Login mask on OS 9 & UNIX/Linux - How?

Stephan H

I have Mac OS X Server on a G4 and several clients, one of them running OS 9.
Does anybody know how to have a logon window each time your Mac boots up (like in Windows, where you define username, password and domain/workgroup) so you can log on to OS X Server? I already created some users on the server.
This information is needed urgently because I'm doing a final project about a networking environment composed of an OS X Server and, as clients, NetBSD, RedHat, Win2K and Mac OS 9.

It would be nice if someone were able to help me (also with doing it on the *nixes), that would be fabulous!!

Thx in advance,

Stephan
 
There are four ways to log onto a network server at boot up: LDAP, NIS, NetInfo, Windows domain server. OSX can do LDAP, NetInfo (of course), and NIS.

I have experience setting up NIS clients on traditional unices. You use the ypmaster, ypslave, ypbind commands. You have to tell each machine which domain it is going to be in, then just ypbind it.

You then go to /etc/nsswitch.conf, and tell it to look for passwd in nis, before files. On OSX this is done through NetInfo rather than /etc/nsswitch.conf, but in principle it's the same. You just change the order for lookup. It can check first in NetInfo, then in NIS, then in LDAP, and if they all fail, then it will check the files (i.e. /etc/passwd).

It is the same principle as when you log on to a domain server with Windows.

LDAP might be a better option for you, because it is a more cross-platform option, although NIS is also very common on most platforms. I have never used LDAP, so I cannot tell you how it's done, but I'm sure there are lots of HOW-TOs on the internet. I would expect there to be an LDAP client for Windows, and there might be a NIS client for Windows as well.

I'm really not sure what services your Windows client can connect to. I know that Active Directory for Windows is based on LDAP, so it might work, if you set up LDAP on your OSX server.

NetInfo would be the easiest option, because you can control it server side and client side through the GUI, but I don't think NetInfo is available for any platform except the Mac.
 
Also, I don't know that there are any clients for any of these protocols for OS 9. Maybe LDAP, but I've never heard of one. Also, I didn't see anything on VersionTracker.

The way it works on UNIX is this. When the system boots up, and decides it wants to let you log in, it usually checks your login against the /etc/passwd file. It is quite easy to tell it to check NIS or LDAP first. OSX is mostly the same, except it uses the lookupd daemon rather than the files. I don't think you mentioned that you have an OSX client, so we won't worry too much about that.

The Windows OS has two native technologies, the workgroup and the domain. You don't have to log in to a workgroup. When you specify that you are part of a workgroup, then you just talk to everyone else in the network who is in your workgroup. You don't authenticate anyone's login to their computer. What you want for Windows is a domain server (this only comes with NT Server or 2000 Server). If the Windows machines are told that they are part of a domain, then when they log in, it gets authenticated against the server. Same as LDAP and NIS.

Windows domains are nice, except that they are only compatible with Windows machines. You have non-Windows machines, so it's not a good option. Can you get Windows to speak NIS or LDAP? I'll bet you can, but I'll bet it's not easy.

OS 9 does not have any concept of logging you into anything, so how can you tell it to check against the server, instead of the local machine? There are LDAP clients for OS 9, but I suspect that they are only for minor services, like email and such, not for login authentication.

The thing is that OS 9 doesn't really have a login manager, so there is no part of the OS that can query a login server. It would have to be some third-party solution. It must be available somewhere, right? There are probably also third-party solutions for Windows too, since it will probably not want to do NIS or LDAP either.

NetBSD and RedHat will both do NIS and LDAP without a problem.

Read here for information on OSX with NIS. It should get you started in the right direction:

http://bresink.de/osx/nis.html
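The lookup-order point made in the two posts above (put nis before files in /etc/nsswitch.conf, then ypbind the client) can be checked mechanically on the NetBSD and RedHat clients, which use an nsswitch.conf-style file; the OS X 10.1 lookupd/NetInfo ordering is a different mechanism and is not covered here. The POSIX shell script below is an added example by the editor, not code from the thread or from any of the systems discussed. It works on a constructed sample file (the `NSS_SAMPLE` path and its contents are assumed for illustration), lists the sources configured for a database in the order the resolver consults them, reports whether local files are consulted before a network directory source, and rewrites a line to put `files` first. The caveat a practitioner wants with the "nis before files" setup: a lookup for a local account such as root then goes to the NIS server first, so a client whose ypbind is unbound or whose server is down can stall or fail on the root login it needs for recovery, which is why `files nis` is the usual order.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): inspect and adjust the
# resolution order in an nsswitch.conf-style file.

# Constructed sample standing in for /etc/nsswitch.conf on a client that
# was set up "nis before files", as the post above describes.
NSS_SAMPLE="${TMPDIR:-/tmp}/nsswitch.sample.$$"
cat > "$NSS_SAMPLE" <<'EOF'
# constructed sample nsswitch.conf (not from a real host)
passwd:   nis [NOTFOUND=return] files
group:    nis files
shadow:   files
hosts:    files dns
EOF

# nss_sources DB FILE
# Print the source list for database DB (e.g. "passwd") in the order the
# resolver consults them. Comment lines and [ACTION=...] tokens are skipped.
nss_sources() {
    awk -v key="$1:" '
        $0 !~ /^[ \t]*#/ && $1 == key {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$2"
}

# nss_local_first DB FILE
# Succeed (0) if "files" is consulted before any network directory source
# (nis, nisplus, ldap); fail (1) otherwise, or if DB is not configured.
nss_local_first() {
    for s in $(nss_sources "$1" "$2"); do
        case "$s" in
            files)            return 0 ;;
            nis|nisplus|ldap) return 1 ;;
        esac
    done
    return 1
}

# nss_fixed_line DB FILE
# Print the DB line rewritten so that "files" comes first and the remaining
# sources keep their relative order. Action tokens are dropped.
nss_fixed_line() {
    rest=""
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = files ] || rest="$rest $s"
    done
    printf '%s: files%s\n' "$1" "$rest"
}

# nss_put_local_first DB FILE
# Rewrite FILE in place so that DB lists "files" first; other lines are kept.
nss_put_local_first() {
    newline=$(nss_fixed_line "$1" "$2")
    awk -v key="$1:" -v nl="$newline" '
        $0 !~ /^[ \t]*#/ && $1 == key { print nl; next }
        { print }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Stand-alone run on a scratch copy: report each database, fix the ones
# that consult the directory before local files, and leave the sample as is.
DEMO="$NSS_SAMPLE.demo"
cp "$NSS_SAMPLE" "$DEMO"
for db in passwd group shadow; do
    if nss_local_first "$db" "$DEMO"; then
        echo "$db: local files first ($(nss_sources "$db" "$DEMO"))"
    else
        echo "$db: directory first ($(nss_sources "$db" "$DEMO")) -> rewriting"
        nss_put_local_first "$db" "$DEMO"
        echo "$db: now $(nss_sources "$db" "$DEMO")"
    fi
done
rm -f "$DEMO"
```

On a real client, point the functions at /etc/nsswitch.conf once ypbind is running: `ypwhich` shows which server the client bound to, `ypcat passwd` confirms the passwd map is actually being served, and `getent passwd USER` shows what the merged lookup order returns for a given account, which is the quickest way to see whether a local or a network entry wins.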
 
WOW! Thank you very much, that was a FAST and COMPLETE answer :)

On OS 9 I found a possibility to log on even if it isn't a "correct" login mask: go to the Apple Menu, choose Network Browser and select your OS X Server. It even works with the correct access rights for each user, GREAT :)

As for the Windows side, I saw there is a service on OS X Server called Windows with which you can log on just as if it were a WinNT/Win2K Server.

I will try your suggestions and post my results.

Again, THX 4 all and I am glad to find a forum with "Fast Heads"
;-)

Stephan
 
That Network Browser will log you on to the server for file sharing. It is not providing any login authentication.

However, if that's all you want, then the situation is a little different:

With OS 9, you can log in to OSX Server for file sharing, and you can even check the box so that it prompts you to log on every time you boot. This uses Apple's AFP protocol.

Windows will be able to do pretty much the exact same thing, except using Windows' native SMB protocol, which OSX also supports.

NetBSD and RedHat will also be able to do much the same thing, using NFS.

I think these are the only options. You will never find a usable AFP client for UNIX or Windows; there is an SMB client for OS 9, but that wouldn't make any sense here.

Note again! This provides no login authentication on the client machines. This only authenticates your clients to access files on the server. There is no central login control for the client machines. But anyway, that is probably OK for your needs, no?

Setting up Samba and NFS on OSX client requires a little bit of UNIX monkeying on the command line, but I believe that OSX Server might have simple GUI frontends to both systems, making sharing files to UNIX systems, Windows systems and Apple systems as easy as anything. If not, we can certainly help you set up Samba and NFS from the command line.
 
No lethe, you're wrong! On OS 9, it does user authentication! It prompts you with a window with username and password. I configured the users on the OS X Server with their own home dirs. Once you're logged in you can see all the others' home dirs, but you can't go inside! However, you can access your home dir, as it should be.

Thx anyway
 
That's good to know. I guess Active Directory is based on LDAP, so it should be possible; I just didn't know it.

I guess I was really talking about plain Windows domains, like you get with NT Server, not Active Directory, which only comes with 2000 Server. Active Directory is more advanced and with more features, but I'm only familiar with Windows domains, which I believe are based on SMB, and I don't think any non-Windows platforms can join domains, at least not for login authentication. But perhaps I'm wrong about that.

Of course this guy doesn't have a Windows server, so it's not too important, but I am enjoying discussing what all the possibilities are for cross-platform networking.

OSX must be the most compatible networking platform ever: ftp, ssh, NFS, SMB, NIS, Active Directory, LDAP, and Apple's own AFP, NetInfo.

I guess you can get all of that for Linux, except there is no AFP client.
 
"...Aqua interface?" Were these your missing words, lethe?

And by the way, I know the difference between simple File Sharing and User Authentication! But would you say that the fact that I can only access my home dir is due to File Sharing? No, it is not!
Because it's the same with all other users I defined on the server. You just have R/W rights in your own home dir and the others are locked! So please don't tell me I don't know the difference...

Stephan
 
I have finished the unfinished sentence in my previous post. Sorry about that.

Stephan, do you want me to explain the difference to you?

Here goes:
 
I would like to describe three levels of network access.

1. command access and file I/O access
2. disk access / mount access
3. login authentication access

Note that these levels are not industry terms. These classifications are just the way I see things.

It is important to realize that all three types of access require you to identify and authenticate yourself with a password. Any type of network access should have at least the minimal security of requiring a username and password.

So...

1. To execute a command on a remote system, you can log in via telnet, ssh, xdm. There may be others. These allow you command-line access to the remote host. There are also ftp and sftp. These allow you to trade files with a host. All these protocols require you to have an account on the remote machine, and require you to log in before use. Your use on the remote machine is limited to the privileges you have on the remote machine. There are other command-line protocols which are usually hidden by client software, like http. In a lot of respects, http is a lot like ftp. One main difference of http is that it does not require a login.

2. Mount access. You can also treat a disk on a remote host as if it were a local disk. This is a much more convenient option for sharing files than ftp. It allows you to execute programs from remote hosts. It allows you to traverse directory hierarchies like you would on your local machine. It is one step closer to the goal of making the network invisible to the local user. NFS, AFP, and SMB are such technologies. Of course, with these technologies, you have to have an account. Your access to the remote machine is limited to the privileges allowed by your login.

3. Authentication. This one is a little harder to understand. Also known as directory services. This allows you to centralize all information databases. For example, you can centralize login information. This means that in order for anyone to use any machine on your network, she has to have a password on your network server. This adds to the ease of network administration, by letting you keep close control of all accounts, and it also adds to security, by only allowing access to any machine on the network if you have a network account. In other words, cracking one machine's account does not give you access to the machine. On the other hand, if you crack the account server, then you have access to every machine on the network. But security is easier to maintain on a centralised server, so this is still a better option. Examples of such technologies include LDAP, NIS, NIS+, DNS, NetInfo, Windows domains, Active Directory.

NOTE WELL: logging into a login server does not necessarily give you disk access to that server's disk. If you need disk access to a server, you need level 2 access, as described here. Level three is for information DBs, not for networked disks.

With this, you can create one set of accounts on the server, and have anyone on your network be able to log on to any machine on the network with the same account and be authenticated by the same account database. It is more convenient and more secure. These directory services can provide more than just account information. They can also provide printer information, email information, any form of information you want, really.

Note:
1. Anyone on any machine anywhere on the internet can use level 1.

2. You have to have root access on your machine to add entries to fstab, but any user can mount network drives over the Finder/AFP, or Windows.

3. Only the admin of the computer can add it to a domain. She must also have a password to the domain server (this applies to NIS; I don't know the others so well).

The levels of access security are different.
 
If your Windows NT/2000 computer is part of a Windows NT/2000 domain, then every time the computer boots up and you are prompted for a login, you must provide a valid network login to be able to access network services. You can log in to the local machine, if you have an account there, but you will have no network services (you will, however, still have internet). This is quite convenient if you, for example, run a school with 30 people. Each person gets an account, and can log in to any machine. You don't have to create an account on each machine for each of the 30 people.

NIS does the same thing. In fact, with NIS, you can disable local login entirely. If you don't have a network password, you can't access any machine on the network. It is even better than Windows. If you tell NIS to load an fstab file, and specify that the user's home directory is on the server, then you can have the user's environment appear identical no matter where he logs in from. This combines levels 2 and 3 as I describe them.

NetInfo has similar capabilities, as do LDAP and Active Directory. The network becomes completely transparent. The user sees the same computer, no matter where she logs in from. The window manager is managed by the localhost, so it might have a different look/feel from a different computer, but all the files and preferences are the same.

These directory services allow the user's default web browser, default email address, default printer, and all manner of different preferences to be centrally located, in a way that mounting a remote disk does not.
 
Directory services are a very nice feature to have for an advanced network. They are completely extraneous for a 4-computer network with 2 users, doing a final project.

When you said "login masking", I assumed that you meant that when the user enters his login, the system "masks" it, and instead of logging him into the local machine, logs him into a login server, like a NIS server.

At this point, it is pretty clear that this is not what you meant. You just wanted to be able to log in to the server so each user can access her files. That can easily be accomplished by any client with telnet or ftp. An easier-to-use solution is NFS, AFP or SMB, but it amounts to the same thing. You log in to the local machine with whatever account you can find (you need no account at all for OS 9), and you need a second account to get onto the server. The second account might be the same as the first, if the netadmin is particularly meticulous, or if no one has monkeyed with the settings of any of the client machines, but that is not going to last. Each user needs two accounts to remember: one to access the disk of the local machine, and one to access the disk of the remote machine. There is no "masking", as you call it, going on in this situation.

Now if what I describe (login authentication) is not what you're looking for, then you're done. Just using the Chooser to log in to the remote server will be perfectly usable to access your files on the server, and that is easy to set up for the home user. Authentication is nice when you have 1000 users on your network using 300 computers, and in that case, integrating multiple platforms can be a headache.

I am a little offended by you telling me "you're wrong". I do this shit for a living, and am well trained in it. I know what levels of security and network access are available, and you do not, or else you would not have posted this thread.

Yes, you can log in for file access to an OSX server and get R/W access to your home directory only, but so what? That is pretty much the same as logging into my email server when I am visiting my sister in San Francisco. There is a different concept that I am talking about that allows you to use a local machine after having been authenticated by only the server. This only works on the local network (or any machine that is part of the domain, more specifically), and it effectively "masks" your local machine login, so to speak. I thought that was what you were asking about; forgive me for being wrong. If this is not what you wanted to know about, then I'm sorry for having told you about it, but that is no reason to be rude.
 
In case anyone runs across this thread, Jaguar (OSX 10.2?) is going to have built-in support for joining MS Active Directories.
 
Can you provide more detail on this? What improvements are there over the current Active Directory support in 10.1?
 
In OSX 10.1, the available protocols for what is in this thread referred to as login masking are NIS, LDAP, and NetInfo.

With Jaguar, Windows Active Directory support is added. I understand (earlier in this thread) that this protocol can be used with Samba; in fact I assume that is what Jaguar will use. Presumably now it will be included out of the box, with a nice Aqua front end.

This is not an improvement of an existing feature. This is a new feature.

Other Windows networking features that are going to come: browsing SMB servers, VPN support, PPTP support, serving SMB shares, and Exchange support.
 