[K12OSN] LDAP auth for non-existent accounts & best way to add a K12LTSP server to university network
"Terrell Prudé, Jr."
microman at cmosnetworks.com
Wed Jul 27 03:10:25 UTC 2005
Jay Pfaffman wrote:
>I'm trying to set up a K12LTSP box for my university. I'd like to
>authenticate against the university's LDAP (or AD) server for logins
>and Samba. If I add a user, they can authenticate against ldap like I
>want (SMB works for Mac clients, but not Windoze clients, go figure).
>I don't know who my users will be and don't want to have to add them.
>Is there some (easy) way to make it so that if they log in and the
>account doesn't already exist it gets set up & stuff copied from
>/etc/skel and so on?
>Any ideas why Macs can mount Samba, but XP has a problem with
>authenticating? I read something about Samba trying blank passwords
>first or something to try to solve some problem with AD or something,
>but clearly, I didn't really understand it.
>I'm trying hard to convince folks that the teachers we're training
>need to be exposed to Linux and OSS in general. I "won" and got a
>pretty nice server. I lost because it looks like I'm going to be
>sysadmin, at least in the short term. (I'm a Doctor of Philosophy,
>Jim, not a sysadmin! Sysadmins make more money, or did when I started
>grad school.) Worst case I can punt & let our admin install XP on it
>and use it as a file server, but I'd rather not.
>The other thing that I'll need to figure out is the best way to have
>clients connect. I'm inclined to have folks use VNC. I don't control
>the network, which makes DHCP and thin clients troublesome & I'm not
>sure I trust letting random clients connect via NFS. Is there a
>better solution than VNC? What about that NX thing?
I don't know about automatically making home directories when
authenticating against the Craptive Directory, but I do know about XP
clients authenticating against Samba. Yes, you do have to turn on
encrypted passwords if you're using local authentication. This means
that you're using something like smbpasswd or TDBSAM.
What I would do is make your Samba server a member server in the
Craptive Directory. Then, your Samba server will check against the AD
whenever your Windows XP clients want to access files. I did this all
the time back in the Samba 2.2 days with Windows NT 4.0 domains; it
worked quite well with both NT Workstation 4.0 and Win 2K.
As for thin clients, you might want to talk to your DHCP server
administrator about adding the appropriate DHCP scope parameters for
your thin clients. Then, you could simply do a single-NIC K12LTSP
install, turn off dhcpd, and use your enterprise DHCP setup. This is
how I typically do it. The thick clients will simply ignore the
tftpboot and nfsmount stuff and act as they always have. Another option
is to simply put the thin clients' network drops in a VLAN and put your
K12LTSP server's eth0 NIC into that VLAN (I hope you're using Gig-E on
eth0!). You would also turn off the built-in firewall so your Win XP
clients can access the Samba server.
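
The two Samba setups described in the reply above, sketched as smb.conf fragments. This is an added example, not part of the original message; the realm and workgroup names are placeholders, and the two [global] sections are alternatives, not one file.

```ini
# Option A: local authentication (accounts kept on the Samba box itself).
# Windows XP clients send encrypted password hashes, so the server must
# accept them and hold the hashes in its own password database.
[global]
    security = user
    encrypt passwords = yes
    # smbpasswd (flat file) is the other local backend named in the reply
    passdb backend = tdbsam

# Option B: Samba as a member server in Active Directory.
# The server keeps no SMB passwords of its own; logon requests from
# Windows clients are checked against the domain controllers.
[global]
    # placeholder short (NetBIOS) domain name
    workgroup = EXAMPLE
    # placeholder Kerberos realm of the AD domain
    realm = EXAMPLE.EDU
    security = ads
    encrypt passwords = yes
    # With an NT 4.0-style domain, as in the Samba 2.2 setups mentioned
    # in the reply, the equivalent is:
    #   security = domain
    #   password server = *

# After writing Option B, the machine account is created once with
#   net ads join -U <domain-admin-account>
# (or "net rpc join" for security = domain), then smbd is restarted.
```

`testparm` reports syntax errors in either file before smbd is restarted.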