# [SOLVED] How to share credentials over several boxes?

## lobstar

We have several Gentoo boxes where I work. Right now they might as well not be on the same network: each one of us has to have a different account on each machine. That's kinda annoying but not that big a deal, since we all pretty much have our own box and don't really need to use anybody else's that often. But now we're getting a few more boxes which all of us are going to use, so we decided now's a good time to move to some sort of credential sharing over the network.

At some point it would be cool for a user to have the same home directory on all the machines, but for now we just want to be able to get authentication information to be centrally stored.

So how is it possible to do something like that in Gentoo? (other than stupid hacks like rsyncing /etc/passwd)

Last edited by lobstar on Fri Jun 27, 2008 12:24 am; edited 1 time in total

----------

## tarpman

My personal favorite method is Kerberos and sys-auth/pam_krb5.  You could also look into LDAP (with or without the Kerberos backend), but it's overkill for a small deployment.

----------

## MorpheuS.Ibis

I personally use LDAP at home, because I use it in a bigger network and so have some experience with it, and it has some pretty good howtos and good support for Windows domain logins (for those who have to have Windows for any reason).

----------

## jroo

For the home directory shares you could look at NFS. It is pretty simple to set up. See http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS

----------

## keyson

Hi

I would also say LDAP. This is a smart way, as for now you only want authentication.

This is not so hard to set up. And you learn how to handle OpenLDAP.

Ref: http://www.gentoo.org/doc/en/ldap-howto.xml

Then when you need shares and home directories, you have already learned the basics.

It is also possible to grant access to other resources in the network by LDAP, and have the mail programs using it for mail addresses and so on....

And as MorpheuS.Ibis says:

> and good support for windows domain logins (for those who have to have windows for any reason)

I have used LDAP for login from Linux and Windows, sharing the home on a server. So when logged in in Windows it maps it as H:\ and in Linux you have it as your ordinary home directory.

Ref: http://www.linuxjournal.com/article/8119

Ref: http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html

----------

## lobstar

Thanks for all the help everyone. After people first mentioned LDAP I did some googling and actually found the guide that keyson mentioned, so I will probably try it out today.

I have a couple of questions about LDAP. Since the server is just gonna be one of our workstations do I need to set up the server to be a client too? And when I migrate user account info from /etc/passwd to LDAP, should I do that for non-human accounts like cron, gdm, ntp?

----------

## MorpheuS.Ibis

*lobstar wrote:*

> Since the server is just gonna be one of our workstations do I need to set up the server to be a client too?

Yes, LDAP is not primarily made for authentication, so having it installed doesn't automatically mean you use it for auth.

*lobstar wrote:*

> And when I migrate user account info from /etc/passwd to LDAP, should I do that for non-human accounts like cron, gdm, ntp?

No, only accounts you want to be usable from the whole network. The most common setup allows you to use both local (/etc/passwd and such) and LDAP accounts (it all depends on your PAM setup).

And one more thing: you might find smbldap-tools handy even if you don't plan to use LDAP to authenticate Samba/Windows users (or you are lucky not to need Windows and Samba).
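To make the "only accounts you want usable from the whole network" rule concrete, here is an added example (not from any poster in this thread, and not the padl.com MigrationTools scripts) that selects the human accounts from passwd-format data by UID and login shell and emits them as posixAccount LDIF, leaving cron, ntp, gdm and root local. The sample passwd lines, the UID cut-off and the base DN are constructed assumptions.

```shell
#!/bin/sh
# Added example: pick which /etc/passwd entries go into the directory.
# Accounts below MIN_UID or with a non-login shell are system accounts
# and stay in the local files; everything else becomes LDIF.
MIN_UID=1000                            # assumed cut-off for human users
BASE_DN="ou=People,dc=example,dc=com"   # assumed directory suffix

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cron:x:16:16:added by portage for cronbase:/var/spool/cron:/sbin/nologin
ntp:x:123:123:added by portage for ntp:/var/empty:/sbin/nologin
gdm:x:32:32:added by portage for gdm:/var/lib/gdm:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh'

# human_accounts: read passwd lines on stdin, print only the ones that
# should be usable network-wide (UID >= MIN_UID and a real login shell).
human_accounts() {
    awk -F: -v min="$MIN_UID" '$3 >= min && $7 !~ /(nologin|false)$/ { print }'
}

# passwd_to_ldif: turn selected passwd lines (stdin) into posixAccount
# entries. No userPassword is written; shadow data is a separate step.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '{
        printf "dn: uid=%s,%s\n", $1, base
        printf "objectClass: top\nobjectClass: account\nobjectClass: posixAccount\n"
        printf "uid: %s\ncn: %s\n", $1, ($5 == "" ? $1 : $5)
        printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
        printf "homeDirectory: %s\nloginShell: %s\n\n", $6, $7
    }'
}

# migrate_count: how many of the sample accounts would be migrated.
migrate_count() {
    printf '%s\n' "$SAMPLE_PASSWD" | human_accounts | wc -l | tr -d ' '
}

# sample_ldif: the LDIF produced for the sample data.
sample_ldif() {
    printf '%s\n' "$SAMPLE_PASSWD" | human_accounts | passwd_to_ldif
}

sample_ldif
```

Feed the output to ldapadd against the server once the ou=People container exists; the local accounts keep working through the `files` part of nsswitch.conf whether or not the directory is reachable.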

----------

## lobstar

Thanks, Morpheus. I've successfully configured the server for the most part. Soon I will configure the clients. I will not be adding any of the non-human users to the directory, but should I add root? If possible it would be nice to make it so that there is no root password and people with proper privileges just sudo.

And what about info in /etc/group? Should I include system groups in the directory or not? Is it a problem if I do? For example, there are normal users who are in the portage group, so it's hard to say which groups are system groups anyway. I'm using the scripts from http://www.padl.com/OSS/MigrationTools.html and it's more work to not include something.

----------

## keyson

OK, you move fast  :Smile: 

Yes, you should have a root account in LDAP. (See the Gentoo howto, 'Code Listing 3.6: Testing LDAP Auth'.)

The groups should be migrated also. As it looks in LDAP first, it maps the user's group membership there.

(Depending on your nsswitch.conf, but normally you set passwd, shadow and group to LDAP.)

This is handy. If you have one who's always annoying people by playing music, just take this user out of the audio group in LDAP, and no station he/she logs into will let them play anything  :Smile: 

(I happen to have taken myself out of the audio group on my LDAP server   :Embarassed:  )

The same goes for the sudo group and the portage group. It is handy to only have to change things in one place.

----------

## lobstar

Thanks everybody, I managed to get a basic setup running. I will probably have more questions soon, but I'll mark this thread as SOLVED, because my initial question was answered. Thanks again.

----------

