Need to share on the defunct admin User

Yes, we already do it! The nsdc container is actually a “remote” account provider. In the future I’d like to provide an additional DC to an existing AD domain. Here we talk about “replacing” (I guess there are limitations on what can be replaced) but it should be similar to “add”:

@davidep: In previous discussions it has been mentioned: currently it is not possible to add a NS7 server as a DC in an existing AD domain. IMO this means that NS is supporting a 'crippled' Samba4 implementation, since Samba4 allows this. And what I understood from the previous discussion is that the main reason is that there is no anonymous bind to the Samba4 directory.
Without the intention of doing that whole discussion again, I still don’t get exactly why the choice of limiting access to authenticated users to the directory has been done. Maybe I overlooked the statement or (more likely) just didn’t understand the statement when I read it, but I sure would like to know (and understand)

Right, it is a (still) unsupported scenario. We’re working on it.

No, this is not related with the scenario above.

No such choice was made, AFAIK it’s the default behavior of Samba (and MS AD, too).

You hit the bell, I got it now. Indeed if I modify locally I cannot do the sync on the remote authenticator.

Well this option is nice but it is not the one I choose. I do prefer to get one ‘admin’ for every webapp…let’s keep things simple…the name is ‘admin’. I just need it to authenticate in apache; for other purposes like the mysql DB, each database gets its own user.

Yeah, one way: for now I store all users in one property from a textArea box in Nethgui…the con is that the separator between user names is not a comma but a line break, and therefore you cannot modify the property manually from the command line. The pro is that the content is easily readable.

and the template

Thanks a lot all, it seems clear now

2 Likes

I like it! We could define a simple convention. Just a couple of props in config DB…

sysconfig=configuration
    ...
    adminUser=administrator
    adminGroup=administrators

…and the @domain suffix added by templates. Individual packages that need an administrative identity can read those props and use them in their configurations.

The default values proposed above would fit 90% of our account providers. AD has them, our OpenLDAP can be provisioned in the same way. For remote LDAP directories where we cannot make any kind of assumption (the 10%), the two props can be fixed and a system-adjust event issued at the end.

4 Likes

Indeed the idea to have a generic user created from base with a default password is great for me. It will avoid having to create it manually, as I ask for now in my modules. Of course all module authors could rely on it in the future as well.

Obviously only the rpm nethserver-directory needs to be modified; any idea on how to do it?

Can you give a list of modules that would benefit from this convention?

When the LDAP tree is provisioned for the first time we could run luseradd and lgroupadd to create the administrator user and administrators group.

Are you going to open a PR? :wink:

1 Like

Honestly, nearly all the web applications I did for NS6:

nethserver-BackupPC-1.0.1-2.ns6.src.rpm
nethserver-linux-dash-1.0.0-1.ns6.src.rpm
nethserver-shellinabox-0.0.8-1.ns6.sdl.src.rpm
nethserver-tt-rss-1.0.0-5.ns6.sdl.src.rpm
nethserver-urbackup-0.0.2-1.ns6.sdl.src.rpm

For NS7, some modules are done (shellinabox, tt-rss) but my dream would be to use a token in the server-manager, like it is possible in Formagick, and get rid of the password authentication…it could be so cool

{
    # e-smith template fragment: load mod_auth_tkt and emit its shared secret
    $OUT .= "LoadModule auth_tkt_module modules/mod_auth_tkt.so\n";

    # Read the secret from the TKTAuthSecret prop of the httpd-admin config DB key.
    # The literal after || is only a fallback used when the prop is unset, and it
    # is the same on every host that ships this template.
    my $secret = ${'httpd-admin'}{TKTAuthSecret} || "34322500-7330-4400-423A-3A00434F5245";
    $OUT .= "TKTAuthSecret \"$secret\"\n";
}

Like this you can display the web application and restrict it to users who are authenticated in the server-manager…the solution of the random url is nice too, but not secure enough

1 Like
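The post above proposes a ticket minted by the server-manager and checked by the module through a shared TKTAuthSecret, so that the module never sees a password. The following is an added example, not NethServer code and not the exact mod_auth_tkt wire format: a generic HMAC-signed ticket with the same properties (per-host shared secret, expiry, a list of tokens the module can require). The function names, the JSON payload layout and the sample user/token values are all constructed for this illustration.

```python
"""Ticket-based SSO between a server-manager and a module (added example).

Assumptions (not from the thread): tickets are base64url(HMAC-SHA256(payload)
|| payload); the payload is a small JSON object; the secret is a hex string
stored once per host, e.g. in the TKTAuthSecret prop.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def generate_secret() -> str:
    """Per-host secret to store in the TKTAuthSecret prop at install time,
    instead of relying on a fallback value that is identical on every host."""
    return secrets.token_hex(32)


def mint_ticket(secret: str, user: str, tokens: list, ttl: int = 3600, now=None) -> str:
    """Issue a ticket for `user` carrying `tokens`, valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"u": user, "t": list(tokens), "ts": now, "exp": now + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + payload).decode().rstrip("=")


def verify_ticket(secret: str, ticket: str, required_token=None, now=None):
    """Return the user name if the ticket is authentic, unexpired and carries
    `required_token` (when given); return None otherwise."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket + "=" * (-len(ticket) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= MAC_LEN:
        return None
    mac, payload = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    # Constant-time comparison: never short-circuit on the first differing byte.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if now >= data.get("exp", 0):
        return None
    if required_token is not None and required_token not in data.get("t", []):
        return None
    return data.get("u")


if __name__ == "__main__":
    # Constructed demo values: the server-manager mints, the module verifies.
    host_secret = generate_secret()
    tkt = mint_ticket(host_secret, "admin", ["server-manager"])
    print("module sees user:", verify_ticket(host_secret, tkt, "server-manager"))
```

The verifier only needs the secret and the ticket: no credential store lookup and no password ever reaches the module, and a ticket minted for one token list cannot be reused for a module that requires a different token.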

2 posts were merged into an existing topic: Apache TKTAuth for modules proposal

Ok, I will give it a go next week; this week is like a mini FOSDEM for me…good time, meet people, share on code!!!

What else :slight_smile:

the action /etc/e-smith/events/actions/nethserver-directory-init-admin in NS6 is probably a good starting point

Caution! getent calls would not work before nethserver-sssd-save event!

1 Like

Sorry but …I couldn’t resist! :blush:

This is my idea:

https://github.com/NethServer/nethserver-directory/compare/master...DavidePrincipi:admin

(TODO: don’t know how to set executable permissions on GitHub web interface)

1 Like

thanks :slight_smile:

Opened issue

1 Like

Let’s think about the admin user name for a while. What should be the default value we put in the config DB?

Candidates are:

  • administrator, the default in the Microsoft world
  • admin, the default in ns6 and many other software projects out there

Initially I was thinking about the first, to keep things consistent between AD and LDAP providers. I was talking about this with @filippo_carletti, @giacomo and @nrauso and came to the following conclusion:

…well, maybe @stephdl is laughing at me but… I prefer admin. At the end of the day, let’s get it back!

If we go with admin, we should create it in our Samba Active Directory when the domain is configured the first time. This can be done automatically. Also (as @nrauso suggests) the default administrator AD account could be disabled, as happens in the latest Windows versions.

For an existing Active Directory where we cannot write, as for any other LDAP DB where we don’t have write access, the last resort is a manual procedure, like:

config setprop admins user SOMEUSER group SOMEGROUP
signal-event ...

For the last scenario, our LDAP configuration in nethserver-directory, the admin user and administrators group can be created automatically.

In any case, the default admin user and group is created only on brand new installations. Existing account databases are never touched!

3 Likes
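To make the convention from the earlier proposal (the adminUser/adminGroup props under the sysconfig key, with the @domain suffix added by templates) and the manual procedure just described (props fixed by hand for a remote directory we cannot write to) concrete, here is an added example in Python. It is not NethServer code: the record format `key=type|prop|value|...` is assumed to be what the config DB stores on disk, the account-name check and the sample records are constructed for this example, and real templates are written in Perl rather than Python.

```python
"""Resolve the administrative identity from config DB props (added example).

Assumptions (not from the thread): config DB records are one line each in the
form ``key=type|prop|value|prop|value...``; the props live under the
``sysconfig`` key as proposed; a package reads them and appends @domain itself.
"""
import re
from dataclasses import dataclass

# Defaults proposed in the thread; they fit AD and the local OpenLDAP provider.
DEFAULT_ADMIN_USER = "administrator"
DEFAULT_ADMIN_GROUP = "administrators"

# Conservative account-name check (constructed): the value ends up inside
# service configuration files, so refuse anything that is not a plain name.
_NAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,63}$", re.IGNORECASE)


@dataclass(frozen=True)
class AdminIdentity:
    user: str
    group: str
    domain: str

    @property
    def user_principal(self) -> str:
        # The @domain suffix is added when rendering, never stored in the DB.
        return f"{self.user}@{self.domain}"

    @property
    def group_principal(self) -> str:
        return f"{self.group}@{self.domain}"


def parse_config_db(text: str) -> dict:
    """Parse the assumed 'key=type|prop|value...' records into
    {key: {"type": ..., "props": {...}}}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        fields = rest.split("|")
        rtype, pairs = fields[0], fields[1:]
        if len(pairs) % 2:
            raise ValueError(f"malformed record for key {key!r}")
        db[key] = {"type": rtype, "props": dict(zip(pairs[0::2], pairs[1::2]))}
    return db


def resolve_admin(db: dict, domain: str) -> AdminIdentity:
    """Apply the convention: use the sysconfig props when set (for example
    fixed by hand with 'config setprop' for a remote LDAP), otherwise the
    thread's defaults. Names that could break a config file are rejected."""
    props = db.get("sysconfig", {}).get("props", {})
    user = props.get("adminUser") or DEFAULT_ADMIN_USER
    group = props.get("adminGroup") or DEFAULT_ADMIN_GROUP
    for name in (user, group):
        if not _NAME_RE.match(name):
            raise ValueError(f"refusing unsafe account name {name!r}")
    return AdminIdentity(user, group, domain)


# Constructed sample records: a fresh local provisioning with no props set,
# and a remote directory where the admin names were fixed by hand.
LOCAL_DB = "sysconfig=configuration\n"
REMOTE_DB = "sysconfig=configuration|adminUser|nsadmin|adminGroup|ns-admins\n"

if __name__ == "__main__":
    for label, text in (("local", LOCAL_DB), ("remote", REMOTE_DB)):
        ident = resolve_admin(parse_config_db(text), "example.org")
        print(label, ident.user_principal, ident.group_principal)
```

A package that needs an administrative identity calls `resolve_admin` once and uses the two principals in its configuration; when the props are changed by hand, re-running the same resolution after the adjust event picks up the new names without any per-package special case.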

:))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

1 Like

That happens when developers don’t live in Ivory towers! :european_castle:

https://blog.codinghorror.com/ivory-tower-development/

1 Like

Seuls les idiots ne changent pas d’avis…only idiots don’t change their mind.

NS7 is still in RC and not yet widely installed, so there is still time to add/change things… @davidep merci

2 Likes

It has been a long journey: since March a lot of things have been developed. As often happens, the initial assumptions must be reconsidered again and again. Now we are approaching real-world issues. I’m sure this is not the last thing we’re facing!

Thank you @stephdl for your inputs!

This is a further UI enhancement:

2 Likes