[K12OSN] How-tos on configuring K12LTSP logons to Active Directory

Tom Wolfe twolfe at sawback.com
Sat Dec 2 00:22:52 UTC 2006

OK, so I've figured it all out. Step 2 was so easy I felt like a real
dufus thinking about all I put myself through, but Step 3 was a little
trickier and it made me feel a little better after I figured it out. Is
there somewhere I can post this, i.e. is the wiki a good spot?

2. Getting home directories to be automagically created using

   * edit /etc/pam.d/system-auth and add the following line to the session

        session    required     pam_mkhomedir.so umask=0022

Step 3: Automagic shortcut to user's Windows document folder.

a) Set the mount executable.

Somewhere along the line I decided to use mount.cifs instead of mount -t
cifs. So I changed the following line in /etc/security/pam_mount.conf:

cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
"username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"

to read as follows:

cifsmount /sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
"username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"

...which just kind of tidies things up a bit. Note that this is ALL ONE

b) Set the appropriate permissions on the executable so that users can run

	$ chmod u+s /sbin/mount.cifs
	$ chmod u+s /bin/umount

c) Set up the mount point configuration.

To the file /etc/security/pam_mount.conf add the following line at the
very bottom:

volume * cifs srv02.morleyschool.ed StudentHome$ /home/MORLEYSCHOOL/&/.windowsShare
uid=&,gid=&,dmask=750,workgroup=MORLEYSCHOOL - -

...note that this is ALL ONE LINE with a single whitespace between the
.windowsShare and the uid; alternatively you could try:

volume * cifs fileserver.domain.com StudentHome$ \
  /home/MORLEYSCHOOL/&/.windowsShare \
  uid=&,gid=&,dmask=750,workgroup=DOMAIN - -

and see if that does it. This line follows the syntax described in the
pam_mount.conf default file to create a share at mount point
/home/DOMAIN/[user]/.windowsShare to the share called StudentHome$ on a
machine with a FQDN of fileserver.domain.com in the DOMAIN

Tom Wolfe
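
The pam_mount volume line in Step 3 decides where each user's share lands and who owns the mount, and a typo in it is only noticed at the next logon. The script below is an added example, not code from the thread: it expands such a line for one login name the way pam_mount does (every `&` becomes the user) and then checks that the mount point stays below the user's own /home/<domain>/<user> directory and that the options pin uid/gid to the user with a dmask closed to "other". The sample line is constructed from the Step 3 values; fileserver.domain.com, StudentHome$ and DOMAIN are the post's placeholders, and the check functions and their names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: expand a pam_mount.conf "volume" line
# for one login name ("&" becomes the user, as pam_mount does at login) and
# audit the result. Sample line constructed from the Step 3 values; the
# host, share and domain names are the post's placeholders.

# Field layout of a volume line:
#   volume USER FSTYPE SERVER SHARE MOUNTPOINT OPTIONS FSKEYCIPHER FSKEYPATH
SAMPLE_VOLUME='volume * cifs fileserver.domain.com StudentHome$ /home/DOMAIN/&/.windowsShare uid=&,gid=&,dmask=750,workgroup=DOMAIN - -'

# expand_volume LINE USER: prints "FSTYPE SERVER SHARE MOUNTPOINT OPTIONS"
# with every "&" replaced by USER. Returns 1 for a non-volume line, 2 when
# the USER field names somebody else, 3 for a login name that cannot be
# substituted safely (only [A-Za-z0-9._-] is accepted here).
expand_volume() {
    line=$1; user=$2
    case $user in ''|*[!A-Za-z0-9._-]*) return 3 ;; esac
    set -f                       # the "*" user field must not glob-expand
    set -- $line
    set +f
    [ "$1" = "volume" ] || return 1
    [ "$2" = "*" ] || [ "$2" = "$user" ] || return 2
    mntpt=$(printf '%s\n' "$6" | sed "s/&/$user/g")
    opts=$(printf '%s\n' "$7" | sed "s/&/$user/g")
    printf '%s %s %s %s %s\n' "$3" "$4" "$5" "$mntpt" "$opts"
}

# check_mountpoint MOUNTPOINT USER: 0 only when the mount lands below
# /home/<domain>/USER/ and the path has no ".." component, so a bad line
# cannot mount a share over a system directory.
check_mountpoint() {
    case $1 in
        */..|*/../*|../*) return 1 ;;
    esac
    case $1 in
        /home/*/"$2"/?*) return 0 ;;
    esac
    return 1
}

# check_options OPTIONS USER: 0 only when uid= and gid= are pinned to USER
# and dmask ends in 0 (no access for "other"), which is what the thread's
# uid=&,gid=&,dmask=750 achieves.
check_options() {
    user=$2; have_uid=0; have_gid=0; other=7
    oldifs=$IFS; IFS=,
    set -f; set -- $1; set +f
    IFS=$oldifs
    for o in "$@"; do
        case $o in
            "uid=$user") have_uid=1 ;;
            "gid=$user") have_gid=1 ;;
            dmask=*) m=${o#dmask=}; other=${m#"${m%?}"} ;;   # last octal digit
        esac
    done
    [ "$have_uid" -eq 1 ] && [ "$have_gid" -eq 1 ] && [ "$other" = 0 ]
}

# audit_volume LINE USER: prints the expanded mount and returns 0 only when
# both checks pass; the reason goes to stderr otherwise.
audit_volume() {
    user=$2
    expanded=$(expand_volume "$1" "$user") || return 1
    set -f; set -- $expanded; set +f
    printf '%s\n' "$expanded"
    check_mountpoint "$4" "$user" ||
        { echo "mount point $4 is outside the home of $user" >&2; return 1; }
    check_options "$5" "$user" ||
        { echo "options '$5' do not pin ownership to $user with a closed dmask" >&2; return 1; }
}

# usage: audit_volume "$SAMPLE_VOLUME" tom
```

Run `audit_volume` against each volume line you add to pam_mount.conf with a real login name before testing at the console; a line whose mount point ends up under /mnt or whose dmask is 777 is reported rather than silently mounted.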

On Fri, 1 Dec 2006, Tom Wolfe wrote:

> OK so here is a simple how-to on getting K12LTSP 5.0 (fresh install before
> ANY mucking around with pam.d etc.) logons to Active Directory.
> I can't understand why I couldn't find anything out there in LTSP
> lalaland, so here is my humble and non-authoritative offering after
> beating my head over it for a couple of hours.
> 1. Getting Authentication with Active Directory to work.
> This is incredibly EASY. You just need to know what to do. Yes, you can
> fart around with the pam.d, nsswitch.conf, and krb5.conf settings at great
> peril but why waste your time. Here's a step by step using Fedora's gui
> authconfig tool.
> a) Make sure you have a functioning ntp daemon. I won't describe this as
>    it's well documented elsewhere. Kerberos needs to have good time
>    synchronisation to work.
> b) From Gnome desktop go to System > Administration > Authentication. This
>    starts up the gui authconfig tool (after entering your root password).
> c) Check "Enable Winbind Support" and click "Configure Winbind". Enter
>    the following in the requested fields:
>    * Winbind Domain: your domain, that is the first part of your domain
>         before the first period, all in caps e.g. "DOMAIN"
>    * Security Model: select "ads" from the menu
>    * Winbind ADS Realm: type in your entire domain name. e.g. all in
>         caps e.g. "DOMAIN.COM"
>    * Winbind Domain Controllers: the address of a W2K or W2K3 Active
>         Directory Domain Controller, e.g. "dc1.domain.com"
>    * Template shell: CHANGE THIS to "/bin/bash" or whatever, just don't
>         leave it as the default or your users will get "Sys Admin has
>         disabled your account" errors when they try to log on.
>    * Click OK
> d) Change to the "Authentication" tab.
> e) Check "Enable Kerberos" Support and click "Configure Kerberos".
> Enter the following in the requested fields:
>    * Realm:
>    * KDCs (Kerberos Domain Controller, on a small network probably the
> 	same as your AD DC/PDC) e.g. dc1.domain.com
>    * Admin Servers (ditto to what I said about KDCs above) e.g.
> 	dc1.domain.com
>    * If you have a well-functioning DNS you can check the boxes below.
> 	Maybe do this after a manual setup is up and running.
>    * Click OK
> f) Under "Options" check "Local authorization is sufficient for local
>    users" if you have any non-domain/K12LTSP/local users that you want to
>    be able to log on. I checked this, it makes life easier.
> g) Click OK
> h) Start up a console/terminal. Enter the following command, substituting
>    "administrator" for a domain admin name if "administrator" is not what
>    you use. (this assumes that the user is a member of the sudoers group;
>    if not, log on to a console on the server as root):
> 	[k12@lalauser ~]$ sudo net ads join -U administrator
>    You should see a bunch of stuff flash before you but the most important
>    is a message indicating that you have joined successfully. This comes
>    in the last two lines. If you were unsuccessful then, alas, my how-to
>    was of no avail and I'm afraid I won't be able to help you as my
>    expertise is very limited.
> 2. Getting home directories to be automagically created using
> pam_mkhomedir.
> - BUT for now I'm happy, my little starter lab of 25 ca 1996-1999 $#itbox
> computers is ticking away with Fedora/Gnome desktops and ready for beta
> testing on some unsuspecting class next week -- because I wrote a script
> to manually create about 700 user home directories and everything is
> working... Woohoo!
> - while I'm at it I might as well explain how I made the 700 user home
> directories in case someone else wishes to do the same because they're as
> dumb as me and can't get pam_mkhomedir to work either (this is really
> hackish so bear with me or at least forgive me):
> 	a) Create a list of users via winbind. Here's an easy way:
> 		$ wbinfo -u > userlist.txt
> 	b) Import this list with a spreadsheet program and use it to
> 	   create a batch file. For example, duplicate this formula, which
> 	   makes use of the much-abused concatenate function, in column B:
> 	    =concatenate("mkdir /home/DOMAIN/";A1;" & chown ";A1;" /home/DOMAIN/";A1)
>  	   ...where the A column contains a list of all users to create a
> 	   bunch of one-liners that create the user's directory and change
> 	   ownership to the user.
> 	c) Save the output of this into a file in your /home/DOMAIN
> 	   directory e.g. /home/DOMAIN/mkhomedirs.sh then from the command
> 	   line:
> 		$ cd /home/DOMAIN
> 		$ chmod 700 mkhomedirs.sh
> 		$ ./mkhomedirs.sh
> 	d) Then make sure that all of the file names in /home/DOMAIN are
> 	   lower case. Here's a simple script that will do that:
> 		#!/bin/sh
> 		# rename every entry in the current directory to lower case,
> 		# skipping names that already are and never clobbering an
> 		# existing directory
> 		for i in *
> 		do
> 		j=$(printf '%s\n' "$i" | tr '[A-Z]' '[a-z]')
> 		[ "$i" = "$j" ] && continue
> 		[ -e "$j" ] && { echo "skip $i: $j exists" >&2; continue; }
> 		mv -- "$i" "$j"
> 		done
> - but I want to save myself hassles in the future and get the
> pam_mkhomedir up and running, so please set me straight.
> 3. Getting a nice little shortcut to your user's home directory to
> automagically appear on their desktop once they've logged on.
> HAPPY ***
> ---
> So as you can see I still have a ways to go. I tried John's ideas below
> but none of it seemed to work out despite many efforts and copying my
> backup /etc files to rescue grim outcomes. The effort did give me some
> insight into the whole process, including a few questions:
> Why is it that samba does not appear to be installed from the Yum gui
> tool, and yet when I try to install it it says that there are conflicts
> with an existing samba installation....? And I can find a bunch of samba
> utilities, e.g. smbclient and so on. And... "service samba" start doesn't
> do anything, I can't find the smbd or nmbd executables anywhere, and how
> do I get the smbd and nmbd daemons running? And finally webmin shows that
> samba is not installed... until of course I uninstall it with Yum (which
> seems to want to uninstall half of everything including KDE and
> Gnome...???) and reinstall samba again afterwards...
> Forgive my ignorance, I come from FreeBSD lalaland which is a vastly
> different place when it comes to installing and updating.
> Thanks to everyone for your continued help on pointing me right.
> Regards,
> Tom Wolfe
> On Fri, 17 Nov 2006, john wrote:
> > Hi Tom,
> >
> > Take a look at this doc. It uses ubuntu, but for the most part it's agnostic
> > in terms of flavor. The pam.d section is very good.
> >
> > https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
> >
> > After your users can authenticate with their Windows domain credentials
> > Basically:
> >
> > 1) install pam_mount
> >
> > 2) Leave all of the stuff at the top alone and at the bottom of the file
> > configure /etc/security/pam_mount.conf to look something like:
> >
> >
> > /home/WINDOWS/&/.windowsShare
> > uid=&,gid=&,dmask=750,workgroup=YOUR_WIN_DOMAIN - -
> >
> > This file will:
> >
> > a) look for the fileserver by name or ip (I added the file server to my
> > /etc/hosts file just to be sure).
> > b) mount the shared directory
> > c) mount the share wherever you want it to be, in this case in
> > /home/WINDOWS/domain_user/.hiddenfile (pam_mount will auto-magically create
> > this if it doesn't exist, I believe)
> >
> > d) Then I use a little script to in /etc/gdm/PostLogin/Default to create a
> > shortcut on the desktop which points to the hidden windows share. It's not
> > quite right yet, but you can try it out:
> >
> > #!/bin/sh
> > # link the mounted Windows share to a "ZDrive" icon on the user's desktop
> > zd=/home/WINDOWS/$USER/Desktop/ZDrive
> > if [ ! -L "$zd" ]
> > then
> >     rm -f "$zd"
> >     ln -s "$HOME"/.windowsShare/*/"$USER" "$zd"
> > fi
> >
> > Hope this helps.
> >
> > John
> >
> > On 11/17/06, Tom Wolfe <twolfe at sawback.com> wrote:
> > >
> > > Good news: I've got a functioning lab of 20 ancient machines composed of
> > > 1996 IBM 350s and a bunch of custom PIII machines from the late 1990s. The
> > > principal is psyched and the teachers are psyched. It's quite the sight,
> > > all of that ancient hardware spitting out a KDE desktop. I'm planning on
> > > adding another 15-workstation lab on the other side of the school powered
> > > by the same server, we'll see how that works.
> > >
> > > No sound yet, I gave up the fight last week and am hoping for divine
> > > intervention on that one. Teachers seem far less discouraged by that than
> > > I thought.
> > >
> > > Now I just have to get things moving with domain logons and home
> > > directories.
> > >
> > > Can anyone suggest a helpful how-to on configuring K12LTSP logons to
> > > Active Directory...? Or should I just hit the samba docs? I've already got
> > > authentication working, and I think I just need to configure the pam.d
> > > configs.
> > >
> > > Regards,
> > > Tom Wolfe
> > >
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN at redhat.com
> > > https://www.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > >
> >

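The 700-directory job described in the quoted message (spreadsheet one-liners, then a separate lower-casing loop) is the sort of thing a few lines of shell do more safely in one idempotent pass. The script below is an added example, not the thread's script or anything shipped with K12LTSP or pam_mount: it reads a `wbinfo -u` style list, refuses names that would escape the base directory, lower-cases domain and user, creates only the directories that are missing, and hands ownership to the account when the name resolves through winbind. It assumes the thread's layout of one directory per user under /home/<domain>/, that winbind's separator is `\` (the default; `+` is also accepted), and it chooses mode 0700 for new directories; the user list is constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's script: create home directories for a
# list of domain users in one idempotent pass, doing the job of the
# spreadsheet one-liners and the separate lower-casing loop. Assumes the
# thread's layout of one directory per user under /home/<domain>/ and a
# "wbinfo -u" style list with DOMAIN\user (or DOMAIN+user) entries.

HOME_BASE=${HOME_BASE:-/home}

# Constructed sample in the shape "wbinfo -u" prints; it includes a
# case-only duplicate, a name with a space and two entries that must be
# refused because they would leave the base directory.
SAMPLE_USERLIST='DOMAIN\Alice
DOMAIN\bob
DOMAIN\Bob
DOMAIN\Mary Jones
DOMAIN\bad/name
DOMAIN\..'

# normalize_name ENTRY: prints "<domain>/<user>" in lower case, or returns 1
# when the entry has no separator or either part could escape HOME_BASE.
normalize_name() {
    entry=$1
    case $entry in
        *\\*) dom=${entry%%\\*}; usr=${entry#*\\} ;;
        *+*)  dom=${entry%%+*};  usr=${entry#*+} ;;
        *)    return 1 ;;
    esac
    for part in "$dom" "$usr"; do
        case $part in
            ''|*/*|.|..) return 1 ;;
        esac
    done
    printf '%s/%s\n' "$(printf '%s\n' "$dom" | tr 'A-Z' 'a-z')" \
                     "$(printf '%s\n' "$usr" | tr 'A-Z' 'a-z')"
}

# make_homedirs: reads entries from stdin, creates each missing directory
# with mode 0700 (pam_mkhomedir with umask=0022 would give 0755; 0700 is
# this example's choice) and prints every path it created. Ownership is
# handed to the account only when the name resolves, i.e. on a box joined
# to the domain with winbind in nsswitch; elsewhere the directory stays
# owned by the caller and a note goes to stderr.
make_homedirs() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        rel=$(normalize_name "$entry") ||
            { echo "skip (unsafe name): $entry" >&2; continue; }
        dir=$HOME_BASE/$rel
        [ -d "$dir" ] && continue         # already there (or a case duplicate)
        mkdir -p -m 0700 "$dir" || return 1
        if id -u "$entry" >/dev/null 2>&1; then
            chown "$entry" "$dir"
        else
            echo "note: $entry does not resolve here, $dir left unowned" >&2
        fi
        printf '%s\n' "$dir"
    done
}

# usage on the server:   wbinfo -u | make_homedirs
# dry run with the sample: HOME_BASE=/tmp/homes; printf '%s\n' "$SAMPLE_USERLIST" | make_homedirs
```

Running it twice is harmless, which is what makes it usable from cron or after every batch of new AD accounts; the spreadsheet approach would re-run `mkdir` on everything and `chown` would silently follow whatever name the cell contained.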