lucid unown user id LTSP user cant loggin

theluketaylor ekul.taylor at gmail.com
Wed Sep 15 18:22:27 BST 2010


David,

Hopefully my answers shed some more light

On Wed, Sep 15, 2010 at 12:45 PM, David Groos <djgroos at gmail.com> wrote:
> Thanks Luke for your extensive and informative response.  Your solution
> sounds like it has even more than I asked for--accessing students' district
> home folders and not just their edubuntu home folder is a big plus and
> starts to pave the way of how edubuntu can be integrated with the existing
> ICT infrastructure at the district level.  I've got a few questions--please
> see below.
>
> On Wed, Sep 15, 2010 at 6:45 AM, theluketaylor <ekul.taylor at gmail.com>
> wrote:
>>
>> David,
>>
>> With newer versions of samba it's pretty straight forward to do AD
>> authentication though there are a couple of tricky steps.
>>
>> I have found the documents:
>>
>> https://help.ubuntu.com/community/Samba/Kerberos
>> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>>
>> to be the easiest method to join an edubuntu server to an AD domain,
>> especially since it doesn't require changes to the domain itself.
>> Some of the LDAP and other methods to authenticate against AD require
>> special AD schema and such and that's hard when you don't control the
>> domain.  You do need to be a domain admin to join the server in the
>> first place but after that no special rights are required since your
>> server is a domain member just like every other domain computer.
>>
>> The first time I joined a linux server to domain it was a bit scary
>> but it has become somewhat routine from having done it so many times.
>> I'd recommend installing ubuntu on a spare workstation and practicing
>> on it until you get it right so your edubuntu system doesn't get all
>> messed up.
>
>
> Could I just use any Edubuntu Lucid installation to test?  In other words,
> if students can log in on this test machine that would mean they could also
> sign in on an LTSP client/server?  Are there some special things to add to
> the basic edubuntu install that are on the actual LTSP server?

You can use any of the ubuntu flavours with the howtos I linked,
edubuntu included.  Once you can login to the server itself with AD
you can log into any thin client, no additional steps.  This is a real
advantage of the server/thin client setups since only the server needs
to be added to the domain, not each client.  You can use any edubuntu
installation to test, I just recommended a fresh install on spare
hardware to test since there is no telling how smoothly it will go.
In terms of software that needs to be added, it all goes on the LTSP
server.  You have to install:
samba
winbind
kerberos
along with the necessary dependencies.  Looking through the documents
to confirm what all needed to be installed I realized the kerberos
document has been changed and isn't quite as helpful as before.
https://help.ubuntu.com/community/Samba/Kerberos?action=recall&rev=10
is the one I have successfully used in the past.

>
>> The PAM portions are the most confusing so I'd read
>> through that carefully before proceeding (especially since that
>> controls the methods the server uses to grant login rights so be sure
>> to have an open root console to back out any changes in case you make
>> it impossible to log back in).
>
>
> You mean that at another computer I would ssh into the test server and
> authenticate as root and thus have this access even if I couldn't
> re-authenticate?

Or just have a root terminal open on the test server.  Either way
works.  If you mess up your PAM config in certain ways you won't be
able to create new sessions (which also means sudo is out) but
existing sessions will work.  You'll be logging in and out to test
the config so you need to be sure you have a lifeline in case
something goes wrong.  Also don't reboot the server until you're sure
you can login correctly.

>
>>
>> Using these 2 documents you'll be able to do everything you described
>> below.  Samba/Winbind will authenticate against the AD controllers and
>> PAM will create home directories for users who have not logged in
>> before.  This doesn't actually create local unix accounts, it just
>> maps active directory accounts into the local passwd database.  This
>> means you administrate the accounts from AD.
>
>
> I have no permissions on the AD server and while I don't think I would need
> to administer their accounts, I'm sure I need to be able to create groups of
> users (by period for example) that don't exist on the district level AD
> servers.  Is there a way that I can create and manage these groups and their
> membership?
>
As I said you will need to be a member of Domain Admin in order to
join the server to the domain which is a critical step.
While I just use AD to manage memberships it is possible to add AD
users to local unix groups.  Having never had to do it myself I can't
speak to how easy it would be but I'm not sure you'd be able to use
the graphical user and groups gnome tool.  I do know the command line
addgroup scripts work fine though.

>>
>> It also means your
>> domain controller needs to be available for users to be able to log
>> in.  You can use PAM to define what groups are allowed to log into
>> your server, by default it's anyone in domain member.  The other
>>
>> caveat is users can't change the domain password from your linux
>> server (at least not in a way I'd be willing to try to explain to high
>> school students) so if their password is expired it can cause some
>> grief.  I have encouraged my users to change their password before it
>> expires since that causes problems with all non-windows domain logins
>> like web UIs and proxy servers.
>>
>> To make files available from our windows file and print server I also
>> use pam_mount (http://pam-mount.sourceforge.net/) to mount network
>> home directories at ~/Documents.  I don't mount their network folder
>> at ~ to avoid lots of .directories being created that show up in
>> windows and because CIFS doesn't support sockets and many unix
>> applications create them in home directories.
>
>
> Nice!
pam_mount was a bit of a pain to setup but now that it's working it
hums along nicely.  There is slightly annoying issue that gnome
sessions don't quite clean themselves up enough to allow pam_mount to
unmount on log out but I just run a nightly script that unmounts all
CIFS shares and that does the trick.  pam_mount is smart enough now
not to mount something that's already mounted so it isn't a huge
issue.

>
>>
>> Hopefully that points you in the right direction.  I've had great luck
>> with this method for the last few years with our edubuntu server using
>> AD logins.
>>
>> Luke Taylor
>
> My final questions are:
>
> Does this affect how I setup squid proxy?
Depends on if you use transparent or authenticated mode.  We have a
school-wide authenticated squid proxy.  I have added a global setting
to firefox on our edubuntu server (found in /etc/firefox-3.6/default
or something like that) to define the proxy server settings so when
users open firefox the first time the setting is automatically added.
If you use transparent mode you shouldn't have to do anything.

> How would this system relate to using Sabayon to managing users gconf
> preferences?
Integrating AD into PAM means as far as applications are concerned AD
users are local unix users.  So you can use sabayon just as before,
you can even have it use AD groups to choose what settings to apply.
I have one profile for an AD group called students_g and one for
teachers_g but you could go as fine-grained as you like.

> Would I go about and set up CUPS differently?
It depends on how you have cups set up now but I doubt you would make
any changes.

> Thanks!
> David
>
>>
>> On Tue, Sep 14, 2010 at 10:52 PM, David Groos <djgroos at gmail.com> wrote:
>> >
>> > I've been perusing all the threads I could find about LDAP and AD
>> > authentication.  I've seen Scott's tutorial mentioned more than once (and
>> > thanks David H for sharing how you filled in the 'client install
>> > section'--extra examples help).  I'm a teacher and not a techer, and when I
>> > look at Scott's instruction well, you can imagine how I feel.
>> >
>> > The following is what I'm trying to do.  I just have a couple of admin
>> > and test users on my Lucid LTSP server at this time.  What I want to happen
>> > is that a student, who doesn't yet have an account on my server BUT has one
>> > with the district, be able to:
>> >
>> > walk up to a thin client, sit down and upon entering her district
>> > username and password, authenticate against the districts Active Directory
>> > server.
>> > I want that to create an account and home folder (as a desktop user) for
>> > the user on my Lucid server.
>> > Thereafter, whenever the student logs in on the thin client, they are
>> > authenticated against the district AD server and have access to their Lucid
>> > home folder.  I think this is possible, right?
>> > Question: Would I then manage my users with the standard 'Users and
>> > Groups' application that's in the 'Administration' menu, or would I use
>> > something else to administer the users?
>> >
>> > If a few people have had good luck with Scott's page on Lucid, I'll
>> > bring that page to the people in the know at our district and ask for some
>> > help following the instructions on that page.
>> >
>> > I think using some setup like this is probably a basic need for
>> > Edubuntu/LTSP setups in large urban districts.  Thanks for your help,
>> >
>> > David G
>> >
>> > A
>> >>
>> >> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on how
>> >> to get authentication working a while back.  It can be found here:
>> >> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
>> >>
>> >> Follow the section for Client: install client pieces.  For my systems,
>> >> I added just the ldap-auth-client.    I answered the questions. I
>> >> changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered the
>> >> correct info for the realm.  I answered yes to the question about
>> >> having root be able to change passwords, and no for the authentication
>> >> required to access the database.
>> >>
>> >> Next, I copied/pasted the example profile changing given on the above
>> >> page, only I changed edubuntu to something appropriate for our school
>> >> and saved it as ncs-ldap-config.
>> >>
>> >> I then invoked auth-client-config -a -p ncs
>> >>
>> >> Afterwards I was able to use ldap.  I now have 7 servers all
>> >> authenticating successfully following this approach. Many thanks to
>> >> Scott for help with that wiki page.
>> >>
>> >> Sincerely,
>> >> Dave Hopkins
>> >>
>> >
>> > --
>> > edubuntu-users mailing list
>> > edubuntu-users at lists.ubuntu.com
>> > Modify settings or unsubscribe at:
>> > https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
>> >
>
>


