[PLUG] Linux centralized authentication

Tyrell Jentink tyrell at jentink.net
Thu May 3 14:23:52 UTC 2018


OK, first off... A Google search for 'site:linuxschools.com oswego' and for
'karoshi server "Oswego"' brought up nothing... So my crude guess is that
"What happened" was that they had nothing to do with it? On the other hand,
maybe they were successful in ridding any reference from the internet?

Second off... The product that is promoted at linuxschools.com is called
Karoshi Server and Karoshi Client. It also seems to be actively maintained,
with the latest github commit 18 hours ago. So... Nothing "happened" to it?

Third... LOSD uses Blackboard for their CMS, grade books, and school
management... And they use Google Apps for Education for email and
collaboration... and most (All?) of the staff uses PCs... While it's fully
within the realm of possibility that they could use an open source
authentication system, they don't seem too afraid of using expensive
proprietary providers in general, and I really don't see the IT director
sacrificing Group Policy on Windows workstations...

My pessimism and criticism of simple words aside, it looks promising. A
shortcoming of FreeIPA when compared to Active Directory is the lack of
Group Policy; The limitation really comes from the fact that Linux clients
have never been asked to follow a centralized policy, so there isn't a
standard. FreeIPA approximates some of it with Sudo lists and Host Based
Access Control, but a real solution would require a REAL client. Maybe
Karoshi provides that? But it's not on the feature list, so maybe not...

On Thu, May 3, 2018, 06:49 Ken Stephens <kennethgstephens at gmail.com> wrote:

> What ever happened to the Lake Oswego Linux School System?  Wasn't that a
> Server/Workstation distribution?
>
> https://www.linuxschools.com/forum/index-main.php
>
>
> Ken
>
> On Wed, May 2, 2018 at 8:25 PM, Tyrell Jentink <tyrell at jentink.net> wrote:
>
> > I'm using FreeIPA here at home; As a product, it's really just a bunch of
> > scripts and a web interface for LDAP+Kerberos+Certificate management+Samba;
> > It aims to be a complete identity management system, a product designed to
> > compete with (Or at the very least, perform an analogous set of tasks to)
> > ActiveDirectory. It is completely open source, developed by Red Hat, for
> > Fedora, and I use it on CentOS, but it is available for a number of other
> > distros.
> >
> > (Full disclosure: I do happen to use ActiveDirectory to store my user
> > accounts, and FreeIPA authenticates through an AD Interforest Trust, but
> > that's far from a requirement, and it probably causes me more grief than
> > many admins would tolerate)
> >
> > As for reading, I learned everything I know from their documentation:
> > https://www.freeipa.org/page/Documentation
> >
> >
> > On Wed, May 2, 2018, 20:01 Thomas Groman <tgrom.automail at nuegia.net> wrote:
> >
> > > Do you have any book or other resource recommendations for setting these
> > > up? I already do sysadmin work, just never done centralized auth before.
> > >
> > >
> > > On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
> > > > The easiest is to pick LDAP or NIS, both work very well on Linux. With or
> > > > without Kerberos for local small setup.
> > > >
> > > > NIS with NFS for file sharing would be probably the simplest setup, but you
> > > > will eventually wish you had LDAP for integration with various other
> > > > services.
> > > >
> > > > LDAP + Kerberos + NFS is probably the most common and extensible solution.
> > > > You will absolutely need local DNS and NTP to get it going, but it is a well
> > > > integrated extensible solution.
> > > >
> > > > Another option would be to use Samba - it combines LDAP + Kerberos, so it
> > > > has less moving parts and can accept Windows hosts without much headache,
> > > > compared to LDAP and Kerberos.
> > > >
> > > > For both solutions, you might need some enterprise admin to help setting it
> > > > up. If well and simply setup, it is not difficult to maintain and manage.
> > > > IMHO
> > > >
> > > > Tomas
> > > >
> > > > On Wed, May 2, 2018, 5:36 PM Smith, Cathy <Cathy.Smith at pnnl.gov> wrote:
> > > >
> > > >> There used to be dns, ldap, kerberos, nis.  These are open source
> > > >> protocols and not restricted to Microsoft.
> > > >>
> > > >>
> > > >> --
> > > >> Cathy L. Smith
> > > >> IT Engineer
> > > >>
> > > >> Pacific Northwest National Laboratory
> > > >> Operated by Battelle for the
> > > >> U.S. Department of Energy
> > > >>
> > > >> Phone: 509.375.2687
> > > >> Fax:       509.375.4399
> > > >> Email: cathy.smith at pnnl.gov
> > > >>
> > > >>
> > > >>
> > > >> -----Original Message-----
> > > > >> From: plug-bounces at pdxlinux.org [mailto:plug-bounces at pdxlinux.org] On Behalf Of Thomas Groman
> > > >> Sent: Wednesday, May 02, 2018 5:16 PM
> > > >> To: plug at pdxlinux.org
> > > >> Subject: [PLUG] Linux centralized authentication
> > > >>
> > > > >> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized
> > > > >> authentication? Using native protocols not some sort of strange Microsoft
> > > > >> AD mesh thing.
> > > > >> I wanted to build a hacker-space for a school and since it would be
> > > > >> starting from scratch there's no reason to get locked in to a Microsoft
> > > > >> product from the start. Also Microsoft's protocols are not open source
> > > > >> and hard to debug. They never really work well with UNIX like operating
> > > > >> systems requiring id/group mapping and such.
> > > >> _______________________________________________
> > > >> PLUG mailing list
> > > >> PLUG at pdxlinux.org
> > > >> http://lists.pdxlinux.org/mailman/listinfo/plug


