lucid unown user id LTSP user cant loggin
David Groos
djgroos at gmail.com
Tue Sep 13 02:37:16 UTC 2011
To put a final nail in this coffin, I finally got the LDAP authentication/
home directory creation working on my fat clients on 2 servers. My
directions are quite sloppy (as I finally got it working but not sure what
are the essential, minimum steps) so I'll not put them on the Ubuntu or
Edubuntu wiki, but as a source of detailed ideas/things to try I did put
them on my blog, here:
http://groosd.blogspot.com/2011/09/making-lucid-authenticate-via-district.html.
It sure is nice now that it works.
David
On Fri, Sep 2, 2011 at 8:31 AM, David Groos <djgroos at gmail.com> wrote:
> Instead of starting a new thread, I'm resurrecting this elder thread to
> continue to build on it and not re-create the great info already here.
>
> My focused question is, what is the *minimal* server set-up so that just
> the following 2 behaviors occur:
>
> 1. The first time a user sits at one of my fatclients, types in her
> user/pass, she will be authenticated via our district's AD setup AND a home
> directory on my server will be created for her.
> 2. Thereafter when she sits down, types in her user/pass, she is
> authenticated by our district AD server AND her local (on the LTSP server)
> home folder is mounted.
>
> Luke has provided great resources and I'm looking for the minimal set-up to
> accomplish the 2 behaviors described above, at this time, JUST those 2
> behaviors. With the resources/strategies he described, and the answer to
> the question in this post, I'm confident that I can make this work.
>
> Thanks,
> David
>
>
> On Wed, Sep 15, 2010 at 12:22 PM, theluketaylor <ekul.taylor at gmail.com> wrote:
>
>> David,
>>
>> Hopefully my answers shed some more light
>>
>> On Wed, Sep 15, 2010 at 12:45 PM, David Groos <djgroos at gmail.com> wrote:
>> > Thanks Luke for your extensive and informative response. Your solution
>> > sounds like it has even more than I asked for--accessing students'
>> > district home folders and not just their edubuntu home folder is a big
>> > plus and starts to pave the way of how edubuntu can be integrated with
>> > the existing ICT infrastructure at the district level. I've got a few
>> > questions--please see below.
>> >
>> > On Wed, Sep 15, 2010 at 6:45 AM, theluketaylor <ekul.taylor at gmail.com>
>> > wrote:
>> >>
>> >> David,
>> >>
>> >> With newer versions of samba it's pretty straight forward to do AD
>> >> authentication though there are a couple of tricky steps.
>> >>
>> >> I have found the documents:
>> >>
>> >> https://help.ubuntu.com/community/Samba/Kerberos
>> >> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>> >>
>> >> to be the easiest method to join an edubuntu server to an AD domain,
>> >> especially since it doesn't require changes to the domain itself.
>> >> Some of the LDAP and other methods to authenticate against AD require
>> >> special AD schema and such and that's hard when you don't control the
>> >> domain. You do need to be a domain admin to join the server in the
>> >> first place but after that no special rights are required since your
>> >> server is a domain member just like every other domain computer.
>> >>
>> >> The first time I joined a linux server to domain it was a bit scary
>> >> but it has become somewhat routine from having done it so many times.
>> >> I'd recommend installing ubuntu on a spare workstation and practicing
>> >> on it until you get it right so your edubuntu system doesn't get all
>> >> messed up.
>> >
>> >
>> > Could I just use any Edubuntu Lucid installation to test? In other
>> > words, if students can log in on this test machine that would mean they
>> > could also sign in on an LTSP client/server? Are there some special
>> > things to add to the basic edubuntu install that are on the actual LTSP
>> > server?
>>
>> You can use any of the ubuntu flavours with the howtos I linked,
>> edubuntu included. Once you can login to the server itself with AD
>> you can log into any thin client, no additional steps. This is a real
>> advantage of the server/thin client setups since only the server needs
>> to be added to the domain, not each client. You can use any edubuntu
>> installation to test, I just recommended a fresh install on spare
>> hardware to test since there is no telling how smoothly it will go.
>> In terms of software that needs to be added, it all goes on the LTSP
>> server. You have to install:
>> samba
>> winbind
>> kerberos
>> along with the necessary dependencies. Looking through the documents
>> to confirm what all needed to be installed I realized the kerberos
>> document has been changed and isn't quite as helpful as before.
>> https://help.ubuntu.com/community/Samba/Kerberos?action=recall&rev=10
>> is the one I have successfully used in the past
>>
>> >
>> >> The PAM portions are the most confusing so I'd read
>> >> through that carefully before proceeding (especially since that
>> >> controls the methods the server uses to grant login rights so be sure
>> >> to have an open root console to back out any changes in case you make
>> >> it impossible to log back in).
>> >
>> >
>> > You mean that at another computer I would ssh into the test server and
>> > authenticate as root and thus have this access even if I couldn't
>> > re-authenticate?
>>
>> or just have a root terminal open on the test server. Either way
>> works. If you mess up your PAM config in certain ways you won't be
>> able to create new sessions (which also means sudo is out) but
>> existing sessions will work. You'll be logging in and out to test
>> the config so you need to be sure you have a lifeline in case
>> something goes wrong. Also don't reboot the server until you're sure
>> you can login correctly.
>>
>> >
>> >>
>> >> Using these 2 documents you'll be able to do everything you described
>> >> below. Samba/Winbind will authenticate against the AD controllers and
>> >> PAM will create home directories for users who have not logged in
>> >> before. This doesn't actually create local unix accounts, it just
>> >> maps active directory accounts into the local passwd database. This
>> >> means you administrate the accounts from AD.
>> >
>> >
>> > I have no permissions on the AD server and while I don't think I would
>> > need to administer their accounts, I'm sure I need to be able to create
>> > groups of users (by period for example) that don't exist on the district
>> > level AD servers. Is there a way that I can create and manage these
>> > groups and their membership?
>> >
>> As I said you will need to be a member of Domain Admin in order to
>> join the server to the domain which is a critical step.
>> While I just use AD to manage memberships it is possible to add AD
>> users to local unix groups. Having never had to do it myself I can't
>> speak to how easy it would be but I'm not sure you'd be able to use
>> the graphical user and groups gnome tool. I do know the command line
>> addgroup scripts work fine though.
>>
>> >>
>> >> It also means your
>> >> domain controller needs to be available for users to be able to log
>> >> in. You can use PAM to define what groups are allowed to log into
>> >> your server, by default it's anyone in domain member. The other
>> >>
>> >> caveat is users can't change the domain password from your linux
>> >> server (at least not in a way I'd be willing to try to explain to high
>> >> school students) so if their password is expired it can cause some
>> >> grief. I have encouraged my users to change their password before it
>> >> expires since that causes problems with all non-windows domain logins
>> >> like web UIs and proxy servers.
>> >>
>> >> To make files available from our windows file and print server I also
>> >> use pam_mount (http://pam-mount.sourceforge.net/) to mount network
>> >> home directories at ~/Documents. I don't mount their network folder
>> >> at ~ to avoid lots of .directories being created that show up in
>> >> windows and because CIFS doesn't support sockets and many unix
>> >> applications create them in home directories.
>> >
>> >
>> > Nice!
>> pam_mount was a bit of a pain to set up but now that it's working it
>> hums along nicely. There is a slightly annoying issue that gnome
>> sessions don't quite clean themselves up enough to allow pam_mount to
>> unmount on log out but I just run a nightly script that unmounts all
>> CIFS shares and that does the trick. pam_mount is smart enough now
>> not to mount something that's already mounted so it isn't a huge
>> issue.
>>
>> >
>> >>
>> >> Hopefully that points you in the right direction. I've had great luck
>> >> with this method for the last few years with our edubuntu server using
>> >> AD logins.
>> >>
>> >> Luke Taylor
>> >
>> > My final questions are:
>> >
>> > Does this affect how I setup squid proxy?
>> Depends on if you use transparent or authenticated mode. We have a
>> school-wide authenticated squid proxy. I have added a global setting
>> to firefox on our edubuntu server (found in /etc/firefox-3.6/default
>> or something like that) to define the proxy server settings so when
>> users open firefox the first time the setting is automatically added.
>> If you use transparent mode you shouldn't have to do anything
>>
>> > How would this system relate to using Sabayon to manage users' gconf
>> > preferences?
>> Integrating AD into PAM means as far as applications are concerned AD
>> users are local unix users. So you can use sabayon just as before,
>> you can even have it use AD groups to choose what settings to apply.
>> I have one profile for an AD group called students_g and one for
>> teachers_g but you could go as fine-grained as you like.
>>
>> > Would I go about and set up CUPS differently?
>> It depends on how you have cups set up now but I doubt you would make
>> any changes.
>>
>> > Thanks!
>> > David
>> >
>> >>
>> >> On Tue, Sep 14, 2010 at 10:52 PM, David Groos <djgroos at gmail.com>
>> >> wrote:
>> >> >
>> >> > I've been perusing all the threads I could find about LDAP and AD
>> >> > authentication. I've seen Scott's tutorial mentioned more than once
>> >> > (and thanks David H for sharing how you filled in the 'client install
>> >> > section'--extra examples help). I'm a teacher and not a techer, and
>> >> > when I look at Scott's instructions, well, you can imagine how I feel.
>> >> >
>> >> > The following is what I'm trying to do. I just have a couple of
>> >> > admin and test users on my Lucid LTSP server at this time. What I
>> >> > want to happen is that a student, who doesn't yet have an account on
>> >> > my server BUT has one with the district, be able to:
>> >> >
>> >> > walk up to a thin client, sit down and upon entering her district
>> >> > username and password, authenticate against the district's Active
>> >> > Directory server.
>> >> > I want that to create an account and home folder (as a desktop user)
>> >> > for the user on my Lucid server.
>> >> > Thereafter, whenever the student logs in on the thin client, they are
>> >> > authenticated against the district AD server and have access to their
>> >> > Lucid home folder. I think this is possible, right?
>> >> > Question: Would I then manage my users with the standard 'Users and
>> >> > Groups' application that's in the 'Administration' menu, or would I
>> >> > use something else to administer the users?
>> >> >
>> >> > If a few people have had good luck with Scott's page on Lucid, I'll
>> >> > bring that page to the people in the know at our district and ask for
>> >> > some help following the instructions on that page.
>> >> >
>> >> > I think using some setup like this is probably a basic need for
>> >> > Edubuntu/LTSP setups in large urban districts. Thanks for your help,
>> >> >
>> >> > David G
>> >> >
>> >> > A
>> >> >>
>> >> >> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on
>> >> >> how to get authentication working a while back. It can be found here:
>> >> >> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
>> >> >>
>> >> >> Follow the section for Client: install client pieces. For my
>> >> >> systems, I added just the ldap-auth-client. I answered the questions.
>> >> >> I changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered
>> >> >> the correct info for the realm. I answered yes to the question about
>> >> >> having root be able to change passwords, and no for the
>> >> >> authentication required to access the database.
>> >> >>
>> >> >> Next, I copied/pasted the example profile change given on the
>> >> >> above page, only I changed edubuntu to something appropriate for our
>> >> >> school and saved it as ncs-ldap-config.
>> >> >>
>> >> >> I then invoked auth-client-config -a -p ncs
>> >> >>
>> >> >> Afterwards I was able to use ldap. I now have 7 servers all
>> >> >> authenticating successfully following this approach. Many thanks to
>> >> >> Scott for help with that wiki page.
>> >> >>
>> >> >> Sincerely,
>> >> >> Dave Hopkins
>> >> >>
>> >> >
>> >
>> >
>>
>
>
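An added example, not code from this thread or from any of the posters, for the PAM "lifeline" Luke describes above: a small POSIX shell audit of Ubuntu's common-auth and common-session that can be run from the still-open root shell before logging out, checking that a local pam_unix fallback, pam_winbind and pam_mkhomedir are all present and warning when no group restriction is set. The two PAM files it writes are constructed samples; DOMAIN\\ltsp_users is a placeholder group name, and require_membership_of is a standard pam_winbind option.

```shell
#!/bin/sh
# Added example: audit an LTSP server's PAM stack (Ubuntu's common-auth and
# common-session) before logging out, so the failure mode the thread warns
# about (a PAM edit that locks everyone out) is caught while a root shell is
# still open. The sample PAM files below are constructed for this example.
set -eu

# Print a PAM file with comments and blank lines removed.
pam_lines() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'; }

# pam_audit AUTH_FILE SESSION_FILE
# Returns 0 when the stack keeps a local (pam_unix) fallback, authenticates
# AD users through pam_winbind and creates home directories on first login.
pam_audit() {
    auth="$1"; sess="$2"; rc=0
    if ! pam_lines "$auth" | grep -q 'pam_unix\.so'; then
        echo "FAIL: $auth lacks pam_unix.so; root and local logins will break"; rc=1
    fi
    if ! pam_lines "$auth" | grep -q 'pam_winbind\.so'; then
        echo "FAIL: $auth lacks pam_winbind.so; domain users cannot log in"; rc=1
    fi
    if ! pam_lines "$sess" | grep -q 'pam_mkhomedir\.so'; then
        echo "FAIL: $sess lacks pam_mkhomedir.so; first logins get no home directory"; rc=1
    fi
    # Without require_membership_of, every domain member may log in.
    if ! pam_lines "$auth" | grep -q 'require_membership_of='; then
        echo "WARN: $auth does not restrict pam_winbind to a group"
    fi
    return $rc
}

# write_samples DIR: a working stack plus an auth file missing pam_unix.
# DOMAIN\\ltsp_users is a placeholder group name (constructed sample).
write_samples() {
    cat > "$1/common-auth" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth try_first_pass require_membership_of=DOMAIN\\ltsp_users
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$1/common-session" <<'EOF'
session required  pam_unix.so
session optional  pam_winbind.so
session optional  pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
    grep -v 'pam_unix' "$1/common-auth" > "$1/common-auth.broken"
}
```

Run it against the real /etc/pam.d files as root (pam_audit /etc/pam.d/common-auth /etc/pam.d/common-session) and only log out or reboot when it exits 0.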