Scope: set up an Ubuntu 12.04 client to authenticate against Active Directory and mount the users' network drives at login.
Install the packages:

apt-get install cifs-utils samba winbind ntp krb5-kdc krb5-admin-server rng-tools libpam-mount

Note that krb5-kdc and krb5-admin-server are KDC (server) packages; a domain member only needs the Kerberos client libraries that winbind depends on, so they can be left out of the install and nothing on this page uses them. ntp matters: a Kerberos join and later logins fail if the client clock drifts more than a few minutes from the domain controllers.
Optionally, install the Nemo file manager (the bookmark script below works with either Nautilus or Nemo). This adds a third-party PPA, so its signing key is trusted for future package updates:

sudo add-apt-repository ppa:webupd8team/nemo
sudo apt-get update
sudo apt-get install nemo nemo-fileroller
We will be using Samba, or more specifically winbind, to authenticate and look up users via PAM. First we need to create /etc/samba/smb.conf. This is an example smb.conf; be sure to change workgroup and realm to match your domain. Note that winbind enum users/groups = Yes is what makes wbinfo -u list every account; it is convenient for testing but makes every enumeration walk the whole domain, which is slow on large directories.
[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   preferred master = no
   server string =
   security = ADS
   encrypt passwords = true
   log level = 3
   log file = /var/log/samba/smb.log
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   template homedir = /vol1/homes/%U
   idmap uid = 2000-20000
   idmap gid = 2000-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
   obey pam restrictions = yes
Now we need to tell the name service switch (/etc/nsswitch.conf) to consult winbind for user and group data. In the file below winbind is listed before compat, so every lookup, including lookups of local accounts such as root, goes to winbind first; listing compat first keeps local accounts resolving promptly when the domain controller is unreachable.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Finally we need to join the client to the Active Directory domain. net prompts for the password of the account given with -U; any account allowed to join computers to the domain will do. Do not pass the password on the command line (the user%password form), as it would end up in the shell history.
net ads -U administrator join
/etc/init.d/winbind restart
Now if you run wbinfo -u you should get a complete list of AD users. Two further checks are worth making before going on: wbinfo -t confirms that the machine account's trust secret with the domain works, and getent passwd some_ad_user confirms that NSS itself (not just winbind) resolves domain users, which is what PAM and the file mounts below depend on.
Here is a complete pam_mount config. The most important statements are the four volume lines below, which mount the various shares for each user. pam_mount hands the password typed at login to mount.cifs, so each share is mounted with the user's own AD credentials and owned by that user (uid=%(USER)); gid=100 is the local users group. The full file leaves debug enabled; set enable="0" once the mounts work, since the debug output (share paths and user names) goes to syslog at every login.
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="1" />

                <!-- Volume definitions -->

                <!-- pam_mount parameters: General tunables -->

<!--<luserconf name=".pam_mount.conf.xml" /> -->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,*" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="" />

<logout wait="0" hup="0" term="0" kill="0" />

                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />

</pam_mount>
This script links the user's network home directory (the -ffs mount for staff, the -sfs mount for students) to an "H Drive" entry and adds bookmarks to it in Nautilus or Nemo. It is designed to be run at login. Save it as /scripts/link_h.sh and chmod 755 /scripts/link_h.sh.
#!/bin/sh
#####################################################################
# This is the script that updates file manager bookmarks for Unity
# place in /scripts
#####################################################################

MNT="$HOME/.mnt"
BOOKMARKS="$HOME/.gtk-bookmarks"

# Staff home directories are on the ffs server, student ones on sfs;
# "H Drive" is a symlink to whichever one pam_mount mounted for this user.
linkstaff() {
    cd "$MNT" || exit 1
    rm -f "H Drive"
    ln -s "${LOGNAME}-ffs" "H Drive"
}

linkstudent() {
    cd "$MNT" || exit 1
    rm -f "H Drive"
    ln -s "${LOGNAME}-sfs" "H Drive"
}

# Append bookmark $1 unless a line matching $2 is already present.
# grep -s keeps quiet when the bookmarks file does not exist yet.
addBookmark() {
    if grep -qs "$2" "$BOOKMARKS"; then
        echo "bookmark $3 already exists"
    else
        echo "$1" >> "$BOOKMARKS"
        echo "Added bookmark $3"
    fi
}

# Group membership decides which share becomes H Drive. This is a
# substring match on the output of id(1), so any group or user name
# containing "student" selects the student share.
if id | grep -q student; then
    echo "student"
    linkstudent
else
    echo "staff"
    linkstaff
fi

addBookmark "file://${HOME}/.mnt/H%20Drive" "H%20Drive" "H Drive"
addBookmark "file://${HOME}/Documents" "Documents" "Documents"
addBookmark "file://${HOME}/Downloads" "Downloads" "Downloads"
This is the full common-session PAM file. The only change from the stock file is this line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Notice that we are using /etc/skel as the skeleton directory, and umask=0077 so that each new home directory is created readable by its owner only. The pam_mount session line is already present because the libpam-mount package registers itself with pam-auth-update; that also adds the matching auth optional pam_mount.so entry to common-auth, which pam_mount needs in order to capture the login password for the mounts.
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_winbind.so
session optional                        pam_mount.so
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config
Download skel.tar and extract it to /etc/skel, e.g. as below. The download is over plain HTTP and everything in /etc/skel is copied into every new home directory, so list the archive with tar tvf skel.tar and check it contains only the expected dotfiles before extracting it as root.
wget http://wiki.sebeka.k12.mn.us/_media/ubuntu:skel.tar
tar xvf skel.tar -C /etc/skel
This is the full lightdm.conf with the two greeter changes. greeter-show-manual-login=true lets a user type a name that is not in the greeter's list, which is how domain users log in; greeter-hide-users=true stops the greeter from enumerating accounts at all, which with winbind enum users = Yes would otherwise expose every domain user name on the login screen.
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu-2d
greeter-show-manual-login=true
greeter-hide-users=true
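To tie the steps above together, here is a small pre-flight check for the three configuration files this page edits. It is an added example written for this page, not a script from the original wiki or from Samba/pam_mount: each check_* function reads one file and returns 0 when the setting the procedure relies on is present (security = ADS and a realm in smb.conf, pam_mount debug switched off and every volume a cifs mount with a server, pam_mkhomedir with umask=0077 listed before pam_mount in common-session). The sample files it writes to a temporary directory are constructed for the demonstration, with made-up server names; on a real client point the functions at /etc/samba/smb.conf, /etc/security/pam_mount.conf.xml and /etc/pam.d/common-session instead.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a pre-flight lint for
# the configuration files set up above. Each check_* function takes a path
# and returns 0 when the file carries the setting this page relies on, and
# 1 otherwise. The sample files below are constructed purely for this
# demonstration (server names are made up).

# smb.conf: the join and winbind lookups need security = ADS plus a realm.
check_smb_conf() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$1" 2>/dev/null || return 1
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" 2>/dev/null || return 1
}

# pam_mount.conf.xml: <debug enable="1"/> writes every mount attempt, with
# share paths and user names, to syslog at each login; it belongs off once
# the mounts work. Every <volume> must also be cifs and name a server.
check_pam_mount() {
    grep -Eq '<debug[[:space:]]+enable="1"' "$1" 2>/dev/null && return 1
    vols=$(grep -c '<volume' "$1" 2>/dev/null || true)
    cifs=$(grep '<volume' "$1" 2>/dev/null | grep -c 'fstype="cifs"' || true)
    srvs=$(grep '<volume' "$1" 2>/dev/null | grep -c 'server="[^"]' || true)
    [ "${vols:-0}" -gt 0 ] && [ "$vols" -eq "$cifs" ] && [ "$vols" -eq "$srvs" ]
}

# common-session: pam_mkhomedir must run with umask=0077 and be listed
# before pam_mount, since the mountpoints under ~/.mnt live in the home.
check_common_session() {
    mk=$(grep -nE '^[[:space:]]*session.*pam_mkhomedir\.so.*umask=0077' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    mt=$(grep -nE '^[[:space:]]*session.*pam_mount\.so' "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$mk" ] && [ -n "$mt" ] && [ "$mk" -lt "$mt" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed smb.conf in the shape used above, and one in the wrong mode.
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   security = ADS
   encrypt passwords = true
EOF
cat > "$tmp/smb-bad.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   security = user
EOF

# Constructed pam_mount with debug left on (as on this page) and the
# hardened variant with debug off.
cat > "$tmp/pam_mount-debug.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<debug enable="1" />
<mkmountpoint enable="1" remove="true" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.example.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.example.net" fstype="cifs" />
</pam_mount>
EOF
sed 's/<debug enable="1"/<debug enable="0"/' "$tmp/pam_mount-debug.xml" > "$tmp/pam_mount-ok.xml"

# Constructed common-session in the order shown above, and one with the
# order reversed and a permissive umask.
cat > "$tmp/common-session" <<'EOF'
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session optional pam_mount.so
EOF
cat > "$tmp/common-session-bad" <<'EOF'
session required pam_permit.so
session optional pam_mount.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

# One line per file, so the script doubles as a post-install check.
report() {
    for f in "$tmp/smb.conf" "$tmp/smb-bad.conf"; do
        check_smb_conf "$f" && echo "OK   $f" || echo "FAIL $f"
    done
    for f in "$tmp/pam_mount-debug.xml" "$tmp/pam_mount-ok.xml"; do
        check_pam_mount "$f" && echo "OK   $f" || echo "FAIL $f"
    done
    for f in "$tmp/common-session" "$tmp/common-session-bad"; do
        check_common_session "$f" && echo "OK   $f" || echo "FAIL $f"
    done
}
report
```

The checks are deliberately line-oriented grep rather than a full parser: smb.conf and PAM files are simple enough for that, and for pam_mount the two things that matter at this stage (debug off, every volume a cifs mount against a named server) are single attributes. Run it on the real files after the join and before handing the machine to users; the pam_mount debug check will fail against the file shown on this page until enable is set to "0".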