lucid unown user id LTSP user cant loggin

theluketaylor ekul.taylor at gmail.com
Wed Sep 15 04:45:53 BST 2010


David,

With newer versions of samba it's pretty straight forward to do AD
authentication though there are a couple of tricky steps.

I have found the documents:

https://help.ubuntu.com/community/Samba/Kerberos
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

to be the easiest method to join an edubuntu server to an AD domain,
especially since it doesn't require changes to the domain itself.
Some of the LDAP and other methods to authenticate against AD require
special AD schema and such and that's hard when you don't control the
domain.  You do need to be a domain admin to join the server in the
first place but after that no special rights are required since your
server is a domain member just like every other domain computer.

The first time I joined a linux server to a domain it was a bit scary
but it has become somewhat routine from having done it so many times.
I'd recommend installing ubuntu on a spare workstation and practicing
on it until you get it right so your edubuntu system doesn't get all
messed up.  The PAM portions are the most confusing so I'd read
through that carefully before proceeding (especially since that
controls the methods the server uses to grant login rights so be sure
to have an open root console to back out any changes in case you make
it impossible to log back in).

Using these 2 documents you'll be able to do everything you described
below.  Samba/Winbind will authenticate against the AD controllers and
PAM will create home directories for users who have not logged in
before.  This doesn't actually create local unix accounts, it just
maps active directory accounts into the local passwd database.  This
means you administrate the accounts from AD.  It also means your
domain controller needs to be available for users to be able to log
in.  You can use PAM to define what groups are allowed to log into
your server; by default it's any domain member.  The other
caveat is users can't change the domain password from your linux
server (at least not in a way I'd be willing to try to explain to high
school students) so if their password is expired it can cause some
grief.  I have encouraged my users to change their password before it
expires since that causes problems with all non-windows domain logins
like web UIs and proxy servers.

To make files available from our windows file and print server I also
use pam_mount (http://pam-mount.sourceforge.net/) to mount network
home directories at ~/Documents.  I don't mount their network folder
at ~ to avoid lots of .directories being created that show up in
windows and because CIFS doesn't support sockets and many unix
applications create them in home directories.

Hopefully that points you in the right direction.  I've had great luck
with this method for the last few years with our edubuntu server using
AD logins.

Luke Taylor

On Tue, Sep 14, 2010 at 10:52 PM, David Groos <djgroos at gmail.com> wrote:
>
> I've been perusing all the threads I could find about LDAP and AD authentication.  I've seen Scott's tutorial mentioned more than once (and thanks David H for sharing how you filled in the 'client install section'--extra examples help).  I'm a teacher and not a techie, and when I look at Scott's instructions, well, you can imagine how I feel.
>
> The following is what I'm trying to do.  I just have a couple of admin and test users on my Lucid LTSP server at this time.  What I want to happen is that a student, who doesn't yet have an account on my server BUT has one with the district, be able to:
>
> walk up to a thin client, sit down and upon entering her district username and password, authenticate against the district's Active Directory server.
> I want that to create an account and home folder (as a desktop user) for the user on my Lucid server.
> Thereafter, whenever the student logs in on the thin client, they are authenticated against the district AD server and have access to their Lucid home folder.  I think this is possible, right?
> Question: Would I then manage my users with the standard 'Users and Groups' application that's in the 'Administration' menu, or would I use something else to administer the users?
>
> If a few people have had good luck with Scott's page on Lucid, I'll bring that page to the people in the know at our district and ask for some help following the instructions on that page.
>
> I think using some setup like this is probably a basic need for Edubuntu/LTSP setups in large urban districts.  Thanks for your help,
>
> David G
>
> A
>>
>> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on how
>> to get authentication working a while back.  It can be found here:
>> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
>>
>> Follow the section for Client: install client pieces.  For my systems,
>> I added just the ldap-auth-client.    I answered the questions. I
>> changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered the
>> correct info for the realm.  I answered yes to the question about
>> having root be able to change passwords, and no for the authentication
>> required to access the database.
>>
>> Next, I copied/pasted the example profile changing given on the above
>> page, only I changed edubuntu to something appropriate for our school
>> and saved it as ncs-ldap-config.
>>
>> I then invoked auth-client-config -a -p ncs
>>
>> Afterwards I was able to use ldap.  I now have 7 servers all
>> authenticating successfully following this approach. Many thanks to
>> Scott for help with that wiki page.
>>
>> Sincerely,
>> Dave Hopkins
>>
>
> --
> edubuntu-users mailing list
> edubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
>
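As an added, runnable illustration of the caveats in Luke's message (this is not code from the post, from Samba or from pam_mount): a small Python checker that reads constructed samples standing in for /etc/security/pam_winbind.conf, /etc/security/pam_mount.conf.xml and /etc/pam.d/common-session. It reports when require_membership_of is unset (so any domain member can log in), when pam_mkhomedir is missing from the session stack (no home directory on first login), and when a pam_mount volume is mounted over ~ instead of a subdirectory such as ~/Documents. The server name and share path in the samples are made up.

```python
"""Offline sanity check of a winbind/PAM/pam_mount login configuration.

The three config samples below are constructed for this example and stand in
for /etc/security/pam_winbind.conf, /etc/security/pam_mount.conf.xml and
/etc/pam.d/common-session on the server.
"""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample of /etc/security/pam_winbind.conf: require_membership_of
# is commented out, so by default any domain account may log in.
PAM_WINBIND_CONF = """\
[global]
debug = no
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
;require_membership_of =
"""

# Constructed sample of /etc/security/pam_mount.conf.xml: the network home is
# mounted directly over ~, which the post advises against (hypothetical server).
PAM_MOUNT_XML = """\
<pam_mount>
  <debug enable="0" />
  <volume user="*" fstype="cifs" server="fileserver.example.internal"
          path="home$/%(USER)" mountpoint="~" options="nosuid,nodev" />
  <mntoptions allow="nosuid,nodev,ro,rw" />
</pam_mount>
"""

# Constructed sample of /etc/pam.d/common-session with pam_mkhomedir enabled.
COMMON_SESSION = """\
session [default=1] pam_permit.so
session requisite   pam_deny.so
session required    pam_permit.so
session optional    pam_winbind.so
session required    pam_unix.so
session optional    pam_mkhomedir.so skel=/etc/skel/ umask=0077
"""


def allowed_groups(pam_winbind_conf: str) -> list[str]:
    """Return the groups/SIDs listed in require_membership_of ([] if unset)."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=(';', '#'))
    cp.read_string(pam_winbind_conf)
    value = cp.get('global', 'require_membership_of', fallback='')
    return [g.strip() for g in value.split(',') if g.strip()]


def mkhomedir_enabled(common_session: str) -> bool:
    """True if a session line loads pam_mkhomedir.so (home created on first login)."""
    for line in common_session.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'session' and fields[2] == 'pam_mkhomedir.so':
            return True
    return False


def home_mount_findings(pam_mount_xml: str) -> list[str]:
    """Flag pam_mount volumes whose mountpoint is the whole home directory."""
    findings = []
    for vol in ET.fromstring(pam_mount_xml).iter('volume'):
        mountpoint = vol.get('mountpoint', '')
        if mountpoint.rstrip('/') == '~':
            findings.append(
                f"volume {vol.get('server')}:{vol.get('path')} is mounted over ~; "
                "mount it at a subdirectory such as ~/Documents instead")
    return findings


def audit(winbind_conf=PAM_WINBIND_CONF, mount_xml=PAM_MOUNT_XML,
          session=COMMON_SESSION) -> list[str]:
    """Collect the findings a reviewer would raise about this login setup."""
    findings = []
    if not allowed_groups(winbind_conf):
        findings.append("require_membership_of is unset: every domain account can log in")
    if not mkhomedir_enabled(session):
        findings.append("pam_mkhomedir.so is not loaded: first-time users get no home directory")
    findings.extend(home_mount_findings(mount_xml))
    return findings


if __name__ == '__main__':
    for finding in audit():
        print('WARN:', finding)
```

To check a real server, pass the contents of the three files to audit() in place of the constants; run it from the open root console mentioned above, before touching the PAM stack, so you know which of these settings you are about to change.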
