[K12OSN] How-tos on configuring K12LTSP logons to Active Directory

Tom Wolfe twolfe at sawback.com
Fri Dec 1 22:18:33 UTC 2006


OK so here is a simple how-to on getting K12LTSP 5.0 (fresh install before
ANY mucking around with pam.d etc.) logons to Active Directory.

I can't understand why I couldn't find anything out there in LTSP
lalaland, so here is my humble and non-authoritative offering after
beating my head over it for a couple of hours.

1. Getting Authentication with Active Directory to work.

This is incredibly EASY. You just need to know what to do. Yes, you can
fart around with the pam.d, nsswitch.conf, and krb5.conf settings at great
peril but why waste your time. Here's a step-by-step using Fedora's gui
authconfig tool.

a) Make sure you have a functioning ntp daemon. I won't describe this as
   it's well documented elsewhere. Kerberos needs to have good time
   synchronisation to work.
b) From Gnome desktop go to System > Administration > Authentication. This
   starts up the gui authconfig tool (after entering your root password).
c) Check "Enable Winbind Support" and click "Configure Winbind". Enter
   the following in the requested fields:
   * Winbind Domain: your domain, that is the first part of your domain
        before the first period, all in caps e.g. "DOMAIN"
   * Security Model: select "ads" from the menu
   * Winbind ADS Realm: type in your entire domain name, all in caps,
        e.g. "DOMAIN.COM"
   * Winbind Domain Controllers: the address of a W2K or W2K3 Active
        Directory Domain Controller, e.g. "dc1.domain.com"
   * Template shell: CHANGE THIS to "/bin/bash" or whatever, just don't
        leave it as the default or your users will get "Sys Admin has
        disabled your account" errors when they try to log on.
   * Click OK
d) Change to the "Authentication" tab.
e) Check "Enable Kerberos Support" and click "Configure Kerberos". Enter
   the following in the requested fields:
   * Realm:
   * KDCs (Kerberos Domain Controller, on a small network probably the
        same as your AD DC/PDC) e.g. dc1.domain.com
   * Admin Servers (ditto to what I said about KDCs above) e.g.
        dc1.domain.com
   * If you have a well-functioning DNS you can check the boxes below.
        Maybe do this after a manual setup is up and running.
   * Click OK
f) Under "Options" check "Local authorization is sufficient for local
   users" if you have any non-domain/K12LTSP/local users that you want to
   be able to log on. I checked this, it makes life easier.
g) Click OK
h) Start up a console/terminal. Enter the following command, substituting
   "administrator" for a domain admin name if "administrator" is not what
   you use. (this assumes that the user is a member of the sudoers group;
   if not, log on to a console on the server as root):

	[k12@lalauser ~]$ sudo net ads join -U administrator

   You should see a bunch of stuff flash before you but the most important
   is a message indicating that you have joined successfully. This comes
   in the last two lines. If you were unsuccessful then, alas, my how-to
   was of no avail and I'm afraid I won't be able to help you as my
   expertise is very limited.

2. Getting home directories to be automagically created using
pam_mkhomedir.

*** PLEASE ADD A SIMPLE HOW-TO ON THIS AS FOR THE LIFE OF ME NOTHING I
HAVE TRIED HAS WORKED YET... AND I'VE TRIED A MUCKLOAD OF THINGS TOO ***

- BUT for now I'm happy, my little starter lab of 25 ca 1996-1999 $#itbox
computers is ticking away with Fedora/Gnome desktops and ready for beta
testing on some unsuspecting class next week -- because I wrote a script
to manually create about 700 user home directories and everything is
working... Woohoo!

- while I'm at it I might as well explain how I made the 700 user home
directories in case someone else wishes to do the same because they're as
dumb as me and can't get pam_mkhomedir to work either (this is really
hackish so bear with me or at least forgive me):

	a) Create a list of users via winbind. Here's an easy way:
		$ wbinfo -u > userlist.txt
	b) Import this list with a spreadsheet program and use it to
	   create a batch file. For example, duplicate this formula, which
	   makes use of the much-abused concatenate function, in column B:
	    =concatenate("mkdir /home/DOMAIN/";A1;" && chown ";A1;" /home/DOMAIN/";A1)
 	   ...where the A column contains a list of all users to create a
	   bunch of one-liners that create the user's directory and change
	   ownership to the user.
	c) Save the output of this into a file in your /home/DOMAIN
	   directory e.g. /home/DOMAIN/mkhomedirs.sh then from the command
	   line:
		$ cd /home/DOMAIN
		$ chmod 700 mkhomedirs.sh
		$ sudo ./mkhomedirs.sh
	d) Then make sure that all of the file names in /home/DOMAIN are
	   lower case. Here's a simple script that will do that:
		#!/bin/sh
		# Run from /home/DOMAIN: rename every entry to its lower-case
		# form. Names that are already lower case are skipped so mv is
		# never handed the same path twice; quoting keeps names with
		# spaces intact.
		for i in *
		do
		j=`echo "$i" | tr '[A-Z]' '[a-z]'`
		[ "$i" != "$j" ] && mv "$i" "$j"
		done

- but I want to save myself hassles in the future and get the
pam_mkhomedir up and running, so please set me straight.

3. Getting a nice little shortcut to your user's home directory to
automagically appear on their desktop once they've logged on.

*** OK, I HAVEN'T GIVEN THIS HALF AS MUCH EFFORT AS EITHER STEPS 1 OR 2 BUT
STILL NO LUCK WITH THIS EITHER. PLEASE ADD YOUR HOW-TO AND MAKE MY LIFE
HAPPY ***


---

So as you can see I still have a ways to go. I tried John's ideas below
but none of it seemed to work out despite many efforts and copying my
backup /etc files to rescue grim outcomes. The effort did give me some
insight into the whole process, including a few questions:

Why is it that samba does not appear to be installed from the Yum gui
tool, and yet when I try to install it it says that there are conflicts
with an existing samba installation....? And I can find a bunch of samba
utilities, e.g. smbclient and so on. And... "service samba start" doesn't
do anything, I can't find the smbd or nmbd executables anywhere, and how
do I get the smbd and nmbd daemons running? And finally webmin shows that
samba is not installed... until of course I uninstall it with Yum (which
seems to want to uninstall half of everything including KDE and
Gnome...???) and reinstall samba again afterwards...

Forgive my ignorance, I come from FreeBSD lalaland which is a vastly
different place when it comes to installing and updating.

Thanks to everyone for your continued help on pointing me right.

Regards,
Tom Wolfe

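Section 1 above depends on authconfig writing sane values into /etc/samba/smb.conf and /etc/krb5.conf, in particular the template shell change in step 1c. The script below is an added example for this thread, not code from the original post or from K12LTSP: it parses two constructed sample smb.conf files (one resembling the defaults before the template-shell change, one with the values the how-to ends up with) plus a constructed krb5.conf, and flags the settings that would make "net ads join" or the first domain logon fail. Assumptions not stated in the post: the key names are Samba's and MIT Kerberos's standard ones ("security", "realm", "workgroup", "template shell", "default_realm"), and a template shell of /bin/false or /sbin/nologin is what produces the "disabled your account" error.

```sh
#!/bin/sh
# check_adjoin_conf.sh -- sanity-check the smb.conf / krb5.conf values that
# authconfig writes for a winbind "ads" join, before running "net ads join".
# Added example for this thread; not code from the original post or K12LTSP.
# Assumptions (not stated in the post): standard Samba / MIT Kerberos key
# names; a template shell of /bin/false or /sbin/nologin is what yields the
# "disabled your account" logon error (authconfig's default is /bin/false).

# ini_get FILE KEY: print the first value of KEY (KEY given lower-case with
# spaces removed, e.g. templateshell) from an smb.conf/krb5.conf-style file.
# Lines starting with # or ; are comments; section headers contain no "=".
ini_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") > 0 {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", k)
            if (k == want) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# is_upper STR: true if STR is non-empty and already all upper-case
# (Kerberos realm names are case-sensitive and conventionally upper-case).
is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]
}

problems=0
complain() {
    printf 'PROBLEM: %s\n' "$1"
    problems=$((problems + 1))
}

# check_smb_conf SMB_CONF [KRB5_CONF]: report every setting that would break
# the join or the first domain logon; return 0 only if nothing was found.
check_smb_conf() {
    problems=0

    sec=$(ini_get "$1" security)
    [ "$sec" = "ads" ] || complain "security = '$sec' (an AD/Kerberos join needs 'ads')"

    realm=$(ini_get "$1" realm)
    is_upper "$realm" || complain "realm = '$realm' (use the full DNS domain in upper case, e.g. DOMAIN.COM)"

    wg=$(ini_get "$1" workgroup)
    is_upper "$wg" || complain "workgroup = '$wg' (use the short NetBIOS domain in upper case, e.g. DOMAIN)"

    shell=$(ini_get "$1" templateshell)
    case "$shell" in
        ""|/bin/false|/sbin/nologin|/usr/sbin/nologin)
            complain "template shell = '${shell:-unset}' (domain users cannot log on; set e.g. /bin/bash)" ;;
    esac

    if [ -n "$2" ]; then
        krealm=$(ini_get "$2" default_realm)
        [ "$krealm" = "$realm" ] || complain "krb5.conf default_realm = '$krealm' does not match smb.conf realm = '$realm'"
    fi

    [ "$problems" -eq 0 ]
}

# write_samples DIR: constructed sample files (not real configs from the post).
write_samples() {
    cat > "$1/weak.smb.conf" <<'EOF'
[global]
   workgroup = domain
   security = ads
   realm = domain.com
   template shell = /bin/false
   winbind use default domain = false
EOF
    cat > "$1/good.smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.COM
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = true
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = dc1.domain.com
  admin_server = dc1.domain.com
 }
EOF
}

# Demo on the constructed samples; on a real box run
#   check_smb_conf /etc/samba/smb.conf /etc/krb5.conf
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak.smb.conf =="; check_smb_conf "$tmp/weak.smb.conf" "$tmp/krb5.conf" || echo "=> not joinable yet"
echo "== good.smb.conf =="; check_smb_conf "$tmp/good.smb.conf" "$tmp/krb5.conf" && echo "=> looks OK; now: sudo net ads join -U administrator"
rm -rf "$tmp"
```

Run it after clicking OK in authconfig and before step 1h; the realm and default_realm comparison catches the common case where smb.conf and krb5.conf disagree on case, which Kerberos treats as two different realms.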

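The spreadsheet, mkhomedirs.sh and lower-casing steps of section 2 can be done by one shell script that reads the "wbinfo -u" list directly. This is an added example for this thread, not code from the original post or from K12LTSP. It assumes wbinfo prints one account per line, either bare ("jsmith") or with the winbind separator ("DOMAIN\jsmith" or "DOMAIN+jsmith", depending on the "winbind use default domain" and "winbind separator" settings), and that homes live under /home/DOMAIN/<user> as in the post; the user list it runs on with no arguments is constructed. It skips machine accounts (names ending in "$"), lower-cases each name as it goes instead of renaming afterwards, is safe to re-run, and only chowns when the account resolves through NSS, so it can be tried unprivileged against a temporary directory first.

```sh
#!/bin/sh
# make_homedirs.sh -- create /home/DOMAIN/<user> for every account listed by
# "wbinfo -u", replacing the spreadsheet + mkhomedirs.sh + lower-casing steps.
# Added example for this thread; not code from the original post or K12LTSP.
# Assumptions (not stated in the post): wbinfo prints one account per line,
# bare ("jsmith") or with the winbind separator ("DOMAIN\jsmith" or
# "DOMAIN+jsmith"); the sample list in the demo below is constructed.

# homedir_name ENTRY: strip a "DOMAIN\" or "DOMAIN+" prefix and lower-case
# the rest, so the directory name matches the post's all-lower-case layout.
homedir_name() {
    printf '%s\n' "$1" | sed 's/^[^\\+]*[\\+]//' | tr 'A-Z' 'a-z'
}

# make_homedirs LISTFILE BASEDIR: create BASEDIR/<name> (mode 0700, populated
# from /etc/skel like pam_mkhomedir would) for each account; chown only when
# NSS/winbind resolves the account, otherwise warn and leave it owned by the
# caller. Existing homes and machine accounts (sAMAccountName ending in "$")
# are skipped, so re-running is safe. Prints the number of directories created.
make_homedirs() {
    list=$1
    base=$2
    created=0
    mkdir -p "$base"
    while IFS= read -r entry; do
        case "$entry" in
            ""|*'$') continue ;;           # blank line or computer account
        esac
        name=$(homedir_name "$entry")
        dir="$base/$name"
        if [ -d "$dir" ]; then continue; fi   # already there: keep it as is
        mkdir -m 0700 "$dir"
        if [ -d /etc/skel ]; then
            cp -R /etc/skel/. "$dir" 2>/dev/null || echo "warning: could not copy /etc/skel into $dir" >&2
        fi
        if id -u "$entry" >/dev/null 2>&1; then
            chown -R "$(id -u "$entry"):$(id -g "$entry")" "$dir"
        else
            echo "warning: '$entry' does not resolve via NSS (winbind not running?);" \
                 "$dir left owned by $(id -un)" >&2
        fi
        created=$((created + 1))
    done < "$list"
    echo "$created"
}

# Real use:  wbinfo -u > users.txt && sudo ./make_homedirs.sh users.txt /home/DOMAIN
# With no arguments, run a demo on a constructed list in a temporary tree.
if [ $# -eq 2 ]; then
    make_homedirs "$1" "$2"
else
    tmp=$(mktemp -d)
    printf '%s\n' 'DOMAIN\JSmith' 'DOMAIN\mary.jones' 'DOMAIN\PC1$' \
                  'DOMAIN\Lab Guest' 'jsmith' > "$tmp/users.txt"
    n=$(make_homedirs "$tmp/users.txt" "$tmp/home/DOMAIN")
    echo "created $n directories under $tmp/home/DOMAIN:"
    ls -la "$tmp/home/DOMAIN"
    rm -rf "$tmp"
fi
```

When run as root on the server, the chown branch is what matters: "id -u" succeeding for an entry proves winbind is answering NSS lookups, which is also the first thing to verify when pam_mkhomedir itself refuses to create anything.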

On Fri, 17 Nov 2006, john wrote:

> Hi Tom,
>
> Take a look at this doc. It uses ubuntu, but for the most part it's agnostic
> in terms of flavor. The pam.d section is very good.
>
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>
> After your users can authenticate with their Windows domain credentials
> Basically:
>
> 1) install pam_mount
>
> 2) Leave all of the stuff at the top alone and at the bottom of the file
> configure /etc/security/pam_mount.conf to look something like:
>
>
> volume * smbfs FILE_SERVER DIRECTORY_W-STND_SHARES /home/WINDOWS/&/.windowsShare uid=&,gid=&,dmask=750,workgroup=YOUR_WIN_DOMAIN - -
>
> This file will:
>
> a) look for the fileserver by name or ip (I added the file server to my
> /etc/hosts file just to be sure).
> b) mount the shared directory
> c) mount the share wherever you want it to be in this case in
> /home/WINDOWS/domain_user/.hiddenfile (pam_mount will auto-magically create
> this if it doesn't exist, I believe)
>
> d) Then I use a little script in /etc/gdm/PostLogin/Default to create a
> shortcut on the desktop which points to the hidden windows share. It's not
> quite right yet, but you can try it out:
>
> #!/bin/sh
> # Runs from /etc/gdm/PostLogin/Default after a domain logon: put a
> # "ZDrive" symlink on the desktop pointing at the pam_mount'ed share.
> zd="/home/WINDOWS/$USER/Desktop/ZDrive"
> if [ ! -L "$zd" ]
> then
>     mkdir -p "${zd%/*}"
>     rm -f "$zd"
>     ln -s "$HOME"/.windowsShare/*/"$USER" "$zd"
> fi
>
> Hope this helps.
>
> John
>
> On 11/17/06, Tom Wolfe <twolfe at sawback.com> wrote:
> >
> > Good news: I've got a functioning lab of 20 ancient machines composed of
> > 1996 IBM 350s and a bunch of custom PIII machines from the late 1990s. The
> > principal is psyched and the teachers are psyched. It's quite the sight,
> > all of that ancient hardware spitting out a KDE desktop. I'm planning on
> > adding another 15-workstation lab on the other side of the school powered
> > by the same server, we'll see how that works.
> >
> > No sound yet, I gave up the fight last week and am hoping for divine
> > intervention on that one. Teachers seem far less discouraged by that than
> > I thought.
> >
> > Now I just have to get things moving with domain logons and home
> > directories.
> >
> > Can anyone suggest a helpful how-to on configuring K12LTSP logons to
> > Active Directory...? Or should I just hit the samba docs? I've already got
> > authentication working, and I think I just need to configure the pam.d
> > configs.
> >
> > Regards,
> > Tom Wolfe
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> >
>



