InterOperability:NovellAuthenticationforK12LTSP
From K12LTSP Wiki
Netware Authentication for Linux Howto
<verbatim>Guy Lessard, glessard@coll-outao.qc.ca. Professor at College de l'Outaouais, Quebec, Canada. Co-founder of Club Linux Outaouais, www.linux-gatineau.org.
Version 0.2, November 15, 2003
The most recent version will be available in English and French at www.linux-gatineau.org
This document aims to describe how to obtain, install and configure ncpfs so as to authenticate to Netware 6 (TCP/IP and IPX) from a Linux operating system and more specifically the K12LTSP distribution.

Table of Contents
1. Introduction
   1.1 Acknowledgement
   1.2 Software used
2. Disclaimer
3. Related Documentation
   3.1 Feedback
4. Some of the terms used in this document
5. A brief discussion of authentication
6. Ncpfs and pam related files
7. Ncpfs Netware Core Protocol FileSystem
   7.1 Obtaining ncpfs
   7.2 Building and installing from source
   7.3 Installing from rpm
   7.4 Modifying startup scripts
8. Configuring your K12LTSP as to authenticate to Netware
   8.1 Installation for IPX protocol on a Linux host
   8.2 Installation for TCP/IP protocol on a K12LTSP
   8.3 Options information
9. Configuring your Linux box to print to Netware
10. An overview of some ncpfs user commands
   10.1 User commands
11. Problems I need to solve
12. Miscellaneous
13. Must read
1. Introduction.
As I was in a Netware-centric college and had implemented a K12LTSP in a laboratory, it became troublesome for the students to save their work to the Netware server. I wanted to eliminate the dual login (once onto the K12 Terminal Server and then onto the Netware server). I also wanted to mount the students' Netware home directories in their respective /home directories on the terminal server. Then came a post from Daniel Hedblom on the K12OSN list stating they had succeeded at this task on an IPX network using a recent ncpfs package. This was all I needed to get me going.
Advantages of using Netware authentication:
- No account creation on Linux if the account exists on Netware.
- Automounting of Netware home directories on Linux /home/$USER directories.
- Can be implemented on Linux Hosts and Terminal Servers.
1.1 Acknowledgements
Daniel Hedblom (daniel.hedblom@skola.solleftea.se / penguin_roar@gentoo.se) for getting me started and proofreading this howto.
Mikael Göransson for his implementation of this authentication onto the IPX protocol.
To David, Patrick and the rest of the people involved in ncpfs development.
To Petr Vandrovec (ncpfs maintainer) for his support in debugging.
Version of this document: See the third line of this document.
1.2 Software used in this document.
Netware 6 with Support Pack 2
K12LTSP Version 3.1.1
ncpfs version 2.2.3 (source package)
Installed ncpfs man pages.
2. Disclaimer.
I do not and cannot know everything there is to know about the Linux network software. Please accept and be warned that this document probably does contain errors. Please read any README files that are included with any of the various pieces of software described in this document for more detailed and accurate information. I will attempt to keep this document as error-free and up-to-date as possible. Versions of software are current as at the time of writing.
In no way do I or the authors of the software in this document offer protection against your own actions. If you configure this software, even as described in this document and it causes problems on your network then you alone must carry the responsibility. I include this warning because IPX and TCP/IP network design and configuration is not always a simple matter and sometimes undesirable interaction with other routers and fileservers can result if you do not design or configure your network carefully.
3. Related Documentation.
Useful documents are:
*IPX-HOWTO.html which explains how basic ncpfs works.
*GCC-Howto on compiling source code.
*User authentication HOWTO which explains how PAM works.
*Netware documentation available from www.novell.com.
*The ncpfs source code documentation.
*And of course the K12LTSP distribution information at www.k12ltsp.org.
3.1 Feedback.
Please send any comments, updates, or suggestions to me, <glessard@coll-outao.qc.ca>. The sooner I get feedback, the sooner I can update and correct this document. If you find any problems with it, please mail me directly as I can miss info posted to the K12OSN list.
4. Some of the terms used in this document.
Terminal server or K12LTSP or K12 server. The machine or program that accepts incoming connections from multiple diskless remote machines and provides all services and/or data to those. K12LTSP is a Red Hat-centric distribution with the latest and greatest LTSP (Linux Terminal Server Project, www.ltsp.org) scripts and all the software needed for Kindergarten to Grade 12 schools. I even use it at college!
Host Any host running Linux.
PAM PAM is an acronym for Pluggable Authentication Module. A mechanism for authentication either by itself (passwd/shadow/md5) or through other authentication services (NIS, Microsoft) and now Netware. Quoting from the Linux-PAM System Administrator's Guide: "It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated." With PAM, it doesn't matter whether your password is stored in /etc/passwd or on a server in Hong Kong. When a program needs to authenticate a user, PAM provides a library containing the functions for the proper authentication scheme. Because this library is loaded dynamically, changing authentication schemes can be done by simply editing a configuration file.
IPX Internet Packet eXchange is a protocol used by the Novell corporation to provide internetworking support for their NetWare(tm) product. IPX is similar in functionality to the IP protocol used by the tcp/ip community.
NCP NetWare Core Protocol is a networked filesystem protocol designed by the Novell Corporation for their NetWare(tm) product. NCP is functionally similar to the NFS used in the tcp/ip community.
5. A brief discussion of authentication
So as to use PAM, ncpfs supplies a library (module) called pam_ncp_auth.so to which we refer in the different PAM files (files contained in the /etc/pam.d directory). All we need to do is install this and the other related files onto the Linux host and configure the appropriate PAM files.
6. Ncpfs and pam related files.
This is just a small list of related files:
*pam_ncp_auth.so, the pam library for ncpfs.
*The pam files to modify are in the /etc/pam.d directory.
7. Ncpfs, Netware Core Protocol FileSystem
7.1 Obtaining ncpfs.
The most up-to-date version of ncpfs can be found at:
[[1]]
Other sources are:
www.rpmfind.net [2].
Whether you are using source code or a pre-compiled rpm, skip to section 7.2 or 7.3 respectively.
7.2 Building and installing from source.
Make a directory to store the source code.
mkdir /opt/.pkg
cd /opt/.pkg
Download ncpfs-2.2.3.tar.gz into this directory and unpack the source with tar into the current directory:
tar zxvf ncpfs-2.2.3.tar.gz
The code is now stored in the /opt/.pkg/ncpfs-2.2.3 directory.
Compile and install the source code:
./configure
make
make install
7.3 Installing from rpm.
Even easier, download the ncpfs-x.x.x.rpm file into some directory and install the software:
rpm -vih ncpfs-x.x.x.rpm
7.4 Modifying startup scripts
You also need to add some lines to your startup script (rc.local) and to the file containing the library paths:
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
ipx_configure -p on -i on
echo "/usr/local/bin/ipx_configure -p on -i on" >> /etc/rc.local
Note: If you are using a TCP/IP only Netware network, disregard the last two lines as they pertain to the IPX protocol.
8. Configuring your host or terminal server so as to authenticate to Netware
8.1 Installation for IPX protocol on a Linux host
Now that we have the module installed, we need to make the modular PAM system aware of it and decide how and what should authenticate the user. The files you will change are found in /etc/pam.d. Every file is a service and you should change the one that you use for login. In this example, I will show you how gdm is configured on a Linux host. Gdm is GNOME's graphical login manager but kde, login and others should work just fine too. We edit /etc/pam.d/gdm.
REMEMBER! Change SERVER to the name of the Netware server you want to authenticate against.
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_unix.so nullok
auth sufficient pam_ncp_auth.so nullok use_first_pass ndsserver=SERVER:ou=Organisationalunit.o=Organization,ou=next_ou.o=next_o -d -L -u2000,4000,pn,gcds -g2000,4000,pn
auth required pam_deny.so
account required pam_unix.so
session required pam_unix.so
session optional pam_ncp_auth.so
password required pam_unix.so nullok obscure min=4
BEWARE: The first pam_ncp_auth.so line (or others) may be word-wrapped in this document; be sure that every line starting with auth, session, account or password is on a single line in the file. The same applies to the other pam files below.
The section with ndsserver should be written like this:
ndsserver=SERVER:ou=1.o=2,ou=3.o=4
Where:
1 is the organizational unit you want to try first in the tree.
2 is the organization you want to try out first.
3 is the organizational unit you want to try second.
4 is the organization you want to try second.
This way you can have a somewhat contextless login, but only if you are sure that there aren't two users in the tree with the same name. If there are, trouble will surely ensue. Once you are done with this and have changed SERVER to your Netware server's name you can log in with Novell Netware accounts!
Problems
If you experience problems logging in, just use tail on the server to see what is happening. Ncpfs has very nice logging and most problems are obvious. What to tail can vary depending on what distribution you use. With Red Hat you tail /var/log/secure:
tail -f /var/log/secure
To find out if your Linux box finds the Netware server just type:
slist
This lists all netware servers ncpfs can see.
If you still don't see your Netware server and you are using the IPX protocol, try the following:
cat /proc/net/ipx_interface
This shows what frame type you have on your Linux server; if it isn't 802.2 then change it with:
ipx_interface add ethx 802.2
Where x in ethx is your network device with a connection to the Netware server, most often eth0.
Try slist again to see if you have a connection to the server.
8.2 Installation for TCP/IP protocol on a K12LTSP.
Here is the /etc/pam.d/kde file from the K12LTSP server:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_timestamp.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_timestamp.so
session optional pam_console.so
Notice the string "service=system-auth": it states that these services are delegated to another file called system-auth in the same directory. You will find the same redirection in the /etc/pam.d/gdm file. So let's modify the system-auth file so that all logins (whether kde, gdm, xdm or login) work the same.
The modified system-auth file looks like this:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ncp_auth.so nullok use_first_pass ndsserver=cegep:ou=etu.o=college,ou=prof.o=college -d -L -u2000,4000,pn,gcds -g2000,4000,pn -A
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional pam_ncp_auth.so
Notice the -A argument at the end of the first pam_ncp_auth.so line: it is necessary for TCP/IP operation, and with it you do not have to load the IPX protocol. Only two lines were added to the above file, the ones containing pam_ncp_auth.so.
Try a login using KDE or Gnome login. Since you specified one or more contexts to check out, you only need to type in the Username and Netware password.
Problems
Verify that the Netware server is reachable from your Terminal server. Under TCP/IP, try pinging your Netware server first by its IP address, then by its name (the server's DNS name should be resolved by the local DNS server or by the host/Terminal server's hosts file). Unfortunately, slist doesn't work under TCP/IP.
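As an added check (not part of this howto or of ncpfs), the following Python script scans a pam.d file for the pitfalls described in 8.1 and 8.2: a word-wrapped pam_ncp_auth.so line, a pam_ncp_auth.so auth line carrying no server option, and a missing -A when the module is to run over TCP/IP. The sample file it reads is constructed here, with the wrapped line deliberately left in.

```python
"""Lint a /etc/pam.d file for the pitfalls this howto warns about.

Added example, not ncpfs code: every directive must sit on one line,
every pam_ncp_auth.so auth line must name a server, and -A must be
present when the module is meant to run over TCP/IP.
"""
import re

PAM_TYPES = ("auth", "account", "password", "session")

# Constructed sample: the pam_ncp_auth option list has been word-wrapped
# onto the next line, exactly the breakage the howto says to look out for.
SAMPLE_WRAPPED = """\
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ncp_auth.so nullok use_first_pass
ndsserver=cegep:ou=etu.o=college -d -L -u2000,4000,pn,gcds -g2000,4000,pn
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_unix.so
session    required     /lib/security/$ISA/pam_unix.so
session    optional     pam_ncp_auth.so
"""


def lint_pam_file(text, tcpip=True):
    """Return a list of (line_number, message) findings; empty means clean."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in PAM_TYPES:
            # PAM cannot parse this: it is the tail of a wrapped directive.
            findings.append((num, "directive continues a wrapped line: %r" % line))
            continue
        if len(fields) < 3:
            findings.append((num, "directive has no module path"))
            continue
        ptype, module, args = fields[0], fields[2], fields[3:]
        if ptype != "auth" or not module.endswith("pam_ncp_auth.so"):
            continue
        # The README requires a server option; the howto uses ndsserver=.
        if not any(re.match(r"(nds)?server=\S+", a) for a in args):
            findings.append((num, "pam_ncp_auth.so auth line names no server"))
        if tcpip and "-A" not in args:
            findings.append((num, "pam_ncp_auth.so over TCP/IP needs -A"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_pam_file(SAMPLE_WRAPPED):
        print("line %d: %s" % (num, msg))
```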
8.3 Argument information
Quoting from the ncpfs source code .../contrib/README:
The pam_ncp_auth module recognises one option, which is required (and may be repeated):
"server=<ServerName>" or "server=<ServerName>/<GroupName>"
Other options are:
-d : turn on debugging output
-v : display reasons for login failures on terminal (default)
-q : do not display login failures
-s : disallow SUPERVISOR from logging-in
-S : disallow SUPERVISOR equivalent from logging-in (NYI)
-uMIN,MAX,CFLAGS,MFLAGS : parameters for user creation
-gMIN,MAX,CFLAGS : parameters for group creation
If you are using the variant "server=<ServerName>/<GroupName>", <GroupName> must be the fully distinguished name of the Group and <ServerName> must have at least a read-only replica of the logging-in user (to be fixed...).
Users and groups creation
User creation is enabled by non-empty CFLAGS option in -u parameter. CFLAGS can consist of one or more following letters:
r : When creating user, it must take uid from UNIX:UID property. If uid is already used, or object does not have UNIX:UID property, user is not allowed to login.
p : When creating user, prefer uid from UNIX:UID property.
n : When inventing uid for new user, take one which is one greater than highest used uid in MIN,MAX range.
f : When inventing uid for new user, take first unused in MIN,MAX range.
If you specify both 'r' and 'p', or both 'n' and 'f', behavior is undefined.
User modification is enabled by non-empty MFLAGS option in -u parameter. MFLAGS can consist of one or more following letters:
g : Update user's primary gid according to NDS database.
c : Update user's gecos (comment, full name) according to NDS database.
d : Update user's home directory according to NDS database.
s : Update user's shell according to NDS database.
NDS background
If -g,,r or -g,,p is specified, group's UNIX:GID attribute is read from NDS. If attribute does not exist, and 'r' was not used, new gid is invented according to min, max and n/f values in -g option.
If -u,,r or -u,,p is specified, user's UNIX:UID attribute is read from NDS. If attribute does not exist, and 'r' was not used, new uid is invented according to min, max and n/f values in -g option.
During user creation, home directory is retrieved from UNIX:Home Directory, login shell from UNIX:Login Shell. If UNIX:Home Directory does not exist, /home/$cn is used as home directory for user. If UNIX:Login Shell does not exist, /bin/bash is used.
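To make the CFLAGS rules concrete, here is an added Python model (not ncpfs code) of how the r, p, n and f letters in -uMIN,MAX,CFLAGS pick the uid of a user being created; nds_uid stands for the UNIX:UID attribute read from NDS (None when absent) and used_uids for the uids already in /etc/passwd. The README does not say what 'p' does when neither n nor f is given, so the model denies login in that case (an assumption of this example).

```python
"""UID allocation as described by the pam_ncp_auth README quoted above.

Added example, not ncpfs code: it models how the CFLAGS letters of the
-uMIN,MAX,CFLAGS option choose a uid for a user being created.
"""


def choose_uid(nds_uid, used_uids, uid_min, uid_max, cflags):
    """Return the uid to create the user with, or None when login is denied.

    nds_uid   -- value of UNIX:UID from NDS, or None if the object lacks it
    used_uids -- uids already present on the Linux host (any iterable)
    cflags    -- flag letters, e.g. "pn" as in -u2000,4000,pn,gcds
    """
    flags = set(cflags)
    if not flags:
        return None  # empty CFLAGS: user creation is disabled
    if {"r", "p"} <= flags or {"n", "f"} <= flags:
        raise ValueError("r/p and n/f together are undefined per the README")
    used = set(used_uids)

    if "r" in flags:
        # Strict: the NDS uid must exist and must be free, else no login.
        # This is the case that bites an account created before the module
        # was set up, whose local uid no longer matches UNIX:UID.
        if nds_uid is None or nds_uid in used:
            return None
        return nds_uid
    if "p" in flags and nds_uid is not None and nds_uid not in used:
        return nds_uid  # preferred NDS uid is usable: take it

    # Invent a uid inside [MIN, MAX] according to n or f.
    in_range = [u for u in used if uid_min <= u <= uid_max]
    if "n" in flags:
        candidate = max(in_range) + 1 if in_range else uid_min
        return candidate if candidate <= uid_max else None
    if "f" in flags:
        for candidate in range(uid_min, uid_max + 1):
            if candidate not in used:
                return candidate
        return None
    # Assumption of this model: 'p' alone gives no way to invent a uid.
    return None


if __name__ == "__main__":
    # Constructed host state: uids 3005 and 3006 already taken.
    print(choose_uid(3005, {3005, 3006}, 2000, 4000, "pn"))
```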
9. Configuring your K12LTSP to print to Netware.
This all depends on whether you really want to print to a Netware print queue or not. If you really do want to print to a Netware print queue, see below; otherwise you can print directly to LPD/LPR or HP JetDirect printers, just configure CUPS or LPRng accordingly.
To use a Netware coupled printer you now have all you need to make it work. Just go to a client or the server and record:
What server is the printer on?
What is the name of the print queue?
What is the printer's make and model?
Also you should fire up NWADMIN and make a special user in NDS that is the printer user. You can use any user with sufficient rights in NDS, but having a designated user is a good idea. Imagine if the user you have assigned to the printer quits and you delete his account? Also be sure to alter the password expiry date in NDS. We don't want that printer to just die every month, do we?
We need to make symlinks for nprint to work.
ln -s /usr/local/bin/nprint /bin/nprint
ln -s /usr/local/bin/nprint /usr/bin/print
10. An overview of the ncpfs user commands
Recent versions of ncpfs package include a range of user and administration commands that you might want to use. The tools are built and installed as part of the ncpfs installation process. Detailed information is available in the supplied man pages but a brief summary of the commands is as follows;
10.1. User commands.
ncopy Network Copy - allows efficient file copies to be performed by using a Netware function rather than a copy across the network.
nprint Network Print - allows you to print a file to a Netware print queue on a Netware server.
nwfsinfo Fileserver Information - prints some summary information about a Netware server.
nwpasswd Netware Password - allows you to change a Netware users password.
nwrights Netware Rights - displays the rights associated with a particular file or directory.
nwuserlist Userlist - lists the users currently logged into a Netware fileserver.
pqlist Print Queue List - displays the contents of a Netware print queue.
slist Server List - displays a list of known Netware fileservers.
11. Problems I need to solve.
Why can't MY Netware account be mounted? Needless to say Murphy's law hit me hard here because I was trying to debug ncpmounting when I accidentally realized that it worked with all other accounts except MINE! AARRGGHH! I will keep you up to date as soon as this is solved.
May, 2004: The problem was that the account existed on the server before Netware authentication was implemented. The UID and GID did not match with Netware authentication, thus failing to mount the home directory. Problem solved by deleting the account (user and group), the home directory under /home, the mail directory (I think it's under /var/mail) and the KDE desktop temporary file (look under /tmp/mcop...).
12. Miscellaneous.
TODO List
- Find info on the ndsserver argument. Is it synonymous with server?
- Find info on the nullok argument.
- Find info on the use_first_pass argument.
- Find info on the -L argument.
13. Must read.
http://prope.insa-lyon.fr/~ppollet/netware/ncpfs/pamncp/auth/
</verbatim>
