====== Desktop Ubuntu Integration with Active Directory ======
Scope:  Setup a ubuntu 12.04 client to authenticate to Active Directory and access mapped drives

===== Install Packages =====
==== Install Samba, cifs-utils, and pam-mount ====
<file>
apt-get install cifs-utils samba winbind ntp krb5-kdc krb5-admin-server rng-tools libpam-mount
</file>

==== Install nemo file manager ====
<file>
sudo add-apt-repository ppa:webupd8team/nemo
sudo apt-get update
sudo apt-get install nemo nemo-fileroller
</file>

===== Active Directory Authentication =====
We will be using Samba or more specifically winbind to authenticate/lookup user via pam
First we need to make a /etc/samba/smb/conf.  This is a example smb.conf be sure to change **workgroup** and **realm**
<file config smb.conf>
[global]                                                                                        
	workgroup = DOMAIN
        realm = DOMAIN.NET
        preferred master = no
        server string =
        security = ADS
        encrypt passwords = true
        log level = 3
        log file = /var/log/samba/smb.log
        max log size = 50
        printcap name = cups
        printing = cups
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind separator = +
        template homedir = /vol1/homes/%U
        idmap uid = 2000-20000
        idmap gid = 2000-20000
        ;template primary group = "Domain Users"
        template shell = /bin/bash
        obey pam restrictions = yes
</file>
Now we need to tell nsswitch to look to winbind for user data
<file nsswitch /etc/nsswitch.conf>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.


passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</file>
Finally we need to join to the Active Directory Domain
<file>
net ads -U administrator join
/etc/init.d/winbind restart
</file>
Now if you enter **wbinfo -u** you should get a complete list of AD users.

===== Setup share mounting (Pam Mount) =====

Here is a complete pam_mount config the most important statements are these four lines that mount the various shares for each user<file>
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />
</file>
<file xml /etc/security/pam_mount.conf.xml>
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<!--<luserconf name=".pam_mount.conf.xml" /> -->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,*" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="" />

<logout wait="0" hup="0" term="0" kill="0" />


		<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />

</pam_mount>
</file>
==== Link Home Dir Script ====
This is a script that links a users network home directory to a bookmark and nautilus or nemo.  It is designed to be run at login.    
  * Save script to **/scripts** and **chmod 755 /scripts/link_h.sh**
<file bash /scripts/link_h.sh>
#!/bin/sh

#####################################################################
#This is the script that updates file manager bookmarks for Unity
#place in /scripts
#####################################################################

linkstaff()
{	cd $HOME/.mnt
	rm H\ Drive
	ln -s ${LOGNAME}-ffs H\ Drive
}

linkstudent()
{	cd $HOME/.mnt
	rm H\ Drive
	ln -s ${LOGNAME}-sfs H\ Drive
}

addBookmark()
{	cd $HOME
	if [ "`cat ${HOME}/.gtk-bookmarks  | grep H%20Drive`" = "" ]
	then
		echo "file://${HOME}/.mnt/H%20Drive" >> ${HOME}/.gtk-bookmarks
		echo "Added bookmark H Drive"
	else
		echo "bookmark already H Drive exists"
	fi

	if [ "`cat ${HOME}/.gtk-bookmarks  | grep Documents`" = "" ]
        then
                echo "file://${HOME}/Documents" >> ${HOME}/.gtk-bookmarks
                echo "Added bookmark documents"
        else
                echo "bookmark already exists documents"
        fi

	if [ "`cat ${HOME}/.gtk-bookmarks  | grep Downloads`" = "" ]
        then
                echo "file://${HOME}/Downloads" >> ${HOME}/.gtk-bookmarks
                echo "Added bookmark Downloads"
        else
                echo "bookmark Downloads already exists"
        fi
}



if [ "`id | grep student`" = "" ]
then
	echo "staff"
	linkstaff
else
	echo "student"
	linkstudent
fi
addBookmark
</file>

===== Automatic Home Directory creation and skeleton Directory setup  =====
This is a full common-session pam file the only change is this line <file>
session required			pam_mkhomedir.so	skel=/etc/skel/ umask=0077</file>
Notice that we are using /etc/skel for a skeleton dir.
<file pam /etc/pam.d/common-session>
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
session required			pam_mkhomedir.so	skel=/etc/skel/ umask=0077
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional			pam_umask.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_winbind.so 
session	optional	pam_mount.so 
session	optional			pam_ck_connector.so nox11
# end of pam-auth-update config
</file>

Dowload {{:ubuntu:skel.tar|}} and extract it to /etc/skel e.g.
<file>
wget http://wiki.sebeka.k12.mn.us/_media/ubuntu:skel.tar 
tar xvf skel.tar -C /etc/skel
</file>
===== Configure Lightdm for Network logins =====
This is a full lightdm.conf.  I made two changes.  
  - I changed **user-session to ubuntu-2d** because it's a lot nicer on older hardware.  
  - I added **greeter-show-manual-login=true** to allow login of network users. 
<file config /etc/lightdm/lightdm.conf>
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu-2d
greeter-show-manual-login=true
greeter-hide-users=true
</file>