There are times when I need to use my Common Access Card at home. Being a Linux user, I figured this would be challenging to configure. It took a few hours of trying different packages and directions, but I finally have it working. Considering the process isn’t entirely straightforward, I thought it’d be good to document the steps here.
Tag: Linux
Well, it’s official… I’m a geek. A few weeks ago I started writing an extension for the PHP runtime that provides bindings to libfuse. Back up a few months— I wrote a PHP script to screen-scrape the Trac web interface and allow me to grab source code to a project I’m working on.
My solution worked but it was pretty ugly. So I wondered if it would be better to implement a FUSE file system to do the same task. Unfortunately PHP didn’t have bindings for libfuse at the time. After several failed attempts at using SWIG to automagically generate an extension, I came to the harsh realization that if I wanted FUSE bindings I’d have to do it myself. I mean… how hard could it be?
It actually wasn’t too bad. I read a bunch of non-existent documentation on the Zend API and went to work on a prototype. It took me about a week, but I now have a working PHP extension. I’ve also since implemented TracFS to replace my ugly script.
TracFS is a mountable POSIX virtual file system that allows you to read a Subversion repository through the Trac web interface. Why is this useful? It’s not… unless you can’t access the repository directly, but can see the files in the source browser. Using rsync (or a similar tool), you can maintain a local copy of the repository contents.
TracFS uses FUSE for VFS operations and is written in PHP. It also supports authenticating with a Shibboleth SSO gateway. Other authentication mechanisms can be easily added in the future.
There are probably a million and one articles about how to make Samba 3 an Active Directory domain member. But with all of that, this process still seems to require hours of research. So I’ve decided to compile my latest experiences here.
The domain member box is running Gentoo Linux. So you may need to adjust the steps to fit your flavor. Make sure the USE flags kerberos, ldap, samba, ssl, and winbind are set. Start by installing an NTP client.
# emerge ntp
I maintain several client and server machines that, up until recently, all authenticated users locally. I wanted a more centralized mechanism that could handle the various users and systems on the network. The big catch is that a few key systems run Linux while others run Windows. So after doing some research, I turned to Active Directory.
My first chore was to install Windows Server 2003 and configure it to be a domain controller. This part was fairly easy, although a little time-consuming. Once that was working I was able to quickly join the Windows machines to the domain. Now to deal with Linux… for that I chose Windows Services for Unix. This software alters the AD schema to allow for Unix account attributes. On the Linux machines, I installed OpenLDAP, a Kerberos client, configured PAM… and voila! Now AD users can authenticate on the Linux machines.
My home-made DHCP/DNS configuration tool, however, was a little trickier. The data for this tool is stored in a MySQL database and accessed via a PHP script. If I wanted to grant someone access to the tool, I needed to first give them a MySQL account. Since Active Directory is basically an LDAP server, I rewrote the authentication mechanism to query AD.
With very little work, I was able to simplify authentication and account management. While this is not new technology, I still feel all warm and fuzzy with a sense of accomplishment.