MXLinux Desktop as an SSO-Provider. Are you kidding me???

alamahant
Posts: 42
Joined: Thu Dec 19, 2019 9:48 pm

MXLinux Desktop as an SSO-Provider. Are you kidding me???

#1 Post by alamahant »

Hi Guys,
Expanding on my previous thread viewtopic.php?f=23&t=55007&p=549125#p549125 about installing a Bind DNS name server on MXLinux,
I wrote a script that installs and configures the following:
Bind
Openldap server over SSL
Kerberos KDC, Kerberos Admin Server and
Kerberized Nfs-server.

If anyone feels geeky enough to try this in A VM and give me their feedback I would be much obliged.

As always FIRST you need to assign an FQDN and Static IP to your machine.
Please look at the above thread about DNS.
This step is CRITICAL and the script will NOT WORK without this prerequisite.
Before you run the script these commands should work:
hostname
hostname -d OR dnsdomainname
and the /etc/hosts file must contain only "127.0.0.1 localhost".
Else the script will refuse to run.

The script first installs and configures a BIND DNS server, creating forward and reverse lookup zones for you.
Then it will install and configure an Openldap server and it will add the OUs People, Group and sudoers.
Then it will install self-signed certificates for your machine and also add ldaps (LDAP over SSL) functionality to your server.
Next it will install Kerberos (both KDC and Kadmin), initialize your REALM and add two principals:
host/FQDN
nfs/FQDN
and their respective keys in /etc/krb5.keytab.
Next it will install an Nfs-Server, create the "/srv/nfs/private" directory and export it with the sec=krb5p option.
It works perfectly for me both in MXLinux and Debian.
The script contains 4 functions:
dnsinstall
openldapinstall
krb5install
and nfsinstall
Currently they are all commented out.
You can choose what to uncomment and install.
NOTE for nfsinstall you need also krb5install
You can rerun it as many times as you like, either with all options or parts of it.

ONE CAVEAT: If you rerun dnsinstall after you have modified your machine to listen only to 127.0.0.1 as the sole DNS nameserver, you WILL temporarily lose name resolution, because this script FIRST PURGES all config and then REINSTALLs it each time you run it.
SOLUTION: in "/etc/resolv.conf" temporarily add a clause "nameserver <your router-ip>" and then feel free to RERUN it.
I am a little proud of this script.
Took me a long time to tune.
It needs a lot of work and additional functionality to move towards SSO, but it's a start.

You know the drill: rename it "ssoinstall", make it executable and run it by "sudo bash ssoinstall"

Please have a look, play around, enjoy and let me know...
;) ;) ;)
Last edited by alamahant on Sun Jan 05, 2020 10:17 am, edited 3 times in total.
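As an added example (not the attached script from the post), here are the prerequisite checks the post describes, written as two shell functions: the hostname / `hostname -d` / /etc/hosts gate that the script applies before running, and a guard for the resolv.conf caveat before re-running dnsinstall. The injectable arguments and the sample values (mx.example.lan, 192.168.1.1) are my assumptions, not the author's.

```shell
#!/usr/bin/env bash
# Preflight check mirroring the prerequisites listed in the post:
#  - `hostname` must return a fully qualified name ending in the domain
#  - `hostname -d` (dnsdomainname) must return a non-empty domain
#  - /etc/hosts must contain nothing but "127.0.0.1 localhost"
# Inputs are injectable (an assumption for testability) so the checks can
# run against constructed files; with no arguments it inspects the live system.
#   $1 hostname   (default: `hostname`)
#   $2 domain     (default: `hostname -d`)
#   $3 hosts file (default: /etc/hosts)
# Returns 0 when every prerequisite holds, 1 otherwise; each failed
# check prints one reason to stderr.
sso_preflight() {
    local fqdn="${1:-$(hostname)}"
    local domain="${2:-$(hostname -d 2>/dev/null)}"
    local hosts="${3:-/etc/hosts}"
    local rc=0

    if [ -z "$domain" ]; then
        echo "no DNS domain set (hostname -d is empty)" >&2; rc=1
    fi
    case "$fqdn" in
        *."$domain") ;;   # short name + domain = FQDN, as required
        *) echo "hostname '$fqdn' is not an FQDN in '$domain'" >&2; rc=1 ;;
    esac

    # Drop comments and blank lines, squeeze whitespace, then insist the
    # remainder is exactly the single localhost line the post requires.
    local content
    content=$(awk '{ sub(/#.*/, ""); if (NF == 0) next; $1 = $1; print }' "$hosts")
    if [ "$content" != "127.0.0.1 localhost" ]; then
        echo "$hosts must contain only '127.0.0.1 localhost'" >&2; rc=1
    fi
    return "$rc"
}

# Guard for the caveat in the post: re-running dnsinstall purges BIND, so
# if 127.0.0.1 is the only nameserver in resolv.conf you lose resolution
# until BIND is reinstalled. Returns 0 when another nameserver (e.g. the
# router) is also listed, 1 when 127.0.0.1/::1 is the only one.
#   $1 resolv.conf path (default: /etc/resolv.conf)
resolv_has_fallback() {
    local resolv="${1:-/etc/resolv.conf}"
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { found = 1 }
         END { exit !found }' "$resolv"
}
```

Run `sso_preflight` with no arguments on the target machine before starting the script, and `resolv_has_fallback` before any rerun of dnsinstall.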

fehlix
Developer
Posts: 12624
Joined: Wed Apr 11, 2018 5:09 pm

Re: MXLinux Desktop as an SSO-Provider. Are you kidding me???

#2 Post by fehlix »

Cool that we now also can set up MX Linux as an SSO-provider. In order to broaden your audience, would you mind giving a typical Joe Average, like me, some simple use cases/examples or explanations of where and why this might be useful to set up, and comparing this setup with one without SSO? What are the limitations and what is not covered?

manyroads
Posts: 2657
Joined: Sat Jun 30, 2018 6:33 pm

Re: MXLinux Desktop as an SSO-Provider. Are you kidding me???

#3 Post by manyroads »

alamahant wrote: Thu Dec 26, 2019 5:38 pm [...]

You know the drill: rename it "ssoinstall", make it executable and run it by "sudo bash ssoinstall"

Please have a look, play around, enjoy and let me know...
;) ;) ;)
Even if I wanted to help... I'm not that smart. I love your enthusiasm though! :number1:
Pax vobiscum,
Mark Rabideau - ManyRoads Genealogy -or- eirenicon llc. (geeky stuff)
i3wm, bspwm, hlwm, dwm, spectrwm ~ Linux #449130
"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken

alamahant
Posts: 42
Joined: Thu Dec 19, 2019 9:48 pm

Re: MXLinux Desktop as an SSO-Provider. Are you kidding me???

#4 Post by alamahant »

@fehlix
Since you seem very experienced I will assume that this was a rhetorical question....
;)
Well, it's all about central network authentication.
The user accounts are stored centrally in this openldap server and the passwords likewise in the kdc server.
A properly configured client (maybe with sssd or libnss-pam-ldapd) can then authenticate users NOT found locally with the same password, log them in and automount or create home dirs accordingly.
Then centrally shared folders being shared by nfs or samba can be mounted by the client and users with valid kerberos credentials can access them.
I want to add HTTP functionality, maybe also install ntp etc.
Something like Windows AD or Fedora's FreeIPA, but home made with care and love.
Now the client scripts will come later.
Now for an average Joe...? Maybe no.
But for a geeky and enthusiastic average Joe?
Oh yes. Maybe.
;) ;)

fehlix
Developer
Posts: 12624
Joined: Wed Apr 11, 2018 5:09 pm

Re: MXLinux Desktop as an SSO-Provider. Are you kidding me???

#5 Post by fehlix »

alamahant wrote: Thu Dec 26, 2019 8:31 pm Well, it's all about central network authentication.
The user accounts are stored centrally in this openldap server and the passwords likewise in the kdc server.
A properly configured client (maybe with sssd or libnss-pam-ldapd) can then authenticate users NOT found locally with the same password, log them in and automount or create home dirs accordingly.
Then centrally shared folders being shared by nfs or samba can be mounted by the client and users with valid kerberos credentials can access them.
Ok, now as you guess, how can we transform this into something a user with his home network, or a small business, can install with some simple clicks or a minimum of easy-to-follow setup steps?
Freely translated from German: It has to be simple, else it simply won't work.
