Monday, September 12, 2011

Making Lucid authenticate via district LDAP/Active Directory servers and make home folders

Success!  After years of effort (semi-literally), students now authenticate while sitting at their LTSP fatclients to our district LDAP!  The first time they log in, it also creates a home directory for them on the local server.  Here's what I did (but don't follow these directions blindly--it would be a bummer if your system was different and somehow you got locked out of your system and you had to open things up with a live disk and then troubleshoot).

I spent several days reading up and testing on a test setup at my house.  I did try winbind and I did try webmin and though the latter was very good, it wouldn't take me all the way, therefore I finally ended up using likewise-open which worked great.  Of course the following description doesn't tell the few-day long side journeys I made.  So, based on my long-journey success (thanks go out to Doug Roberts with the MPS!) I then set out to make this work on my other server.  As you can see in the following notes it didn't go via simple recipe but it wasn't too hard, just long.
  1. I started by following the CLI directions on this page: https://help.ubuntu.com/community/LDAPClientAuthentication.  It was very easy for me to follow, though it didn't include directions on how to make the file (just use the command sudo touch) nor that most all of the commands should be done with sudo.  I also added a few notes to give more details as needed...
    1. While installing the files mentioned in the first directions on the page referenced above, a package configuration screen--"ldap-auth-config"--showed up; this is how I answered each screen:
      1. (As recommended on various web pages) I deleted the default ldapi:/// value on the first page and set it to ldap://
      2. Next I set the search base to the tree containing the students: OU=Buildings,DC=education,DC=mpls,DC=k12,DC=mn,DC=us
      3. I guessed at the LDAP version as 2... (later changed to 1)
      4. I said "No" to make local root Database admin
      5. I said "No" to 'does the LDAP database require login'
      6. There was no 6... but I did get a warning which I ignored: update-rc.d: warning: libnss-ldap start runlevel arguments (2 3 4 5) do not match LSB Default-Start values (none)
    2. Oops, recognized I made a typo and had to redo the ldap-auth-config 5 steps above with: sudo dpkg-reconfigure ldap-auth-config
    3. To make the home folders I continued on the instructions on the above mentioned page...
      1. After making the page/script and running sudo pam-auth-update it took me to another package configuration page and I made sure that every item had an asterisk before it, EXCEPT: "Winbind NT/Active Directory authentication".  The AD authentication will be done soon with likewise-open.  This step makes sure that all of these methods would be used in the authentication process.
    4. For local groups I checked what a non-privileged user had on my server and made sure to include them all on the last line of the /etc/security/group.conf file, like so: *;*;*;Al0000-2400;adm,fax,tape,dip,video,plugdev,fuse,audio,cdrom,dialout,floppy
    5.  That is all the further I needed to go on that page, skipping everything after "LDAP Host Access Authorization".
  2. To get the most correct likewise-open I added the likewise key with: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AAFDD5DB, then sudo apt-get update, then sudo apt-get install (argh! I found later that I should have done:
    1. sudo aptitude update
       sudo aptitude safe-upgrade)
  3. I followed the very good directions on this page: https://help.ubuntu.com/community/LikewiseOpen
    1. did sudo apt-get install likewise-open
      1. again it went into the package configuration screen and...
      2. I just left the screen blank as I don't need kerberos...
      3. It went through a verbose process that didn't produce any errors, no worries...
    2. then did sudo apt-get install likewise-open-gui
    3. I double checked that /etc/ldap.conf had the correct base (about 10 lines down) and it did.
    4. The main command to interact with the likewise software is: /usr/bin/domainjoin-cli
    5. So, to join the district's domain I: 
      1. sudo domainjoin-cli join education.mpls.k12.mn.us FLEetc@business.mpls.k12.mn.us (that's all on 1 line...)
      2. When asked I typed in the user's password.
    6. I got the message: SUCCESS (you should reboot before going on...) so I did...
  4. Now I did some likewise-open configs to make it so that:
    1. students can log in with just their username and not DOMAIN\username
    2. Change the automatic location where the home directories will be created.
  5. Follow the directions here: http://ubuntuforums.org/showpost.php?p=9320266&postcount=16.  This explains a bit the process of updating the .reg (aka registry) file (skip the install--we already did it).  It uses .reg files instead of .conf files like the previous versions of likewise-open.  Thus, the .reg files have to be checked out, edited, then checked back in. 
    1. in the post the person describes how to make it so that a person can log in with just their username, not needing DOMAIN\username (with setting, in two places: "AssumeDefaultDomain"=dword:00000001)  But before saving this and doing the 2 commands after that, instead...
    2. Change the line from likewise's default location....  "HomeDirTemplate"="%H/likewise-open/%D/%U"     to: "HomeDirTemplate"="%H/ad/%U"  (I had to change this in 3 or 4 places.)  The %D means the domain name.
  6. And... logging in with just username didn't work.  So, I checked out the /etc/ldap.conf file with the working machine, found discrepancies, and changed them to the good setting:
    1. current had: uri ldap://10.99.1.42 and the good had uri ldap://10.99.1.42:3268/
    2. current had: ldap_version 2 and the good had ldap_version 1
  7. Current didn't have values for these, so I changed them to the good values: nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon$
    binddn FLEetc@business.mpls.k12.mn.us
    bindpw [my ldap password here]
    scope one
    tls_checkpeer no
  8. Still didn't work so then I purged winbind via NX and synaptic... then restarted, still didn't work, then...
  9. check step 2 above--didn't do the upgrade thing! figured that after adding the new ppa, then updating then upgrade it would get me the new likewise-open but had to follow directions as shown in parens in step 2! but that didn't work.  next...
  10. I went to webmin, clicked on unused modules, then clicked on "LDAP_Client", clicked on configure, set the file to /etc/ldap.conf and saved it.
  11. Then, clicked on the last icon, the LDAP Browser and it said: The LDAP browser cannot be used : The Net::LDAP Perl module needed for talking to the LDAP server is not installed. Click here to have Webmin download and install it now
  12. Yes, I did this (and in webmin changed the tree depth to entire tree, but I don't think that was it since the other setup doesn't require it)...
  13. AND IT WORKS!
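Steps 6 and 7 above boil down to comparing a few keys in /etc/ldap.conf against a known-good file. The script below is an added example, not from the original post: it reads an nss_ldap/pam_ldap style ldap.conf (a constructed sample standing in for the "current" file), reports each of the page's keys as ok/changed/missing, and flags two settings worth a second look (tls_checkpeer no turns off server certificate checking; a bindpw in a world-readable ldap.conf is exposed to every local user, where rootbinddn plus /etc/ldap.secret keeps it root-only). The host, DN and password values are placeholders.

```shell
#!/bin/sh
# Constructed sample of a "current" /etc/ldap.conf (not the real file).
SAMPLE_CONF='# constructed sample
base OU=Buildings,DC=education,DC=mpls,DC=k12,DC=mn,DC=us
uri ldap://10.99.1.42
ldap_version 2
bindpw placeholder-password
tls_checkpeer no
'

# ldap_get KEY < conf : print the value of KEY (rest of the line).
# Comment and blank lines are skipped, the last occurrence wins,
# and nothing is printed when the key is absent.
ldap_get() {
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# ldap_check KEY EXPECTED < conf : echo "ok", "changed" or "missing".
ldap_check() {
    actual=$(ldap_get "$1")
    if [ -z "$actual" ]; then echo missing
    elif [ "$actual" = "$2" ]; then echo ok
    else echo changed
    fi
}

# ldap_audit < conf : one line per risky setting, nothing when clean.
ldap_audit() {
    conf=$(cat)
    if [ "$(printf '%s\n' "$conf" | ldap_get tls_checkpeer)" = "no" ]; then
        echo "tls_checkpeer no: the server certificate is not verified"
    fi
    if [ -n "$(printf '%s\n' "$conf" | ldap_get bindpw)" ]; then
        echo "bindpw in ldap.conf: file is world-readable; prefer rootbinddn with /etc/ldap.secret"
    fi
}

# Walk the "good" values from steps 6 and 7 over the sample.
for pair in "uri=ldap://10.99.1.42:3268/" "ldap_version=1" "scope=one" \
            "binddn=FLEetc@business.mpls.k12.mn.us"; do
    key=${pair%%=*}; want=${pair#*=}
    printf '%-14s %s\n' "$key" "$(printf '%s\n' "$SAMPLE_CONF" | ldap_check "$key" "$want")"
done
printf '%s\n' "$SAMPLE_CONF" | ldap_audit
```

To run it against the real file, replace the sample with `cat /etc/ldap.conf` in the two pipelines at the bottom.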
