Users are presented with several possible login screens including GDM, console login or SSH login, all of which are controlled by the PAM (Pluggable Authentication Module) authentication mechanism. A module controls a specific type of authentication, it can be local, or network based. PAM modules can be written to do pretty much anything. For more information on PAM see the man page, look here
and for information on types of modules look here
Keeping in mind one of the goals of the Linxus project is to use as much of the current infrastructure as possible, our Linxus user's will try to be authenticated against the Windows ADS (Active Directory Services). Active Directory Services is a collection of services combined to make a administrator's life easier (Ask RayWhite
how great it is?). Essentially it has domain controllers with built in kerberos and LDAP components. So authentication of Linxus users could potentially use one of three PAM modules:
- pam_smb_auth this does PDC (primary domain controller) authentication
- pam_krb5 this authenticates against kerberos 5 based servers
- pam_ldap this authenticates against ldap servers
After testing all three modules it was concluded that pam_krb5 was the best choice for authenticating against Windows ADS. AdsAuth
describes further experimentation with different software.
- 05 Jul 2007
It is important that the clock of the client matches the clock of the Kerberos ticket server. If there is too much of a difference the server will not issue a ticket. Therefore, it is important that all clients have a program, such as ntpdate, that will periodically synchronize the clock with a time server. For clients residing on the University network ns1.uwaterloo.ca can be used as a time server.
Note: ntpd is running on Linxus. However log-ins began to fail due to clock mismatch with the Kerberos server. It turns out ntpd fails to update the time if the system clock is out by more than 180 seconds, which it was. I had to set the date manually with "date", then I set the default in /etc/defaults/ntpd so that the daemon will get and set the time once when it starts up (e.g. after a reboot or restart of daemon).
- 22 Feb 2006
It may be possible to directly retrieve and map Posix user account information from Active Directory using the openldap client. At this time a method has not been found to do this. Currently, cfengine is used to create password files in a staging area and then clients can pull them down using cfengine. Note these files are only necessary to resolve userids and such. The actual authentication is done via Kerberos except for local accounts.
- 09 Sep 2005