NIS authentication windows

By setting the skel option to a directory that contains such files, the administrator can arrange for those files to be automatically copied to the home directory of a new user. That's fine for our purposes.

The umask option determines the initial permissions of the newly created home directory. Unfortunately, it doesn't accept the relatively friendly "symbolic" syntax we've been using to assign permissions with the chmod command.

This sets "All" users' "Read" and "Execute" permissions on the filename. This is very clear and shows "who" gets permission and "how" much permission they get. However, there's an alternate way of expressing the "who" and the "how." Most Linux administrators who choose to use this syntax with the chmod command just have a bunch of the umasks memorized. For instance, it's enough to know that a umask of means that the file or directory will be readable, writable, and executable for a directory, this means the directory can be descended into by the owner and by users who are members of the owner's default Unix group but not by "others."

For the geek in all of us, here's how the umask is calculated in octal where a digit cannot be larger than 7. The rightmost digit represents permissions for the owner.

The second digit counting from the right represents permissions for members of the group that owns the file. The third digit from the right represents permissions for everyone else.

Zero is the only practical value for the leftmost digit in this context. For more information about setting permissions in this "old school" numerical way, try reading the online documentation for the chmod command.

The man chmod command will show it to you. Each file controls policies for how clients log on to the Linux machine. Now you're ready to log on via NIS. To test the system, log out of your Linux client system via the "Actions" menu, then log in again using the username eastman1 and the password p ssw0rd.

You will be notified that a home directory has been created, and logon will then proceed as normal. The most common cause of failure is the firewall, so ensure port filtering is off.

For good measure, if you can, turn off SELinux. Double-check that you have followed the preceding instructions with regard to disabling the Fedora firewall and the SELinux subsystem on both the client system and the server. Be sure that you have actually started the ypserv service on the server. You can use the command `ps -A | grep yp | grep -v grep` as one line to show whether the ypserv process is running. The ps command lists currently running programs. The -A option makes sure that all programs are included.

The grep command searches its input for a particular string, and grep with the -v option searches for lines that don't contain a string. You do this to avoid confusion by not including the grep commands themselves in the final output. Be sure that you have started the ypbind service on the client. You can use the ps command in the previous point to check. There are, however, multiple add-ons that can do the job.

One option is a freebie called pGina. The other option is to leverage commercial software. There are other options available, but we'll only discuss these here. Windows has a way to inject additional or alternate methods of authentication via the pluggable "GINA" module. The Windows download of pGina and installation is very straightforward: just download it, run it while logged in as a local administrator to install it, and take all the defaults.

Once installed, you'll also need to download and install the required plug-in(s). This particular plug-in will install a Windows service called ypbind that is needed to run the NIS client piece for pGina. The service provides a way for this Windows client to broadcast and find your NIS server. Once the plug-in is downloaded and installed, you're ready to configure pGina for NIS authentication. Once launched, locate the "Plugin" tab and click "Browse."

On the "Plugin" tab, click the "Configure" button. In the dialog box named, appropriately, "Dialog," enter the name of your NIS domain nis.

You'll also see a text box in which to enter the "Password Map" file. Enter passwd. This is the table in NIS that is used when you pass in a username at logon time. Once you pass in a valid username and password, NIS will return a password hash (not the password itself). If the password hashes match, you're in! Now reboot your Windows machine to ensure the settings stick (logging off isn't enough). The pGina documentation is pretty thin, but it does describe how to do this. Don't forget to actually join your XP client workstation to the Active Directory domain, however, or Active Directory authentication won't work.

In our opinion, pGina and the plug-ins have that "not quite ready for prime-time" feel. With that said, there are lots of installations (universities, mostly) currently running pGina the way it was intended. For example, nissvr. Select either Kerberos password or NIS password for authentication. Click Apply to save your changes. NIS authentication is deprecated as it has security issues, including a lack of protection of authentication data.

If DNS-based lookup of the KDC server and realm name is required, add the following two options to the preceding command: Joining the Windows domain requires that your domain controller is reachable and you have an AD user account with permissions to add computers to the domain: REALM is the Kerberos realm name in uppercase and user is a domain user who has permissions to add computers to the domain.

Replace ad. For more details, see the sssd-ad(5) - Linux man page. Use authconfig to enable SSSD. Install oddjob-mkhomedir to ensure that the home directory creation is compatible with SELinux: For extra solutions in the ctxsetup. To ensure that Kerberos is configured correctly for use with the Linux VDA, check that the system keytab file has been created and contains valid keys:

This command displays the list of keys available for the various combinations of principal names and cipher suites. Run the Kerberos kinit command to authenticate the machine with the domain controller using these keys: The machine and realm names must be specified in uppercase. In some environments, the DNS domain name is different from the Kerberos realm name. Ensure that the realm name is used. If this command is successful, no output is displayed.

Use the getent command to verify that the logon format is supported and whether the NSS works: If another logon format is needed, verify by using the getent command first. The domain user account has not been used before. Check that a corresponding Kerberos credential cache file was created for the uid returned by the command:


In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane. In the Connections pane, expand the server name, expand Sites, and then the site, application, or Web service for which you want to enable Extended Protection for Windows authentication. Click Enable in the Actions pane. When the Advanced Settings dialog box appears, select one of the following options in the Extended Protection drop-down menu:

It also defines the two Windows authentication providers for IIS 7. The following example enables Windows authentication and disables Anonymous authentication for a Web site named Contoso. The following examples disable Anonymous authentication for a site named Contoso, then enable Windows authentication for the site.

You must be sure to set the commit parameter to apphost when you use AppCmd. This commits the configuration settings to the appropriate location section in the ApplicationHost.


