SSO

Goal is to have single signon (SSO) with open source software for as much services as possible. Since SSO for windows services needs a windows domain controller and Samba provides one, this seems to be the only way to go.

In the end, I want all services to be run on the low power QNAP NAS. This is not possible yet, because QNAP as PDC will only be available on the next QNAP OS 4.1. In the meantime I'll implement this part on the opensuse server.

SSO Services

• login on all linux and windows devices, including servers, NAS and notebooks
• windows shares
• samba shares on linux servers and qnap NAS
• wiki
• bugtracker (trac)
• databases (mysql, db2)
• more webservices

Subprojects

Samba needs some backend technology to work. Right now, I know of user management and domain name service. User management could be handled by samba internally, but not all sso services support samba users as identity provider. A common user id management that is supported by many services directly or indirectly is LDAP. Samba, openSUSE linux and e.g. DB2 support it natively, others via PAM or other services.

Open LDAP

Open ldap provides user management, but can also be used for many other things, like certificate store or address management. For secure communication between LDAP server and client, an SSL connection can be used. This means we also need a key/certificate management. The same can be used for other services that use SSL, like HTTPS for webservers, remote mysql connections or openvpn.

OpenLDAP can be run on the same host as samba or on a different host. I want to use the QNAP NAS since I expect it to have more uptime and I want to run the samba AD there too as soon as it is available. OpenLDAP is available as a QPKG on the NAS. But as a first step it is running on job4 now.

Configuration with yast ldap client was easy once I discovered I had to use enumerate option in /etc/sssd/sssd.conf to enable getent for ldap users

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss,pam
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
ldap_uri = ldap://ldap.banzhaf.chickenkiller.com
ldap_search_base = dc=job2
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = True
enumerate = True
cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/jba-pki-v2-ca.crt
ldap_user_search_base = ou=people,dc=job2
ldap_group_search_base = ou=group,dc=job2
chpass_provider = ldap
auth_provider = ldap

/etc/nsswitch.conf

passwd:  compat sss
group:   compat sss
...

LDAP Schemas

The qnap device and openSUSE need different (incompatible?) schemas. Since I could not manage users with yast with the qnap schemas, I copied the suse schemas over and used them.

phpLdapAdmin

Config in /share/MD0_DATA/.qpkg/OpenLDAP/phpldapadmin/config/config.php Can create samba user with samba3 schema. The user needs to change pwd beforee use: job4:~ # smbpasswd -r qnap -U ldaptest It may be required to add the user to share sections in /etc/smb.conf. @"everyone" only includes local users, not ldap

read list = @"everyone"
write list = "admin","joachim","julian","caro"
valid users = "root",@"everyone","admin","joachim","julian","caro","ldaptest"

Then this works

smbclient -c ls -W job -U ldaptest //qnap/Download

The homedirectory is not created (try useradd@job4).

Certificate Management (PKI)

see Projekt_PKI

DNS

Samba 4 needs a domain name service. I have no idea why, but it has an internal dns activated by default, so I'll use that. Implication: change used dns at least on the windows pc's from my router to the samba server. The samba server then forwards to the router, if necessary.

How will the dhcp/dns handshake work?