Blog

Baby steps on centralized authentication

I’ve had a small project churning along in the background for the past couple weeks. The goal is to come up with a way to have Active Directory-like services for an all-Linux environment without going through a major yak-shaving exercise of setting up all the individual components.

My first glimmer of hope in this idea was finding Zeroshell, a Linux live CD application designed to run all the major components for a network from one simple install. It includes LDAP, Kerberos, DNS, and a well put together web interface, making setting up the server side of things quite simple.

The goals of the project are pretty straightforward. Mimic the single-point authentication / authorization services that Active Directory has, and configure all clients in the network to use a centralized server for these functions. Adding a user to all machines should be as simple as adding said user to the central server.

Here’s where I am so far…

  • Build a central server with all the services enabled and accessible. Status: Done – Zeroshell is the answer there. Booyah.
  • Learn enough about how central authentication and authorization works. Status: Done – These sorts of functions require LDAP, DNS, and Kerberos services.
  • Set up a single client machine that can retrieve credentials from the central server. Status: Done – Enabling Kerberos on Zeroshell and installing the krb5 suite on Linux and KFW (Kerberos for Windows) allow single login and ticket generation.
  • Configure a host computer to act within the realm and accept credentials from the zeroshell server. Status: Done – My media server, ‘yawl’ is acting as my guinea pig. It’s now a part of my internal realm, and accepts Kerberos credentials from the zeroshell server when requested.
  • Configure a host computer to use LDAP for extended GECOS information. Status: Done – ‘yawl’ now allows me to look up users that are being served from LDAP as if they were local users. I can use ‘finger’, ‘getent’, ‘id’, etc. – and as far as ‘yawl’ is concerned, they’re local users.
  • Configure PAM to accept Kerberos authorization for ssh logins. Status: Done, dammit. This was the trickiest bit, because it requires the correct fiddling between PAM, Kerberos, LDAP, and ssh. But this afternoon, I was able to log into ‘yawl’ via kerberos-backed authentication from both my Windows box and my Linux laptop, without needing to provide a local password. Score!
  • Allow Samba shares to be mounted / authenticated via Kerberos. Status: Not working yet. I’ve only just started this side of things, but I want to be able to browse shares on ‘yawl’ as if they were natural Windows CIFS volumes, while authenticating via Kerberos, as managed by the zeroshell machine. This’ll take some time.
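The ssh-login step above depends on three separate pieces being wired on the client host: NSS resolving users and groups through LDAP (so ‘getent’ and ‘id’ see directory users), the sshd PAM stack authenticating through a Kerberos module, and sshd accepting a Kerberos ticket over GSSAPI (which is what lets a login succeed without typing a local password). The following script is an added example, not the author’s configuration or any Zeroshell-supplied code: it checks each piece against constructed sample files. The file layouts (/etc/nsswitch.conf, /etc/pam.d/sshd, /etc/ssh/sshd_config), the pam_krb5 module name and the GSSAPI path are assumptions about a typical Linux client, not details the post states.

```shell
#!/bin/sh
# Added example (not from the original post): check that a Linux client has the
# three pieces wired that Kerberos-backed ssh logins for directory users need:
#   1. NSS resolves users/groups through LDAP      (nsswitch.conf)
#   2. sshd's PAM stack authenticates via pam_krb5 (pam.d/sshd)
#   3. sshd accepts Kerberos tickets through GSSAPI (sshd_config)
# The file contents below are constructed samples, not the author's real configs.

# 0 if passwd and group lookups include ldap (so getent/id/finger see directory users)
nss_uses_ldap() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# 0 if an 'auth' line in the sshd PAM stack loads pam_krb5.so (any control flag)
pam_sshd_uses_krb5() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#[:space:]]+[[:space:]]+pam_krb5\.so' "$1"
}

# 0 if sshd_config enables GSSAPIAuthentication (ticket-based login, no password typed)
sshd_allows_gssapi() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$1"
}

# All three must hold for a directory user to log in over ssh with a Kerberos
# ticket and still get a proper uid, home directory and shell on the host.
client_ready_for_krb_ssh() {
    nss_uses_ldap "$1" && pam_sshd_uses_krb5 "$2" && sshd_allows_gssapi "$3"
}

# --- constructed sample files (stand-ins for the real /etc files) -------------
WORK=$(mktemp -d)
GOOD_NSS="$WORK/nsswitch.conf"; BAD_NSS="$WORK/nsswitch.local"
GOOD_PAM="$WORK/pam_sshd";      BAD_PAM="$WORK/pam_sshd.unix"
GOOD_SSHD="$WORK/sshd_config"

cat > "$GOOD_NSS" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns
EOF
printf 'passwd: files\ngroup: files\n' > "$BAD_NSS"

cat > "$GOOD_PAM" <<'EOF'
auth      sufficient  pam_krb5.so minimum_uid=1000
auth      required    pam_unix.so try_first_pass
account   required    pam_unix.so
session   required    pam_unix.so
EOF
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$BAD_PAM"

printf 'GSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$GOOD_SSHD"

if client_ready_for_krb_ssh "$GOOD_NSS" "$GOOD_PAM" "$GOOD_SSHD"; then
    echo "sample host: ready for Kerberos-backed ssh logins"
fi
if ! client_ready_for_krb_ssh "$BAD_NSS" "$GOOD_PAM" "$GOOD_SSHD"; then
    echo "sample host without ldap in nsswitch: directory users unknown to id/getent"
fi
```

On a real host the functions would be pointed at the live files (e.g. `client_ready_for_krb_ssh /etc/nsswitch.conf /etc/pam.d/sshd /etc/ssh/sshd_config`); the split into three checks mirrors the three places a half-working setup usually goes wrong: a user who authenticates but has no uid, or one who resolves but is still prompted for a local password.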

99% of the work for this process has been learning the terminology of Kerberos, LDAP, and PAM. Once all the pieces are in place, it actually makes an awful lot of sense. But there is one well shaved yak behind me. I’m documenting each and every step of this process, so that when I upgrade my colo’ed servers, I can implement a similar setup.

Feel free to catch me online if you have questions, but stay tuned – I’ll be writing a pretty in-depth HowTo on this entire process once I’m able to repeat the configuration end to end from scratch.

KnetworkManager equivalent for Gnome?

Am I totally bonkers, or is there no Gnome equivalent of knetworkmanager? This seems like a huge missing piece. (Knetworkmanager is a wireless network browse and configuration tool – a standard component of any modern OS.)
I’m currently experimenting with using Gnome as my primary OS, and so far it’s doing quite well, but not being able to browse and connect to wireless networks graphically seems pretty glaring.
Or am I just missing something?

A beautiful view, a grumpy situation.

[Photo: “20081214 maine 020”, originally uploaded by eidolon]

Today I made an unexpected trip up to our Maine house after a friend of ours (who has an all-season house just down-lake from us) let us know he saw some damage to 2 of our sheds.

When I got there, I found all 3 of our outbuildings had been broken into sometime, I’m guessing, in the last month or so. It looks like the only thing that was stolen was a toolbox from the tool shed, but the damage to the door of the shed will require replacing the door (and frame). Blah!

At one point working around the house I turned around and saw this view out across the lake, so I had to take a picture. It’s on my iphone, so what I could do with the image was limited, but it’s a beautiful view of the frozen lake and the ice on the trees.

OLPC – Why we’re doing it.

For anyone who has asked “Is it working?” or “So these things are for kids in developing countries. What happens when they get there?”, there is a fantastic article up on OLPC News called OLE Nepal Notes from an OLPC Deployment. It details a six month old deployment of 135 XO laptops to children in Nepal.

Some choice bits:

0 laptops stolen, lost, or otherwise missing. One laptop has been seriously damaged when the child who owned it cleaned it carefully with soap and water. Otherwise no laptops have been seriously damaged as a result of use.

We conducted four days of teacher training off-site and five days on-site in the classroom with both the students and teachers. A large portion of our teachers had never used a computer before but they learned very quickly. Their enthusiasm was amazing. Training during the off-site sessions formally ended at 5:30 pm but the teachers stayed in our training room each night until 11 pm, pounding away on the XO’s and asking endless questions.

I am continuing to contribute to the program whenever possible by helping out with the support queues and other discussions on the mailing lists. But there is also a need for software to be written. Most of the XO runs on Python, a language I very much want to learn, and seeing this list of ‘most requested applications’ just tickles that interest further:

  • Easier way to play music and video
  • A better E-Book reader
  • A lot more activities for learning English
  • All the Nepali textbooks in digital format
  • A comprehensive digital library with lots of Nepali-language reading materials
  • A Typing Tutor program for learning English and Nepali
  • Interactive learning activities that match the Nepali curriculum
  • A car racing game (the kids)

This naturally during my copious spare time… But what a noble cause.

How to Repair a Herman Miller Aeron Chair

As most of my readers know, I have a very nice Aeron chair that I got when I was working at home full time. The decision to invest $600 in a single piece of furniture I was going to use day in and day out wasn’t lightly taken, but I needed something comfortable, durable, and designed for my size and weight. An Aeron size C from ebay fit the bill nicely.

I’ve had my share of problems with it, including a broken ‘pan’ seat and a damaged lifter. The seat was covered under warranty, and I was able to replace it myself, but the lifter needed a trip to a local repair shop.

The last couple weeks, the chair has refused to recline. The levers on the left side that allow forward and backward motion were ‘locked’ in position, and I couldn’t undo them. It was making me not want to sit at my desk – and even though I’m not working fulltime at home, I know that if there’s something that makes an experience less than enjoyable, I’ll avoid it. So I was sitting on the couch with my laptop or working downstairs.

Last night, I decided to haul out the toolbox and see what could be done…


Yearly BOINC Reminder

About once a year I toss out a reminder that I have a BOINC team actively chewing away on a variety of projects (SETI@Home, Rosetta, Folding, ClimatePrediction, etc).


Out of 78,000 teams worldwide, we are currently at position 1197 – at our best, we were at 662. I’m guessing a lot of this has been attrition. People replace computers, and don’t restart the client, or shut it down for various reasons.

I’ve recently restarted my processes, and also added a couple machines from my work pool. The new machines have definitely shown a spike in average credit being reported into BOINC, but I could use a couple more CPUs online!

If you have some spare machines, or desktops with screensavers, please consider joining my BOINC team and putting those machines to good use. The projects that BOINC works with are all for good causes – cancer research, global climate prediction, searches for aliens. C’mon!

CONGO – And so we go to alpha testing

On Sunday night I released CONGO v2 into alpha testing. The first client to be using the new platform wants to be up and running on January 1st, and this is on schedule. The last couple weeks haven’t quite been a death march, but there has been a helluva lot of code written, checked in, and tested. The log of messages posted to congo-dev tells the tale. While November wasn’t as intense as October, we still did over 105 commits against the server. The CONGO v2 codebase is rivalling the original system in size, though now it is entirely Java-based (the old system was part PHP, part Java).
I’m pleased with how the system is coming along. An entirely new payment interface, refactored contact information, and a new Events module for managing activities at conventions is worked into the new model (though not all of it is complete yet). I’m satisfied with the choice to move to using Struts2 as my web framework, but my dissatisfaction with OGNL grows daily. Why OGNL was necessary for the struts tag library, when the expression language (EL) was around is beyond me. For most of my code I’m replacing struts tags with JSTL and assorted libraries, and using EL for referencing action, stack, and session based content.
The next 2 weeks should see the last pieces of functionality falling into place, at which point we go into beta testing. All coding should be done, and we’ll be tuning the system for “go live” on January 1st.
After that? Well, due to the awesome new build structure, I’ll be able to release CONGO v2 for use by other folks. The system is now self-installing and configuring, so setting up a new host to run a convention is an order of magnitude easier than it was in the past. Stay tuned for details on how you can download CONGO and install it for your convention!

MPD Music Server – A followup

So a week or so ago I posted about setting up a music server based on MPD. The whole setup has been running along for a few days now, and so far I’m impressed.

There were still some loose ends from the original install. One was getting audio streaming working properly (the initial install was just playing through my Bose Lifestyle system via a patch cable). I wanted to be able to stream audio to laptops and other computers. This required setting up Icecast – a feat not as complex as I feared. Icecast is in the Ubuntu package archives, so installing it was just a matter of “aptitude install icecast2”.

Configuring Icecast and MPD was pretty simple as well – I followed a few references on the net, and had it running in about 10 minutes.
One of the other changes I made was moving from Sonata to GMPC from Qalaxy. I found it has a much better interface and is more comprehensive in its functionality.

The other client I installed is called ‘Pitchfork’ – a PHP + Ajax based web client. Unfortunately, it appears to have gone into abandonware mode, and its website is down. I found someone on #mpd on Freenode that had a copy of it, and I installed that directly. It’s a handy, decent web front end that has the added bonus of having a built-in audio streamer – so you can listen to the Icecast stream directly via the browser. Nifty.

The rest of my time has been taken up importing music. I had various music archives lying around, and of course my own fairly hefty CD collection. Ripping CDs seems to go fairly well using Grip – even so, it’s a slow process. Fortunately I can do it while doing other things – I just haul down one of my CD books, and start feeding them to the laptop. When I finish a few gigs, I copy the entire directory over to the server, and tell MPD to update.

dbs@yawl:~$ mpc stats
Artists:   1459
Albums:    2066
Songs:    25235
Play Time:    2 days, 16:12:08
Uptime:       3 days, 12:05:52
DB Updated:   Fri Nov 28 22:15:14 2008
DB Play Time: 73 days, 7:11:13

I’ve introduced the roommates to the server, and pointed out how they can listen to music stored there. Having only one audio stream is going to be a problem as more folks are interested in listening to what is stored there, but for now, being able to save and update shared playlists and switch the current music around remotely is a big enough win that I’m not going to worry about the next stages until after we move.

Modernized Maxims

From a conversation on IRC today:

“Never underestimate the bandwidth of a backpack full of USB thumb drives and a bike messenger.” -Nathan Mehl

This arose after I remarked that copying files to a pen drive and walking it over to the server is a faster way of moving a couple gig of data than uploading it over the wire.