Bug 5448 - drakxtools needs to be properly configured for various Domains.
Status: CONFIRMED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: -Enter Bugs Here-
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: Alexey Ivanov
: Desktop Triage Team
Reported: 2015-04-27 12:38 MSD by Zombie Ryushu
Modified: 2015-07-11 02:05 MSD
RPM Package: drakxtools
Description Zombie Ryushu 2015-04-27 12:38:33 MSD
This is somewhat of a placeholder bug, as it will be used as the basis to resolve a complex subject of issues with how various Domain Topologies are configured by DrakAuth, libuser and the Name Service Switch (NSS).

The Goals are: 

Configure the NSS to each Domain structure correctly.
Configure libuser.conf to reflect that change.

Included are the following types of Domains and configuration cases:

Active Directory Domains with Winbind.
Active Directory Domains with RFC 2037 Support. (Samba 4 normally.)
Classic NT Domains (Samba 3 without LDAP usually.)
Open Directory Domains (OpenLDAP, Kerberos, and Samba 3/4 working together without AD)
NIS Domains.

Users should be able to: 

Log in Securely (NSS and PAM).
Change Passwords (libuser)
Cache Credentials for offline authentication (nss_db and pam_ccreds)
Comment 1 Zombie Ryushu 2015-06-04 20:25:21 MSD
Okay I'm still having issues with Drakauth configuring PAM in such a way that even root can't log in.
Comment 2 Zombie Ryushu 2015-07-09 10:38:05 MSD
I've been using sssd for some time, I can say with certainty it works, but the Rosa login screen is horrendous with it. Every user is displayed.
Comment 3 Alexey Ivanov 2015-07-10 10:19:52 MSD
Try current build of drakxtools please.

Command to add i586 container:

urpmi.addmedia 2520025 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2520025/i586/main/release/

Command to add x86_64 container:

urpmi.addmedia 2520026 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2520026/x86_64/main/release/

Improvements are pretty modest. It generates configurations for Windows AD, LDAP and Kerberos 5 which do work (reboot might be required). Other aspects haven't been addressed yet. Feedback is highly appreciated.
Comment 4 Zombie Ryushu 2015-07-10 16:43:33 MSD
Does it use pam_sssd or nslcd and pam_krb5?
Comment 5 Alexey Ivanov 2015-07-10 16:50:21 MSD
There is no sssd support yet. Its use is being considered, however.
As for the existing caching solution, I am not sure it actually works. If not, I personally think it should be replaced with sssd rather than fixed as is.
Comment 6 Zombie Ryushu 2015-07-11 02:05:44 MSD
If you are referring to the way things used to work, you are absolutely
right. The way it used to work, nslcd would handle LDAP, and if you
wanted to cache credentials from LDAP, you needed a command line utility
called nss_updatedb, this had to be installed alongside pam_ccreds. To
cache LDAP Credentials, you had to run as root, nss_updatedb passwd ldap
and that would copy EVERY user name from LDAP to nss_db... the NOTFOUND
Directive would cause nslcd's module to be bypassed and use nss_db instead.

pam_ccreds actually worked as advertised with Kerberos, but it relied on
nss_db working.

Prior to the release of nslcd, you had nss_ldap which could render your
machine unable to Login even as root. The only way to fix that was to
disable nss_ldap and getent LDAP accounts into /etc/passwd.

See, nss_db is technically a different service unrelated to LDAP. It's a local service from a populated nss_updatedb utility. You have to run this from root.
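
The lookup order described in Comment 6 can be checked before a machine is rebooted into it. The following is an added example, not code from this thread or from drakxtools: it parses nsswitch.conf lines, applies glibc's default status actions, and reports whether root still resolves from `files` and whether nss_db (`db`) is reached when the directory is down. Both sample lines are constructed for illustration.

```python
import re

# glibc's default action for each lookup status
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: [(service, actions), ...]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if ":" not in line:
            continue
        database, spec = line.split(":", 1)
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
            if not tok.startswith("["):
                chain.append((tok, dict(DEFAULTS)))
                continue
            if not chain:
                continue                     # an action list must follow a service
            for item in tok[1:-1].split():
                status, action = item.upper().split("=", 1)
                # [!STATUS=action] applies to every status except STATUS
                targets = ([s for s in DEFAULTS if s != status[1:]]
                           if status.startswith("!") else [status])
                for s in targets:
                    chain[-1][1][s] = action.lower()
        table[database.strip()] = chain
    return table

def resolve(chain, outcome):
    """Walk one chain. outcome maps service -> status it reports.
    Returns (services consulted, service that answered or None)."""
    tried = []
    for service, actions in chain:
        status = outcome.get(service, "NOTFOUND")
        tried.append(service)
        if actions[status] == "return":
            return tried, (service if status == "SUCCESS" else None)
    return tried, None

def audit(text, database="passwd"):
    """Simulate every service except files/db being unreachable."""
    chain = parse_nsswitch(text).get(database, [])
    down = {svc: "UNAVAIL" for svc, _ in chain}
    tried, by = resolve(chain, {**down, "files": "SUCCESS"})
    _, cached = resolve(chain, {**down, "files": "NOTFOUND", "db": "SUCCESS"})
    return {"root_resolves_locally": by == "files" and tried == ["files"],
            "offline_cache_reachable": cached == "db"}

# Constructed sample lines, not taken from the bug report
CACHED = "passwd: files ldap [NOTFOUND=return] db   # nss_db as fallback\n"
LOCKOUT = "passwd: ldap [UNAVAIL=return] files db\n"
```

Run `audit()` on the contents of a generated `/etc/nsswitch.conf` for `passwd`, `group` and `shadow` before logging out of the last root session.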