To put a final nail in this coffin, I finally got the LDAP authentication/home directory creation working on my fat clients on 2 servers. My directions are quite sloppy (as I finally got it working but am not sure what the essential, minimum steps are) so I'll not put them on the Ubuntu or Edubuntu wiki, but as a source of detailed ideas/things to try I did put them on my blog, here: http://groosd.blogspot.com/2011/09/making-lucid-authenticate-via-district.html. It sure is nice now that it works.
David

On Fri, Sep 2, 2011 at 8:31 AM, David Groos <[email protected]> wrote:
> Instead of starting a new thread, I'm resurrecting this elder thread to continue to build on it and not re-create the great info already here.
>
> My focused question is, what is the *minimal* server set-up so that just the following 2 behaviors occur:
>
> 1. The first time a user sits at one of my fat clients, types in her user/pass, she will be authenticated via our district's AD setup AND a home directory on my server will be created for her.
> 2. Thereafter when she sits down, types in her user/pass, she is authenticated by our district AD server AND her local (on the LTSP server) home folder is mounted.
>
> Luke has provided great resources and I'm looking for the minimal set-up to accomplish the 2 behaviors described above, at this time, JUST those 2 behaviors. With the resources/strategies he described, and the answer to the question in this post, I'm confident that I can make this work.
>
> Thanks,
> David
>
>
> On Wed, Sep 15, 2010 at 12:22 PM, theluketaylor <[email protected]> wrote:
>
>> David,
>>
>> Hopefully my answers shed some more light.
>>
>> On Wed, Sep 15, 2010 at 12:45 PM, David Groos <[email protected]> wrote:
>> > Thanks Luke for your extensive and informative response. Your solution sounds like it has even more than I asked for--accessing students' district home folders and not just their edubuntu home folder is a big plus and starts to pave the way of how edubuntu can be integrated with the existing ICT infrastructure at the district level. I've got a few questions--please see below.
>> >
>> > On Wed, Sep 15, 2010 at 6:45 AM, theluketaylor <[email protected]> wrote:
>> >>
>> >> David,
>> >>
>> >> With newer versions of samba it's pretty straightforward to do AD authentication though there are a couple of tricky steps.
>> >>
>> >> I have found the documents:
>> >>
>> >> https://help.ubuntu.com/community/Samba/Kerberos
>> >> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>> >>
>> >> to be the easiest method to join an edubuntu server to an AD domain, especially since it doesn't require changes to the domain itself. Some of the LDAP and other methods to authenticate against AD require special AD schema and such and that's hard when you don't control the domain. You do need to be a domain admin to join the server in the first place but after that no special rights are required since your server is a domain member just like every other domain computer.
>> >>
>> >> The first time I joined a linux server to a domain it was a bit scary but it has become somewhat routine from having done it so many times. I'd recommend installing ubuntu on a spare workstation and practicing on it until you get it right so your edubuntu system doesn't get all messed up.
>> >
>> >
>> > Could I just use any Edubuntu Lucid installation to test? In other words, if students can log in on this test machine that would mean they could also sign in on an LTSP client/server? Are there some special things to add to the basic edubuntu install that are on the actual LTSP server?
>>
>> You can use any of the ubuntu flavours with the howtos I linked, edubuntu included. Once you can login to the server itself with AD you can log into any thin client, no additional steps. This is a real advantage of the server/thin client setups since only the server needs to be added to the domain, not each client. You can use any edubuntu installation to test, I just recommended a fresh install on spare hardware to test since there is no telling how smoothly it will go. In terms of software that needs to be added, it all goes on the LTSP server.
>> You have to install:
>> samba
>> winbind
>> kerberos
>> along with the necessary dependencies. Looking through the documents to confirm what all needed to be installed I realized the kerberos document has been changed and isn't quite as helpful as before. https://help.ubuntu.com/community/Samba/Kerberos?action=recall&rev=10 is the one I have successfully used in the past.
>>
>> >
>> >> The PAM portions are the most confusing so I'd read through that carefully before proceeding (especially since that controls the methods the server uses to grant login rights so be sure to have an open root console to back out any changes in case you make it impossible to log back in).
>> >
>> >
>> > You mean that at another computer I would ssh into the test server and authenticate as root and thus have this access even if I couldn't re-authenticate?
>>
>> Or just have a root terminal open on the test server. Either way works. If you mess up your PAM config in certain ways you won't be able to create new sessions (which also means sudo is out) but existing sessions will work. You'll be logging in and out to test the config so you need to be sure you have a lifeline in case something goes wrong. Also don't reboot the server until you're sure you can login correctly.
>>
>> >
>> >>
>> >> Using these 2 documents you'll be able to do everything you described below. Samba/Winbind will authenticate against the AD controllers and PAM will create home directories for users who have not logged in before. This doesn't actually create local unix accounts, it just maps active directory accounts into the local passwd database. This means you administrate the accounts from AD.
>> >
>> >
>> > I have no permissions on the AD server and while I don't think I would need to administer their accounts, I'm sure I need to be able to create groups of users (by period for example) that don't exist on the district level AD servers. Is there a way that I can create and manage these groups and their membership?
>> >
>> As I said you will need to be a member of Domain Admin in order to join the server to the domain which is a critical step. While I just use AD to manage memberships it is possible to add AD users to local unix groups. Having never had to do it myself I can't speak to how easy it would be but I'm not sure you'd be able to use the graphical user and groups gnome tool. I do know the command line addgroup scripts work fine though.
>>
>> >>
>> >> It also means your domain controller needs to be available for users to be able to log in. You can use PAM to define what groups are allowed to log into your server, by default it's anyone in domain member. The other caveat is users can't change the domain password from your linux server (at least not in a way I'd be willing to try to explain to high school students) so if their password is expired it can cause some grief. I have encouraged my users to change their password before it expires since that causes problems with all non-windows domain logins like web UIs and proxy servers.
>> >>
>> >> To make files available from our windows file and print server I also use pam_mount (http://pam-mount.sourceforge.net/) to mount network home directories at ~/Documents. I don't mount their network folder at ~ to avoid lots of .directories being created that show up in windows and because CIFS doesn't support sockets and many unix applications create them in home directories.
>> >
>> >
>> > Nice!
>> pam_mount was a bit of a pain to setup but now that it's working it hums along nicely. There is a slightly annoying issue that gnome sessions don't quite clean themselves up enough to allow pam_mount to unmount on log out but I just run a nightly script that unmounts all CIFS shares and that does the trick. pam_mount is smart enough now not to mount something that's already mounted so it isn't a huge issue.
>>
>> >
>> >>
>> >> Hopefully that points you in the right direction. I've had great luck with this method for the last few years with our edubuntu server using AD logins.
>> >>
>> >> Luke Taylor
>> >
>> > My final questions are:
>> >
>> > Does this affect how I setup squid proxy?
>> Depends on if you use transparent or authenticated mode. We have a school-wide authenticated squid proxy. I have added a global setting to firefox on our edubuntu server (found in /etc/firefox-3.6/default or something like that) to define the proxy server settings so when users open firefox the first time the setting is automatically added. If you use transparent mode you shouldn't have to do anything.
>>
>> > How would this system relate to using Sabayon to manage users' gconf preferences?
>> Integrating AD into PAM means as far as applications are concerned AD users are local unix users. So you can use sabayon just as before, you can even have it use AD groups to choose what settings to apply. I have one profile for an AD group called students_g and one for teachers_g but you could go as fine-grained as you like.
>>
>> > Would I go about and set up CUPS differently?
>> It depends on how you have cups set up now but I doubt you would make any changes.
>>
>> > Thanks!
>> > David
>> >
>> >>
>> >> On Tue, Sep 14, 2010 at 10:52 PM, David Groos <[email protected]> wrote:
>> >> >
>> >> > I've been perusing all the threads I could find about LDAP and AD authentication.
>> >> > I've seen Scott's tutorial mentioned more than once (and thanks David H for sharing how you filled in the 'client install section'--extra examples help). I'm a teacher and not a techer, and when I look at Scott's instructions well, you can imagine how I feel.
>> >> >
>> >> > The following is what I'm trying to do. I just have a couple of admin and test users on my Lucid LTSP server at this time. What I want to happen is that a student, who doesn't yet have an account on my server BUT has one with the district, be able to:
>> >> >
>> >> > walk up to a thin client, sit down and upon entering her district username and password, authenticate against the district's Active Directory server.
>> >> > I want that to create an account and home folder (as a desktop user) for the user on my Lucid server.
>> >> > Thereafter, whenever the student logs in on the thin client, they are authenticated against the district AD server and have access to their Lucid home folder. I think this is possible, right?
>> >> > Question: Would I then manage my users with the standard 'Users and Groups' application that's in the 'Administration' menu, or would I use something else to administer the users?
>> >> >
>> >> > If a few people have had good luck with Scott's page on Lucid, I'll bring that page to the people in the know at our district and ask for some help following the instructions on that page.
>> >> >
>> >> > I think using some setup like this is probably a basic need for Edubuntu/LTSP setups in large urban districts. Thanks for your help,
>> >> >
>> >> > David G
>> >> >
>> >> > A
>> >> >>
>> >> >> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on how to get authentication working a while back.
>> >> >> It can be found here:
>> >> >> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
>> >> >>
>> >> >> Follow the section for Client: install client pieces. For my systems, I added just the ldap-auth-client. I answered the questions. I changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered the correct info for the realm. I answered yes to the question about having root be able to change passwords, and no for the authentication required to access the database.
>> >> >>
>> >> >> Next, I copied/pasted the example profile changing given on the above page, only I changed edubuntu to something appropriate for our school and saved it as ncs-ldap-config.
>> >> >>
>> >> >> I then invoked auth-client-config -a -p ncs
>> >> >>
>> >> >> Afterwards I was able to use ldap. I now have 7 servers all authenticating successfully following this approach. Many thanks to Scott for help with that wiki page.
>> >> >>
>> >> >> Sincerely,
>> >> >> Dave Hopkins
>> >> >>
>> >> >
>> >> > --
>> >> > edubuntu-users mailing list
>> >> > [email protected]
>> >> > Modify settings or unsubscribe at:
>> >> > https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
>> >> >
>> >
>
--
edubuntu-users mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
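The "minimal server set-up" David asks for (samba + winbind + kerberos, PAM creating the home directory on first login, optionally restricting logins to one AD group) as an added example; this is editor-written code, not Luke's configuration, David's blog steps, or the Ubuntu wiki howtos. It renders the config files into a staging directory so they can be reviewed and copied into /etc from the root shell Luke tells you to keep open, rather than writing to /etc directly. The realm example.local, workgroup EXAMPLE, group students_g, the uid/gid range 10000-20000 and the file layout are all assumptions; the "idmap uid"/"idmap gid" option names are the Samba 3.x syntax shipped with Ubuntu 10.04, and newer Samba spells the same thing "idmap config * : range".

```shell
#!/bin/sh
# Added example, not from the thread or the Ubuntu wiki: stage the minimal
# configuration for an LTSP server to be a plain AD domain member (winbind),
# so that a first login creates a local home directory via pam_mkhomedir.
# Files go to a staging directory for review, never straight into /etc:
# a broken PAM stack blocks every new session, so keep a root shell open
# while copying them into place.  Realm, workgroup, group name and idmap
# range are placeholders (assumed values); "idmap uid/gid" is the Samba 3.x
# syntax of Ubuntu 10.04, newer Samba spells it "idmap config * : range".

render_ad_member_configs() {
    dir="$1"; realm="$2"; workgroup="$3"; login_group="$4"
    mkdir -p "$dir"
    upper_realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')

    # Kerberos: the member server only needs to know the realm; KDCs are
    # found through the AD SRV records in DNS.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $upper_realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
EOF

    # smb.conf: "security = ads" makes this a member server, not a DC.
    # The idmap range assigns stable local uids/gids to AD SIDs; the
    # template lines give mapped users a shell and a home path.
    cat > "$dir/smb.conf" <<EOF
[global]
    security = ads
    realm = $upper_realm
    workgroup = $workgroup
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
EOF

    # nsswitch: let getent/PAM see AD accounts without local passwd entries.
    cat > "$dir/nsswitch.conf" <<EOF
passwd:  compat winbind
group:   compat winbind
shadow:  compat
EOF

    # PAM session stack: pam_mkhomedir creates the home on first login.
    # On Ubuntu the real common-session is managed by pam-auth-update;
    # the mkhomedir line is the one you add by hand.
    cat > "$dir/common-session" <<EOF
session required   pam_unix.so
session optional   pam_winbind.so
session required   pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

    # Restrict logins to one AD group (default: any domain user).
    printf 'require_membership_of = %s\\%s\n' "$workgroup" "$login_group" \
        > "$dir/pam_winbind.conf"
}

# After "net ads join -U <domain admin>" and a winbind restart, run these
# from the root shell you kept open; every one must succeed before you
# log out or reboot.
ad_join_checks() {
    user="${1:-}"
    net ads testjoin || return 1            # machine account accepted by a DC
    wbinfo -t || return 1                   # machine trust secret is valid
    wbinfo -u | head -n 3                   # winbind can enumerate AD users
    [ -z "$user" ] || getent passwd "$user" # nss resolves an AD user to a uid
}

case "${1:-}" in
    render) render_ad_member_configs "${2:-./ad-staging}" "${3:-example.local}" "${4:-EXAMPLE}" "${5:-students_g}" ;;
    checks) ad_join_checks "${2:-}" ;;
esac
```

Run it as `sh ad-member-setup.sh render /root/ad-staging example.local EXAMPLE students_g`, diff each staged file against the live one in /etc, copy them into place, join with `net ads join -U <domain admin>`, then `sh ad-member-setup.sh checks someuser` from the same root shell. If `getent passwd someuser` prints nothing, winbind is not answering nss and logging in will fail regardless of what PAM says, so do not close the root shell yet.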
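Luke mentions a nightly script that unmounts every CIFS share pam_mount could not release because GNOME sessions do not exit cleanly. The following is an added example of such a job, written by the editor and not Luke's actual script. It reads the kernel mount table (/proc/mounts, where spaces in mount points are escaped as \040) or a table file passed as an argument, unmounts the deepest CIFS mount points first, and falls back to a lazy unmount when a stale process still holds a share. The log tag cifs-nightly, the cron slot and the install path are assumptions.

```shell
#!/bin/sh
# Added example, not Luke's actual script: a nightly cron job that unmounts
# the CIFS shares pam_mount could not release because GNOME sessions did
# not exit cleanly.  It reads the kernel mount table (or a table file passed
# as an argument, which is how the self-test feeds it constructed input).
# /proc/mounts escapes spaces in mount points as \040; printf %b decodes them.
# The log tag "cifs-nightly" and the 02:00 cron slot are assumptions.

list_cifs_mounts() {
    table="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype rest; do
        [ "$fstype" = "cifs" ] || continue
        printf '%b\n' "$mnt"
    done < "$table"
}

unmount_cifs_mounts() {
    table="${1:-/proc/mounts}"
    # Deepest paths first so a share mounted inside another comes off first.
    list_cifs_mounts "$table" \
        | awk '{ print length($0) " " $0 }' | sort -rn | cut -d' ' -f2- \
        | while IFS= read -r mnt; do
            if umount "$mnt" 2>/dev/null; then
                logger -t cifs-nightly "unmounted $mnt"
            elif umount -l "$mnt"; then
                # Lazy unmount: detach now, release once the last holder exits.
                logger -t cifs-nightly "lazy-unmounted busy $mnt"
            else
                logger -t cifs-nightly "FAILED to unmount $mnt"
            fi
        done
}

# Root crontab entry that runs this script nightly (assumed path and time):
#   0 2 * * * /usr/local/sbin/cifs-nightly run
case "${1:-}" in
    list) list_cifs_mounts ;;
    run)  unmount_cifs_mounts ;;
esac
```

`cifs-nightly list` shows what would be unmounted without touching anything, which is worth running once by hand before scheduling it; the lazy fallback is deliberate because a hung GNOME helper holding a share would otherwise leave the mount in place every night and defeat the purpose of the job.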
