Single sign-on suggestions?

Eamonn Sullivan eamonn.sullivan at gmail.com
Tue Jul 18 09:42:55 UTC 2006


On 7/18/06, Kim Briggs <patiodragon at gmail.com> wrote:
> I really don't mean this as some kind of jab or joke, but if this is a
> family setup, would it be possible to just have a "wide open" samba setup
> that doesn't require a sign on?  The linux account "housing" the files would
> still have the same kind of protection from outside of your network, and it
> seems very common nowadays to have some kind of "blue box" router protecting
> your home network.  (I use fixed IPs and can allow access from only local
> machines).
>
> So, I give this as a point of reference for a home with only 3 users who are
> old enough not to interfere with each other's "home" accounts.  Here is a
> link to the samba configuration settings that we use to avoid logins in a
> home network.
>

Thanks for replying. I don't have trouble with any of the pieces,
individually. The Samba setup we use now shares "homes", which
automatically serves the user's home directory, depending on who signs
in. This works fine right now on both the main Dapper PC and Mac OS X
10.4 (both as server and client). I also have a "Shared" directory
that anyone can use to dump stuff in and share with anyone. That also
works fine.

The problem is that nothing's connected. If the kids change their
password on Dapper, they also have to do a smbpasswd to change their
Samba password. I think that's true on the Mac, as well, but I don't
remember. (With seven people in the house, my chances of getting to
use the Mac approach zero). What I want to avoid is creating another
*two* sets on the new Linux box (local system and samba).

I went through the wiki and a number of How Tos that I found on Google
and I was able to get the new PC configured as an LDAP client and to
migrate the system users to the slapd database. I was able to log in
using the username/password stored in the database on the other pc, a
new home directory was created automatically the first time, and I was
off and running.

I'm glossing over some complexity here. For example, I needed to
manually add the users to local groups like 'audio' to get sound to
work. (They were already in the audio group on the LDAP server, but
that piece doesn't seem to get to the client.) But, in general, not
too bad. And only a few small, furry animals needed to lose their
lives.

I then pointed Samba to that same database (instead of the tdbsam),
following some examples on Google, and it just didn't work. It
wouldn't accept any of the usernames/passwords. So I backed off,
started again from scratch, this time using How Tos to get Samba to
use LDAP, plus the aforementioned steps to get the system users
migrated.

The complexity mounted exponentially and I ended up with a domain
controller, winbind, lots of weird new groups ("Domain Users"), etc.
It appeared to work, until you tried to connect to anything.
NT_STATUS_LOGON_FAILURE was the result. And when I tried to log in
using one of the accounts through GDM, the system would hang after
accepting the password.

So I've backed off a second time and am contemplating my next move.
Since I was able to get the unix accounts migrated, I may just do
that. At least I'd have reduced the number of account databases by
one.

The whole process seems awfully complicated for two PCs. It would be
worth it if I had dozens or hundreds in a corporate environment. I
think there's an itch here that needs scratching. My programming
skills are limited (Python, C and Lisp), and I have even less time.
Perhaps I should come up with a spec and see if I can get someone
interested.

-Eamonn
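
[Editor's added example. The fragments below are not from this post or
thread; they show the minimal configuration for the setup the post is
after: Samba reading its accounts from the same slapd database that
NSS/PAM already use (passdb backend = ldapsam), with password changes
kept in step in both directions so that there is one password per user
rather than a separate smbpasswd one. The base DN dc=home,dc=lan, the
admin DN cn=admin,dc=home,dc=lan, the workgroup name and the /srv path
are assumptions. It assumes samba.schema is loaded in slapd and the
user entries carry the sambaSamAccount objectClass, which is what the
smbldap-tools migration adds.]

```ini
# --- /etc/samba/smb.conf (fragment; assumed names, see above) ---
# smb.conf only treats '#' or ';' at the start of a line as a comment,
# so no comments are placed after values.
[global]
   workgroup = HOME
   security = user
   # One account database: Samba reads and writes the sambaSamAccount
   # attributes on the same user entries that nss_ldap/pam_ldap use.
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=home,dc=lan
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=admin,dc=home,dc=lan
   # Use STARTTLS unless slapd only listens on the loopback interface;
   # the admin DN bind sends a password and should not cross the LAN in clear.
   ldap ssl = start tls
   # A Samba password change (smbpasswd / Windows "change password")
   # also rewrites userPassword, so the Unix login changes with it.
   ldap passwd sync = yes

[homes]
   comment = Home directories
   browseable = no
   read only = no
   valid users = %S

[Shared]
   path = /srv/samba/shared
   read only = no
   create mask = 0664
   directory mask = 0775

# --- /etc/nsswitch.conf (fragment) ---
# Supplementary groups (audio, plugdev, ...) only reach a client if group
# lookups go to LDAP too, not just passwd lookups; the posixGroup entries
# must then list the user in memberUid.
passwd: files ldap
group:  files ldap
shadow: files ldap

# --- /etc/pam.d/common-password (added line, libpam-smbpass package) ---
# The other direction: when a user runs 'passwd' on the Linux box,
# pam_smbpass updates the Samba NT hash in the passdb as well.
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok

# --- one-off steps and checks (run as root) ---
# The admin DN password lives in secrets.tdb, never in smb.conf:
#   smbpasswd -w 'admin-dn-password'
# Samba must be able to enumerate the accounts from LDAP:
#   pdbedit -L
# The local domain SID must be the prefix of the users' sambaSID values;
# a mismatch is one common cause of NT_STATUS_LOGON_FAILURE with ldapsam:
#   net getlocalsid
#   ldapsearch -x -b ou=People,dc=home,dc=lan sambaSID
```

The two sync settings are what remove the second password database: ldap
passwd sync covers changes made through Samba, pam_smbpass covers changes
made with passwd. Without the group line in nsswitch.conf the LDAP
memberships never reach the client, which is why adding users to local
groups by hand appears necessary.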




More information about the ubuntu-users mailing list