LinuxQuestions.org
Old 01-16-2004, 01:40 PM   #1
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
Centralized Accounts Database?


I've decided to start looking at how I can set up a small network with Linux clients. I'm an ex-Windows IT guy.. so maybe I'm thinking too MS in trying to come up with a solution.. if I am.. someone shoot me please

What I would like to have...

A server (Slackware) that holds all the users of this network... For the clients to log in, they have to have an account set up on this server.

I want all the clients to be set up to log onto this accounts machine. Now these will all be Linux clients.. none of this Windows crap.

I would like for the clients' home directories to map to the server, so basically the clients cannot write anything to their local hard drive at all. Client-wise, let's say there are 15-20 clients??

These are the basics I am looking for... can someone point me in the right direction, is there a website out there that explains this??


thanks:trey
 
Old 01-16-2004, 01:56 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
This is what you're after ...

NIS+



Cheers,
Tink
 
Old 01-16-2004, 02:03 PM   #3
Astro
Member
 
Registered: Jan 2003
Location: Ballston Lake, NY
Distribution: Slackware, Debian
Posts: 665

Rep: Reputation: 30
Re: Centralized Accounts Database?

Quote:
Originally posted by trey85stang
.. none of this Windows crap.
LOL thanks trey, that just made my whole entire week! haha
 
Old 01-17-2004, 07:39 AM   #4
dirstyGuy
Member
 
Registered: Jan 2004
Posts: 67

Rep: Reputation: 15
And what network file system are you considering using? Well, NFS is trivial, but I heard it is not that elegant; one of the vulnerabilities of older versions of NFS is that it doesn't check back on the hostname trying to connect.

The vulnerability is that the hostname can be spoofed. If the network file server is fooled, we can create any user we want on our local system, log in as that user, and then we'll have access to that user's exported data on NFS. But this should be long fixed. I'm not that deep into that, but I think NIS should handle that authentication of the spoofing ..

I'm just interested to know, what is the better network file system currently? Coda, Samba + any comment?

TIA
 
Old 01-17-2004, 01:14 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Quote:
Originally posted by dirstyGuy
And what network file system are you considering using? Well, NFS is trivial, but I heard it is not that elegant; one of the vulnerabilities of older versions of NFS is that it doesn't check back on the hostname trying to connect.
That's what you have
/etc/hosts.allow
and
/etc/hosts.deny

Quote:
The vulnerability is that the hostname can be spoofed. If the network file server is fooled, we can create any user we want on our local system, log in as that user, and then we'll have access to that user's exported data on NFS. But this should be long fixed. I'm not that deep into that, but I think NIS should handle that authentication of the spoofing ..
And if you set up (as I learnt the other day) static
arp-tables on the server there's no spoofing, either,
because the MAC address can't be forged easily.


Cheers,
Tink
 
Old 01-17-2004, 02:10 PM   #6
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Original Poster
Rep: Reputation: 41
Re: Re: Centralized Accounts Database?

Quote:
Originally posted by Astro
LOL thanks trey, that just made my whole entire week! haha
It makes my day every day.. to get to sit in front of a Linux machine when I get home from work...
 
Old 01-17-2004, 05:51 PM   #7
dirstyGuy
Member
 
Registered: Jan 2004
Posts: 67

Rep: Reputation: 15
Quote:
Originally posted by Tinkster
And if you set up (as I learnt the other day) static
arp-tables on the server there's no spoofing, either,
because the MAC address can't be forged easily.
I hope so; as said, that vulnerability should be fixed. Although I'm just a little bit untrusting, as in my mind I can set up my DNS to answer the "back reference query of the NFS server" with the hostname I want it to be. Though whether my DNS is the one that the NFS server queries is another question.

AFAIK NFS worked over UDP (connectionless, other network FS maybe also), which means the exported data is streamed to the network segment barely through the UDP port (at least in the early manifestation of NFS). I bet only an authenticated host:user can force the NFS server to stream certain demanded data, say when we do "cd /nfs1/user1data, then /nfs1/user1 will be mounted on a certain point in user1's FS tree, and what he accesses will be streamed through the segment later (encrypted?)". Although not authenticated, the data is subject to scanning/mapping by anyone who is physically (or in some way) connected to the network segment (isn't it? Sorry if my estimation is wrong, I'm still noobish on NFS).

Yeah, those static arp-tables sound promising; still curious whether anyone is gonna say something about Coda or maybe another network file system just being popular

Last edited by dirstyGuy; 01-17-2004 at 09:30 PM.
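
The posts above turn on which hosts an NFS server trusts and how it identifies them. The following audit is an added example, not part of any post in this thread: it reads exports(5)-style text and reports client entries that are matched by name rather than by address, exports open to every host, and the `no_root_squash` and `insecure` options. The sample paths and hosts are constructed, and line continuations and quoted paths are not handled.

```python
import ipaddress
import re

# Constructed sample in exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories for the clients
/home         192.168.1.0/24(rw,root_squash)
/srv/share    client1.example.lan(rw) *.example.lan(ro)
/srv/scratch  *(rw,no_root_squash,insecure)
/srv/pub      (ro)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

def is_address(spec):
    """True when the client is given as an IP address or network, not a name."""
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False

def audit_exports(text):
    """Return (line, path, client, issue) tuples for risky client specs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            host, opts = (m.group(1), m.group(2) or "") if m else (client, "")
            opts = {o.strip() for o in opts.split(",") if o.strip()}
            if host in ("", "*"):
                issue = "exported to every host"
            elif not is_address(host):
                issue = "client matched by name; trust rests on name resolution"
            else:
                issue = None
            if issue:
                findings.append((lineno, path, client, issue))
            for opt in ("no_root_squash", "insecure"):
                if opt in opts:
                    findings.append((lineno, path, client, opt + " is set"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```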
 
Old 01-17-2004, 09:08 PM   #8
gmartin
Member
 
Registered: Mar 2003
Location: PA
Distribution: Slackware 13.37 Linux Reg # 341245
Posts: 285

Rep: Reputation: 40
Can we use LDAP?

So I have to ask - how could I use LDAP as my user database? Can I replace the standard Linux auth system with an LDAP-based directory?

Ultimately I'd like LDAP to hold my user info, sendmail info, Apache authentication info and tikiwiki account. But let's start with login... references??
 
Old 05-14-2004, 07:10 PM   #9
OdieQ
Member
 
Registered: Jan 2004
Location: Stockholm, Sweden
Distribution: Debian, Slackware
Posts: 71

Rep: Reputation: 15
MAC addresses

Please do not rely on MAC addresses for security; the MAC address can be reset (on all but a few NICs) with the command "ifconfig [interface] hw ether [MAC address]". Not too hard to spoof, in other words. Also, you can easily sniff out valid MAC addresses using common network inspection tools.

I haven't used LDAP myself, so the following information might not be entirely accurate. If I'm not mistaken, LDAP authentication requires Pluggable Authentication Modules (PAM), which is left out of Slackware due to its shaky security track record, and from what I've seen of the source, it's a good call. PAM is however standard on many GNU/Linux distributions, so obviously a lot of people think it's safe enough.

To install PAM in Slackware, you need to first install PAM, and then recompile all packages that do authentication (at least shadow, perhaps some others as well) to make them PAM-enabled.

The quick and dirty approach is of course to write a script which periodically updates the local authentication files against LDAP, but that isn't necessarily any more secure than the alternatives.

I personally think the poor implementation of PAM is a major shortcoming of the GNU/Linux platform. It should be rewritten by someone who really understands secure programming.
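
The "quick and dirty" sync script mentioned in the post above is only as safe as its merge step. This is an added example, not code from the thread: it assumes the directory's accounts have already been exported as passwd(5)-format lines, and `MIN_UID`, the `/home/` rule and the sample data are assumptions made for the illustration.

```python
import os
import re
import tempfile

MIN_UID = 1000  # assumption: directory-managed accounts start at this UID
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def merge_passwd(local_text, directory_text):
    """Return (new passwd text, rejected directory lines)."""
    merged, rejected, names, uids = [], [], set(), set()
    for line in local_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdecimal() and int(f[2]) < MIN_UID:
            merged.append(line)  # system accounts always come from the local file
            names.add(f[0])      # local entries >= MIN_UID are replaced below
    for line in directory_text.splitlines():
        f = line.split(":")
        uid = int(f[2]) if len(f) == 7 and f[2].isdecimal() else -1
        ok = (uid >= MIN_UID and uid not in uids   # never root or a UID 0 alias
              and NAME_RE.match(f[0]) and f[0] not in names and f[3].isdecimal()
              and f[5].startswith("/home/") and ".." not in f[5])
        if not ok:
            rejected.append(line)
            continue
        names.add(f[0])
        uids.add(uid)
        f[1], f[2] = "x", str(uid)  # hashes never go in the world-readable file
        merged.append(":".join(f))
    return "\n".join(merged) + "\n", rejected

def write_atomic(path, text, mode=0o644):
    """Replace path in one rename so a failed run never leaves half a file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, mode)
    os.replace(tmp, path)

# Constructed sample data, not taken from any real system.
LOCAL = "root:x:0:0::/root:/bin/bash\nbin:x:1:1:bin:/bin:/bin/false\n"
DIRECTORY = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:{crypt}placeholder:1002:100:Bob:/home/bob:/bin/bash
toor:x:0:0::/home/toor:/bin/bash
eve:x:1001:100::/home/eve:/bin/bash
mallory:x:1003:100::/home/../root:/bin/bash
"""
```

Running `merge_passwd(LOCAL, DIRECTORY)` keeps root and bin from the local file, imports alice and bob, and returns the toor, eve and mallory lines as rejected so they can be logged for review.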
 
  


All times are GMT -5.