[K12OSN] LDAP auth for non-existent accounts & best way to add a K12LTSP server to university network

Shahms King shahms at shahms.com
Wed Jul 27 15:26:19 UTC 2005


Jay Pfaffman wrote:
| I'm trying to set up a K12LTSP box for my university.  I'd like to
| authenticate against the university's LDAP (or AD) server for logins
| and Samba.  If I add a user, they can authenticate against ldap like I
| want (SMB works for Mac clients, but not Windoze clients, go figure).
| I don't know who my users will be and don't want to have to add them.
| Is there some (easy) way to make it so that if they log in and the
| account doesn't already exist it gets set up & stuff copied from
| /etc/skel and so on?

There are two parts to this:
1) Making the local machine aware of the user (having an "account")
2) Creating a home directory

The first is accomplished by adding the requisite "NIS" information to
the LDAP (or AD) server and changing /etc/nsswitch.conf to use LDAP for
the user, group and shadow databases.

The second can be done with pam_mkhomedir which is documented in:
/usr/share/doc/pam-0.79/txts/README.pam_mkhomedir

(On my machine, it may have a different version number for you).

If you are unable or unwilling to add the extra fields to the user
accounts, it should also be relatively easy to write a short script that
will create accounts in the local /etc/passwd, /etc/shadow and
/etc/group for every user in the LDAP directory and still use
pam_mkhomedir to only create home directories for those that actually
log in.  It's not pretty, but it should work.  In fact, I'm pretty sure
Eric has some scripts that do exactly that. I *know* they aren't pretty,
but do work ;-P

--
Shahms E. King <shahms at shahms.com>
Multnomah ESD

Public Key:
http://shahms.mesd.k12.or.us/~sking/shahms.asc
Fingerprint:
1612 054B CE92 8770 F1EA  AB1B FEAB 3636 45B2 D75B
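
One way to check that both pieces from the message above are in place on a server, as an added example that is not part of the original post and is not one of the scripts it mentions. The function names, the PAM file name (system-auth) and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits the two pieces described in the message above.
# Paths are arguments so the checks can run against copies of the real files.

# nss_uses_ldap FILE DB: succeeds if DB's line in FILE lists "ldap" as a source.
nss_uses_ldap() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
        END { exit !ok }' "$1"
}

# mkhomedir_line FILE: prints the first uncommented session line that loads
# pam_mkhomedir.so; fails if there is none.
mkhomedir_line() {
    awk '{ sub(/#.*/, "") }
        $1 == "session" && /pam_mkhomedir\.so/ { print; ok = 1; exit }
        END { exit !ok }' "$1"
}

# mkhomedir_umask FILE: prints the value of the umask= option, or "unset".
mkhomedir_umask() {
    mkhomedir_line "$1" | tr ' \t' '\n\n' | sed -n 's/^umask=//p' | grep . || echo unset
}

# audit NSSWITCH PAMFILE: prints findings; returns non-zero if a piece is missing.
audit() {
    rc=0
    for db in passwd group shadow; do
        if nss_uses_ldap "$1" "$db"; then echo "ok:   $db resolves through ldap"
        else echo "FAIL: $db has no ldap source in $1"; rc=1; fi
    done
    if mkhomedir_line "$2" >/dev/null; then
        mask=$(mkhomedir_umask "$2")
        echo "ok:   pam_mkhomedir is in the session stack (umask=$mask)"
        # The module's documented default mask is 0022, which leaves new home
        # directories readable by every other user of the terminal server.
        case $mask in 0077|077) ;; *) echo "WARN: new homes readable beyond the owner" ;; esac
    else
        echo "FAIL: no pam_mkhomedir session line in $2"; rc=1
    fi
    return $rc
}

# Constructed sample files (not from a real host); shadow is left unconverted.
demo=$(mktemp -d)
printf '%s\n' 'passwd: files ldap' 'group: files ldap' 'shadow: files' >"$demo/nsswitch.conf"
printf '%s\n' '#session required pam_mkhomedir.so' \
    'session required pam_mkhomedir.so skel=/etc/skel umask=0077' >"$demo/system-auth"
audit "$demo/nsswitch.conf" "$demo/system-auth" || echo "=> fix the FAIL lines above"
```

On a live system the same call would be pointed at /etc/nsswitch.conf and whichever file under /etc/pam.d carries the session stack for the login services in use.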
