Border Manager Authentication with Linux
Printer-friendly version
7. If you have a firewall running you will need to open port 3024 for UDP traffic.
For SuSE edit edit /etc/sysconfig/SuSEfirewall2 and add an entry:
You should be able to access websites now through the Border Manager proxy with any of the Linux accounts.
10 .Test it by downloading an html file:
Getting a Linux server or workstation to work nicely with Novell's Border Manager can be very difficult. Novell have recently brought out a Linux version of their clntrust.exe application for Linux workstations (available in Border Manager 3.8 SP4) but this requires Gnome and the Novell Linux Client. If you are running a server (or use a non-Novell supported Linux distro) meeting these requirements can be difficult. Fortunately there is cl4others which authenticates to the Border Manager through simple command line instructions in a far more flexible manner. Documentation for cl4others is pretty sparse so I have written this little tutorial on how to get it set up and running.
This solution is really intended for servers where shell access by normal users is limited as Border Manager authentication is not handled on a per user basis. For web and file servers such a setup is fine but if you require per user authentication to the Border Manager you should probably look at the Gnome/Netware Linux Client/clntrust stack from Novell.
NOTE: For instructions 1-9 you will need to have root privileges.
1. Install ncp for your distribution.
The easiest way to find the rpm is through rpmfind or if you are running SuSE you will find ftp.suse.com has an rpm for your specific version.
2. Extract the cl4others x86 binary and copy it to /usr/bin.
Make sure its permissions are set so that it can be executed by non-root users.
chmod a+x /usr/bin/cl4others
3. Make a directory in /mnt called bordermanager so that you can mount the volume to it.
4. Edit /etc/fstab and add the following entry: (all on one line)
NW_SERVER/NW_USER /mnt/bordermanager ncp defaults,ro,mode=400,uid=root,gid=root,owner=root,ipserver=NW_SERVERIP,
passwdfile=/root/.ncppasswd,multiple 0 0
Replace the following with your network details:
NW_SERVER = Netware BorderManager server name
NW_SERVERIP = Netware BorderManager IP/DNS name
NW_USER = Netware user you will be accessing the proxy as
This mounts the Border Manager volume read-only with all files owned by root with read access to the files only granted to root. This means if one of your server accounts gets compromised (other than root) your Border Manager files will be safe and away from prying eyes.
NOTE: In order for cl4others to work you must have read access to the BorderManager SYS volume. Remember to set a Border Manager access rule for the user you are connecting attempting to access the Internet as.
5. Now create a file for storing the login password to the server:
pico /root/.ncppasswd
Add the following entry:NW_SERVER/NW_USER:Your Password
Change the file so that it can only be read by root:chmod og-rwx /root/.ncppasswd
6. Mount the Border Manager volume:mount /mnt/bordermanager
(This should mount the SYS volume of the BM server7. If you have a firewall running you will need to open port 3024 for UDP traffic.
For SuSE edit edit /etc/sysconfig/SuSEfirewall2 and add an entry:
FW_SERVICES_EXT_UDP="3024"
Restart the firewall, for SuSE:rcSuSEfirewall2 restart
8. Now as root start cl4others (I have had mixed results starting it as any other user).cl4others /mnt/bordermanager &
9. With Yast setup the proxy. You don't need to specify any user just point the proxy to the url of the proxy server. Save the changes. In order for them to take effect you will need to logout of the console and log back in again.You should be able to access websites now through the Border Manager proxy with any of the Linux accounts.
10 .Test it by downloading an html file:
wget http://www.stress-free.co.nz/files/images/whichdoctor.jpg
Hopefully if everything works correctly you should be authenticating and using your Border Manager proxy with Linux.
Problem
Check if NCP is working
If 897E is referring to an NCP error code (http://www.winterklee.org/nwerror.pdf) then you may want to confirm you NCP subsystem is working correctly. Try mounting an NCP volume and copying files backwards and forwards to check that everything is working. Also check your read permissions on the Border Manager volume to ensure you are not being denied access. Beyond that are cannot be of any further assistance.
Thanks
No Authentication... with Novell Linux Client for SuSE 10.2
Thank you David for the tutorial!
I'm very new to Linux and will appreciate if you hint me on where to dig:
I've got openSuSE 10.2 connected to Netware 6 server via Novell Client 2.0 for OpenSUSE 10.2. That client was recently posted at http://download.novell.com/protected/Summary.jsp?buildid=aMa3aFbODfQ~
I've also found out that Novell included CLNTRUST for Linux in BorderManager 3.8 SP4 but I've got BM3.6 and cannot upgrade it for now due to policy of my company. So, I have to find an alternative solution on how to authenticate my SuSE with BM3.6
I understand that Novell Client brings up NCP but I have also made sure NCP installed through YaST.
It is also possible to connect to my BM server using Novell Client. So I can see two servers I connected to in "Novell Connections" of the Novell Client.
I can normally MAP the SYS volume of the BM using MAP option of the Novell Client and can browse BM's SYS volume with KDE's browser.
Before trying to browse the Internet I've stopped the SuSE firewall and configured my browser with correct proxy IP address, which is a network card of my BM facing to my private network.
But when I try to reach any http host, the BM returns 403: Access has been denied because you are not logged in! Well, of course, I wasn't authenticated!
Could you please advise, if possible, what would be the next step of mine to solve the problem. Thank you!
Roman
Check your mount points
If you can successfully mount the Border Manager volume then the access denied error is probably due to cl4others not looking in the correct place for the mounted volume.
Ensure the command 'cl4others /mnt/bordermanager &' points to the actual directory where the Novell client has mounted the Border Manager volume. I have not used the Novell Client but my guess would be that the true mount point is buried in a subdirectory somewhere so even if the BM volume is on your desktop check that it is not just a symlink to another location on your disk.
From the perspective of getting something working I would ignore the Novell Client and focus on the instructions given in the tutorial. Following those instructions will ensure that you know exactly where the mount point is rather than trying to hunt it down. Also running the cl4others command without an & symbol at the end will make it run in the foreground. This is useful for troubleshooting as it will let you see what is going on and where.
Once you know cl4others is working without the Novell Client you can then begin to factor it into the equation and see how it goes.
Still no authentication
Hello David,
I’ve tried to follow your tutorial on a fresh openSuSE10.2 installation without Novell Client. Could you please look through it and possibly give me an advice. Thank you!
1. I downloaded ncpfs-2.2.6 and extracted the archive into a directory on my hard drive
2. Then I followed to instructions of the ncp package readme file: run ‘./configure’, ‘make’, as root, ‘make install’
3. Well, I’ve got C+ compiler, gcc and make installed and then I run ‘./configure’, ‘make’ and ‘make install’
4. Then I checked whether ncp was installed: YaST2 -- Software Management -- typed ncpfs in Search. It had shown the checked ncp box in the main Yast window; Under Technical data – Installed version 2.2.6-43; Dependencies and Files were full of ncp stuff listed.
I have also typed in terminal: ncpmount –v, which returned the following: ncpfs version 2.2.6
Well, the ncp part seems ok to me. Though it may only seem :) I assume it also should include some ipx support. In fact, it was said in the ncp readme file that before starting the ncp installation it was necessary to make sure if kernel has IPX support compiled in.
As I mentioned above, to install ncp I run in succession ‘./configure’, ‘make’, as root, ‘make install’ but during the installation process I wasn’t asked about IPX. May be the installation didn’t go smooth and something wasn’t installed?
5. Anyways, I proceeded with you tutorial:
Copied cl4others file from cl4other-0.9.1_x86.tar.gz archive to /usr/bin
6. chmod a+x /usr/bin/cl4others
7. created /mnt/bordermanager
8. the following line was added to /etc/fstab
KGZBIC46/roman /mnt/bordermanager ncp defaults,ro,mode=400,uid=root,gid=root,owner=root,ipserver=10.68.1.1,
passwdfile=/root/.ncppasswd,multiple 0 0
KGZBIC06 – my Border Manager’s name in my Novell’s eDirectory (Netware BorderManager server name)
roman – a username that I usually use to login into me Novell’s network (Netware user you will be accessing the proxy as)
10.68.1.1 – this IP address is bound to the private network card of my Border Manager server and used as the proxy server setting in users’ web browsers.
May be instead KGZBIC46 I should type the whole context name of the Border Manager server?
9. Created .ncppasswd file in /root/ directory with the following entry:
KGZBIC46/roman:mypassword
mypassword – what I usually use to authenticate in eDirectory (both the Novell6 and Border Manager 3.6 servers are in the same tree of eDirectory)
10. chmod og-rwx /root/.ncppasswd
11. When I type ‘mount /mnt/bordermanager’ and hit return, I get the following:
mount.ncp: No such entry (-601) in nds login
Logn denied.
12. I entered FW_SERVICES_EXT_UDP="3024" in /etc/sysconfig/SuSEfirewall2
13. Now, If I have rcSuSEfirewall2 stop-ed and I type ‘cl4others /mnt/bordermanager &’ it returns:
[1] 5071
linux:~ # cl4othersL cannot bind port number 3024
14. If I bring rcSuSEfirewall2 start-ed, the command ‘cl4others /mnt/bordermanager &’ returns the same:
linux:~ # cl4othersL cannot bind port number 3024
David, can you guess what can be wrong in my configuration?
Thank you,
Roman
Step 11 is where it fails
The ncp mount process at step 11 is failing which is causing the problem:
mount.ncp: No such entry (-601) in nds login
Login denied.
You do not need to worry with the ncpfs file sources as the binary version that ships with OpenSUSE via Yast works fine.
I would check that the user that you are trying to log into the Border Manager with has log-in access rights to the Border Manager itself. You may find that whilst your Netware identity has access to the network it doesn't have the rights to log into the Border Manager server.
I would also test logging into a server that you know for sure you can on log on with using ncpfs and mount. If you can prove to yourself that ncpfs is working to a server you know for sure you can log into approaching a network administrator with the problem becomes a lot easier.
You'll need to include your
Re: Check your mount points
Thank you David,
Will try what you're suggesting as I was confused if it was the Novell Client or cl4others working with ncp.
Appreciate your attention.
Roman
Linux Client Trust
You don't have NCP support enabled/installed
For the mount command to work you need to have NCP installed and active on your system. Acheiving this depends on your distribution so if you tell me that I'll be able to help a bit more. The short answer is you need to have the 'ncpfs' kernel module loaded so if you do a Google search for your distribution and 'ncpfs' you should get some pointers.
For SUSE Linux the Yast package is called 'ncpfs' and it is typically installed and enabled by default on the system.
NCP problems
Ensuring you have NCP
Open Yast via the Gnome/KDE menu system or just type yast at a console. From the menu select Software -> Software Management. Once Yast has loaded do a search for 'ncpfs' and if it is not installed select it and install it.
Once installed exit out of Yast and bring up a console (if one is not already open). Run the command 'lsmod | grep ncp' to list all the active kernel modules that have anything to do with NCP. If nothing is shown then as root run the command 'modprobe ncpfs' to load the module into the kernel. Once the ncpfs module is loaded in the kernel then you should be able to run the mount command successfully.
At this point it will probably pay to reboot the system to check whether the module is automatically loaded at start up. If it is not then edit the /etc/sysconfig/kernel file and on the line that reads MODULES_LOADED_ON_BOOT="" add ncpfs between the quotations and save the file. Reboot the system again and you should see that the required module is loaded automatically into the kernel.
Dude! This is sooo sweet!