
Re: OT: Which Linux Works Best With OS X Server?



I run Debian and Ubuntu Servers and Clients respectively with some Gentoo mixed in. They both play fine with OD. With Ubuntu, make sure you have universe and multiverse available in your sources.list file. With Debian I am using the testing tree, although stable should work if the krb5 packages are there; krb4 will be there, I just haven't tried them with my XServe yet.

deb http://ca.archive.ubuntu.com/ubuntu hoary universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu hoary universe multiverse

Here's what I needed to do

LDAP:
*******************************

install the nss ldap package
debian = apt-get install libnss-ldap
gentoo = emerge nss_ldap

configure the conf file,
on gentoo = vi /etc/ldap.conf
on debian = vi /etc/libnss-ldap.conf
add the lines
#######################################################
host 192.168.0.4 #obviously this is your OD server's IP

base dc=ldap,dc=domain,dc=com

nss_base_passwd      cn=users,dc=ldap,dc=domain,dc=com?one
nss_base_shadow      cn=users,dc=ldap,dc=domain,dc=com?one
nss_base_group       cn=groups,dc=ldap,dc=domain,dc=com?one

ldap_version 3
#######################################################
and make sure the file is readable by everyone or usernames will not get mapped. chmod 644 (or 444) the file.


modify /etc/nsswitch.conf by changing the following lines so they match below.

passwd:      files ldap
shadow:      files ldap
group:       files ldap

A quick test at this point is to run the command getent passwd (or getent group) to see if it is looking in ldap for users and groups. This assumes that users and groups exist in ldap.

In gentoo add "ldap" to the USE variable in the /etc/make.conf file and then you will need to recompile any application that can take advantage of ldap.


Kerberos:
***********************

install the kerberos pam modules
gentoo = emerge -p pam_krb5
debian = apt-get install libpam-krb5

configure /etc/krb5.conf by adding the following lines inside the [realms] section

REALM.DOMAIN.COM = {
         kdc = kerberos-1.domain.com
         admin_server = kadmin.domain.com
         }

#kadmin and kerberos-1 both point (via DNS) to my single xserve, designed this way for future growth. kadmin = master OD server

And in the [libdefaults] section changing the default_realm to be
default_realm = REALM.DOMAIN.COM

Then the pam modules need to be adjusted as such:

In Debian
###########/etc/pam.d/common-account############
account  sufficient   pam_krb5.so
account  required     pam_unix.so
################################################
###########/etc/pam.d/common-auth###############
auth     requisite    pam_securetty.so
auth     requisite    pam_nologin.so
auth     requisite    pam_env.so
auth     sufficient   pam_krb5.so
auth     required     pam_unix.so try_first_pass
################################################
###########/etc/pam.d/common-password###########
password  sufficient  pam_krb5.so
password  required    pam_unix.so obscure md5 use_first_pass
################################################
###########/etc/pam.d/common-session############
session  sufficient   pam_krb5.so
session  required     pam_unix.so
session  optional     pam_lastlog.so
session  optional     pam_motd.so
session  optional     pam_mail.so standard noenv
################################################

gentoo
###########/etc/pam.d/system-auth###############
account  sufficient pam_krb5.so
account  required   pam_unix.so

auth     requisite  pam_securetty.so
auth     requisite  pam_nologin.so
auth     requisite  pam_env.so
auth     sufficient pam_krb5.so
auth     required   pam_unix.so try_first_pass

password sufficient pam_krb5.so
password required   pam_unix.so obscure md5 use_first_pass

session  sufficient pam_krb5.so
session  required   pam_unix.so
session  optional   pam_lastlog.so
session  optional   pam_motd.so
session  optional   pam_mail.so standard noenv
################################################

In Debian, install "apt-get install ssh-krb5" to replace the standard ssh package;
also "apt-get install krb5-clients krb5-user" replaces a number of other tools with kerberized versions.


In gentoo add "kerberos" to the USE variable in the /etc/make.conf file and then you will need to recompile any application that can take advantage of kerberos

*************

The other distros should also work with instructions similar to these.

Jacob Bresciani

"Passwords are like bubble gum, strongest when fresh, should never be used by groups and create a sticky mess when left laying around"

-anon
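A small checker for the configs laid out above, added here as an example and not part of the original post: it parses an nss_ldap-style conf and a pam.d stack and flags the pitfalls the post calls out (conf file not world-readable so names never map, missing nss_base_* lines, wrong ldap_version, pam_krb5 not tried as "sufficient" before pam_unix, pam_unix without try_first_pass on auth). The sample configs are constructed to mirror the post's values, not taken from a live host.

```python
import stat
REQUIRED_LDAP = ("host", "base", "nss_base_passwd", "nss_base_shadow", "nss_base_group")
PAM_TYPES = ("account", "auth", "password", "session")
# Constructed samples mirroring the configs in the post (not copied from a live host).
SAMPLE_LDAP_CONF = ("host 192.168.0.4 # OD server\nbase dc=ldap,dc=domain,dc=com\n"
                    "nss_base_passwd cn=users,dc=ldap,dc=domain,dc=com?one\n"
                    "nss_base_shadow cn=users,dc=ldap,dc=domain,dc=com?one\n"
                    "nss_base_group cn=groups,dc=ldap,dc=domain,dc=com?one\nldap_version 3\n")
SAMPLE_PAM = ("account sufficient pam_krb5.so\naccount required pam_unix.so\n"
              "auth sufficient pam_krb5.so\nauth required pam_unix.so try_first_pass\n"
              "password sufficient pam_krb5.so\npassword required pam_unix.so use_first_pass\n"
              "session sufficient pam_krb5.so\nsession required pam_unix.so\n")

def parse_kv(text):
    """Parse an nss_ldap-style conf ('key value' lines, '#' comments) into a dict."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_conf(text, mode):
    """Findings for an nss_ldap conf: missing keys, wrong protocol version, unreadable file."""
    conf, findings = parse_kv(text), []
    findings += [f"missing '{k}'" for k in REQUIRED_LDAP if k not in conf]
    if conf.get("ldap_version") != "3":
        findings.append("ldap_version should be 3")
    if not mode & stat.S_IROTH:  # the post's gotcha: file not world-readable, names never map
        findings.append("conf not world-readable; unprivileged NSS lookups will not map users")
    return findings

def check_pam(text):
    """Findings for a pam.d stack: pam_krb5 must be 'sufficient' and listed before pam_unix."""
    entries, findings = [ln.split("#", 1)[0].split() for ln in text.splitlines()], []
    for ptype in PAM_TYPES:
        mods = [e for e in entries if len(e) >= 3 and e[0] == ptype]
        krb = next((i for i, e in enumerate(mods) if e[2] == "pam_krb5.so"), None)
        unix = next((i for i, e in enumerate(mods) if e[2] == "pam_unix.so"), None)
        if krb is None or unix is None:
            findings.append(f"{ptype}: needs both pam_krb5.so and pam_unix.so")
        elif krb > unix:
            findings.append(f"{ptype}: pam_krb5.so must be listed before pam_unix.so")
        elif mods[krb][1] != "sufficient":
            findings.append(f"{ptype}: pam_krb5.so should be 'sufficient', or local accounts break when the KDC is unreachable")
        if ptype == "auth" and unix is not None and "try_first_pass" not in mods[unix][3:]:
            findings.append("auth: pam_unix.so lacks try_first_pass, so users are prompted twice")
    return findings
```

Feed it the real files with `check_ldap_conf(open(p).read(), os.stat(p).st_mode)` and `check_pam(open("/etc/pam.d/common-auth").read())`; an empty list means the stack matches the layout in the post.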


On Sep 1, 2005, at 6:51 PM, Eric Paulsen wrote:

I have a NetServer TC3100 with hardware raid, 2GB of RAM, and dual PIII processors running NetWare6 for the 7 PC users I have to support. I would like to drop Netware from the mix. Our church and school site will be splitting, so I want them to be on their own box. I can get Windows Server very cheaply as a school, so that is an option. The other is going the Linux route.

Currently, my two internal dns boxes are running FreeBSD. I'm looking for input on any experiences you might have had integrating Linux into the Open Directory architecture. I would really like to maintain all users on my OD Master without futzing with the Netware-to-Mac stuff. Thoughts?
---
Eric

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/jacob%40bresciani.ca

This email sent to email@hidden
References:
> OT: Which Linux Works Best With OS X Server? (From: Eric Paulsen <email@hidden>)