Category Archives: Calypso

Samba 3.4

Since it took me an embarrassingly long time to figure out why “use kerberos keytab” refused to work in Ubuntu 9.10, I’m posting here what my problem was.

It seems “use kerberos keytab” is deprecated (as noted in the release notes). The replacement is some variation of “kerberos method =”.
If using the system keytab, that makes the option simply:
kerberos method = system keytab
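To find leftover uses of the old option before upgrading, the sketch below scans smb.conf text for the deprecated parameter and checks any “kerberos method” value against the four values listed in smb.conf(5). It is an added example, not part of the original post; the function name audit_kerberos_method and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit smb.conf text for the keytab settings discussed above.

# Constructed sample input (not taken from a real host).
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   security = ads
   ; kerberos method = system keytab
   Use Kerberos  Keytab = yes
'

# Reads smb.conf text on stdin and prints one finding per line:
#   DEPRECATED <line>            "use kerberos keytab" is still present
#   OK <line> <value>            "kerberos method" is one of the four documented values
#   UNRECOGNIZED <line> <value>  "kerberos method" is set to something else
#   MISSING                      no "kerberos method" line, so Samba's default applies
# Simplification of this example: backslash line continuations are not handled.
audit_kerberos_method() {
  awk '
    /^[ \t]*[#;]/ || !/=/ { next }          # skip comments, section headers, blanks
    {
      eq   = index($0, "=")                 # only the first "=" is significant
      name = tolower(substr($0, 1, eq - 1))
      gsub(/[ \t]/, "", name)               # names ignore case and all whitespace
      val  = tolower(substr($0, eq + 1))    # case-insensitive compare (assumption)
      gsub(/^[ \t]+|[ \t]+$/, "", val)      # values: trim the ends only
      if (name == "usekerberoskeytab") print "DEPRECATED " NR
      if (name == "kerberosmethod") {
        seen = 1
        known = (val == "secrets only" || val == "system keytab" ||
                 val == "dedicated keytab" || val == "secrets and keytab")
        verdict = known ? "OK" : "UNRECOGNIZED"
        print verdict " " NR " " val
      }
    }
    END { if (!seen) print "MISSING" }
  '
}
```

On a real host, feed it the file directly: audit_kerberos_method < /etc/samba/smb.conf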

Mail and Me

Email via the Calypso Mail Installer is up and in production. And to get that working for me, I have finally moved my account into Calypso. Talk about eating your own dog food. Pre-alpha dog food at that!

Calypso client working with Ubuntu

After a night of hacking, the calypso client installer now works with Ubuntu (at least 9.10, but should work with others). In fact, I’m logged in as a Calypso user to Karmic right now.
One thing of note: nscd is required to use sudo with pam-ldap in Ubuntu… that wasn’t a fun bug to track down, lol.

The marvel of the LoginContext

and the PrivilegedAction!
The Calypso Admin application is progressing well. I’m now able to modify all of the LDAP data for users (except the picture, that can wait for later). This is all done via credentials provided at login and stored in a LoginContext. PrivilegedActions are then performed as the authenticated subject.
e.g.:

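// Subject authenticated at login, held by the application's LoginContext
Subject currentSubject = CalypsoadminApp.userContext.getSubject();
// The LDAP lookup for this user, wrapped as a PrivilegedAction
PrivilegedAction currentGetUser = new getUser(currentuser.getUid());
// Run the lookup as the authenticated subject
NamingEnumeration neUser = (NamingEnumeration)Subject.doAsPrivileged(currentSubject, currentGetUser, null);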

What’s even more amazing is how well the people at JCraft have implemented LoginContexts in their native Java SSH client. This will let me create a new context as [user]/admin, and run ssh commands like kadmin as that Kerberos user with nothing more than:

session.setConfig("userauth.gssapi-with-mic", "com.jcraft.jsch.UserAuthGSSAPIWithMIC");

when run as a PrivilegedAction!

Living Dangerously

The Shernet LAN is now running Calypso 0.1.4 for DHCP and DNS. Hopefully this week I will get authentication for clients set up (need to update the script to work with Ubuntu), and I’ll be on my way to some real testing!

Summer work

You want DHCP with DDNS? Well, ya got it.
So far the fruits of the summer include:
calypso-client: registers a Linux client with the Calypso server
dhcp-installer: sets up a calypso client server with DHCP with dynamic updating to PowerDNS with an LDAP backend.

Next up: Mail. Then I can move my network over to Calypso native 🙂

Calypso Installer hits 0.1.0

Over the weekend, the Calypso core services installer hit 0.1.0. I’m satisfied that it should work with any version of CentOS, Fedora, or RHEL. It includes OpenLDAP, Kerberos, DNS, Samba, and NTP functionality. The next steps will be further testing of the installer, making it work on Debian/Ubuntu, and working on the installers for ancillary services.

What is Calypso?

Calypso aims to be the backbone of all software developed here. If all goes according to plan, it will use existing open source software, coupled with a yet-to-be-developed management interface, to be an all-in-one authentication/network configuration server.