[mdlug] Need advice on network authentication design

Jeff Hanson jhansonxi at gmail.com
Mon Dec 10 21:54:12 EST 2007


Sorry about the late reply, I had a hardware failure.  You can read
about it here:
http://jhansonxi.blogspot.com/2007/12/keyboard-led-flashing-panic.html

On Dec 10, 2007 9:03 AM, Joseph C. Bender <jcbender at bendorius.com> wrote:
> Though, because I'm curious, why do you need a directory service?

First, I want to learn how to do centralized authentication and user
account control properly on Linux.  I would like to get a feel for it
and what its limitations are as compared to M$AD so I can plan
deployments in small businesses and multi-system home networks.
Second, I want to eliminate having to manually change passwords and
keep UIDs and GIDs in sync on different systems and be able to easily
administer it remotely.

My current network consists of six networks connected through IPCop
with the Extra Interfaces add-on
(http://www.ban-solms.de/t/IPCop-xtiface.html).  In IPCop colors they
are:

Red (WAN) - cable modem
Green (personal) - my primary LAN.  There is also a VPN connection
through to my pseudo-employer's network (which is secured by blind
faith in M$ technology and nothing else).
Orange (public server) - Not currently used but I have plans for a web
server and/or game server (UT2004, Tremulous, etc.)
Blue (public wifi) - currently has minimal bandwidth control but I
want to set up traffic shaping and a Radius server with "terms of use"
agreement, etc.  I also want to set up a VPN to green for my laptop
and for household user laptops to the gray2 household network.
Gray1 (isolated) - for working on any suspect system, i.e. anything
that's not mine and has a M$ OS.  Can be accessed from green but can't
connect out to anything.
Gray2 (household) - shared with the family whose house my office is
in.  Can be accessed from green but not the reverse.  Multiple systems
(Ubuntu, XP), Xbox, PlayStation, guest systems, etc.

Currently all systems are peer-peer with manually duplicated accounts.
My primary desktop system is effectively the current server on green
with a second hard drive for manual backups.  It's running out of
space.  I've got two 400GB drives and another PC available and want to
set it up as a dedicated server with RAID, archival data storage, and
BackupPC for backing up user data on client systems.

Archival data consists of M$ updates, Linux ISOs, Ubuntu repo mirror,
and multimedia files.  It would be nice if the Ubuntu repo mirror and
ISOs were available to wifi users without having to set up a separate
server on Orange.  Internally, links to the archive will be mapped to
a subdirectory in the user's home directory.  Archival data is not
critical so it doesn't matter if the server is offline.

For the household network users I want to set up a separate archive
for them to share their more static data and use rsync to provide
basic roaming profiles by mirroring dynamic and desktop configuration
data for each user.  I've thought about just doing /home mapping and
storing everything on the server but they play a lot of Windows games
on Wine and it's just too much application data that can be easily
replaced.  Using rsync to back up their documents and game saves is
more complicated but a lot more efficient.  I would also like to use
single sign-on with both their XP and Linux systems.  Of course they
will probably lose control of their accounts because XP malware will
get their password but as long as the root Linux account is safe it
doesn't matter.  Another concern is that in a few months I may be
moving out and would like to be able to migrate household to its own
server.

I want this setup to give me access to everything via the server
across the VPN.  This is what I can do now with my employer's network
and my workstation there via RDC and Windows "offline files" syncing
to their server.  On both my laptop and desktop systems I am running
XP and Win98SE in VMware but joining them to my domain is not
critical.  Just using network file sharing is adequate as most of my
CAD data is handled by Perforce (a cross-platform version control
system).  I would like to be able to access the network via VPN from
anywhere using my laptop but I am sometimes in remote areas on
vacation for two weeks at a time where there is no Internet connection
and I can't have the laptop locking me out.  Of course, future clients
may also encounter this problem and I want a solution instead of an
excuse.

After I get this mess working I'm going to play around with setting up
VPNs to some of my friends' and family's networks for file sharing and
ssh access for remote administration.
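As an added example (not part of the post above), here is one way to do the rsync-based "basic roaming profile" described for the household users: mirror documents, desktop settings and Wine game saves, skip the reinstallable Wine application data, and leave private material such as ~/.ssh out of the shared archive. The directory layout and the server path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: a per-user "basic roaming profile" sync
# with rsync filter rules, mirroring documents, desktop settings and Wine game
# saves while skipping the reinstallable Wine application data.
# The directory layout and the server path in the usage line are assumptions.
set -eu

# rsync reads filter rules top-down and the first match wins; "***" matches a
# directory and everything under it, and the final "- *" drops everything not
# listed, so each parent directory of an included subtree must be listed too.
# Private material such as ~/.ssh and ~/.gnupg is deliberately not listed and
# therefore never reaches the shared archive.
write_filter() {
    cat > "$1" <<'EOF'
+ /Documents/***
+ /.config/***
+ /.wine/
+ /.wine/drive_c/
+ /.wine/drive_c/users/***
- *
EOF
}

# sync_profile SRC_HOME DEST: mirror the selected files from SRC_HOME to DEST.
# --delete removes files on DEST that the user has since deleted locally; it
# acts only within the included set, so anything the filter excludes is never
# touched on DEST (that would need --delete-excluded).
sync_profile() {
    src=$1
    dest=$2
    filter=$(mktemp)
    write_filter "$filter"
    rsync -a --delete --filter="merge $filter" "$src/" "$dest/"
    rm -f "$filter"
}

# Usage: ./profile-sync.sh "$HOME" server:/srv/profiles/"$USER"
if [ "$#" -eq 2 ]; then
    sync_profile "$1" "$2"
fi
```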