On 7/17/06, gmu 2k6 <gmu2006@gmail.com> wrote:
> On 7/17/06, Les Mikesell <lesmikesell@gmail.com> wrote:
> > On Mon, 2006-07-17 at 09:53 +0000, gmu 2k6 wrote:
> > > On 7/16/06, Les Mikesell <lesmikesell@gmail.com> wrote:
> > > > On Sun, 2006-07-16 at 13:17, gmu 2k6 wrote:
> > > >
> > > > > as OpenSSH is already installed, I might give svn+ssh// with OpenSSH
> > > > > doing PAM with Winbind to let the users use their Windows Passwords to
> > > > > access the machine.
> > > > > I better read about winbind and whether I have to join the domain etc. then.
> > > >
> > > > With winbind you shouldn't have to add the users locally but the
> > > > machine does have to join the domain. An alternative is to use
> > > > smb authentication with PAM. Then you do have to add the users
> > > > (which gives you a place to control which ones can use the
> > > > service and put them in groups) but you don't have to maintain
> > > > a separate password.
> > >
> > > do you know any good guide for that? what's the name of the pam module
> > > you mentioned?
> >
> > On RH/fedora systems you would run authconfig, pick smb as one of the
> > authentication methods, and fill in the domain and controller name(s).
> > If you do it by hand the module is pam_smb_auth.so and it needs the
> > domain and PDC/BDC names in /etc/pam_smb.conf. For pure web services
> > where you don't need a home directory or group info you can also
> > use mod_pam_auth (not included with RH/fedora but you can build it)
> > with a /etc/pamd.d/httpd file like:
> >
> > #%PAM-1.0
> > auth required pam_stack.so service=system-auth
> > account required pam_permit.so
> >
> > This will allow anyone with a domain account to log in to the web server
> > as a valid-user without having a local Linux account. I'm not sure
> > how/if that will mesh with mod_authz_svn if you want finer-grained
> > access control. If you use a different 'account' line you can
> > restrict logins to those with local accounts like the other services.
>
> thanks, I was reading about pam_krb5, winbindd, etc. but not yet sure
> how everything fits together. I know about RedHat and SuSE offering
> configurators for that but it will work with Debian too, I'll just
> have to read and learn, which is important anyway in case it breaks.
I will still only use svnserve, so svn+shh may be the option but
possibly hard due to privilege seperationg and pam interactive auth
problems I've read about, but maybe not we'll see...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Jul 17 17:35:05 2006