Subtitles of the Movie

Now that we've looked at how to manage our users and groups in both the GUI and the command-line methods, it's time to look at configuring authentication methods. Now, all the methods we've talked about previously, uh, involved managing local user and group accounts and then we need to emphasize that. The accounts we've learned to manage are present only on the system that we're working on, that particular system. They really, although they can be used across a network, it's not the best way to do it. It is the most common method of system authentication using local user accounts, especially in a standalone environment; however, when you introduce a network in the equation, modern network systems require more advanced methods, uh, and these usually involve a distributed database method, such as active directory of RLDAT or a central accounts database of some sort and we're going to look very briefly at those methods. Now, I don't expect you to become an expert on these, uh, particular methods, but you need to be familiar with them and kind of know how to configure them if you're ever asked to for your particular system when you're joining a network. In a lot of cases you're going to need to get information from your network administrator to help configure these settings, but we're going to briefly talk about them. Some of the common network-based authentication methods that we can use to authenticate, uh, network accounts are NIS, N-I-S, LDAP, Kerberos or Samba. Now, let's take a quick look at each one. NIS, or network information services, is basically a set where a central server or it could be several servers have a centralized database of user accounts and the computer relies on that centralized database of user accounts to authenticate to several computers on the network. LDAP is a similar kind of setup, except that these, uh, it uses a, uh, lightweight directory access protocol, or an LDAP, which is an offshoot of the X500, uh, standard, um, directory access protocol. A good example of an LDAP database is active directory. Another good example is edirectory. These are LDAP-based databases, distributed databases that could be distributed across several servers. But again, just like NIS, they're centrally located databases of user accounts and the user accounts don't have to be on the individual system you're logging into. You can use the accounts on those servers. Kerberos is more of a protocol than anything else and it can be used in, in conjunction with, uh, LDAP system for example. That's the way that Windows active directory works. It's an authentication protocol per se and it's very secure, um, and you can configure your Linux system, your openSUSE system to use Kerberos as well. The last system that we'll mention briefly is Samba. Now, Samba server basically is a way of connecting Linux boxes to Windows file shares and Windows workgroups. So you could have a Samba setup so that your Linux box could actually authenticate to a Windows type of SAM or workgroup-based accounts database and authenticate with it. And you might use that particular setup if you're doing file sharing with Windows boxes and those Windows boxes require authentication. So you have those four methods that you can configure for network user accounts. Now, like everything else you configure with user and groups, you can configure those in YaST as well either the command-line version that we saw or the GUI version and we need to remind you once again; these authentication methods apply only to network accounts, not to local accounts. We don't use local accounts, uh, uh, with the, these methods. Let's do a quick demonstration and look at how these authentication methods are configured in YaST. Now we're back in openSUSE and we're looking at the user and group administration console that we looked at previously. This should look familiar to you because this is where we manage users and groups. Now, down here in the expert options, we see one other thing that we didn't talk about previously and that's authentication user sources. Now remember that we said that most of the settings in this particular console are for local users. This is the one set of settings that are not. These apply to network users. So let's take a look. If we had any servers that we were using, such as NIS servers or LDAP, Kerberos or Samba, they would show up here. Any configured servers that we have would show up in this screen and as we can see, there are none configured. If we hit the configure button, we can select which one we want, such as NIS and we would have to get information from the, uh, network administrator and we would set up this particular service, the configuration of this box as an NIS client so it could use NIS. As with the other services, the same thing applies. If we want to set up an LDAP authentication source, we would need to know certain information from our network administrator, such as the IP address of the LDAP servers, for example, the distinguish name, some security settings for LDAP and so forth and there's some advanced settings we could look at as well. For the Kerberos servers, we might need to know the Kerberos realm, the default domain, Kerberos realm. Usually, especially if you're connecting to a Windows active directory domain, this would be the domain name. The KDC server address, which is the key distribution center for Kerberos. Again, your network administrator is going to be able to supply you with those, with those settings and that information. If you're configuring a Samba server, which is essentially a small Windows workgroup, you'd need to know things like the workgroup name. You'd have to have Samba configured and maybe a few other things you'd need configured. But this is the information you would use. And there are some expert settings as well that you might, uh, you might need to know when configuring Samba. Some of these settings I'll tell you, require a little bit more advanced knowledge so unless you've had some experience with these things, you might want to find out, uh, what the settings are and how they work. I wouldn't necessarily mess with the settings unless you knew what you were doing. For your standalone machine, if you have one at home or have on in a lab, go to a local account authentication, uh, probably works best. When you're in a network, then let your network administrator help you configure these settings. And that's essentially all there is to, uh, configuring, uh, authentication methods in openSUSE.