Author Topic: Qube + Linux + Authentication + Active Directory  (Read 4132 times)

jason

  • Jr. Member
  • **
  • Posts: 6
Qube + Linux + Authentication + Active Directory
« on: March 21, 2006, 08:27:01 PM »
I'm currently testing Qube with a farm of Linux servers.

Farm configuration:
  Dual AMD Opterons
  Suse Linux 9.3
  Samba + Winbind + Pam authentication against a Win2000 AD domain
Supervisor configuration:
  Dual AMD Athlons
  Suse Linux 9.3
  Samba + Winbind + Pam authentication against a Win2000 AD domain

Upon submission of a job from either Windows or Linux client, I get the error: "Account doesn't exist." I am able to login to the Linux workers using my AD domain account and "getent passswd" reveals all the domain users as well.

Am I attacking this the wrong way? How should I setup the farm if I want to use Linux on them?

Thanks,
Jason

anthony

  • Senior Software Engineer
  • Hero Member
  • *****
  • Posts: 183
Re: Qube + Linux + Authentication + Active Directory
« Reply #1 on: March 21, 2006, 08:53:02 PM »
Hey Jason,

    You're probably getting the error because of the way qube! is installed by default.  qube!'s normal installation assumes you are not running any kind of authentication service.  This however is not how we recommend you use qube if you have an established network authentication scheme.

    These are things to keep in mind when setting up qube!

          qube!'s workers can be configured to either use a single account to run all jobs, or to use the job's owner's account to run each job.   This setting is controlled by modifying the qb.conf file or by using the "Configuration" gui located in sbin on linux.  In your case I would recommend setting the worker to run the jobs using the real user account:

       Edit: /etc/qb.conf and modify the setting to this:

           proxy_execution_mode = user

     Restart the worker:  /etc/init.d/worker restart


          Authentication for qube! is based upon name matching.  So users on windows must have the exact same login (including case) as those on linux.  Since you're using samba + an AD, that makes life easier.  You can also do the same on windows workers as well.

          Please keep in mind that once you've set your hosts to user mode, qube! will need windows users to login either by running
qblogin or the Auth application found in sbin or in the windows start menu.  The authentication will ask for your windows password.  This is because windows doesn't support setuid and requires the plain text password of the user for authentication (don't worry... we don't store it as plain text. The password is encrypted using 512 RSA and is never transmitted over wire unencrypted) Users who have not logged in will find that their jobs are marked with "badlogin" they just need to login properly and these jobs will automatically move back to pending.

          If you have any other questions, please feel free to create a new topic.
   
         Thanks,
              Anthony



jason

  • Jr. Member
  • **
  • Posts: 6
Re: Qube + Linux + Authentication + Active Directory
« Reply #2 on: March 22, 2006, 03:05:01 AM »
...
Authentication for qube! is based upon name matching.  So users on windows must have the exact same login (including case) as those on linux.  Since you're using samba + an AD, that makes life easier.  You can also do the same on windows workers as well.
...

Actually, that's what's making it difficult. When I login to windows, I use only my username (i.e. jason). When I login to linux, I need to specify the domain (i.e. IE\jason). I'm not certain if there's a samba configuration setting that I can switch so that it doesn't append the domain name as part of the actual username. Any thoughts?

anthony

  • Senior Software Engineer
  • Hero Member
  • *****
  • Posts: 183
Re: Qube + Linux + Authentication + Active Directory
« Reply #3 on: March 22, 2006, 11:35:30 PM »
Hey Jason,

     Yhea it took a little research on my part to see if there was a viable work-around with qube!'s current implementation or with changing winbind's settings.  I can't find one so we're going to implement the fix into qube! to make it compatible with winbind.  I'll be seeking approval for you to receive a copy of 4.0-6 and will let you know when it's available for you to download.

     In the mean time, the method we use here is to run both a samba and an AD server and to clone the users between them.  However I personally think the winbind method is better (which is why we are integrating it into qube!)  If you don't mind waiting a little we'll try to accomidate your setup.  The only reason we use the former method is to simulate single host environments since most linux/unix admins normally run either an ldap or an nis server.

     Thanks,
           Anthony

anthony

  • Senior Software Engineer
  • Hero Member
  • *****
  • Posts: 183
Re: Qube + Linux + Authentication + Active Directory
« Reply #4 on: May 02, 2006, 09:14:23 PM »
Hey Jason,

    As a follow up to this post, qube 4.0-6 now supports the samba winbind authentication scheme.  Jobs submitted from windows use the domain\login format to allow for winbind to properly authenticate the user.  You must turn on the feature either using the "config" gui or by editing the qb.conf file and adding:

enable_winbind to the flags list.

worker_flags = enable_winbind,remove_logs.... etc...

Thanks,
      Anthony