[Date Prev][Date Next] [Thread Prev][Thread Next]
Re: [K12OSN] How-tos on configuring K12LTSP logons to Active Directory
- From: Tom Wolfe <twolfe sawback com>
- To: Tom Wolfe <twolfe sawback com>
- Cc: "Support list for open source software in schools." <k12osn redhat com>
- Subject: Re: [K12OSN] How-tos on configuring K12LTSP logons to Active Directory
- Date: Fri, 1 Dec 2006 19:22:52 -0500 (EST)
OK, so I've figured it all out. Step 2 was so easy I felt like a real
dufus thinking about all I put myself through, but Step 3 was a little
trickier and it made me feel a little better after I figured it out. Is
there somewhere I can post this, i.e. is the wiki a good spot?
2. Getting home directories to be automagically created using
* edit /etc/pam.d/system-auth and add the following line to the session
session required pam_mkhomedir.so umask=0022
Step 3: Automagic shortcut to user's Windows document folder.
a) Set the mount executable.
Somewhere along the line I decided to use mount.cifs instead of mount -t
cifs. So I changed the following line in /etc/security/pam_mount.conf:
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
to read as follows:
cifsmount /sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
...which just kind of tidies things up a bit. Note that this is ALL ONE
b) Set the appropriate permissions on the executable so that users can run
$ chmod u+s /sbin/mount.cifs
$ chmod u+s /bin/umount
c) Set up the mount point configuration.
To the file /etc/security/pam_mount.conf add the following line at the
volume * cifs srv02.morleyschool.ed StudentHome$
uid=&,gid=&,dmask=750,workgroup=MORLEYSCHOOL - -
...note that this is ALL ONE LINE with a single whitespace between the
.windowsShare and the uid, alternately you could try:
volume * cifs fileserver.domain.com StudentHome$ \
uid=&,gid=&,dmask=750,workgroup=DOMAIN - -
and see if that does it. This line follows the syntax described in the
pam_mount.conf default file to create a share at mount point
/home/DOMAIN/[user]/.windowsShare to the share called StudentHome$ on a
machine with a FQDN of fileserver.domain.com in the DOMAIN
On Fri, 1 Dec 2006, Tom Wolfe wrote:
> OK so here is a simple how-to on getting K12LTSP 5.0 (fresh install before
> ANY mucking around with pam.d etc.) logons to Active Directory.
> I can't understand why I couldn't find anything out there in LTSP
> lalaland, so here is my humble and non-authoritative offering after
> beating my head over it for a couple of hours.
> 1. Getting Authentication with Active Directory to work.
> This is incredibly EASY. You just need to know what to do. Yes, you can
> fart around with the pam.d, nsswitch.conf, and krb5.conf settings at great
> peril but why waste your time. Here's a step by step using Fedora's gui
> authconfig tool.
> a) Make sure you have a functioning ntp daemon. I won't describe this as
> it's well documented elsewhere. Kerberos needs to have good time
> synchronisation to work.
> b) From Gnome desktop go to System > Administration > Authentication. This
> starts up the gui authconfig tool (after entering your root password).
> c) Check "Enable Winbind Support" and click "Configure Winbind". Enter
> the following in the requested fields:
> * Winbind Domain: your domain, that is the first part of your domain
> before the first period, all in caps e.g. "DOMAIN"
> * Security Model: select "ads" from the menu
> * Winbind ADS Realm: type in your entire domain name. e.g. all in
> caps e.g. "DOMAIN.COM"
> * Winbind Domain Controllers: the address of a W2K or W2K3 Active
> Directory Domain Controller, e.g. "dc1.domain.com"
> * Template shell: CHANGE THIS to "/bin/bash" or whatever, just don't
> leave it as the default or your users will get "Sys Admin has
> disabled your account" errors when they try to log on.
> * Click OK
> d) Change to the "Authentication" tab.
> e) Check "Enable Kerberos" Support and click "Configure Kerberos".
> Enter the following in the requested fields:
> * Realm:
> * KDC's (Kerberos Domain Controller, on a small network probably the
> same as your AD DC/PDC) e.g. dc1.domain.com
> * Admin Servers (ditto to what I said about KDCs above) e.g.
> * If you have a well-functioning DNS you can check the boxes below.
> Maybe do this after a manual setup is up and running.
> * Click OK
> f) Under "Options" check "Local authorization is sufficient for local
> users" if you have any non-domain/K12LTSP/local users that you want to
> be able to log on. I checked this, it makes life easier.
> g) Click OK
> h) Start up a console/terminal. Enter the following command, substituting
> "administrator" for a domain admin name if "administrator" is not what
> you use. (this assumes that the user is a member of the sudoers group;
> if not, log on to a console on the server as root):
> [k12 lalauser ~]$ sudo net ads join -U administrator
> You should see a bunch of stuff flash before you but the most important
> is a message indicating that you have joined successfully. This comes
> in the last two lines. If you were unsuccessful then, alas, my how-to
> was of no avail and I'm afraid I won't be able to help you as my
> expertise is very limited.
> 2. Getting home directories to be automagically created using
> *** PLEASE ADD A SIMPLE HOW-TO ON THIS AS FOR THE LIFE OF ME NOTHING I
> HAVE TRIED HAS WORKED YET... AND I'VE TRIED A MUCKLOAD OF THINGS TOO ***
> - BUT for now I'm happy, my little starter lab of 25 ca 1996-1999 $#itbox
> computers is ticking away with Fedora/Gnome desktops and ready for beta
> testing on some unsuspecting class next week -- because I wrote a script
> to manually create about 700 user home directories and everything is
> working... Woohoo!
> - while I'm at it I might as well explain how I made the 700 user home
> directories in case someone else wishes to do the same because they're as
> dumb as me and can't get pam_mkhomedir to work either (this is really
> hackish so bear with me or at least forgive me):
> a) Create a list of users via winbind. Here's an easy way:
> $ wbinfo -u > userlist.txt
> b) Import this list with a spreadsheet program and use it to
> create a batch file. For example, duplicate this formula, which
> makes use of the much-abused concatenate function, in column B:
> =concatenate("mkdir /home/DOMAIN/";A1;" & chown ";A1;" /home/DOMAIN/";A1)
> ...where the A column contains a list of all users to create a
> bunch of one-liners that create the user's directory and change
> ownership to the user.
> c) Save the output of this into a file in your /home/DOMAIN
> directory e.g. /home/DOMAIN/mkhomedirs.sh then from the command
> $ cd /home/DOMAIN
> $ chmod 700
> $ mkhomedirs.sh
> $ ./mkhomedirs.sh
> d) Then make sure that all of the file names in /home/DOMAIN are
> lower case. Here's a simple script that will do that:
> for i in *
> j=`echo $i | tr '[A-Z]' '[a-z]'`
> mv $i $j
> - but I want to save myself hassles in the future and get the
> pam_mkhomedir up and running, so please set me straight.
> 3. Getting a nice little shortcut to your user's home directory to
> automagically appear on their desktop once they've logged on.
> *** OK, I HAVEN'T GIVEN THIS HALF AS MUCH EFFOR AS EITHER STEPS 1 OR 2 BUT
> STILL NO LUCK WITH THIS EITHER. PLEASE ADD YOUR HOW-TO AND MAKE MY LIFE
> HAPPY ***
> So as you can see I still have a ways to go. I tried John's ideas below
> but none of it seemed to work out despite many efforts and copying my
> backup /etc files to rescue grim outcomes. The effort did give me some
> insight into the whole process, including a few questions:
> Why is it that samba does not appear to be installed from the Yum gui
> tool, and yet when I try to install it it says that there are conflicts
> with an existing samba installation....? And I can find a bunch of samba
> utilities, e.g. smbclient and so on. And... "service samba" start doesn't
> do anything, I can't find the smbd or nmbd executables anywhere, and how
> do I get the smbd and nmbd daemons running? And finally webmin shows that
> samba is not installed... until of course I uninstall it with Yum (which
> seems to want to uninstall half of everything including KDE and
> Gnome...???) and reinstall samba again afterwards...
> Forgive my ignorance, I come from FreeBSD lalaland which is a vastly
> different place when it comes to installing and updating.
> Thanks to everyone for your continued help on pointing me right.
> Tom Wolfe
> On Fri, 17 Nov 2006, john wrote:
> > Hi Tom,
> > Take a look at this doc. It uses ubuntu, but for the most part it's agnostic
> > in terms of flavor. The pam.d section is very good.
> > https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
> > After your users can authenticate with their Windows domain credentials
> > Basically:
> > 1) install pam_mount
> > 2) Leave all of the stuff at the top alone and at the bottom of the file
> > configure /etc/security/pam_mount.conf to look something like:
> > volume * smbfs FILE_SERVER DIRECTORY_W-STND_SHARES
> > /home/WINDOWS/&/.windowsShare
> > uid=&,gid=&,dmask=750,workgroup=YOUR_WIN_DOMAIN - -
> > This file will:
> > a) look for the fileserver by name or ip (i added to file server to my
> > /etc/hosts file just to be sure).
> > b) mount the shared directory
> > c) mount the share whereever you want it to be in this case in
> > /home/WINDOWS/domain_user/.hiddenfile (pam_mount will auto-magically create
> > this if it doesn't exist, I believe)
> > d) Then I use a little script to in /etc/gdm/PostLogin/Default to create a
> > shortcut on the desktop which points to the hidden windows share. It's not
> > quite right yet, but you can try it out:
> > #!/bin/sh
> > zd=/home/WINDOWS/$USER/Desktop/ZDrive
> > if [ ! -L $zd ]
> > then
> > rm -f /home/VANGUARD/$USER/Desktop/ZDrive
> > ln -s $HOME/.windowsShare/*/$USER $zd
> > fi
> > Hope this helps.
> > John
> > On 11/17/06, Tom Wolfe <twolfe sawback com> wrote:
> > >
> > > Good news: I've got a functioning lab of 20 ancient machines composed of
> > > 1996 IBM 350s and a bunch of custom PIII machines from the late 1990s. The
> > > principal is psyched and the teachers are psyched. It's quite the sight,
> > > all of that ancient hardware spitting out a KDE desktop. I'm planning on
> > > adding another 15-workstation lab on the other side of the school powered
> > > by the same server, we'll see how that works.
> > >
> > > No sound yet, I gave up the fight last week and am hoping for divine
> > > intervention on that one. Teachers seem far less discouraged by that than
> > > I though.
> > >
> > > Now I just have to get things moving with domain logons and home
> > > directories.
> > >
> > > Can anyone suggest a helpful how-to on configuring K12LTSP logons to
> > > Active Directory...? Or should I just hit the samba docs? I've already got
> > > authentication working, and I think I just need to configure the pam.d
> > > configs.
> > >
> > > Regards,
> > > Tom Wolfe
> > >
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN redhat com
> > > https://www.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > >
[Date Prev][Date Next] [Thread Prev][Thread Next]