lucid unown user id LTSP user cant loggin

David Groos djgroos at gmail.com
Fri Sep 2 13:31:27 UTC 2011


Instead of starting a new thread, I'm resurrecting this elder thread to
continue to build on it and not re-create the great info already here.

My focused question is, what is the *minimal* server set-up so that just the
following 2 behaviors occur:

   1. The first time a user sits at one of my fatclients, types in her
   user/pass, she will be authenticated via our district's AD setup AND a home
   directory on my server will be created for her.
   2. Thereafter when she sits down, types in her user/pass, she is
   authenticated by our district AD server AND her local (on the LTSP server)
   home folder is mounted.

Luke has provided great resources and I'm looking for the minimal set-up to
accomplish the 2 behaviors described above, at this time, JUST those 2
behaviors.  With the resources/strategies he described, and the answer to
the question in this post, I'm confident that I can make this work.

Thanks,
David
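As an added example (not code from anyone in this thread), here are the minimal pieces Luke describes, staged into reviewable files: an smb.conf joining the server as a plain domain member, krb5.conf, winbind added to nsswitch.conf, and a pam-auth-update profile for pam_mkhomedir so the home directory is created on first login. The realm and workgroup are placeholders, the idmap keys are the Samba 3.x form shipped with Lucid, and the join itself (net ads join) still needs a domain-admin account and an open root shell.

```shell
#!/bin/sh
# Minimal AD-member setup from the thread: samba + winbind + Kerberos for
# authentication, pam_mkhomedir for the first-login home directory. Files are
# staged under a directory for review, then copied to / on the LTSP server.
REALM="${REALM:-EXAMPLE.DISTRICT.ORG}"   # placeholder: AD domain, upper case
WORKGROUP="${WORKGROUP:-DISTRICT}"       # placeholder: NetBIOS domain name

stage_ad_configs() {                     # $1 = staging root, e.g. /tmp/ad-stage
  root="$1"
  mkdir -p "$root/etc/samba" "$root/usr/share/pam-configs"
  cat > "$root/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
EOF
  # Domain member, not a controller; idmap keys are the Samba 3.x form on Lucid.
  cat > "$root/etc/samba/smb.conf" <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ads
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    idmap uid = 10000-20000
    idmap gid = 10000-20000
EOF
  # pam-auth-update profile so pam_mkhomedir survives later PAM updates.
  printf 'Name: Create home directory on login\nDefault: yes\nPriority: 900\n' \
    > "$root/usr/share/pam-configs/mkhomedir"
  printf 'Session-Type: Additional\nSession:\n\trequired\tpam_mkhomedir.so umask=0022 skel=/etc/skel\n' \
    >> "$root/usr/share/pam-configs/mkhomedir"
}

# Add winbind to the passwd/group lines of an existing nsswitch.conf (idempotent).
enable_winbind_nss() {                   # $1 = path to nsswitch.conf
  grep -q '^passwd:.*winbind' "$1" || sed -i '/^passwd:/ s/$/ winbind/' "$1"
  grep -q '^group:.*winbind'  "$1" || sed -i '/^group:/ s/$/ winbind/' "$1"
}

# True when a PAM profile or common-session file enables pam_mkhomedir.
has_mkhomedir() { grep -q 'pam_mkhomedir.so' "$1"; }

# Root-only steps after copying the staged files: apt-get install samba winbind
# krb5-user libpam-winbind; keep a root shell open; net ads join -U <domain admin>;
# service winbind restart; pam-auth-update; wbinfo -t; getent passwd <a student>.
if [ $# -gt 0 ]; then stage_ad_configs "$1"; fi
```

Run it as `sh stage-ad.sh /tmp/ad-stage`, diff the staged files against the live ones, and only then copy them into place and do the join; `wbinfo -t` and `getent passwd <student>` confirm the trust and the NSS mapping before anyone tries a thin-client login.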

On Wed, Sep 15, 2010 at 12:22 PM, theluketaylor <ekul.taylor at gmail.com> wrote:

> David,
>
> Hopefully my answers shed some more light
>
> On Wed, Sep 15, 2010 at 12:45 PM, David Groos <djgroos at gmail.com> wrote:
> > Thanks Luke for your extensive and informative response.  Your solution
> > sounds like it has even more than I asked for--accessing students'
> district
> > home folders and not just their edubuntu home folder is a big plus and
> > starts to pave the way of how edubuntu can be integrated with the
> existing
> > ICT infrastructure at the district level.  I've got a few
> question--please
> > see below.
> >
> > On Wed, Sep 15, 2010 at 6:45 AM, theluketaylor <ekul.taylor at gmail.com>
> > wrote:
> >>
> >> David,
> >>
> >> With newer versions of samba it's pretty straightforward to do AD
> >> authentication though there are a couple of tricky steps.
> >>
> >> I have found the documents:
> >>
> >> https://help.ubuntu.com/community/Samba/Kerberos
> >> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
> >>
> >> to be the easiest method to join an edubuntu server to an AD domain,
> >> especially since it doesn't require changes to the domain itself.
> >> Some of the LDAP and other methods to authenticate against AD require
> >> special AD schema and such and that's hard when you don't control the
> >> domain.  You do need to be a domain admin to join the server in the
> >> first place but after that no special rights are required since your
> >> server is a domain member just like every other domain computer.
> >>
> >> The first time I joined a linux server to domain it was a bit scary
> >> but it has become somewhat routine from having done it so many times.
> >> I'd recommend installing ubuntu on a spare workstation and practicing
> >> on it until you get it right so your edubuntu system doesn't get all
> >> messed up.
> >
> >
> > Could I just use any Edubuntu Lucid installation to test?  In other
> words,
> > if students can log in on this test machine that would mean they could
> also
> > sign in on an LTSP client/server?  Are there some special things to add to
> > the basic edubuntu install that are on the actual LTSP server?
>
> You can use any of the ubuntu flavours with the howtos I linked,
> edubuntu included.  Once you can login to the server itself with AD
> you can log into any thin client, no additional steps.  This is a real
> advantage of the server/thin client setups since only the server needs
> to be added to the domain, not each client.  You can use any edubuntu
> installation to test, I just recommended a fresh install on spare
> hardware to test since there is no telling how smoothly it will go.
> In terms of software that needs to be added, it all goes on the LTSP
> server.  You have to install:
> samba
> winbind
> kerberos
> along with the necessary dependencies.  Looking through the documents
> to confirm what all needed to be installed I realized the kerberos
> document has been changed and isn't quite as helpful as before.
> https://help.ubuntu.com/community/Samba/Kerberos?action=recall&rev=10
> is the one I have successfully used in the past
>
> >
> >> The PAM portions are the most confusing so I'd read
> >> through that carefully before proceeding (especially since that
> >> controls the methods the server uses to grant login rights so be sure
> >> to have an open root console to back out any changes in case you make
> >> it impossible to log back in).
> >
> >
> > You mean that at another computer I would ssh into the test server and
> > authenticate as root and thus have this access even if I couldn't
> > re-authenticate?
>
> or just have a root terminal open on the test server.  Either way
> works.  If you mess up your PAM config in certain ways you won't be
> able to create new sessions (which also means sudo is out) but
> existing sessions will work.  You'll be logging in and out to test
> the config so you need to be sure you have a lifeline in case
> something goes wrong.  Also don't reboot the server until you're sure
> you can login correctly.
>
> >
> >>
> >> Using these 2 documents you'll be able to do everything you described
> >> below.  Samba/Winbind will authenticate against the AD controllers and
> >> PAM will create home directories for users who have not logged in
> >> before.  This doesn't actually create local unix accounts, it just
> >> maps active directory accounts into the local passwd database.  This
> >> means you administrate the accounts from AD.
> >
> >
> > I have no permissions on the AD server and while I don't think I would
> need
> > to administer their accounts, I'm sure I need to be able to create groups
> of
> > users (by period for example) that don't exist on the district level AD
> > servers.  Is there a way that I can create and manage these groups and
> their
> > membership?
> >
> As I said you will need to be a member of Domain Admin in order to
> join the server to the domain which is a critical step.
> While I just use AD to manage memberships it is possible to add AD
> users to local unix groups.  Having never had to do it myself I can't
> speak to how easy it would be but I'm not sure you'd be able to use
> the graphical user and groups gnome tool.  I do know the command line
> addgroup scripts work fine though.
>
> >>
> >> It also means your
> >> domain controller needs to be available for users to be able to log
> >> in.  You can use PAM to define what groups are allowed to log into
> >> your server, by default it's anyone in domain member.  The other
> >> caveat is users can't change the domain password from your linux
> >> server (at least not in a way I'd be willing to try to explain to high
> >> school students) so if their password is expired it can cause some
> >> grief.  I have encouraged my users to change their password before it
> >> expires since that causes problems with all non-windows domain logins
> >> like web UIs and proxy servers.
> >>
> >> To make files available from our windows file and print server I also
> >> use pam_mount (http://pam-mount.sourceforge.net/) to mount network
> >> home directories at ~/Documents.  I don't mount their network folder
> >> at ~ to avoid lots of .directories being created that show up in
> >> windows and because CIFS doesn't support sockets and many unix
> >> applications create them in home directories.
> >
> >
> > Nice!
> pam_mount was a bit of a pain to setup but now that it's working it
> hums along nicely.  There is slightly annoying issue that gnome
> sessions don't quite clean themselves up enough to allow pam_mount to
> unmount on log out but I just run a nightly script that unmounts all
> CIFS shares and that does the trick.  pam_mount is smart enough now
> not to mount something that's already mounted so it isn't a huge
> issue.
>
> >
> >>
> >> Hopefully that points you in the right direction.  I've had great luck
> >> with this method for the last few years with our edubuntu server using
> >> AD logins.
> >>
> >> Luke Taylor
> >
> > My final questions are:
> >
> > Does this affect how I setup squid proxy?
> Depends on if you use transparent or authenticated mode.  We have a
> school-wide authenticated squid proxy.  I have added a global setting
> to firefox on our edubuntu server (found in /etc/firefox-3.6/default
> or something like that) to define the proxy server settings so when
> users open firefox the first time the setting is automatically added.
> If you use transparent mode you shouldn't have to do anything
>
> > How would this system relate to using Sabayon to managing users gconf
> > preferences?
> Integrating AD into PAM means as far as applications are concerned AD
> users are local unix users.  So you can use sabayon just as before,
> you can even have it use AD groups to choose what settings to apply.
> I have one profile for an AD group called students_g and one for
> teachers_g but you could go as fine-grained as you like.
>
> > Would I go about and set up CUPS differently?
> It depends on how you have cups set up now but I doubt you would make
> any changes.
>
> > Thanks!
> > David
> >
> >>
> >> On Tue, Sep 14, 2010 at 10:52 PM, David Groos <djgroos at gmail.com>
> wrote:
> >> >
> >> > I've been perusing all the threads I could find about LDAP and AD
> >> > authentication.  I've seen Scott's tutorial mentioned more than once
> (and
> >> > thanks David H for sharing how you filled in the 'client install
> >> > section'--extra examples help).  I'm a teacher and not a techer, and
> when I
> >> > look at Scott's instructions well, you can imagine how I feel.
> >> >
> >> > The following is what I'm trying to do.  I just have a couple of admin
> >> > and test users on my Lucid LTSP server at this time.  What I want to
> happen
> >> > is that a student, who doesn't yet have an account on my server BUT
> has one
> >> > with the district, be able to:
> >> >
> >> > walk up to a thin client, sit down and upon entering her district
> >> > username and password, authenticate against the district's Active
> Directory
> >> > server.
> >> > I want that to create an account and home folder (as a desktop user)
> for
> >> > the user on my Lucid server.
> >> > Thereafter, whenever the student logs in on the thin client, they are
> >> > authenticated against the district AD server and have access to their
> Lucid
> >> > home folder.  I think this is possible, right?
> >> > Question: Would I then manage my users with the standard 'Users and
> >> > Groups' application that's in the 'Administration' menu, or would I
> use
> >> > something else to administer the users?
> >> >
> >> > If a few people have had good luck with Scott's page on Lucid, I'll
> >> > bring that page to the people in the know at our district and ask for
> some
> >> > help following the instructions on that page.
> >> >
> >> > I think using some setup like this is probably a basic need for
> >> > Edubuntu/LTSP setups in large urban districts.  Thanks for your help,
> >> >
> >> > David G
> >> >
> >> > A
> >> >>
> >> >> I also use LDAP (Openldap). Scott Balneaves wrote up a tutorial on
> how
> >> >> to get authentication working a while back.  It can be found here:
> >> >> https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup
> >> >>
> >> >> Follow the section for Client: install client pieces.  For my
> systems,
> >> >> I added just the ldap-auth-client.    I answered the questions. I
> >> >> changed the ldapi:/// to ldap://IP.x.y.z:389/ ... I also entered the
> >> >> correct info for the realm.  I answered yes to the question about
> >> >> having root be able to change passwords, and no for the
> authentication
> >> >> required to access the database.
> >> >>
> >> >> Next, I copied/pasted the example profile changing given on the above
> >> >> page, only I changed edubuntu to something appropriate for our school
> >> >> and saved it as ncs-ldap-config.
> >> >>
> >> >> I then invoked auth-client-config -a -p ncs
> >> >>
> >> >> Afterwards I was able to use ldap.  I now have 7 servers all
> >> >> authenticating successfully following this approach. Many thanks to
> >> >> Scott for help with that wiki page.
> >> >>
> >> >> Sincerely,
> >> >> Dave Hopkins
> >> >>
> >> >