Subject: Re: Authorization en masse
To: Louis Guillaume <lguillaume@berklee.edu>
From: Luke Mewburn <lukem@NetBSD.org>
List: netbsd-users
Date: 11/08/2004 19:08:56

On Sat, Nov 06, 2004 at 03:18:01PM -0500, Louis Guillaume wrote:
  | I have a situation where there is a NetBSD file server running AFP
  | services via Netatalk, but all the users for whom this service must be
  | available are stored in an Open Directory (OD) database.
  |
  | The questions are: On NetBSD...

Without knowing much of the specifics of OD, I'll try answering based
on my experience of integrating a NetBSD based file server running
Samba 3 into an Active Directory (ADS) environment.  ADS runs
over LDAP and Kerberos5.

OD appears to use LDAPv3, based on a quick perusal of:
	http://developer.apple.com/darwin/projects/opendirectory/


  | 1. Must I create a local user account for each user (for authorization
  | purposes) if the authentication is to be done via Kerberos? (OD can be a
  | KDC).

Generally, yes at this time.
If there's a way to get access to OD via a NIS(YP) emulation, then
you could use "nis" in nsswitch.conf(4).

Samba3+ADS uses either winbindd(8) via a dynamic nsswitch nss_winbind.so
module (which I've ported to NetBSD and will contribute back to Samba.)
I suppose it could use an nss_ldap.so, but PADL's hasn't been ported to
NetBSD yet.


  | 2. If the answer to "1" is "yes": is there software out there that will
  | automatically import the user accounts to the local user database? Or
  | will we have to do a script with "useradd"?

My gut feel is that for now you'll need to write a script.
Then you'll have to manage updates when users are added or removed
from OpenDirectory.


  | 3. Has anyone had any success with such a scheme (involving a NetBSD
  | fileserver) that would be willing to help out?
  |
  | ... The idea is that the Netatalk/NetBSD server will share up the Mac OS
  | X users' home directories. As they log in at the login window they
  | retrieve a tgt and a service ticket for the afp service on NetBSD,
  | allowing them to mount their home directory.

No idea about the MacOS X client side requirements; I'm skivvy-challenged.
Various colleagues (who are fellow NetBSD developers) do use MacOS X
and may have more insight.

Cheers,
Luke.
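As an added example (not code from this mail, nor from Netatalk, Samba or NetBSD), here is the kind of import script Luke's answer to question 2 points at: it reads an LDIF export of OD user records and prints guarded useradd(8) lines for NetBSD. The LDIF is constructed sample data, the posixAccount attribute names and the `/home/<uid>` and `/bin/sh` defaults are assumptions, and how the export is pulled from OD is not covered.

```shell
#!/bin/sh
# Added example, not part of the original mail. Nothing is executed:
# the useradd(8) commands are printed for review (or piped to sh), and
# each is guarded with id(1) so the script can be re-run as users are
# added upstream without touching accounts that already exist locally.

SAMPLE_LDIF='dn: uid=alice,cn=users,dc=example,dc=org
uid: alice
uidNumber: 1001
gidNumber: 20
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh

dn: uid=bob,cn=users,dc=example,dc=org
uid: bob
uidNumber: 1002
gidNumber: 20
cn: Bob Example
'

# ldif_to_useradd: read LDIF on stdin, print one guarded useradd line per
# record; records lacking uid or uidNumber are reported on stderr.
ldif_to_useradd() {
    awk '
    function emit() {
        if (uid == "" || uidn == "") {
            if (dn != "") printf "skipping %s: no uid/uidNumber\n", dn > "/dev/stderr"
        } else {
            if (home == "") home = "/home/" uid      # assumed defaults when OD omits them
            if (shell == "") shell = "/bin/sh"
            if (gid == "") gid = "users"
            gsub(/"/, "", cn)                       # keep the quoted GECOS field intact
            printf "id -u %s >/dev/null 2>&1 || useradd -u %s -g %s -d \"%s\" -s %s -c \"%s\" %s\n", uid, uidn, gid, home, shell, cn, uid
        }
        dn = uid = uidn = gid = cn = home = shell = ""
    }
    /^dn: /            { emit(); dn = substr($0, 5) }
    /^uid: /           { uid = $2 }
    /^uidNumber: /     { uidn = $2 }
    /^gidNumber: /     { gid = $2 }
    /^cn: /            { cn = substr($0, 5) }
    /^homeDirectory: / { home = $2 }
    /^loginShell: /    { shell = $2 }
    END                { emit() }
    '
}

printf '%s' "$SAMPLE_LDIF" | ldif_to_useradd
```

Removing accounts that disappear from OD is the other half of the update problem Luke mentions and is deliberately left to the administrator, since deleting a user also affects the home directories this server shares.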
