH. As I understand it, Edubuntu's thin client will not log in unless an SSH session can be authenticated. While searching around the net I found this page:

http://prope.insa-lyon.fr/~ppollet/netware/ncpfs/pamncp/auth/





It lists all of the Zenux flags that have to be set. This one in particular has me worried:


"T 	Allow remote Telnet and ssh access 	As the other remote access restrictions this flag will grant remote access to any Unix client by Telnet or ssh.
With telnet, the account may be automatically created if it does not exist yet.
With openssh, automagic account creation does not work, since ssh daemon first peeks into the local database to fetch credentials before calling PAM. If account does not exist, it refuses connection.
Solutions, including automatic synchronization of local database and a nss switch library for ncpfs are under finalization. Details will be available on this site."



If this is still a limitation in the current module then I'm worried that it may never work.

Thoughts?

Ben Willis




-----Original Message-----
From: edubuntu-devel-bounces at lists.ubuntu.com on behalf of Willis, Ben
Sent: Tue 2/20/2007 2:20 PM
To: Edubuntu Devel Group; edubuntu-devel at lists.ubuntu.com
Subject: RE: Edubuntu LTSP with Netware Authentication
 
I have tried this again with a new installation of Edubuntu as well as an install of Ubuntu Edgy. I can't get anything to authenticate.

I am using the following in my common-auth file to get SSH to authenticate to NDS:

#---------BEGIN----------
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_unix.so nullok_secure

#auth sufficient /lib/security/pam_ncp_auth.so -d -a -l -L -u2000,4000,pn,gcd -g2000,4000,pn -zTX -A ndsserver=10.10.50.3:ou=hwec.ou=hs.o=acsd5

#auth sufficient /lib/security/pam_ncp_auth.so -zTX -a -m -u10000,50000,f,c tree=acsd5_tree:A5DO.ADM.acsd5,SWMS.MS.acsd5

auth sufficient /lib/security/pam_ncp_auth.so -zTX3 -a -A -m -u10000,50000,f,c ndsserver=10.10.50.3:ou=a5do.ou=adm.o=acsd5

#auth sufficient /lib/security/pam_ncp_auth.so nullok use_first_pass ndsserver=10.10.50.1:ou=a5do.ou=adm.o=acsd5 -a -d -L -u2000,4000,pn,gcd -g,2000,4000,pn -zATX3 -A


#auth sufficient /lib/security/pam_ncp_auth.so nullok use_first_pass ndsserver=10.10.50.3:ou=a5do.ou=adm.o=acsd5,ou=mcms.ou=ms.o=acsd5 -a -d -zABTX3 -m -u2000,4000,pn,gcds -g2000,4000,pn -zA

#auth sufficient /lib/security/pam_ncp_auth.so nullok use_first_pass ndsserver=10.10.50.3:lsms.ms.acsd5 -a -d -zAX3 -L -u2000,4000,pn,gcds -g2000,4000,pn -A

#auth sufficient /lib/security/pam_ncp_auth.so -d -a -L -u2000,4000,pn,gcd -g2000,4000,pn -zATX3 -m -A ndsserver=10.10.50.3:swms.ms.acsd5

#auth sufficient /lib/security/pam_ncp_auth.so -d -a -l -L -u2000,4000,pn,gcd -g2000,4000,pn -zATX3 -m -A ndsserver=10.10.50.4:ou=a5do.ou=adm.o=acsd5,ou=mcms.ou=ms.o=acsd5,swms.ms.acsd5

#--------------END-----------



As you can see I've tried all kinds of connection strings. I keep getting this in the auth.log but the password is correct:

#---------Begin
Feb 20 10:02:24 A5DO-Eduubuntu pam_ncp_auth[1635]: nw_create_verify_conn_to_tree: trying to resolve  studentuser.lsms.ms.acsd5
Feb 20 10:02:24 A5DO-Eduubuntu pam_ncp_auth[1635]: trying to login as studentuser.lsms.ms.acsd5
Feb 20 10:02:27 A5DO-Eduubuntu pam_ncp_auth[1635]: Invalid password (-669) when trying to login
Feb 20 10:02:27 A5DO-Eduubuntu pam_ncp_auth[1635]: final PAM retval 7
Feb 20 10:02:29 A5DO-Eduubuntu sshd[1635]: Failed password for invalid user studentuser from 10.10.15.1 port 51325 ssh2
#---------END


Thanks,

Ben



-----Original Message-----
From: edubuntu-devel-bounces at lists.ubuntu.com on behalf of Gavin McCullagh
Sent: Mon 2/19/2007 6:23 PM
To: edubuntu-devel at lists.ubuntu.com
Subject: Re: Edubuntu LTSP with Netware Authentication
 
On Mon, 19 Feb 2007, Willis, Ben wrote:

> Well it's still kickin my butt here. No matter what I do I can't get the
> login via ssh to work for anything other than local users.

Just so we're clear.  You seem to be saying that:

1. You were able to modify /etc/pam.d/gdm so that gdm could authenticate
   netware users.  What did you change to achieve this?

2. Trying the same approach with ssh, you have not been able to get ssh to
   authenticate netware users, only local linux accounts.  What exact
   changes have you tried?

Am I wrong in interpreting the above?  It seems like the exact same change
should be needed for ssh as for gdm (though I can't say I've much
experience of this).

You should get an error printed in /var/log/auth.log after you try the ssh
login.  Is there anything informative there?

This page probably isn't relevant to your problem but just on the
off-chance:

http://wiki.novell.com/index.php/OpenSSH_on_NetWare_Gotchas

Gavin


-- 
edubuntu-devel mailing list
edubuntu-devel at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/edubuntu-devel
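
An added example (not part of the original thread, and not code from pam_ncp_auth or OpenSSH): a small auth.log triage that pairs pam_ncp_auth and sshd lines by PID and separates failures where sshd logged "invalid user" (the account did not resolve in the local database, the limitation quoted in the thread) from ordinary PAM rejections. The sample lines are constructed in the shape of the excerpt in this thread; the host name `host` and the user `teacher1` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the auth.log excerpt in this thread.
SAMPLE_LOG = """\
Feb 20 10:02:24 host pam_ncp_auth[1635]: trying to login as studentuser.lsms.ms.acsd5
Feb 20 10:02:27 host pam_ncp_auth[1635]: Invalid password (-669) when trying to login
Feb 20 10:02:27 host pam_ncp_auth[1635]: final PAM retval 7
Feb 20 10:02:29 host sshd[1635]: Failed password for invalid user studentuser from 10.10.15.1 port 51325 ssh2
Feb 20 10:05:11 host pam_ncp_auth[1702]: final PAM retval 7
Feb 20 10:05:13 host sshd[1702]: Failed password for teacher1 from 10.10.15.1 port 51400 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSHD_FAIL = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
PAM_RETVAL = re.compile(r"^final PAM retval (?P<rv>\d+)$")

def triage(log_text):
    """Return one finding per sshd password failure, correlated by PID."""
    retvals = defaultdict(list)  # pid -> PAM return values logged by pam_ncp_auth
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if m["prog"] == "pam_ncp_auth":
            rv = PAM_RETVAL.match(msg)
            if rv:
                retvals[pid].append(int(rv["rv"]))  # 7 is PAM_AUTH_ERR on Linux-PAM
        elif m["prog"] == "sshd":
            f = SSHD_FAIL.match(msg)
            if f:
                # "invalid user" means sshd's own account lookup found nothing,
                # so the fix is account resolution (NSS), not the PAM line.
                invalid = f["invalid"] is not None
                findings.append({
                    "user": f["user"], "source": f["src"],
                    "pam_retvals": retvals.pop(pid, []),
                    "cause": "no local/NSS account (sshd lookup failed)" if invalid
                             else "account exists; PAM stack rejected the login",
                })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```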



