Re: [BackupPC-users] Active Directory Authentication / Rsync worries

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, 2005-04-21 at 09:56, Rob McDonald wrote:

> My issues are as follows:
> 1.) Has anyone had any luck setting apache up(whether on a winbox or
> *nix box) to auth against AD in a manner that will work with BackupPC?

Not quite, but I auth against a PDC in a way that might work for you.
I run backuppc on a fedora Linux box set for smb authentication against
a windows domain, and added mod_auth_pam to httpd by compiling the
module and installing it.  This does the password check only.  Since
the users don't have accounts on the box, the /etc/pam.d/httpd file
looks like:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
(The Redhat/fedora 'authconfig' program lets you select an assortment
of authentication methods and builds the system-auth list).  This way
people who do have accounts on the box can log in with ssh etc. using
their domain password, and anyone with either a Linux or domain account
can authenticate for web services.

> 2.) I would like to use rsyncd, but I don't see an effecient way to
> deploy the package to users and ensure the permissions of the secrets
> file is set properly to disallow modification?  Am I being too
> security conscious here?  I suppose I could document that users must
> not schedule backups, but instead initiate the backup when they want
> to backup...and start rsyncd before the backup, and stoppign it after
> the backup.  I just don't like the idea of it sitting out there,
> listening for requests and the only auth is a static file sitting on
> the local machine.

If the users have Admin rights on their own machines they can change
just about anything themselves.  If they don't, you can keep them from
changing that file as easily as anything else.  I can't think of
anything magically in between.  I'm not a windows expert though - can
you set up firewalling so connections on the rsyncd port are only
accepted if they come through the VPN from your backuppc box?

-- 
  Les Mikesell
   le...@fu...