I’ve had a small project churning along in the background for the past couple of weeks. The goal is to come up with a way to have Active Directory-like services for an all-Linux environment without going through a major yak-shaving exercise of setting up all the individual components.
My first glimmer of hope in this idea was finding Zeroshell, a Linux live CD application designed to run all the major components for a network from one simple install. It includes LDAP, Kerberos, DNS, and a well put together web interface, making setting up the server side of things quite simple.
The goals of the project are pretty straightforward. Mimic the single-point authentication / authorization services that Active Directory has, and configure all clients in the network to use a centralized server for these functions. Adding a user to all machines should be as simple as adding said user to the central server.
Here’s where I am so far…
- Build a central server with all the services enabled and accessible. Status: Done – Zeroshell is the answer there. Booyah.
- Learn enough about how central authentication and authorization work. Status: Done – These sorts of functions require LDAP, DNS, and Kerberos services.
- Set up a single client machine that can retrieve credentials from the central server. Status: Done – Enabling Kerberos on Zeroshell and installing the krb5 suite on Linux (and KFW, Kerberos for Windows, on Windows) allows single login and ticket generation.
- Configure a host computer to act within the realm and accept credentials from the zeroshell server. Status: Done – My media server, ‘yawl’ is acting as my guinea pig. It’s now a part of my internal realm, and accepts Kerberos credentials from the zeroshell server when requested.
- Configure a host computer to use LDAP for extended GECOS information. Status: Done – ‘yawl’ now allows me to look up users that are being served from LDAP as if they were local users. I can use ‘finger’, ‘getent’, ‘id’, etc. – and as far as ‘yawl’ is concerned, they’re local users.
- Configure PAM to accept Kerberos authorization for ssh logins. Status: Done, dammit. This was the trickiest bit, because it requires the correct fiddling between PAM, Kerberos, LDAP, and ssh. But this afternoon, I was able to log into ‘yawl’ via kerberos-backed authentication from both my Windows box and my Linux laptop, without needing to provide a local password. Score!
- Allow Samba shares to be mounted / authenticated via Kerberos. Status: Not working yet. I’ve only just started this side of things, but I want to be able to browse shares on ‘yawl’ as if they were natural Windows CIFS volumes, while authenticating via Kerberos, as managed by the zeroshell machine. This’ll take some time.
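To make the client-side pieces of the list above concrete, here is an added example (my own, not configuration from the original post or from Zeroshell) that stages the Kerberos, NSS/LDAP, PAM and ssh settings a host like ‘yawl’ needs into a scratch directory, so they can be reviewed and diffed before anything is copied into /etc. The realm name, the Zeroshell host name, the example.lan domain, the base DN and the CA file path are placeholders; the PAM stack uses the Debian common-auth layout, and only the auth stack is shown. It stops at the ssh step, since the Samba step is still open.

```shell
#!/bin/sh
# Added example (not from the original post). Stages the client-side
# configuration for the Kerberos + LDAP + PAM + ssh chain into a scratch
# directory so it can be reviewed before anything touches /etc.
# REALM, KDC, BASEDN and the example.lan domain are placeholders.
set -u

ROOT="${ROOT:-${TMPDIR:-/tmp}/staged-etc}"   # staging root, never /etc itself
REALM="${REALM:-EXAMPLE.LAN}"                 # assumed realm name
KDC="${KDC:-zeroshell.example.lan}"           # assumed Zeroshell host
BASEDN="${BASEDN:-dc=example,dc=lan}"         # assumed LDAP base DN

stage_configs() {
    mkdir -p "$ROOT/ssh" "$ROOT/pam.d"

    # MIT krb5 client config. DNS lookups are off so the KDC is pinned to
    # the Zeroshell host rather than whatever SRV records happen to answer.
    cat > "$ROOT/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    forwardable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
    }

[domain_realm]
    .example.lan = $REALM
    example.lan = $REALM
EOF

    # NSS: local files first, so root and system accounts keep working
    # when the LDAP server is unreachable.
    cat > "$ROOT/nsswitch.conf" <<EOF
passwd:  files ldap
group:   files ldap
shadow:  files ldap
hosts:   files dns
EOF

    # nss_ldap / pam_ldap client config. STARTTLS keeps the GECOS and
    # group lookups off the wire in the clear; the CA path is a placeholder.
    cat > "$ROOT/ldap.conf" <<EOF
uri ldap://$KDC
base $BASEDN
ldap_version 3
ssl start_tls
tls_cacertfile /etc/ssl/certs/zeroshell-ca.pem
EOF

    # PAM auth stack (Debian common-auth layout). pam_krb5 runs first and
    # only for LDAP-range UIDs; local accounts fall through to pam_unix.
    # With /etc/krb5.keytab present, pam_krb5 validates the TGT it gets
    # against the host key, which is what defeats a spoofed KDC.
    cat > "$ROOT/pam.d/common-auth" <<EOF
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF

    # sshd: accept GSSAPI (Kerberos ticket) logins and remove any
    # forwarded credential cache when the session ends.
    cat > "$ROOT/ssh/sshd_config" <<EOF
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication no
EOF

    # Client side: present the ticket, but do not forward the TGT to hosts.
    cat > "$ROOT/ssh/ssh_config" <<EOF
Host *.example.lan
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Returns 0 when every directive the login chain depends on is present.
check_staged() {
    grep -q "kdc = $KDC" "$ROOT/krb5.conf" &&
    grep -q '^passwd:  files ldap' "$ROOT/nsswitch.conf" &&
    grep -q 'pam_krb5.so' "$ROOT/pam.d/common-auth" &&
    grep -q '^GSSAPIAuthentication yes' "$ROOT/ssh/sshd_config" &&
    grep -q 'GSSAPIDelegateCredentials no' "$ROOT/ssh/ssh_config"
}

stage_configs
check_staged && echo "staged under $ROOT; review, then copy into /etc"
```

The order of the end-to-end check is the same as the list above: kinit as an LDAP user and confirm the TGT with klist, then getent passwd and id for that user on the host, then ssh to the host with GSSAPI authentication and confirm no password prompt. Two things the staged files assume but do not create: the host's own principal in /etc/krb5.keytab (root-owned, mode 600), without which pam_krb5 cannot validate tickets and sshd cannot accept them, and a CA certificate for the LDAP server so start_tls actually verifies the Zeroshell box. GSSAPIDelegateCredentials stays off on the client because forwarding the TGT hands every host you log into a usable copy of your credentials.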
99% of the work for this process has been learning the terminology of Kerberos, LDAP, and PAM. Once all the pieces are in place, it actually makes an awful lot of sense. But there is one well-shaved yak behind me. I’m documenting each and every step of this process, so that when I upgrade my colo’ed servers, I can implement a similar setup.
Feel free to catch me online if you have questions, but stay tuned – I’ll be writing a pretty in depth HowTo on this entire process once I’m able to repeat the configuration end to end from scratch.