Centralized user management: what is best?
|
|
| Mauro Condarelli 2006-01-13, 10:44 pm |
| Hi,
I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
Up to now I managed the debian hosts manually (copying /etc/passwd, /etc/groups, ..., manually), but that is a real pain.
I did recently suffer a severe breakdown so I reinstalled most of the machines.
At this point I would like to setup some centralized way to manage the whole network.
I would like to manage:
- users (<20)
- file servers (2)
- printers (3)
- firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
- mail (currently on a separate host, but I plan to move it to the firewall)
In the past I used NIS, but that is UNIX-only.
I know there's OpenLDAP, but I never used it.
Probably some other package is available.
Question is:
Given the needs, what is the "best" solution?
Should I bother at all? (the main reason I want to install some management is that I began having a lot of permission problems when I moved hard disks from one host to another; I know how to fix them, but I would like to avoid re-doing all that next time...).
Can someone point me in the right direction? I would like to avoid false starts.
Thanks in Advance
Mauro
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Johannes Wiedersich 2006-01-13, 10:44 pm |
| Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd, /etc/groups, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the machines.
> At this point I would like to setup some centralized way to manage the whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.
For a similar environment we use nis and samba (as domain controller) on
a central file server. So all our user data is on one machine. It takes
some effort to set up a 'good' samba domain, but it works. As far as I
know there is a way to set it up to automatically use the same passwords
for linux and Windows, but we have different passwords for linux/Winnt
winxp. It's just one more step to set up a user.
My approach would be to set up one of your file servers as nis and samba
master and backup config, passwd etc. to the second file server.
For our other linux boxes, we only keep package selection information.
They are basically standard installations with almost no configuration
except for IP, so they are quickly reinstalled, if anything goes wrong.
(In fact, it takes less time to install Debian from scratch (from a
local cache) than a complete virus scan takes on our XP-boxes :-)
Johannes
(NB: domain control doesn't work for winxp home - only professional.)
| |
| Jay Zach 2006-01-14, 5:52 pm |
| Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd, /etc/groups, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the machines.
> At this point I would like to setup some centralized way to manage the whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.
>
> Question is:
> Given the needs, what is the "best" solution?
> Should I bother at all? (the main reason I want to install some management is that I began having a lot of permission problems when I moved hard disks from one host to another; I know how to fix them, but I would like to avoid re-doing all that next time...).
> Can someone point me in the right direction? I would like to avoid false starts.
>
>
> Thanks in Advance
> Mauro
>
>
A year ago, I was in the same boat as you..... I now have all my Linux machines
authenticating to OpenLDAP database, and all my Windows machines authenticating
to a Samba domain, which is using the same LDAP db as its backend. It took a
lot of work and a lot of how-to reading, but I finally made it ;)
I started small, just getting the LDAP database working. I then went on to
figure out how to use PAM, nsswitch, et al, to auth my linux workstations to ldap.
Finally I got my Samba server working as a Windows domain, and using LDAP. It
was a long road, but worth it, and I now have much more knowledge of the subject.
Contact me if you want my pertinent config files.
Good Luck 
--
Always leave room to add an explanation if it doesn't work out.
Saturday Jan 14, 2006
| |
|
| Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd, /etc/groups, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the machines.
> At this point I would like to setup some centralized way to manage the whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.
>
> Question is:
> Given the needs, what is the "best" solution?
> Should I bother at all? (the main reason I want to install some management is that I began having a lot of permission problems when I moved hard disks from one host to another; I know how to fix them, but I would like to avoid re-doing all that next time...).
> Can someone point me in the right direction? I would like to avoid false starts.
>
>
> Thanks in Advance
> Mauro
>
>
I think the default answer for Unix is automounting, and I would be surprised if
you are not aware of it since you did mention NIS. Is this also something that
you consider as "UNIX-only?" (If so, why? My understanding is that it's at
least nominally supported by Debian.)
For the XP boxes, the standard solution seems to be a master bootable disk image
on a server which is loaded over the network each time the machine boots.
(Saves the standard periodic Windows reinstall cycle.) Debian can handle the
loading and booting, but I don't know the details.
Of course, both of these solutions together give the user the option of running
either Debian or Windows on each machine on the network. (It's only temporary
of course, until everyone on the network is weaned from 'Doze. :-)
| |
| Clive Menzies 2006-01-14, 5:52 pm |
| On (14/01/06 11:31), Jay Zach wrote:
> A year ago, I was in the same boat as you..... I now have all my Linux machines
> authenticating to OpenLDAP database, and all my Windows machines authenticating
> to a Samba domain, which is using the same LDAP db as its backend. It took a
> lot of work and a lot of how-to reading, but I finally made it ;)
>
> I started small, just getting the LDAP database working. I then went on to
> figure out how to use PAM, nsswitch, et al, to auth my linux workstations to ldap.
>
> Finally I got my Samba server working as a Windows domain, and using LDAP. It
> was a long road, but worth it, and I now have much more knowledge of the subject.
>
> Contact me if you want my pertinent config files.
I've also been pondering this for a while; have you got any particular
links you found useful .... howtos, etc.?
Regards
Clive
--
www.clivemenzies.co.uk ...
....strategies for business
| |
| Žáček Kryštof 2006-01-16, 7:50 am |
| I think there should be a debian package/packages solving this problem automagically for those who do not want to go through all the reading themselves.
It should contain something like this:
openldap, samba, kerberos, nsswitch, pam-ldap with all the needed configuration and simple wizards, allowing to choose options.
| |
| Jay Zach 2006-01-16, 6:05 pm |
| Mauro Condarelli wrote:
>
>
>
> Thanks.
> Advice would be welcome.
> Either in the form of Your current config files or, better, in the
> form of a "roadmap", so I can avoid false starts and remain on track.
> The sheer size of the pertinent manuals/howtos is discouraging.
>
>
>
> I Know I'll need that! 
>
> TiA
> Mauro
>
I pretty much already outlined my 'roadmap' as I would recommend it:
1. Get LDAP directory implemented
   a) add a few people to it as test
   b) use it as an address book first (I think this is easiest), get email clients to query it for addresses
   c) learn what you need to do to add a few user accounts to it, and do that (I recommend phpldap for this - I used the custom version in egroupware, mostly)
2. Get Linux to authenticate to the LDAP directory.
   a) I had a lot of trouble with this, be careful because it's easy to lock yourself out of your computer - have a knoppix handy
   b) this is done mostly with PAM, Nsswitch, pam_ldap, and probably others. It's hard to remember it exactly, b/c once I got it, it just worked, and all I've done since is copy those files from /etc/ to my other workstations
3. Get Samba working using LDAP directory as its database, and get Windows Domain working.
   a) I think I had the most trouble with this one, mainly because I kept going at it too soon I think. Once I got it, it just went
   b) I think part of my troubles were that the smbldap package was key to getting this to work, and I couldn't get it to run, because of perl package dependencies. For some reason a PERL module it needed to run wasn't a requirement of the smbldap package, so whenever I'd try to run smbldap-useradd, for example, I'd get a big long perl error. Finally, after studying the error for long enough, I figured out what PERL module it needed, and installed the debian package for it. After that, things went smooth. I'm still working through a couple little niggly issues, but for the most part that did it.
--
Chicken Soup:
An ancient miracle drug containing equal parts of aureomycin,
cocaine, interferon, and TLC. The only ailment chicken soup
can't cure is neurotic dependence on one's mother.
-- Arthur Naiman, "Every Goy's Guide to Yiddish"
Monday Jan 16, 2006
|
|
|
|
|
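The permission problems from the first post (files changing owner when a disk moves between hosts) typically mean the same login has a different numeric UID on each machine, and those clashes have to be settled before the accounts are loaded into one LDAP or NIS directory. A small audit over the passwd files collected from each host, as an added example that does not come from any poster in this thread; the host names, the accounts and the 1000 UID floor are assumptions:

```python
from collections import defaultdict

# Constructed sample input: passwd(5) content from three made-up hosts.
SAMPLE = {
    "fileserver1": "root:x:0:0:root:/root:/bin/bash\n"
                   "mauro:x:1000:1000:Mauro:/home/mauro:/bin/bash\n"
                   "anna:x:1001:1001:Anna:/home/anna:/bin/bash\n",
    "fileserver2": "root:x:0:0:root:/root:/bin/bash\n"
                   "anna:x:1000:1000:Anna:/home/anna:/bin/bash\n"
                   "mauro:x:1001:1001:Mauro:/home/mauro:/bin/bash\n",
    "desktop3": "root:x:0:0:root:/root:/bin/bash\n"
                "mauro:x:1000:1000:Mauro:/home/mauro:/bin/bash\n"
                "luca:x:1002:1002:Luca:/home/luca:/bin/bash\n",
}
MIN_UID = 1000  # assumption: lowest UID given to regular (non-system) users


def parse_passwd(text):
    """Yield (login, uid) for every well-formed passwd(5) line in text."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue  # comments, NIS "+" compat entries, malformed lines
        yield fields[0], int(fields[2])


def audit(hosts, min_uid=MIN_UID):
    """Return (login_conflicts, uid_conflicts) found across all hosts.
    login_conflicts maps login -> {uid: [hosts]} when a login has several UIDs;
    uid_conflicts maps uid -> {login: [hosts]} when a UID has several logins.
    """
    by_login = defaultdict(lambda: defaultdict(list))
    by_uid = defaultdict(lambda: defaultdict(list))
    for host, text in sorted(hosts.items()):
        for login, uid in parse_passwd(text):
            if uid >= min_uid:
                by_login[login][uid].append(host)
                by_uid[uid][login].append(host)
    def clashes(table):
        return {k: dict(v) for k, v in table.items() if len(v) > 1}
    return clashes(by_login), clashes(by_uid)


if __name__ == "__main__":
    logins, uids = audit(SAMPLE)
    for login, seen in sorted(logins.items()):
        print(f"login {login!r} has several UIDs: {seen}")
    for uid, seen in sorted(uids.items()):
        print(f"UID {uid} is used by several logins: {seen}")
```

An empty result from `audit` means the hosts already agree on regular-user UIDs; the same check applies to /etc/group with the GID in the third field.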