Technical:ADIntegration
From K12LTSP Wiki
Active Directory Integration with Home Folders
Updated for FC5 and FC6 (K12LTSP 5.0 and 6.0)
Introduction
There are posts every now and then from people trying to join a K12LTSP server to a domain, with different suggestions for how to do it, so here is a very easy way to join it and set up automounting of network shares at login. This guide also covers a few other things you might want to do.
First I'll answer some questions you may have.
- Is this the only way to join a Fedora workstation to a domain? No.
- Is this easy? I've seen harder.
- Should I have put these steps in a better order? Definitely, but they still work.
- Does the Windows server (domain controller) need to be modified in any way? NO, put down that keyboard and leave it alone.
- Is this the place to ask for other types of network configurations? Only if you want the earth to stop spinning, your girlfriend to leave you, and your cat to die.
- What if you follow these and it doesn't work? GOOGLE IT.
YOU are responsible for backing up every file you modify and knowing what the original looked like in case you ever need it. A copy is enough, e.g. Code:
cp file file.bak
For these examples the domain name is fedorarocks.com
Do everything below on your K12LTSP server.
Alternate
I have now started using a tool from Centrify called Direct Control which does the AD integration seamlessly.
System Preparation
Ensure that you have all the proper packages installed.
Install samba
Code:
yum groupinstall "Windows File Server"
you likely will already have this installed so don't worry if yum does nothing here.
Install pam_mount
If you want to automount network shares at login and unmount them at logoff install pam_mount Code:
yum install pam_mount
Joining to the Domain
Set the hostname
Run Code:
system-config-network
and under the DNS tab set a name for the computer. Make sure the hostname is unique, or you will suffer the consequences later: the join creates the computer account from this name, so a duplicate overwrites another workstation's account and kicks it off the domain. Save and exit.
Setup Authentication
run Code:
system-config-authentication
under the Authentication tab select Enable Winbind Support. Then click Configure and enter the appropriate information for your network:
Note: When using the Authentication Configuration wizard, under the Options tab I select Local Authorization is Sufficient for Local Users so that I can log on using my Centos users (root, etc.) as well. --Tom Wolfe 10:22, 26 June 2008 (PDT)
Winbind Domain is your short (NetBIOS) domain name. If your domain is fedorarocks.com you would just enter fedorarocks here.
Security Model is ads (Active Directory).
Winbind ADS Realm is your full domain name, which is also the Kerberos realm. Using the example above you'd enter fedorarocks.com
Winbind Domain Controllers is one of your domain controllers (the tool writes it as password server in smb.conf). If you don't know which to use, ask your network admin.
For Template Shell select /bin/bash. Save and exit.
Disable selinux
Before joining the domain this guide disables SELinux. Run Code:
system-config-securitylevel
and on the second tab, if it says 'enforcing', change it to 'disabled'; without this the author found the join failed. A less drastic route is to put SELinux into permissive mode just for the join (setenforce 0), look in /var/log/audit/audit.log for denials, and set it back to enforcing afterwards; leaving it disabled removes a protection layer from a multi-user server.
[Although this says you need to disable SELinux in order to successfully join a domain, I have not noticed this to be true - TW] --Tom Wolfe 11:33, 28 March 2007 (PDT)
Join the Domain
In the terminal type Code:
net ads join -U user
where user is any domain account with the privilege to join machines to the domain (delegated rights to create computer objects are enough; it does not need to be a Domain Admin). Enter the password for the account when asked. If it works it'll say it joined the domain; confirm with net ads testjoin, which should print "Join is OK", and wbinfo -t, which checks the machine's trust secret. If you get an error you probably entered some information wrong. Double check everything; if it all looks right, search Google for the error message.
Allow Domain Login
Now you must set Fedora up so that domain accounts can log in. There are three to five files to modify, depending on which display managers you use: /etc/pam.d/login, /etc/pam.d/kdm, /etc/pam.d/gdm and /etc/pam.d/xdm. In each one add the line Code:
auth required pam_mount.so
before the other auth lines, or else it won't work: pam_mount reads the password at the auth stage so it can hand it to the mount later, and if a sufficient module such as pam_unix or pam_winbind succeeds first, pam_mount never sees it. Further down, in the session section, add this line Code:
session optional pam_mount.so
Then modify /etc/pam.d/system-auth and at the bottom add this line (umask=0077 makes each new home folder readable only by its owner; note that authconfig regenerates this file, so re-check it after running the tool again) Code:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Variation on above using system-auth (global authentication module)
Instead of editing multiple pam.d files (as in the example above) you can use the following system-auth, which controls the PAM modules for all logins. Do it the way recommended above if you want the home folder creation only for certain kinds of login, e.g. gdm or kdm, and not for others, e.g. a shell. Note that the generated system-auth carries nullok on pam_unix.so, which permits local accounts with empty passwords to log in; drop it if you don't need that.
Before I make changes to the pam.d directory I always make a backup copy of it and save it in case I screw up.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Note: I'm not sure why, but sometimes I have had to reboot after finishing this for my AD users to be recognised.
Important: Before rebooting, make sure that you can at least log on to a console as root so that you can restore your pam.d directory and start over again. Just in case...
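The following is an added example, not code from this wiki or from the pam_mount project: a small Python checker for the PAM wiring described above. It parses a display manager's stack (gdm, kdm, login) and system-auth and verifies that the pam_mount auth line comes before the modules that consume the password (pam_unix, pam_winbind, or the system-auth include that contains them), that a pam_mount session line exists, that pam_mkhomedir is present with umask=0077, and that pam_winbind is in the auth stack. The sample files inside it are constructed to mirror this guide; point the two functions at the real files under /etc/pam.d to audit a server. The nullok warning is an added caveat, since the generated system-auth carries nullok and so lets local accounts with empty passwords log in.

```python
import re

# Modules that consume the password at the auth stage.  pam_mount must come
# before them: it stores the cleartext password during auth so the session
# stage can hand it to mount.cifs.  If a 'sufficient' pam_unix/pam_winbind
# (or the system-auth include that contains them) succeeds first, pam_mount
# never sees the password and nothing gets mounted.
PASSWORD_CONSUMERS = ("pam_unix.so", "pam_winbind.so", "system-auth")

# type, control (possibly bracketed), module, arguments
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_stack(text):
    """Return (type, control, module, args) tuples; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            entries.append(m.groups())
    return entries


def check_login_stack(text):
    """Findings for a per-service file such as /etc/pam.d/gdm or /etc/pam.d/login."""
    findings = []
    entries = parse_stack(text)
    auth = [e for e in entries if e[0] == "auth"]
    mount_at = [i for i, e in enumerate(auth) if e[2] == "pam_mount.so"]
    consumer_at = [i for i, e in enumerate(auth) if e[2] in PASSWORD_CONSUMERS]
    if not mount_at:
        findings.append(("error", "auth: no pam_mount.so line; no share is mounted at login"))
    elif consumer_at and mount_at[0] > consumer_at[0]:
        findings.append(("error", "auth: pam_mount.so must precede %s to capture the password"
                         % auth[consumer_at[0]][2]))
    if not any(e[0] == "session" and e[2] == "pam_mount.so" for e in entries):
        findings.append(("error", "session: no pam_mount.so line; mounting happens in the session stage"))
    return findings


def check_system_auth(text):
    """Findings for /etc/pam.d/system-auth."""
    findings = []
    entries = parse_stack(text)
    mk = [e for e in entries if e[0] == "session" and e[2] == "pam_mkhomedir.so"]
    if not mk:
        findings.append(("error", "session: pam_mkhomedir.so missing; domain users get no home directory"))
    else:
        m = re.search(r"umask=([0-7]+)", mk[0][3])
        # umask=0077 strips the group/other bits, so a new home is private to its owner
        if not m or int(m.group(1), 8) & 0o077 != 0o077:
            findings.append(("error", "session: pam_mkhomedir.so should use umask=0077"))
    if not any(e[0] == "auth" and e[2] == "pam_winbind.so" for e in entries):
        findings.append(("error", "auth: pam_winbind.so missing; domain accounts cannot authenticate"))
    for e in entries:
        if e[0] == "auth" and e[2] == "pam_unix.so" and "nullok" in e[3].split():
            findings.append(("warn", "auth: pam_unix.so nullok allows local accounts with empty passwords"))
    return findings


# Constructed sample files mirroring this guide (not copied from a live system).
GDM_OK = """\
#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_mount.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    optional     pam_mount.so
"""

# pam_mount placed after the include, and no session line: nothing is ever mounted.
GDM_BAD = """\
#%PAM-1.0
auth       required     pam_env.so
auth       include      system-auth
auth       required     pam_mount.so
account    include      system-auth
session    include      system-auth
"""

SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
"""

if __name__ == "__main__":
    for name, result in (("gdm", check_login_stack(GDM_OK)),
                         ("gdm (broken)", check_login_stack(GDM_BAD)),
                         ("system-auth", check_system_auth(SYSTEM_AUTH))):
        print(name, result or "OK")
```

To audit a real server, read each file and pass its text in: check_login_stack(open("/etc/pam.d/gdm").read()) and check_system_auth(open("/etc/pam.d/system-auth").read()). An empty list means the wiring matches the guide.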
Change Password Lookup (nsswitch.conf)
Open /etc/nsswitch.conf, which tells the C library where to look up users and groups.
Find the following lines
passwd: files winbind
shadow: files
group: files winbind
Change them to
passwd: compat winbind
shadow: compat
group: compat winbind
Set Default Domain
Set the default login domain to your domain; without this users have to log in as DOMAIN\username. Edit /etc/samba/smb.conf; at about line 185 you'll see the line Code:
winbind use default domain = false
Change the false to true. If you don't see it at line 185, search for it; it sits near your realm and password server settings. Check the file with testparm -s, then restart winbind so the change takes effect: Code:
/sbin/service winbind restart
Create Folder for Domain Home Folders
(the easiest step) Create the folder /home/FEDORAROCKS, where FEDORAROCKS is your domain name in all caps. This is where domain users' home folders go: authconfig sets template homedir = /home/%D/%U in smb.conf, so winbind reports /home/FEDORAROCKS/username as each user's home.
[It appears that in K12LTSP 6.0 this step is not necessary. -TW] --Tom Wolfe 11:53, 28 March 2007 (PDT)
[We had to change the default login manager from GDM to KDM to get home folders to mount. Edit /etc/sysconfig/desktop and add DISPLAYMANAGER="KDE" to the otherwise empty file. K12LTSP v.6.0 -Pnelson] -- April 26, 2007
Success!
At this point you should be able to log into the domain; test it in a terminal session. Log in with your domain username and password. You'll get messages about the home folder being created; that is good. If it doesn't work, make sure you're joined to the domain (net ads testjoin) and the /etc/pam.d/ files are correct. If you can log in at the terminal, make sure you can log in to X as well. If it still doesn't work, try logging in as domain\username; if that works, the Set Default Domain step above was done wrong (winbind use default domain is still false).
Home Folder Mounting
Now let's set up Fedora to automount a user's network share at login.
This only works if the user's login name and password are the same as the ones for the share, because pam_mount reuses the password typed at login for the mount.
1. Edit /etc/security/pam_mount.conf. Scroll down to line 70 where you see the line Code:
options_require nosuid, nodev
Comment that line out by placing a # in front. (The file's own comments recommend keeping this requirement: it refuses user-defined volumes that lack nosuid and nodev. The safer alternative is to leave the line in and add nosuid,nodev to the options of every volume you define, which satisfies the requirement and also stops setuid binaries or device nodes on the share from being honoured locally.)
2. Scroll down further to line 112 where you see Code:
# volume <user> [cifs|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
and using that as your guide add the appropriate line directly after it. Here's a sample Code:
volume * cifs server share /home/FEDORAROCKS/&/mountpoint uid=& - -
(Alternate: Here is a working example that we used to account for hidden shares, etc. P.Nelson)
Code:
volume * cifs servername.domain.com_or_IP_Address &$ /home/FEDORAROCKS/&/mountpoint uid=& - -
This is what's called a template, and it only works for all users if they all have access to that share or if the share has the same name as their account. If the share name is the same as the account name, put a & where it says share. If this doesn't work for you, read the next step. DON'T use smb: FC5 no longer includes support for mounting the smb file system. Use cifs instead; it's basically the same thing under a different name. The * stands for any user logging in, & is replaced by the account name, and ~ is replaced by the user's home folder. The mountpoint should be inside the user's home folder as shown, so that more than one user can be logged in at a time without their mounts colliding. For more on the options read the entire /etc/security/pam_mount.conf file; it is very detailed and helpful.
3. If you can't use a template then you must create an entry in /etc/security/pam_mount.conf for each user. Use the guide above, only change the * to their account name and the share to their share, and have fun if you have many users. Alternatively, if the share name can be derived from the account name, you can use a script that runs at the user's first login and writes the volume line for them; they log on, off, and back on once. An example script is attached below. Edit /etc/skel/.bashrc and add a line to run it, something like Code:
/location_to_script/script.txt
and also change the appropriate values in the script. Then Code:
chmod a+x script.txt
Also edit /etc/security/pam_mount.conf and at line 28 Code:
luserconf .pam_mount.conf
uncomment it by removing the #. This lets every user add volumes of their own through ~/.pam_mount.conf, so keep the options_allow/options_deny and options_require directives restrictive (the file's own comments recommend denying suid and dev and requiring nosuid,nodev) rather than using options_allow *.
4. Create the folder mountpoint in your network account's home folder. Then log off and back on and check whether the folder was mounted. If it wasn't, scroll up and read the debug output from when you logged in; specifically check what it says about the share, server and mountpoint, and look for errors. Once it works, edit /etc/security/pam_mount.conf and at line 8 change Code:
debug 1
to Code:
debug 0
also create the mountpoint folder in /etc/skel/
Mounting only an individual user's folder
The instructions above mount the share that contains all the AD home folders. Often we want to mount only the specific user's folder rather than a share listing everyone's. Samba will not mount a folder under a share, so we pull a little trick out of our hat: mount the whole share on a hidden mountpoint, then bind-mount the user's subfolder onto their desktop. Note that this puts everyone's copy of the share on the same /mnt/HomeShare, so on a busy LTSP server the mounts stack on top of each other; a per-user hidden mountpoint (one containing & or ~) avoids that.
Here is the code I used in my pam_mount.conf file, please adapt for your use. I've added commented lines to explain each preceding line.
volume * cifs studenta Home /mnt/HomeShare dir_mode=0700,file_mode=0700,uid=& - -
#volume * cifs servername share hiddenmountpoint settings - -
volume * local - /mnt/HomeShare/& /home/UCASTUDENT/&/Desktop/SaveHere bind - -
#volume * local - hiddenmountpoint/& pathtouserdesktop/FolderName bind - -
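To make the placeholders and the luserconf options concrete, here is an added example (not code from this wiki or from the pam_mount project) in Python. It reads a pam_mount.conf in the old one-line-per-directive format used on this page, expands the & and ~ placeholders for a given user, and audits the file for the points raised in the Home Folder Mounting section and in the bind-mount trick above: smb instead of cifs, a mountpoint shared by every user, network volumes that omit nosuid,nodev, and luserconf enabled alongside options_allow * or without options_require. The configuration texts inside are constructed from the guide's own lines; feed it /etc/security/pam_mount.conf to audit a real server. It only understands 8-field volume lines and the handful of directives it checks, and it treats options_allow, options_deny and options_require as governing ~/.pam_mount.conf volumes, which is how the stock file's comments describe them.

```python
SAFE_OPTS = {"nosuid", "nodev"}          # what the stock file's comments recommend requiring
NETWORK_FS = {"cifs", "smb", "nfs", "ncp"}


def _opts(value):
    """Split an option list; accepts both 'nosuid,nodev' and 'nosuid, nodev'."""
    return value.replace(",", " ").split()


def parse_conf(text):
    """Return (directives, volumes). Comments are stripped; a repeated directive's last value wins."""
    directives, volumes = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] != "volume":
            directives[fields[0]] = " ".join(fields[1:])
        elif len(fields) >= 8:   # volume <user> <fstype> <server> <volume> <mountpoint> <opts> <cipher> <keypath>
            volumes.append({
                "user": fields[1], "fstype": fields[2], "server": fields[3],
                "volume": fields[4], "mountpoint": fields[5],
                "options": [] if fields[6] == "-" else _opts(fields[6]),
            })
    return directives, volumes


def expand(template, user, home):
    """pam_mount placeholders: '&' is the login name, '~' the user's home directory."""
    return template.replace("&", user).replace("~", home)


def audit(text):
    """Return (level, message) findings; an empty list means nothing to fix."""
    findings = []
    d, vols = parse_conf(text)
    if d.get("debug", "0") != "0":
        findings.append(("info", "debug is on; set 'debug 0' once the mounts work"))
    if "luserconf" in d:
        # Users may then add volumes of their own; the allow/deny/require
        # directives are all that keeps suid or dev mounts out.
        allow = set(_opts(d.get("options_allow", "")))
        deny = set(_opts(d.get("options_deny", "")))
        if "*" in allow:
            findings.append(("warn", "luserconf is on and options_allow * lets users mount suid/dev volumes"))
        elif "options_deny" in d and not {"suid", "dev"} <= deny:
            findings.append(("warn", "luserconf is on but options_deny does not block suid and dev"))
        elif "options_allow" not in d and "options_deny" not in d:
            findings.append(("warn", "luserconf is on without options_allow or options_deny"))
        if not SAFE_OPTS <= set(_opts(d.get("options_require", ""))):
            findings.append(("warn", "luserconf is on but options_require does not demand nosuid,nodev"))
    for i, v in enumerate(vols):
        tag = "volume #%d (%s/%s)" % (i + 1, v["server"], v["volume"])
        if v["fstype"] == "smb":
            findings.append(("error", tag + ": smbfs is gone on FC5 and later, use cifs"))
        if v["user"] == "*" and "&" not in v["mountpoint"] and "~" not in v["mountpoint"]:
            findings.append(("warn", tag + ": mountpoint %s is shared by every user; concurrent logins stack mounts on it"
                             % v["mountpoint"]))
        if v["fstype"] in NETWORK_FS and not SAFE_OPTS <= set(v["options"]):
            findings.append(("warn", tag + ": options lack nosuid,nodev"))
    return findings


# Constructed from the guide's own lines (not a copy of a live file).
GUIDE_CONF = """\
debug 1
mkmountpoint 1
luserconf .pam_mount.conf
options_allow *
#options_require nosuid,nodev
volume * cifs server & /home/FEDORAROCKS/&/mountpoint uid=& - -
"""

# The same setup with the stock file's own recommendations applied.
HARDENED_CONF = """\
debug 0
mkmountpoint 1
luserconf .pam_mount.conf
options_deny suid,dev
options_require nosuid,nodev
volume * cifs server & /home/FEDORAROCKS/&/mountpoint uid=&,nosuid,nodev - -
"""

# The bind-mount trick from above: the whole Home share lands on one
# mountpoint for everybody, then the user's folder is bound onto the desktop.
BIND_CONF = """\
volume * cifs studenta Home /mnt/HomeShare dir_mode=0700,file_mode=0700,uid=& - -
volume * local - /mnt/HomeShare/& /home/UCASTUDENT/&/Desktop/SaveHere bind - -
"""

if __name__ == "__main__":
    for name, conf in (("guide", GUIDE_CONF), ("hardened", HARDENED_CONF), ("bind", BIND_CONF)):
        print(name, audit(conf) or "OK")
    _, vols = parse_conf(BIND_CONF)
    print(expand(vols[1]["mountpoint"], "jsmith", "/home/UCASTUDENT/jsmith"))
```

Run audit(open("/etc/security/pam_mount.conf").read()) on a server to see which of the guide's shortcuts it still carries; the hardened sample shows one way to satisfy every check while keeping luserconf enabled.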
Final configuration and tips
Logging in without \Domain
Plugins
Set up plugins for firefox or mozilla globally like this Code:
cd /usr/lib/mozilla/plugins
ln -s /usr/java/jre1.5.0_06/plugin/i386/ns7/libjavaplugin_oji.so
ln -s /usr/local/Adobe/Acrobat7.0/Browser/intellinux/nppdf.so
flash and mplayerplug-in are already installed globally
if you don't have all these plugins but would like them check Stanton Finley's Installation Notes
Setting New User Defaults
I like to create a new local user, log into it and set up kde, firefox and everything else so it looks nice. then copy the folders .kde and .mozilla to /etc/skel/. If you follow the suggestions below make sure to do this.
Numlock on by Default
If you feel like it in kde under kcontrol, peripherals, keyboard. Click the box that says to turn numlock on by default. Nothing makes me angrier than numlock always being off.
Warning
If you uninstall pam_mount after setting this all up you will NOT be able to log into your system at all: every auth stack now contains auth required pam_mount.so, and a required module that cannot be loaded fails the whole stack. Before removing the package, undo all the changes made to the files in the /etc/pam.d folder.
Attachments
Here are some attachments showing what the files look like on the machines I use. The script assumes that your login is first.last and the share is last.first; make sure you change the appropriate values in it.
Script
#!/bin/sh
# First-login helper: derive the share name from the login name, append a
# matching volume line to ~/.pam_mount.conf, then replace ~/.bashrc so the
# script does not run again. Assumes the login is first.last and the share
# is last.first.
b=$( echo "$USER" | awk 'BEGIN{ FS="." } { print $2 "." $1 }' )
#change mountpoint to wherever you want to mount your share, in your home folder
if [ ! -d "$HOME/mountpoint" ]; then
    mkdir "$HOME/mountpoint"
fi
#change FEDORAROCKS in the next line to your domain name in caps
#you might not need the FEDORAROCKS before the user but some servers require it to access certain shares so for ease i suggest leaving it there
#also change SERVER to your appropriate server
#the filesystem type is cifs: FC5 and later no longer support smb (see above)
echo "volume FEDORAROCKS\\\\$USER cifs SERVER $b $HOME/mountpoint uid=$USER,gid=$USER - -" >> "$HOME/.pam_mount.conf"
#put back a plain .bashrc so this script only runs once
cat > "$HOME/.bashrc" <<'EOF'
# .bashrc
# User specific aliases and functions
# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
EOF
KDM
#%PAM-1.0
auth sufficient pam_timestamp.so
auth required pam_mount.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_timestamp.so
session optional pam_selinux.so
session optional pam_console.so
session optional pam_mount.so
Login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_mount.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_mount.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
pam_mount.conf
# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overriden by user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1

# Create mountpoint if it does not exist yet. This is a good thing.
mkmountpoint 1

# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

#------------------------------------------------------------------------------
# Users' local configuration file (if there is none, comment this
# parameter out). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volumes, users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
#
# Format: luserconf <file>
#
luserconf .pam_mount.conf

#------------------------------------------------------------------------------
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
# I recommend not permitting the suid and dev options.
#
#options_allow nosuid,nodev,loop,encryption,fsck
#options_deny suid,dev
options_allow *
#options_deny *

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
#options_require nosuid,nodev

#------------------------------------------------------------------------------
# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
#
lsof /usr/bin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
# For BSD: mntagain mount_null %(PREVMNTPT) %(MNTPT)
# For Solaris: mntagain mount -F lofs %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount
# For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Credits
This how-to was adapted from a FedoraForums.com post by axelseap and used with permission.