From: Les M. <le...@fu...> - 2005-04-21 16:57:35
On Thu, 2005-04-21 at 09:56, Rob McDonald wrote:

> My issues are as follows:
> 1.) Has anyone had any luck setting apache up (whether on a winbox or
> *nix box) to auth against AD in a manner that will work with BackupPC?

Not quite, but I auth against a PDC in a way that might work for you. I run backuppc on a fedora Linux box set for smb authentication against a windows domain, and added mod_auth_pam to httpd by compiling the module and installing it. This does the password check only. Since the users don't have accounts on the box, the /etc/pam.d/httpd file looks like:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so

(The Redhat/fedora 'authconfig' program lets you select an assortment of authentication methods and builds the system-auth list). This way people who do have accounts on the box can log in with ssh etc. using their domain password, and anyone with either a Linux or domain account can authenticate for web services.

> 2.) I would like to use rsyncd, but I don't see an efficient way to
> deploy the package to users and ensure the permissions of the secrets
> file are set properly to disallow modification? Am I being too
> security conscious here? I suppose I could document that users must
> not schedule backups, but instead initiate the backup when they want
> to backup...and start rsyncd before the backup, and stopping it after
> the backup. I just don't like the idea of it sitting out there,
> listening for requests and the only auth is a static file sitting on
> the local machine.

If the users have Admin rights on their own machines they can change just about anything themselves. If they don't, you can keep them from changing that file as easily as anything else. I can't think of anything magically in between. I'm not a windows expert though - can you set up firewalling so connections on the rsyncd port are only accepted if they come through the VPN from your backuppc box?

--
Les Mikesell
le...@fu...
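
The source restriction suggested in the reply can also be expressed inside rsyncd itself. The fragment below is an added example, not part of the original message or of the BackupPC package; the module name `backup`, the user `backuppc`, the paths and the address 192.0.2.10 (standing in for the BackupPC server's VPN address) are assumptions.

```ini
# rsyncd.conf on the client machine (constructed example)

# Weak form: password-only. Any host that can reach the rsyncd port
# may attempt to authenticate against the static secrets file.
#
# [backup]
#     path = /path/to/backup/source
#     auth users = backuppc
#     secrets file = /etc/rsyncd.secrets

# Tighter form: same password check, plus a source-address restriction.
[backup]
    path = /path/to/backup/source

    # Only this user name may authenticate; the password lives in the
    # secrets file as a "user:password" line.
    auth users = backuppc
    secrets file = /etc/rsyncd.secrets

    # Refuse to use a secrets file that other accounts can read.
    # This is the rsync default; set it to false only where the platform
    # cannot represent the check, and then protect the file with
    # file-system ACLs instead.
    strict modes = true

    # Accept connections only from the BackupPC server. With no
    # "hosts deny" line, any client that does not match is rejected.
    hosts allow = 192.0.2.10

    # Do not advertise the module name to clients that ask for a listing.
    list = false
```

`hosts allow` is checked by rsyncd after the TCP connection is accepted, so it complements a firewall rule on the rsyncd port rather than replacing it.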