NetworkAuthentication

Revision 28 as of 2005-11-01 22:52:41


Introduction

There are many different kinds of network authentication in use today. Ubuntu should be easily configured to use any of these out of the box, without asking any questions for the default local configuration. In order to accomplish this, there should be a single utility, similar to Fedora's authconfig, that interfaces with package-specific configuration scripts.

Rationale

Ubuntu should easily integrate into existing network infrastructure, including network authentication and authorization. There is a lot of demand for easy configuration of any of the many different authentication methods including LDAP, Active Directory, Kerberos and NIS.

Scope and Use Cases

The goal for Dapper should be limited to quickly configured client functionality. The landscape of possible options for authentication servers is likely to change drastically in the near future and presents a more challenging problem, but should be a goal for Dapper+1.

The initial implementation should support the following use cases:

  • Enabling and disabling the nameservice caching daemon (nscd) to make network user information reasonably performant. Nscd is not used for authentication.
  • Scriptability for system administrators who need to configure many machines for their setup.
  • Configure both which authentication methods to use and the method-specific settings from the same tool.

Implementation Plan

Time estimates are just that: estimates. They are based on an informed guess at implementation difficulty, not on code review.

  • Use Fedora's authconfig for specific ideas and details of what files need to be changed for each method.
    • Most of the changes done by "authconfig" are distribution neutral as they modify upstream configuration files.
    • PAM configuration is the only Fedora-specific aspect and that is easily adaptable to /etc/pam.d/common-*
  • Break down the 4700-line "authinfo.c" into package-specific configure scripts to fit with the Debian policy.
    • base-files needs a tool to modify nsswitch.conf and nsswitch.conf needs to be changed to be managed by maintainer scripts and not listed in conffiles. (1 day)
    • libpam-runtime needs a script for modifying /etc/pam.d/common-*. (1 week)
    • samba needs a script for setting up winbind authentication with /etc/samba/smb.conf. (unsure, probably half a week to a week)
    • libpam-smbpass needs a script for modifying /etc/pam_smb.conf (absolutely trivial, 2 hours)
    • krb5-config and krb4-config need a script for /etc/krb5.conf and /etc/krb.conf (similar to the script for samba, so if we have the samba script, 1 day)
    • hesiod or libhesiod0 needs a script for modifying /etc/hesiod.conf (trivial, 2 hours)
    • libnss-ldap needs a script for /etc/libnss-ldap.conf (similar to /etc/openldap/ldap.conf, fairly simple, 4 hours)
    • libldap2 needs a script for /etc/openldap/ldap.conf (fairly simple, 4 hours)
    • nis needs a script for /etc/yp.conf (trivial, 2 hours)
  • Make sure the packages needed for an authentication method are installed on the system, either by having the high-level "authconfig" package depend on all supported authentication methods, or by checking for missing packages and telling the user what is missing and how to fix it.
  • All the necessary packages are already in main.
  • No questions to configure the auth method should be asked when installing with Ubuntu's default priority.

Data Preservation and Migration

Some packages currently package their configuration as conffiles and those packages will need to be changed to use maintainer scripts. Obviously scripts should be written to conform to the Debian guidelines of not overwriting user modifications in configuration files; by restricting the scripts to simple and well-defined changes it should be possible to insert and remove the appropriate changes without losing user changes. "authconfig" currently manages this quite well and similar techniques can be used in scripts.
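As an added illustration of the "simple and well-defined changes" the plan asks of the per-package scripts (the base-files tool for nsswitch.conf and the libpam-runtime script for /etc/pam.d/common-*), here is example code that is not part of this spec and not taken from any Ubuntu or Fedora package. It assumes POSIX sh and awk, lookup-source names that are plain words (ldap, winbind, nis; no regex metacharacters), a one-word marker tag (the tag "ubuntu-auth" is an invented placeholder), and constructed sample files in the Debian layout. Each function touches only the lines it owns, is idempotent, and rewrites the file in place so the inode, owner and mode survive, which is what lets the change be inserted and removed again without disturbing the administrator's own edits.

```shell
#!/bin/sh
# Added example (not from this spec or from any Ubuntu or Fedora package):
# two building blocks for the per-package configure scripts described in the
# plan.  nss_enable / nss_disable add or remove one lookup source ("ldap",
# "winbind", "nis", ...) on the passwd, group and shadow lines of an
# nsswitch.conf-style file.  managed_block inserts, replaces or removes a
# marker-delimited block in a pam.d/common-*-style file.  Assumptions:
# POSIX sh and awk; source names are plain words (no regex metacharacters);
# the marker tag is one word; the sample files below are constructed.

# _rewrite FILE AWK-ARGS... : run awk with the given arguments and replace
# FILE's contents with the output, but only if awk succeeded.
_rewrite() {
    file=$1; shift
    tmp=$(mktemp) || return 1
    awk "$@" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keep the inode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# nss_enable FILE SOURCE : append SOURCE to the passwd/group/shadow lines
# unless it is already listed there; all other lines pass through untouched.
nss_enable() {
    _rewrite "$1" -v src="$2" '
        /^(passwd|group|shadow):/ {
            have = 0
            for (i = 2; i <= NF; i++) if ($i == src) have = 1
            if (!have) $0 = $0 " " src
        }
        { print }' "$1"
}

# nss_disable FILE SOURCE : remove SOURCE from those lines, leaving the
# administrator's spacing and any other sources or [action] tokens alone.
# (Refusing to remove the last remaining source is left to the caller.)
nss_disable() {
    _rewrite "$1" -v src="$2" '
        /^(passwd|group|shadow):/ {
            while (sub("[ \t]+" src "[ \t]+", " ")) { }   # token in the middle
            sub("[ \t]+" src "$", "")                      # token at the end
        }
        { print }' "$1"
}

# managed_block FILE TAG CONTENT : keep exactly one block delimited by
# "# BEGIN TAG" / "# END TAG" lines containing CONTENT.  An existing block is
# replaced in place; a new block goes before the first directive (so an auth
# line added here runs ahead of pam_unix); empty CONTENT removes the block.
# The file is read twice: pass one only checks whether markers exist.
managed_block() {
    _rewrite "$1" -v tag="$2" -v content="$3" '
        function emit() {
            if (content != "") {
                print "# BEGIN " tag; print content; print "# END " tag
            }
            seen = 1
        }
        NR == FNR { if ($0 == "# BEGIN " tag) exists = 1; next }
        $0 == "# BEGIN " tag { skip = 1; emit(); next }
        $0 == "# END " tag   { skip = 0; next }
        skip { next }
        !exists && !seen && $0 ~ /^[ \t]*[^ \t#]/ { emit() }
        { print }
        END { if (!seen) emit() }' "$1" "$1"
}

# Demo on constructed sample files in the Debian layout (run with "demo").
demo() {
    nss=$(mktemp); pam=$(mktemp)
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$nss"
    printf '#\n# constructed /etc/pam.d/common-auth\n#\nauth    required        pam_unix.so nullok_secure\n' > "$pam"
    nss_enable "$nss" ldap
    nss_enable "$nss" ldap                # second call changes nothing
    managed_block "$pam" ubuntu-auth 'auth    sufficient      pam_ldap.so'
    echo '--- enabled:'; cat "$nss" "$pam"
    nss_disable "$nss" ldap
    managed_block "$pam" ubuntu-auth ''   # remove the block again
    echo '--- disabled (back to the original files):'; cat "$nss" "$pam"
    rm -f "$nss" "$pam"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A real common-auth script would also add use_first_pass to the pam_unix line so the user is not prompted twice, and the nsswitch.conf tool should refuse to remove the last source on a line; both are deliberately left out here to keep the editing technique itself visible.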

Packages Affected

  • base-files
  • libpam-runtime
  • libpam-smbpass
  • libnss-ldap
  • samba
  • krb5-config
  • krb4-config
  • hesiod or libhesiod0 (whichever currently owns /etc/hesiod.conf)
  • libldap2
  • nis

User Interface Requirements

  • Client-side
    • The various pieces should be configurable through the usual dpkg-reconfigure, where appropriate, and a higher-level package should provide a unified place for setting all the relevant authentication and user information settings. Fedora's "authconfig" provides a good example of a relatively usable user interface, but it might be reasonable for the high-level utility to provide all of its configuration through dpkg-reconfigure and simply invoke that.
  • Server-side (Dapper+1)
    • There should be an authconfig analogue for server configuration which:
      • makes the simple easy: This auth-server tool should enable simple, straightforward configuration, with all the details being handled by underlying scripts.
      • makes the difficult possible: Administrators can still modify the underlying configuration files.

Outstanding Issues

UDU/UBZ BOF Agenda

* Client Config

  • authconfig/libuser or equivalent?
    • Fedora tool, but the Fedora-only pieces should be minimal and easily portable.
    • Fedora-specific parts should be restricted to pam_stack which is a relatively straightforward port to pam.d/common-*
    • Doesn't fit in well with Debian policy as it modifies config files from many, many packages. This isn't a problem unless it's invoked automatically.
    • Porting might be useful as a short-term solution
    • At the very least is useful as an implementation guide or roadmap for knowing which files need to be modified for each method
  • start nscd
  • Authentication
    • modify pam.d/common-*
    • modify backend-specific files
      • LDAP, AD, eDirectory: /etc/ldap.conf
      • NIS, NIS+
      • Kerberos
      • Winbind
  • Authorization and user information
    • modify nsswitch.conf
    • backend-specific config files should be the same as for authentication
      • LDAP, AD, eDirectory: /etc/ldap.conf
      • NIS, NIS+
      • Winbind
      • Hesiod
        • Fedora has this, but it's an ugly DNS hack and can probably be dropped.

* Server Config

  • some scripts
  • existing graphical front ends
    • directory-administrator
    • luma
  • Not implementable in Dapper timeframe, possibly Dapper+1
  • Should be split into its own BOF
  • NIS/YP, NIS+ are not interesting to devote resources to.
  • Kerberos?
  • Winbind/Samba are currently shipped but can be a configuration nightmare (but see below)
  • LDAP: currently the only option is OpenLDAP which is ridiculously hard to configure.


CategoryUdu CategorySpec