
One User, One Password: Integrating Unix Accounts and Computer Labs

One User, One Password: Integrating Unix Accounts and Computer Labs. David J. Blezard & Jerry Marceau University of New Hampshire. UNH Student Clusters. 13,000+ Students plus Faculty & Staff 3 Main Locations and 5 Satellite Locations Both Macintosh and Windows 200 Total Computers


Presentation Transcript


  1. One User, One Password: Integrating Unix Accounts and Computer Labs David J. Blezard & Jerry Marceau University of New Hampshire

  2. UNH Student Clusters • 13,000+ Students plus Faculty & Staff • 3 Main Locations and 5 Satellite Locations • Both Macintosh and Windows • 200 Total Computers • Student Consultants Staff • 2 Locations Open 24 Hours a Day

  3. Old Authentication Scheme #1: Student ID’s • Staffing Required • Cannot Have 24-Hour Authenticated Access • No ID = No Access • Users Lose ID’s • Ugh!

  4. Old Authentication Scheme #2: SS#/DOB • Nightly Dump of Student Names, SS#’s, and Dates of Birth from the Registrar’s Office • Custom Programs to Check Identity • Requires Daily Download of Database • Lots of Problems with Students not Registered at Start of Semester • Need to Manually Enter Faculty & Staff

  5. Old Authentication Scheme #2: SS#/DOB • Security Problem :-(

  6. Gee, Wouldn’t It Be Great If... • …We Could Use Users’ Existing Accounts • Users Already Know Username and Password (Mostly) • Little to No Maintenance • Provides Authentication 24 Hours a Day

  7. CIS Unix Accounts • All Students and Most Faculty and Staff have Accounts on the Central Unix Systems (CIS Unix) • All UNH Members Eligible for Accounts • Provides E-mail Services and Web Hosting • Accounts are Maintained by Help Desk

  8. Can Macs/Windows Talk to Unix? • Yes! • Macintosh - Netatalk & CAP, NFS, Kerberos • Windows - Samba, NFS, NIS, Kerberos

  9. Netatalk • Provides AppleShare File Services and Apple Print Services on Unix • Can Also Provide AppleTalk Protocol Support in addition to TCP/IP • Details at netatalk.sourceforge.net

  10. Netatalk Setup [diagram: Unix Server running Netatalk provides AppleShare File Sharing to Mac Clients over TCP/IP and AppleTalk]

  11. Netatalk Client Use • User Uses Chooser or Network Browser to Access the Netatalk Server • Select Zone and Server for AppleTalk • Enter Host Name for TCP/IP • Enter Unix Username and Password to Authenticate • Select Available Volumes

  12. Samba • Provides SMB-based Windows File Sharing and Print Services on Unix • Runs over TCP/IP • Details at www.samba.org

  13. Samba Setup [diagram: Unix Server running Samba provides Windows File Sharing to Wintel Clients over TCP/IP]

  14. Samba Client Use • User Uses Network Neighborhood to Access the Samba Server • Select or Find the Server • Enter Unix Username and Password to Authenticate • Select Available Shared Folders

  15. How to Make It Work • Machine Boots with Limited Access • User Enters CIS Unix Username and Password • Authenticate (...then a miracle happens...) • User is Allowed Access to OS and/or Machine is Connected to File Server with Applications as the Machine’s Name

  16. Macintosh Issues • No Initial Login or Authentication System (before Mac OS 9) • Can Have Multiple Network Identities (Good!) • Can Attach to or Detach from Network Volumes at Any Time (So-So)

  17. Macintosh Solutions • No Initial Login or Authentication System • All Applications Stored on Mac OS X or AppleShare IP File Servers • Machines Boot to an OS-only Setup • Custom AppleScript (“Log On”) Requests Username and Password, Handles Authentication, Logs, and Mounts Apps • “Log Off” to Handle Disconnects & Logs

  18. “Log On” AppleScript • Uses “Dialog Director” to Provide a Professional Interface and Modal Dialogs • www.hylight.demon.co.uk • Historically Used 3rd Party OSAX to Mount Volumes (Mount Vol & MountIP) • “Mount Volume” now a Standard Addition with TCP/IP and AppleTalk support

  19. “Log On” AppleScript

  20. UNH Netatalk Authentication [diagram: Mac Client → Try to Mount NIS Volume → Netatalk on Linux (CIS Unix) → NIS Volume Mounts → Try to Mount Apps Volume → Netatalk on Linux (Mac Apps Server) → Apps Volume Mounts]

  21. Windows Issues • Windows 95/98/ME • One Network Identity (Bad!) • Entered at Initial Logon Screen (Good) • Can Authenticate against an NT Domain (Good) • Windows NT • Initial Login Screen for “Main” ID and Authentication against a Domain (Good) • Can Have Multiple Identities (Good) • Requires Machine Accounts (So-So)

  22. Windows Solutions • One Network Identity • Actually Not a Problem for UNH • Applications on a Netware Server • Allows Separate Authentication • Need an NT Domain for Authentication • Samba Can Create NT-style Domains • Does Not Support Trusts

  23. UNH Samba Authentication [diagram: Win 98 Client → Domain Login → Samba Domain on Linux → Samba Password Server (CIS Unix w/ Samba) → Access Allowed → Map Apps Drive (Netware Server)]

  24. Samba Password Issues • SMB Passwords are Transmitted as Lowercase • CIS Unix Passwords Require 1 or more Uppercase Characters • “Password Level” Setting Allows Multiple Attempts with n Uppercase characters • Encrypted Passwords - Separate Password Database
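
The “Password Level” workaround on slide 24 deserves a closer look. The following is an added illustration, not code from the UNH team or from Samba itself: it re-implements the idea behind Samba’s `password level = n` option, which retries a lowercase SMB password with up to n letters uppercased so it can match a Unix password that requires uppercase characters. The salted SHA-256 hash stands in for the system’s crypt(3) hash, and the usernames, passwords and salt are constructed. It shows two things a defender should weigh: the number of hash comparisons per login grows combinatorially with n, and the server effectively stops distinguishing case at those positions. Storing separate encrypted (smbpasswd) credentials, as the last bullet suggests, avoids the problem altogether.

```python
import hashlib
from itertools import combinations


def case_candidates(lowercase_pw: str, level: int):
    """Yield every variant of lowercase_pw with at most `level` letters
    uppercased. Illustrative re-implementation of the behaviour behind
    Samba's 'password level' option, not Samba's own code."""
    letter_positions = [i for i, c in enumerate(lowercase_pw) if c.isalpha()]
    seen = set()
    for n_upper in range(0, level + 1):
        for positions in combinations(letter_positions, n_upper):
            chars = list(lowercase_pw)
            for p in positions:
                chars[p] = chars[p].upper()
            candidate = "".join(chars)
            if candidate not in seen:  # skip duplicates from non-letter positions
                seen.add(candidate)
                yield candidate


def unix_hash(password: str, salt: str) -> str:
    # Stand-in for the crypt(3) hash in /etc/passwd (constructed for this example).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_with_password_level(sent_pw: str, stored_hash: str, salt: str, level: int):
    """Return (accepted, attempts): whether some case variant of the
    lowercase password the client sent matches the stored Unix hash, and
    how many hash comparisons it took to decide."""
    attempts = 0
    for candidate in case_candidates(sent_pw, level):
        attempts += 1
        if unix_hash(candidate, salt) == stored_hash:
            return True, attempts
    return False, attempts


def candidate_count(lowercase_pw: str, level: int) -> int:
    """Worst-case hash comparisons for one login at this password level."""
    return sum(1 for _ in case_candidates(lowercase_pw, level))


if __name__ == "__main__":
    SALT = "ab"  # constructed
    stored = unix_hash("WildCat7", SALT)  # CIS Unix password with two uppercase letters
    for level in (0, 1, 2):
        print(level, check_with_password_level("wildcat7", stored, SALT, level),
              "worst case:", candidate_count("wildcat7", level))
```

With the constructed password above, level 0 and level 1 reject the login after 1 and 8 comparisons, while level 2 accepts it on the 12th of up to 29 candidates.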

  25. “Sambasync” • Encrypted Passwords Required • Unix Password Changer Modified to Change passwd and smbpasswd • New Accounts Require Password Change = Creates smbpasswd Entry • Existing Users Allowed to Use sambasync, a Custom Utility to Request Passwords and Create smbpasswd Entries

  26. Getting Disk Space Access • Only 1 More Step!

  27. CIS Unix Disk Space • User’s Home Directory under Unix • 10 MB of Storage • Backed up Nightly plus Snapshots every 4 Hours • Unix Security

  28. Macintosh Disk Space Access [diagram: same flow as slide 20 (Mac Client → Try to Mount NIS Volume → Netatalk on Linux (CIS Unix) → NIS Volume Mounts → Mount Apps Volume from Mac Apps Server), plus Mount Home Directory Volume, served from CIS Unix over NFS through Netatalk on Linux]

  29. Windows Disk Space Access [diagram: same flow as slide 23 (Win 98 Client → Domain Login → Samba Domain on Linux → Samba Password Server (CIS Unix w/ Samba) → Access Allowed → Map Apps Drive from Netware Server), plus Map Home Directory Drive from CIS Unix w/ Samba]

  30. Advantages for Users • Secure and Backed Up File Storage • Follows Users to All Locations • Cross-Platform • Easy Access to Attachments and Web Hosting • Can Be Accessed from Non-Cluster Machines and via FTP • Storage on Floppy-less Systems

  31. Future Challenges - Macintosh • Mac OS X and Mac OS X Server • Mac OS X - 3/24/2001 • Mac OS X Server 2 - Soon • Unix-based (Probably a good thing!) • Mac OS X Server 1.0 Provided Limited NIS Support • Mac OS X Server 2 Supposed to Support NIS and LDAP for Authentication

  32. Future Challenges - Win2000 • Samba Cannot Create an Active Directory • Like NT, Can Have Multiple Network ID’s (This is a good thing!) • Kerberos Support - Not Standard • LDAP Support? • Services for Unix 2.0 - Allows Import of Unix Accounts to AD and Password Sync

  33. Development Team • Bryan Scovill - Windows & Netware Guru • Jerry Marceau - Linux and Samba Setup • David Blezard - AppleScript Development • Paul Sand - High god of Unix
