lucid unknown user id LTSP user can't log in

David Groos djgroos at gmail.com
Wed Sep 15 16:45:31 UTC 2010


Thanks Luke for your extensive and informative response.  Your solution
sounds like it has even more than I asked for--accessing students' district
home folders and not just their edubuntu home folder is a big plus and
starts to pave the way of how edubuntu can be integrated with the existing
ICT infrastructure at the district level.  I've got a few questions--please
see below.

On Wed, Sep 15, 2010 at 6:45 AM, theluketaylor <ekul.taylor at gmail.com> wrote:

> David,
>
> With newer versions of samba it's pretty straight forward to do AD
> authentication though there are a couple of tricky steps.
>
> I have found the documents:
>
> https://help.ubuntu.com/community/Samba/Kerberos
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>
> to be the easiest method to join an edubuntu server to an AD domain,
> especially since it doesn't require changes to the domain itself.
> Some of the LDAP and other methods to authenticate against AD require
> special AD schema and such and that's hard when you don't control the
> domain.  You do need to be a domain admin to join the server in the
> first place but after that no special rights are required since your
> server is a domain member just like every other domain computer.
>
> The first time I joined a linux server to a domain it was a bit scary
> but it has become somewhat routine from having done it so many times.
> I'd recommend installing ubuntu on a spare workstation and practicing
> on it until you get it right so your edubuntu system doesn't get all
> messed up.


Could I just use any Edubuntu Lucid installation to test?  In other words,
if students can log in on this test machine, would that mean they could also
sign in on an LTSP client/server?  Are there some special things to add to
the basic edubuntu install that are on the actual LTSP server?

> The PAM portions are the most confusing so I'd read
> through that carefully before proceeding (especially since that
> controls the methods the server uses to grant login rights so be sure
> to have an open root console to back out any changes in case you make
> it impossible to log back in).
>

You mean that at another computer I would ssh into the test server and
authenticate as root and thus have this access even if I couldn't
re-authenticate?


> Using these 2 documents you'll be able to do everything you described
> below.  Samba/Winbind will authenticate against the AD controllers and
> PAM will create home directories for users who have not logged in
> before.  This doesn't actually create local unix accounts, it just
> maps active directory accounts into the local passwd database.  This
> means you administrate the accounts from AD.


I have no permissions on the AD server and while I don't think I would need
to administer their accounts, I'm sure I need to be able to create groups of
users (by period for example) that don't exist on the district level AD
servers.  Is there a way that I can create and manage these groups and their
membership?


> It also means your
> domain controller needs to be available for users to be able to log
> in.  You can use PAM to define what groups are allowed to log into
> your server, by default it's anyone in domain member.  The other
> caveat is users can't change the domain password from your linux
> server (at least not in a way I'd be willing to try to explain to high
> school students) so if their password is expired it can cause some
> grief.  I have encouraged my users to change their password before it
> expires since that causes problems with all non-windows domain logins
> like web UIs and proxy servers.
>
> To make files available from our windows file and print server I also
> use pam_mount (http://pam-mount.sourceforge.net/) to mount network
> home directories at ~/Documents.  I don't mount their network folder
> at ~ to avoid lots of .directories being created that show up in
> windows and because CIFS doesn't support sockets and many unix
> applications create them in home directories.
>

Nice!


>
> Hopefully that points you in the right direction.  I've had great luck
> with this method for the last few years with our edubuntu server using
> AD logins.
>
> Luke Taylor
>
My final questions are:

   1. Does this affect how I set up the squid proxy?
   2. How would this system relate to using Sabayon to manage users' gconf
   preferences?
   3. Would I go about and set up CUPS differently?

Thanks!
David


> On Tue, Sep 14, 2010 at 10:52 PM, David Groos <djgroos at gmail.com> wrote:
> >
> > I've been perusing all the threads I could find about LDAP and AD
> authentication.  I've seen Scott's tutorial mentioned more than once (and
> thanks David H for sharing how you filled in the 'client install
> section'--extra examples help).  I'm a teacher and not a techie, and when I
> look at Scott's instructions, well, you can imagine how I feel.
> >
> > The following is what I'm trying to do.  I just have a couple of admin
> and test users on my Lucid LTSP server at this time.  What I want to happen
> is that a student, who doesn't yet have an account on my server BUT has one
> with the district, be able to:
> >
> > walk up to a thin client, sit down and upon entering her district
> username and password, authenticate against the district's Active Directory
> server.
> > I want that to create an account and home folder (as a desktop user) for
> the user on my Lucid server.
> > Thereafter, whenever the student logs in on the thin client, they are
> authenticated against the district AD server and have access to their Lucid
> home folder.  I think this is possible, right?
> > Question: Would I then manage my users with the standard 'Users and
> Groups' application that's in the 'Administration' menu, or would I use
> something else to administer the users?
> >
> > If a few people have had good luck with Scott's page on Lucid, I'll bring
> that page to the people in the know at our district and ask for some help
> following the instructions on that page.
> >
> > I think using some setup like this is probably a basic need for
> Edubuntu/LTSP setups in large urban districts.  Thanks for your help,
> >
> > David G
> >
> > A
> >>
> >> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on how
> >> to get authentication working a while back.  It can be found here:
> >> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
> >>
> >> Follow the section for Client: install client pieces.  For my systems,
> >> I added just the ldap-auth-client.    I answered the questions. I
> >> changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered the
> >> correct info for the realm.  I answered yes to the question about
> >> having root be able to change passwords, and no for the authentication
> >> required to access the database.
> >>
> >> Next, I copied/pasted the example profile changing given on the above
> >> page, only I changed edubuntu to something appropriate for our school
> >> and saved it as ncs-ldap-config.
> >>
> >> I then invoked auth-client-config -a -p ncs
> >>
> >> Afterwards I was able to use ldap.  I now have 7 servers all
> >> authenticating successfully following this approach. Many thanks to
> >> Scott for help with that wiki page.
> >>
> >> Sincerely,
> >> Dave Hopkins
> >>
> >
> > --
> > edubuntu-users mailing list
> > edubuntu-users at lists.ubuntu.com
> > Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
> >
>
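An added configuration example (not Luke's own config) showing the pam_mount approach described above: the user's CIFS network home is mounted under ~/Documents rather than at ~, with nosuid/nodev enforced on every volume. The server name, share path, domain name and the use of the %(USER) variable are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Fragment of /etc/security/pam_mount.conf.xml (added example, not from the thread).
     Assumes winbind is already mapping AD accounts into the local passwd database,
     so %(USER) expands to the same login name the file server knows. -->
<pam_mount>
  <!-- Refuse any volume that does not carry nosuid,nodev: a network share a
       student can write to must never be able to supply setuid binaries or
       device nodes on the LTSP server. -->
  <mntoptions require="nosuid,nodev" />

  <!-- Placeholder server/share/domain names: replace with the district's values.
       Mounting at ~/Documents instead of ~ keeps Unix dotfiles and sockets on the
       local home folder, as the thread explains. -->
  <volume fstype="cifs"
          server="fileserver.district.example"
          path="homes/%(USER)"
          mountpoint="~/Documents"
          options="domain=DISTRICT,nosuid,nodev,dir_mode=0700,file_mode=0600" />

  <!-- Unmount the share on the last logout so the next student at the same thin
       client cannot see the previous user's files through a stale mount. -->
  <logout wait="0" hup="no" term="no" kill="no" />
</pam_mount>
```

pam_mount must also be enabled in the PAM stack (the Ubuntu package installs its common-auth/common-session entries) and the session will only mount if the AD password the user typed at the LTSP login is accepted by the file server.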