# Using one Linux machine to log on many Linux clients

## TobiWan

Hi there,

I would like to set up the following but I have no idea what to look for or how to do it:

I have one hell of a server running Gentoo. Additionally there are many Debian clients. I want to centralise user administration.

Is it possible to make the Debian clients use the user database on the Gentoo server? Or in other words, when a user does a KDE, Gnome or whatever login on one of the Debian clients, his ID and password will be compared against the users of the Gentoo machine.

I want to have users and data on the Gentoo machine, possibly serving everything as NFS shares (good idea/bad idea?) to the individual machines. The client machines should not be dumb terminals in the sense that they use CPU time of the server, because the server has to serve X sessions and the like.

Can anybody offer suggestions?

In a way I'd like it to be a bit like the Windows Domain Logons only for Linux. What kind of solutions are there for this problem?

Thanks in advance,

Tobias

----------

## Lozzer

Unix offers Network Information Service (NIS) for this kind of task. I don't know of any Gentoo specific documentation, but The Linux Documentation Project has a HOWTO: http://www.tldp.org/HOWTO/NIS-HOWTO/index.html. Gentoo has ebuilds for yp-tools, ypbind and ypserv, which will be needed.

Sharing directories over NFS is a fairly common thing. If you wanted Gentoo everywhere, you could share /usr. Other people just put /home on the network, to make backing up users' work easier.

----------

## TobiWan

... now I know what I have to look for. NIS seems to satisfy my needs.

Are there by any chance any Gentoo specific howtos or perhaps caveats I have to look out for?

Thanks a lot so far, I will continue the research,

Tobias

----------

## ctford0

NFS mounting the /home partition is always an option, however I have had some experience with it in the past. It works very well in the sense of keeping everything in one location, however when it comes to performance, it is lacking. When in KDE, even starting up Konqueror gives a slight pause before it actually loads. For a desktop type setting things run much better off the local drive.

Granted, I didn't have my NFS partitions "optimized", however I'm not sure you still wouldn't see the network lag to some extent.

chris

----------

## TobiWan

I have done some forum browsing and discovered alternatives to NIS in the form of authenticating against OpenLDAP.

Does this still meet my requirements of transparent user logons throughout the network ("roaming profile" alike)?

The ideal setup would be a platform independent (to some extent) logon procedure because I have some Windows 2000 and some Debian clients. I would want to be able to offer every user one user/password combination with which he can log on using any machine and still work with the same data and, in the case of using a Linux client, the same user settings.

I have found lots of howtos regarding LDAP, which seems to be some kind of hype nowadays as opposed to NIS. Can someone shed some light on the differences and advantages/disadvantages between the two systems?

Also, users in the network work with Outlook 2000 on Windows and Evolution on Linux. I'd like to have one single, central addressbook for all clients to access. I know Outlook as well as Evolution can handle LDAP, though I am not sure how such an LDAP "addressbook" would look in Outlook or Evolution. Any references?

I want mail users to be separated from system users, so that when I delete a system user this does not influence anything mail account related. The user database is probably changing a lot and does contain more elements than there are static mail accounts bound to a valid TLD in the real world. I am planning to follow the mail server howto which is provided here on gentoo.org, using an IMAP server. I assume that doing it that way will make it easy for users to log on at a Linux/Evolution or a Windows/Outlook machine and still make use of the same IMAP box (not at the same time though)? Does following the howto (http://www.gentoo.org/doc/en/virt-mail-howto.xml) and using OpenLDAP as address book in the mail clients collide with setting up LDAP as authentication base?

Please be brutally honest with me as this is the first time I am involved in these things and I pretty much am guessing what's possible and what's just plain n00b rubbish.

Thanks for sharing your ideas,

Tobias

----------

## professorn

Why would KDE and other programs be slow if you only mount the /home and run them locally? Couldn't you make some rsync logoff script? Just read some devs here used it to have access to files on different computers, so I'm not an expert. But there may be problems if the user logs off incorrectly, power goes off etc.

And it depends on who is going to use it, if it's some public in school etc. or just at home or where the users know how to handle certain errors.

----------

## gdjohn

The general term for what you are looking at is Single Sign On, where users have a single username and password that authenticates them against a single system.

NIS is considered bad as it is all plain text, and I believe it is rather full of security holes.  OpenLDAP is better as it can use encryption between clients/servers and has a better security model overall.  With security comes complexity though.

There is also a difference between authentication and authorisation - something like Kerberos is ideally suited to authentication, i.e. proving that a user is who they say they are.  OpenLDAP can then be used to authorise that user to do various different things (or not).  

All of this stuff does integrate, but it takes a bit of work.  The main thing that I've had trouble with was creating the OpenLDAP user database.  Look at the padl migration_tools tools to help you with this though (emerge -s migration).

As all of this integrates with PAM quite nicely, you can easily authenticate users to your central auth. system like this:

Outlook -> IMAP -> PAM -> Kerberos

or

Evolution -> IMAP -> PAM -> Kerberos

Windows 2000 also uses a Kerberos derived authentication mechanism and I believe that you can authenticate Windows 2000 users against a Kerberos server.

If you've any other questions let me know and I may be able to help.

Cheers,

Gareth
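Gareth mentions that the hardest part was building the OpenLDAP user database and points at the padl migration_tools. The following is an added example (not from this thread and not the padl scripts themselves) of what such a migration does: it parses constructed passwd(5) and shadow(5) records, refuses to continue if two accounts share a uidNumber, keeps local system accounts out of the directory, and writes posixAccount/shadowAccount entries in LDIF. The base DN, the 1000 uid cutoff and all sample records are assumptions.

```python
import base64

BASE_DN = "ou=People,dc=example,dc=com"  # assumed LDAP suffix, not from the thread
MIN_UID = 1000  # assumption: accounts below this stay local and are not migrated

# Constructed sample records; none of these are real accounts or real hashes.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "tobias:x:1000:1000:Tobias Example:/home/tobias:/bin/bash",
    "chris:x:1001:1001:Chris:/home/chris:/bin/bash",
    "guest:x:1002:1002:Guest:/home/guest:/bin/false",
]
SHADOW_LINES = [
    "root:$6$c0nstructed$notarealhash:19000:0:99999:7:::",
    "tobias:$6$c0nstructed$alsonotreal:19000:0:99999:7:::",
    "chris:!:19000:0:99999:7:::",   # locked account: no usable hash
    "guest:*:19000:0:99999:7:::",   # never had a password
]

def parse_passwd(lines):
    """Parse passwd(5) records; each record has exactly seven colon-separated fields."""
    users = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, _, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users

def parse_shadow(lines):
    """Parse shadow(5) records keyed by user name (nine fields, the last reserved)."""
    entries = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        name, pw, lastchg, minage, maxage, warn, inactive, expire, _ = fields
        entries[name] = {"hash": pw, "lastchg": lastchg, "min": minage, "max": maxage,
                         "warn": warn, "inactive": inactive, "expire": expire}
    return entries

def find_uid_collisions(users):
    """Return {uid: [names]} for every uidNumber claimed by more than one account.
    Merging several clients' local passwd files into one directory is where this bites."""
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def ldif_attr(name, value):
    """Format one attribute; base64-encode values LDIF cannot carry literally (RFC 2849)."""
    value = str(value)
    safe = (value.isascii() and value == value.strip() and value[:1] not in (":", "<")
            and "\n" not in value and "\r" not in value)
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def user_to_ldif(user, shadow=None):
    """Build one posixAccount/shadowAccount entry. Locked hashes ('!' or '*') are
    dropped, so the entry carries no userPassword and cannot bind."""
    lines = [f"dn: uid={user['name']},{BASE_DN}", "objectClass: top", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount",
             ldif_attr("uid", user["name"]), ldif_attr("cn", user["gecos"] or user["name"]),
             ldif_attr("uidNumber", user["uid"]), ldif_attr("gidNumber", user["gid"]),
             ldif_attr("homeDirectory", user["home"]), ldif_attr("loginShell", user["shell"])]
    if shadow and shadow["hash"] and shadow["hash"][0] not in "!*":
        lines.append(ldif_attr("userPassword", "{CRYPT}" + shadow["hash"]))
    if shadow:
        for attr, key in (("shadowLastChange", "lastchg"), ("shadowMin", "min"),
                          ("shadowMax", "max"), ("shadowWarning", "warn"),
                          ("shadowInactive", "inactive"), ("shadowExpire", "expire")):
            if shadow[key] != "":
                lines.append(ldif_attr(attr, shadow[key]))
    return "\n".join(lines) + "\n"

def migrate(passwd_lines, shadow_lines, min_uid=MIN_UID):
    """Return (ldif_text, skipped_names); refuses to run while uidNumbers collide."""
    users = parse_passwd(passwd_lines)
    collisions = find_uid_collisions(users)
    if collisions:
        raise ValueError(f"uidNumber collisions, resolve before import: {collisions}")
    shadow = parse_shadow(shadow_lines)
    entries, skipped = [], []
    for u in users:
        if u["uid"] < min_uid:
            skipped.append(u["name"])
            continue
        entries.append(user_to_ldif(u, shadow.get(u["name"])))
    return "\n".join(entries), skipped

if __name__ == "__main__":
    ldif, skipped = migrate(PASSWD_LINES, SHADOW_LINES)
    print(ldif)
    print("# not migrated (local system accounts):", ", ".join(skipped))
```

The LDIF it prints would be loaded with ldapadd; the {CRYPT} hashes it carries are exactly the secrets NIS would hand out in the clear, which is why the resulting directory should only be reachable over TLS and the userPassword attribute protected by an access rule that lets a user read and write only their own.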

----------

## ctford0

*professorn wrote:*

> Why would KDE and other programs be slow if you only mount the /home and run them locally? Couldn't you make some rsync logoff script? Just read some devs here used it to have access to files on different computers, so I'm not an expert. But there may be problems if the user logs off incorrectly, power goes off etc.
>
> And it depends on who is going to use it, if it's some public in school etc. or just at home or where the users know how to handle certain errors.

The reason is that KDE and just about all other Linux programs write preference files to .program_name in your home dir, for me /home/ctford0. So if I have my local home dir on this machine actually residing on another machine and mount it through NFS, then every time a new program opens you have data transfer to the other machine reading your preferences. That adds network lag into your startup time for basically any program that you run (Konqueror, Mozilla, OO.org, etc.).

As far as reliability, yes your desktop machine will depend on your server system, however there are ways around that as well. When I was using this method (in a small office setting) it worked fairly well until we lost the server system for a couple of months. We were lucky enough that we backed up the server's /home dir to a free partition on the desktop machine's hd daily, so we could just make some changes to fstab and reboot and all was good again.

chris

----------

## gdjohn

*ctford0 wrote:*

> The reason is that KDE and just about all other Linux programs write preference files to .program_name in your home dir, for me /home/ctford0. So if I have my local home dir on this machine actually residing on another machine and mount it through NFS, then every time a new program opens you have data transfer to the other machine reading your preferences. That adds network lag into your startup time for basically any program that you run (Konqueror, Mozilla, OO.org, etc.).

You could avoid what is probably a very small delay in start up time by using one of the advanced network file systems that caches data locally - I believe that Coda (among others) does this. Personally I haven't ever noticed the increased delay in starting apps with my home dir mounted via NFS over the network though. I guess a fast disk in the server and gigabit ethernet might help to alleviate any additional delay there might be, although I'm only using a crappy IDE drive and 100Mbit eth currently.

Cheers,

Gareth.

----------

## ctford0

*gdjohn wrote:*

> You could avoid what is probably a very small delay in start up time by using one of the advanced network file systems that caches data locally - I believe that Coda (among others) does this. Personally I haven't ever noticed the increased delay in starting apps with my home dir mounted via NFS over the network though. I guess a fast disk in the server and gigabit ethernet might help to alleviate any additional delay there might be, although I'm only using a crappy IDE drive and 100Mbit eth currently.

Not sure what I was doing wrong then...

My NFS server was running RAID0 and each machine had an extra NIC with a crossover cable to allow full duplex. Like I said, I didn't ever get around to optimizing the size of the packets, so that might have been my problem, however, I'm not sure that was it at all. I'm not so sure that it would have changed if I had optimized the NFS share.

chris

----------

