LinuxQuestions.org
Old 05-04-2012, 02:58 AM   #1
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Rep: Reputation: 15
Fedora 16 Authenticate using RHEL


Appreciate some advice here.

Objectives:
- Fedora 16 Desktop to authenticate using RHEL5 (control user access to the desktop)
- Upon successful logon, user will have a home drive to store his/her own files.
- Many different users will be using this Fedora 16 Desktop but only authorized users can log in

What do I need to do on both Fedora and RHEL?

Fedora 16 Desktop
- Run "system-config-authentication"? (using what options? LDAP, FreeIPA, NIS, Winbind)

RHEL5
- Configure Samba (ADS/user/etc)? Kerberos? LDAP?

My experience so far is configuring Samba so that a Windows desktop authenticates to the Samba server as if it's a Windows Server. Windows Desktop -> Linux Server

I have never tried Linux Desktop -> Linux Server.

I'd appreciate pointers so I can explore in the right direction.
 
Old 05-04-2012, 03:37 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
I would recommend LDAP & NFS all the way. No samba, no kerberos.

I would also veeeerrrrryyy strongly suggest you take the time out to appreciate the independent parts of a solution like this. It's lots of small things that just happen to coincide with each other, not one large thing...

- setup and test openldap on rhel (slapd / ldapsearch)
- setup nfs on rhel
- obtain user information from ldap (nsswitch.conf / nslcd.conf / getent passwd)
- authenticate users against ldap (pam_ldap.conf / pam)
- mount network drives (nfs / maybe automount too)
- login

they build up to provide a user experience, but LDAP would never have anything to do with NFS, they just happen to both be there at the same time.

both the stages of ldap config can be started with the system-config-authentication tool if you wish, but it's very seldom up to the task of fully completing the job, so I'd recommend going direct to the pretty well commented config files.

Last edited by acid_kewpie; 05-04-2012 at 03:38 AM.
 
Old 05-04-2012, 05:36 AM   #3
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Original Poster
Rep: Reputation: 15
Thanks acid_kewpie.

I will look into the directions that you pointed out.

I have limited knowledge of OpenLDAP; I only got the basic configuration working: adding, modifying and deleting users.
Will explore more on this OpenLDAP and NFS.
See how it goes. I will re-post here if I encounter any specific problems.

Thanks and have a good weekend.
 
Old 05-07-2012, 04:59 AM   #4
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Original Poster
Rep: Reputation: 15
LATEST UPDATE:

- setup and test openldap on rhel (slapd / ldapsearch) (Done)
- setup nfs on rhel (Done)
- mount network drives (nfs / maybe automount too) (Done - but automount single line on fstab)
- obtain user information from ldap (nsswitch.conf / nslcd.conf / getent passwd) (Done - From Fedora, I am able to view the users on RHEL (using 'ldapsearch' or 'getent passwd' from Fedora))
- authenticate users against ldap (pam_ldap.conf / pam)
- login

I am having a minor issue with the auto mounting: it only mounts whichever is the last line in /etc/fstab.
No issue with manual mounting. Why doesn't it mount both?

I created two shares, /nfs-share and /nfs-ro

On FEDORA machine (RHEL on 192.168.229.134)
Code:
#showmount -e 192.168.229.134
/nfs-ro         *
/nfs-share      *

Code:
# /etc/fstab
192.168.229.134:/nfs-share  /nfs-share nfs defaults 0 0
192.168.229.134:/nfs-ro  /nfs-ro nfs defaults 0 0

Only /nfs-ro is auto-mounted (for the above)

Code:
# /etc/fstab
192.168.229.134:/nfs-ro  /nfs-ro nfs defaults 0 0
192.168.229.134:/nfs-share  /nfs-share nfs defaults 0 0

Only /nfs-share is auto-mounted (for the above)

Manually mounting both is okay

Code:
mount -t nfs 192.168.229.134:/nfs-share /nfs-share
mount -t nfs 192.168.229.134:/nfs-ro /nfs-ro

Help Needed
-----------
I am stuck with authenticating users on ldap and login.
On my Fedora, when I try to log in using 'pc01' (a user on RHEL), I always get "Authentication failure".

Thanks.

Last edited by Manuel-H; 05-10-2012 at 01:14 AM.
 
Old 05-09-2012, 03:12 AM   #5
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Original Poster
Rep: Reputation: 15
Help Needed
------------
I am stuck with authenticating users on ldap and login.

On my Fedora, when I tried to log in using 'pc01' (a user on RHEL).
I am able to use 'ldapsearch' or 'getent passwd' and view this 'pc01' user from Fedora.

My reference - Fedora 16 - Configure LDAP Client

Fedora: Login as 'pc01'
Result: "Authentication failure".

On Fedora - When I tried 'passwd pc01', the screen just hangs there until I break it.

Hope to have some guidance here.

Thanks.

Last edited by Manuel-H; 05-10-2012 at 01:15 AM.
 
Old 05-09-2012, 03:30 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Red + Bold + Capitals + Stars = Really annoying.
 
Old 05-09-2012, 03:32 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
So what is logged in /var/log/messages / /var/log/secure ? Is there an LDAP query happening here? tcpdump can be useful to ensure your ldap server is actually being hit, as well as looking at the ldap server logs of course.
 
Old 05-09-2012, 10:42 PM   #8
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Original Poster
Rep: Reputation: 15
I am truthfully sorry if I offended/annoyed anyone with these. (Removed Red Text and * and CAPS)

I was trying to make it clear with red text of my reply in the jungle of black text, no other meaning.
---------------------------------------------------------------------------------------------
I have since installed a brand new Fedora client and retried; I thought I messed up the 1st one.

Strange, I am able to do an ldapsearch from Fedora to RHEL but got an ldaps bind error on the Fedora machine.

Code:
ldapsearch  -h 192.168.229.134 -x -b "cn=pc01,dc=localdomain,dc=com" "(objectclass=*)"

My slapd.log on RHEL.

Code:
May 10 12:48:02 ds slapd[3834]: conn=30 fd=27 ACCEPT from IP=192.168.229.137:51943 (IP=0.0.0.0:389)
May 10 12:48:02 ds slapd[3834]: conn=30 op=0 BIND dn="" method=128
May 10 12:48:02 ds slapd[3834]: conn=30 op=0 RESULT tag=97 err=0 text=
May 10 12:48:02 ds slapd[3834]: conn=30 op=1 SRCH base="cn=pc01,dc=localdomain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 10 12:48:02 ds slapd[3834]: conn=30 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 10 12:48:02 ds slapd[3834]: conn=30 op=2 UNBIND
May 10 12:48:02 ds slapd[3834]: conn=30 fd=27 closed

But on my Fedora /var/log/messages, I got the following.
On both Fedora and RHEL, I opened both TCP/UDP for ldap(389) and ldaps(636)

Code:
May 10 12:45:00 localhost getent: nss_ldap: failed to bind to LDAP server ldaps://192.168.229.134: Can't contact LDAP server
May 10 12:45:00 localhost getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...

Thanks.

Last edited by Manuel-H; 05-10-2012 at 01:15 AM.
 
Old 05-10-2012, 02:56 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
well the first log shows LDAP, the second shows LDAPS, so there's clearly a significant difference there, which could mean things like iptables not being open, or slapd not listening on 636. Generally STARTTLS is preferred over LDAPS these days, so you should only really need port 389 for plain and encrypted binds.
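
The LDAP-versus-LDAPS difference pointed out in the reply above can be pulled out of the two logs mechanically. The script below is an added example, not something posted in the thread: its function names (server_ports, client_uris, uri_port, compare_logs) are made up for illustration, and it runs over log lines copied from post #8.

```shell
#!/bin/sh
# Added example: log excerpts below are copied from the thread (post #8).
slapd_log() { cat <<'EOF'
May 10 12:48:02 ds slapd[3834]: conn=30 fd=27 ACCEPT from IP=192.168.229.137:51943 (IP=0.0.0.0:389)
May 10 12:48:02 ds slapd[3834]: conn=30 op=0 BIND dn="" method=128
May 10 12:48:02 ds slapd[3834]: conn=30 op=0 RESULT tag=97 err=0 text=
EOF
}
client_log() { cat <<'EOF'
May 10 12:45:00 localhost getent: nss_ldap: failed to bind to LDAP server ldaps://192.168.229.134: Can't contact LDAP server
May 10 12:45:00 localhost getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
EOF
}

# Listener ports on which slapd logged an ACCEPT (stdin: slapd log).
server_ports() {
    sed -n 's|.* ACCEPT from .* (IP=.*:\([0-9][0-9]*\)).*|\1|p' | sort -u
}

# URIs that nss_ldap reported it could not bind to (stdin: client syslog).
client_uris() {
    sed -n 's|.*nss_ldap: failed to bind to LDAP server \(ldaps\{0,1\}://[^ ]*\): .*|\1|p' | sort -u
}

# Port implied by an LDAP URI: explicit port if given, else the scheme default.
uri_port() {
    hostport=${1#*://}; hostport=${hostport%%/*}
    case "$hostport" in *:*) echo "${hostport##*:}"; return ;; esac
    case "$1" in
        ldaps://*) echo 636 ;;
        ldap://*)  echo 389 ;;
        *)         return 1 ;;
    esac
}

# Report each failing client URI against the ports the server actually served.
compare_logs() {   # $1 = slapd log text, $2 = client log text
    ports=$(printf '%s\n' "$1" | server_ports)
    printf '%s\n' "$2" | client_uris | while read -r uri; do
        port=$(uri_port "$uri") || continue
        if printf '%s\n' "$ports" | grep -qx "$port"; then
            echo "OK $uri port=$port"
        else
            echo "MISMATCH $uri port=$port server_seen=$(echo $ports | tr ' ' ',')"
        fi
    done
}

compare_logs "$(slapd_log)" "$(client_log)"
```

A MISMATCH only says that no connection reached slapd on that port in the log excerpt; whether the cause is a firewall rule or slapd not listening there still has to be checked on the server.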
 
Old 05-10-2012, 03:42 AM   #10
Manuel-H
Member
 
Registered: Apr 2003
Location: Singapore
Distribution: Slackware32/64, Ubuntu, Fedora, RHEL
Posts: 130

Original Poster
Rep: Reputation: 15
Thanks acid_kewpie for pointing me to the right direction to look into.

Appreciate it.
 
  


All times are GMT -5. The time now is 06:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration