[K12OSN] New Lab Install - an AD specific solution

Sean Harbour SHarbour at nwresd.k12.or.us
Wed Oct 22 16:24:50 UTC 2008


John Montoya wrote:
> [QUESTION]
> Is it possible for a student to use the one Windows account to log
> into an XP machine in History class, then later again in English class
> (working in each class) - then use the same login for computer lab, to
> access their home directories to work on the English and History work
> (that they created earlier - and is now all OpenOffice)...working on it from a thin client in
> the lab?
_________

Here's my solution to that problem.

We currently use Active Directory to manage our student accounts.

Through a lot of painful trial and error, I have found that Fedora 9 i386 (with the PAE kernel if you have more than 4GB RAM) works fairly well out of the box. Fedora 9 x86_64 is a PITA with firefox/java and multimedia.

The easiest, most reliable way I have found to authenticate from AD is with Likewise Open 5 community edition. The other ways work, but have not been as trouble free for our use, at least with Fedora 9.

Here's the 5 minute setup:

Download the Linux 2.4 kernel+ 32-bit RPM package from here; you can skip the GUI package.
http://www.likewisesoftware.com/community/index.php/download/

Switch to an xterm, and cd into the directory you downloaded the file to, typically ~/Download or ~/Desktop.

Make the file executable
chmod +x <filename>

Example: (Note, they seem to update their versions weekly, so it probably won't be this exact file name.)
./LikewiseIdentityServiceOpen-5.0.0.3835-linux-i386-rpm-installer

Agree to the installer GPL2 licensing.

Join the domain. You need to know the fully qualified domain name, not the short name, of the domain. Example: "myschool.mydistrict.org"
You will also need an account and password with domain privileges to join workstations to the domain.

domainjoin-cli --loglevel verbose --log /tmp/domainjoin.log join myschool.mydistrict.org adminaccountname

It should say "SUCCESS" after a few seconds.

Test that you can query AD for users:

/opt/likewise/bin/lw-enum-users

Edit /etc/likewise/lsassd.conf and uncomment the line:

"assume-default-domain = yes"

Reboot. Log in with an AD account. You're done. Great product.

We are still working on a nice way to map Windows network shares for users, but the following technique works fairly well. You will need to know the fully qualified name of the file server, and the name of the share. Insert the appropriate values into the line starting with "URL".

Assuming you are using the Gnome desktop, create a file in the user's ~/Desktop directory called:

Student_Share.desktop

with the contents:

--------------Begin file
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Student_Share
Type=Link
Icon[en_US]=gnome-panel-launcher
Name[en_US]=Student_Share
URL=smb://fileservername.myschool.mydistrict.org/StudentShare
Comment[en_US]=Shared student network drive (S Drive on Windows)
Comment=Shared student network drive (S Drive on Windows)
Icon=/usr/share/icons/Bluecurve/96x96/filesystems/folder_open.png
--------------End file

Drop this file into /etc/skel/Desktop for new users.

For private home folders, I put this in /etc/skel/Desktop. This assumes the student shares are all in the form of <username$>, and are shared individually from the named fileserver, which is fairly standard.

Network_Folder.desktop

--------------Begin file
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Type=Link
Icon[en_US]=/usr/share/icons/Bluecurve/96x96/filesystems/folder_home.png
Icon=/usr/share/icons/Bluecurve/96x96/filesystems/folder_home.png
Name[en_US]=Network Folder for REPLACEME
Name=Network Folder for REPLACEME
URL=smb://fileservername.myschool.mydistrict.org/REPLACEME$
Comment[en_US]=Home folder private network share for student REPLACEME
Comment=Home folder private network share for student REPLACEME
--------------End file

And I added the following .bash_profile file to /etc/skel:

--------------Begin file
.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH

# Personalise the network-folder launcher on first login: the copy from
# /etc/skel still holds the REPLACEME placeholder, so swap in the login name.
# (The launcher is Network_Folder.desktop throughout; the sed target must be
# the same file the grep checks, otherwise the placeholder is never replaced.)
if grep -q REPLACEME ~/Desktop/Network_Folder.desktop 2>/dev/null
  then
    sed "s/REPLACEME/$LOGNAME/g" ~/Desktop/Network_Folder.desktop >~/Desktop/temp.desktop
    mv ~/Desktop/temp.desktop ~/Desktop/Network_Folder.desktop
else
    echo "Welcome $LOGNAME"
fi
--------------End file

With these additions, logged in users will be able to click an icon on the desktop, and access their Windows network folders. Be warned, it's not perfect, and it will ask for the password the first time you use it, but it does work fairly well, and most importantly, maintains the correct user permissions on files.

I'm very interested in other techniques for duplicating this functionality. Has anybody managed to get some sort of automount working with Windows shares and transparent/passthrough user authentication?

Cheers!

Sean Harbour
Senior Network Engineer
Northwest Regional ESD
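Added example (not part of Sean's post or the Likewise product): a POSIX shell version of the REPLACEME substitution done in the .bash_profile above, written so it can run on every login without damage. The function names (render_desktop_entry, check_desktop_entry, install_desktop_entry) and the embedded template are assumptions; the template is constructed here in the same form as the Network_Folder.desktop in the post, and the file server name is the post's own placeholder. The login name is validated before it reaches sed, so a name containing `/`, `&` or `\` cannot break the substitution, and the result is checked for a leftover placeholder and the expected URL line.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders a per-user
# Network_Folder.desktop from a REPLACEME template, idempotently, with a check.

# Constructed template, same layout as the post's Network_Folder.desktop.
# Single quotes keep the trailing '$' of the share name literal.
TEMPLATE='[Desktop Entry]
Version=1.0
Encoding=UTF-8
Type=Link
Name=Network Folder for REPLACEME
URL=smb://fileservername.myschool.mydistrict.org/REPLACEME$
Comment=Home folder private network share for student REPLACEME'

# render_desktop_entry USER : print the template with REPLACEME swapped for USER.
# Only letters, digits, '.', '_' and '-' are accepted, so USER can never carry
# sed syntax ('/', '&', '\') into the s/// expression.
render_desktop_entry() {
    user=$1
    case "$user" in
        *[!A-Za-z0-9._-]*|"") return 1 ;;
    esac
    printf '%s\n' "$TEMPLATE" | sed "s/REPLACEME/$user/g"
}

# check_desktop_entry FILE USER : succeed only if no placeholder is left and the
# URL line names USER's share exactly (fixed-string, whole-line match).
check_desktop_entry() {
    file=$1
    user=$2
    grep -q 'REPLACEME' "$file" && return 1
    grep -qxF "URL=smb://fileservername.myschool.mydistrict.org/${user}\$" "$file"
}

# install_desktop_entry DEST USER : write the rendered entry to DEST only when
# DEST is missing or still holds the placeholder, so repeated logins are no-ops.
install_desktop_entry() {
    dest=$1
    user=$2
    if [ -f "$dest" ] && ! grep -q 'REPLACEME' "$dest"; then
        return 0   # already personalised on an earlier login
    fi
    render_desktop_entry "$user" > "$dest.tmp" || { rm -f "$dest.tmp"; return 1; }
    mv "$dest.tmp" "$dest"
    check_desktop_entry "$dest" "$user"
}

# Usage from .bash_profile (assumes the skel copy was placed in ~/Desktop):
# install_desktop_entry "$HOME/Desktop/Network_Folder.desktop" "$LOGNAME"
```

Because the skel copy is rendered into a temporary file and then moved into place, a login interrupted mid-way leaves either the untouched template or the finished launcher, never a half-written file.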




