* [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Yoav Luft @ 2008-08-07 20:31 UTC
To: gentoo-user
Hello all,
My workplace has decided to adventure into the lands of embedded Linux. As I am
the only one in my department with prior Linux experience, I was given the
task of setting up a Linux workstation that will be used as the host machine
for our embedded system. Since my only Linux experience with anything but
Gentoo is with Debian, and it's a bad experience, I have chosen to make the
host Gentoo-Linux.
Everything is well, and the machine is running, and officially I completed my
task, but something still bothers me:
The machine is connected to the company's computer network. On the Windows
workstations, I log into a user that exists on the company's servers, and
not on the individual workstations, and when I log in certain network shares
get mounted automatically (for example, "My Documents" sits on the server)
and so on. My username and password are used automatically everywhere on the
network, and so on. I assume this is the working of Active Directory, but my
assumption may be mistaken... Anyway, I want to duplicate this behavior on
the Gentoo box, and I couldn't find any documentation about it that I found to
be relevant. For now, I have a small script in /etc/profile.d/ that mounts
important shares, although the localization is somewhat wrong and
non-English files appear as question marks (they should be in Hebrew). Can
anyone help me or point to some howto, guide, whatever that I might have
missed?
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Andrey Falko @ 2008-08-07 22:04 UTC
To: gentoo-user
On Thu, Aug 7, 2008 at 1:31 PM, Yoav Luft <yoav.luft@gmail.com> wrote:
> Hello all,
> My workplace has decided to adventure into the lands of embedded Linux. As I am
> the only one in my department with prior Linux experience, I was given the
> task of setting up a Linux workstation that will be used as the host machine
> for our embedded system. Since my only Linux experience with anything but
> Gentoo is with Debian, and it's a bad experience, I have chosen to make the
> host Gentoo-Linux.
> Everything is well, and the machine is running, and officially I completed my
> task, but something still bothers me:
> The machine is connected to the company's computer network. On the Windows
> workstations, I log into a user that exists on the company's servers, and
> not on the individual workstations, and when I log in certain network shares
> get mounted automatically (for example, "My Documents" sits on the server)
> and so on. My username and password are used automatically everywhere on the
> network, and so on. I assume this is the working of Active Directory, but my
> assumption may be mistaken... Anyway, I want to duplicate this behavior on
> the Gentoo box, and I couldn't find any documentation about it that I found to
> be relevant. For now, I have a small script in /etc/profile.d/ that mounts
> important shares, although the localization is somewhat wrong and
> non-English files appear as question marks (they should be in Hebrew). Can
> anyone help me or point to some howto, guide, whatever that I might have
> missed?
>
As far as I know - don't take my word for it - in order to use Active
Directory on a GNU/Linux host, you need to set up LDAP and have it talk
to AD. Unfortunately I don't know how to do this; perhaps this will
help: http://www.linux.com/articles/40983 .
As far as non-English filenames appearing with question marks, you
need to set up localization correctly. This
http://www.gentoo.org/doc/en/guide-localization.xml or this
http://gentoo-wiki.com/Localization might help you get that set up.
Once again, I've never done this, so maybe someone who has can be of
more help to you.
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Norberto Bensa @ 2008-08-07 22:54 UTC
To: gentoo-user
Hello!
Quoting Andrey Falko <ma3oxuct@gmail.com>:
> On Thu, Aug 7, 2008 at 1:31 PM, Yoav Luf
> As far as I know, don't take my word for it, in order to use Active
> Directory on a GNU/Linux host, you need to setup LDAP and have it talk
> to AD.
You just need Kerberos and lots of documentation exists on the
internet. I've even made a bootable CD which installs Ubuntu for a
university. This customized Ubuntu then joins a Windows Active
Directory domain using only the domain name, a privileged domain
username, and its password. Everything else is done by a script: it
finds the Kerberos server, the short (NT4) domain name, etc.
The OP said he successfully joined the workstation to the Windows domain.
He just wants to know how to automatically mount shares. I still
haven't figured out that part either, but I guess some ldapsearch
can do the trick. I just need to find the time to take a look at it.
Regards,
Norberto
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Stroller @ 2008-08-08 11:42 UTC
To: gentoo-user
On 7 Aug 2008, at 23:04, Andrey Falko wrote:
> ...
> As far as I know, don't take my word for it, in order to use Active
> Directory on a GNU/Linux host, you need to setup LDAP and have it talk
> to AD. Unfortunately I don't know how to do this, perhaps this will
> help: http://www.linux.com/articles/40983 .
Hi there,
I understood Active Directory to be Microsoft's implementation of
LDAP + extensions. Or maybe it's a Microsoft's entirely own way of
doing a directory service, with LDAP support bolted on afterwards.
Anyway, yes, Linux hosts should indeed be able to talk LDAP to an AD
server.
On a domain that I manage we authenticate over Samba instead. I can't
entirely recall why I chose this method instead of AD, but I'm pretty
sure there were good reasons for it at the time. Once Samba is
configured to do winbind - it obviously needs to know the name of
the domain server &c - one installs the PAM winbind module and
references it in /etc/pam.d/ for any Linux services one wishes to
authenticate off the Windows server. Samba then, presumably, acts as
a client to the domain server and says "user X, hash(password Y)
wants to log on, is this ok?"; PAM passes the response back to the
service the user is trying to use.
I think winbind alleviates some need to deal with Active Directory. I
really know nothing about AD - all I have to do is log on to the
Windows server (SBS 2003) and add a user to the domain in the Server
Management For Idiots program Microsoft so kindly provides. The user
is able to authenticate on the Linux box immediately after restarting
Samba (and the restart is probably only required because I've
fouled up the caching configuration, or something). I also use pam_mkhomedir
so that when the user logs on to IMAP for the first time ~ is
automagically created; I had to reject Courier-IMAP in favour of
Dovecot in order to be able to do this, as IIRC Courier doesn't use
the PAM type "session", and that's required to make pam_mkhomedir
work (Dovecot doesn't actually need to use this type, but adds an
option to open a PAM session specifically to enable mkhomedir to be
used. This is a requirement of pam_mkhomedir, NOT pam_winbind).
What I have enjoyed about winbind is that it has (so far!) made
adding additional services easy. I needed to run an ftp server (allow
only 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation
plugin could upload the users' vacation messages to their homedirs.
To get the ftp service (net-ftp/vsftpd) to authenticate off the same
credentials was as easy as copying the PAM settings for the
already-working IMAP server to /etc/pam.d/ftp (although I see that each is
"sufficient" instead of "required" in this case). I was quite
surprised it worked so easily, quickly and smoothly. Anyway, any user
can sit at their Windows workstation, CTRL-ALT-DEL and change their
password and the IMAP server will now respect their new credentials,
which is the important thing (for me).
Stroller.
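Stroller's PAM layout above (pam_winbind on auth and account, pam_mkhomedir as a "session" module) can be checked mechanically before a service is cut over to it. This is an added example, not code from the thread or from any poster: a POSIX shell checker for an /etc/pam.d service file, run here against constructed sample stacks; the service names "imap" and "ftp" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: inspect /etc/pam.d-style files for
# the three pieces Stroller relies on. It only reads files; it does not
# touch Samba, winbind or PAM itself. Sample stacks below are constructed.

# Print the modules registered under one PAM type in a pam.d file.
# Usage: pam_modules FILE TYPE   (TYPE is auth, account, password or session)
pam_modules() {
    # Drop comments, normalise the optional leading "-" on the type field
    # (e.g. "-session"), keep lines of the wanted type, print the module.
    sed -e 's/#.*//' "$1" \
      | awk -v t="$2" '{ sub(/^-/, "", $1) } $1 == t { print $3 }'
}

# Return 0 if MODULE is listed under TYPE in FILE, 1 otherwise.
# Usage: pam_has FILE TYPE MODULE
pam_has() {
    pam_modules "$1" "$2" | grep -q -x -- "$3"
}

# Report whether a service file carries winbind on auth+account and
# mkhomedir on session. Returns 0 only when all three are present.
# Caveat from the thread: a file check cannot tell whether the daemon
# actually opens a PAM session; Courier-IMAP did not, so pam_mkhomedir
# would never run there no matter what the file says.
check_winbind_stack() {
    file=$1; rc=0
    for want in auth:pam_winbind.so account:pam_winbind.so session:pam_mkhomedir.so; do
        type=${want%%:*}; mod=${want#*:}
        if pam_has "$file" "$type" "$mod"; then
            echo "ok:      $type $mod"
        else
            echo "missing: $type $mod"; rc=1
        fi
    done
    return $rc
}

# Constructed sample stacks for the demo; prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    # A Dovecot-style stack with a session line, so pam_mkhomedir can run.
    # umask=0077 keeps the freshly created home directory private.
    cat > "$dir/imap" <<'EOF'
auth     sufficient  pam_winbind.so
auth     required    pam_unix.so
account  sufficient  pam_winbind.so
account  required    pam_unix.so
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  required    pam_unix.so
EOF
    # The same settings copied to "ftp", but with the session lines forgotten.
    grep -v '^session' "$dir/imap" > "$dir/ftp"
    echo "$dir"
}

# Run the checker over both samples: "imap" passes, "ftp" reports the gap.
demo() {
    d=$(make_samples)
    for svc in imap ftp; do
        echo "== $svc"
        check_winbind_stack "$d/$svc" || true
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```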
* [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Ricardo Saffi Marques @ 2008-08-08 11:48 UTC
To: gentoo-user
Hello folks. I have an Asus EeePC 701 (4GB) and I'm having problems
installing Gentoo on it, so I wrote this giant e-mail to help you
understand what is going on and what I have done and can't do.
I have been using Gentoo for a while, so I am pretty comfortable
installing it and configuring it.
"Disks" on my Eee:
Internal Flash (4GB): /dev/sda1 -> Ubuntu 8.04 (blergh, not for long) :-)
SD Card (8GB): /dev/sdb1 -> Gentoo 2.6.25-gentoo-r7
The Gentoo system is ready. I mean, it is still text-mode only, but I
have some ideas about the other stuff to be installed; continue reading,
please. :-)
The problem is that I just can't boot the system. At first, I thought I
had forgotten something when configuring the kernel. But I gave up that
idea since a friend of mine and I re-checked it many times.
I have installed Gentoo's grub on the MBR of /dev/sda, since I intend to
remove Ubuntu later. The kernel hangs because it can't find /dev/sdb1
[1]. The system I consider a minimum usable text-mode system is already
installed, configured and even up-to-date.
I have tried a lot of different things. I tried booting Gentoo using the
Ubuntu kernel. Sounds reasonable, but Ubuntu's initrd (which I later
realized is the one that recognizes my "disks") already mounts /proc, and
when Gentoo's RC comes up it "oops" because of /proc [2]. Since booting
Ubuntu's kernel is just temporary, I won't edit the init.d script that
mounts /proc on Gentoo. Anyway.
By the way, something that is worth mentioning: when booting Ubuntu's
kernel, it sometimes (not always) hangs at this point [3]. It stays
there for four to five MINUTES, sometimes. But some other times it just
goes straight through. Even when "hanging" there for a while, it always gets
past that and boots the system. This also happens when trying to boot Gentoo
with Ubuntu's kernel.
I have done tons of online research, but what I found were people who
successfully installed Gentoo on the EeePC.
I've read and bookmarked these links [4] [5] "just in case", but so far
they haven't helped me at all.
[1]: http://www.las.ic.unicamp.br/~saffi/eee/Gentoo-Kernel_Gentoo.jpg
[2]: http://www.las.ic.unicamp.br/~saffi/eee/Gentoo-Kernel_Ubuntu.jpg
[3]: http://www.las.ic.unicamp.br/~saffi/eee/Gentoo-Kernel_Ubuntu2.jpg
[4]: http://www.gentoo-wiki.com/Asus_Eee_PC_701
[5]: http://www.floccinaucinihilipilification.net/wiki/index.php/Gentoo_on_the_EEE_Pc
I have ideas about installing the graphical system and other stuff
later. I intend to share the ideas and will as soon as my basic system
boots. Anyway, thanks in advance for any help!
Best regards,
Saffi
--
Ricardo Saffi Marques
http://www.rsaffi.com
======================================================
Laboratory of System Administration and Security - LAS
Institute of Computing - IC
P.O. Box: 6176
University of Campinas - UNICAMP
13083-852, Campinas, SP, Brazil
======================================================
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Ricardo Saffi Marques @ 2008-08-08 14:31 UTC
To: gentoo-user
By the way, this might help.
I put some files online, that you might wanna check:
http://www.las.ic.unicamp.br/~saffi/eee/
* grub.conf
* fstab
* make.conf
* Kernel config
Best regards,
Saffi
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Ricardo Saffi Marques @ 2008-08-08 14:49 UTC
To: gentoo-user
Ricardo Saffi Marques wrote:
> By the way, this might help.
> I put some files online, that you might wanna check:
>
> http://www.las.ic.unicamp.br/~saffi/eee/
>
> * grub.conf
> * fstab
> * make.conf
> * Kernel config
Cheers! Daniel Veiga had the same issue and contacted me with the
solution. My kernel was perfectly right. The solution is to add:
rootwait rootdelay=10
in the kernel line. Gentoo is now running flawlessly!
I intend to post here my mad ideas about compiling and installing the
rest of the packages (mainly graphical stuff).
Best regards,
Saffi
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Eric Martin @ 2008-08-08 15:27 UTC
To: gentoo-user
Ricardo Saffi Marques wrote:
> Hello folks. I have an Asus EeePC 701 (4GB) and I'm having problems
> installing Gentoo on it, so I wrote this giant e-mail to help you
> understand what is going on and what I have done and can't do.
> I have been using Gentoo for a while, so I am pretty comfortable on
> installing it and configuring it.
<snip>
Please don't hijack threads. Please write a new email to the list if
you wish to start a new thread. Here's a google search with lots of
good resources on hijacking threads.
http://www.google.com/search?hl=en&q=thread+hijacking&btnG=Google+Search
thanks!
--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Ricardo Saffi Marques @ 2008-08-08 18:08 UTC
To: gentoo-user
Eric Martin wrote:
> Please don't hijack threads. Please write a new email to the list if
> you wish to start a new thread. Here's a google search with lots of
> good resources on hijacking threads.
You don't have to explain to me what thread hijacking means. I moderate a Brazilian e-group of 2900
people and am always saying that to members. Tell me what made you think I did that, because it sure
ain't clear for me.
Jeez, wake up. I wrote that e-mail from scratch.
Regards,
Saffi
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Justin Findlay @ 2008-08-08 18:11 UTC
To: gentoo-user
On AD 2008 August 08 Friday 03:08:17 PM -0300, Ricardo Saffi Marques wrote:
> You don't have to explain to me what thread hijacking means. I moderate a
> Brazilian e-group of 2900 people and am always saying that to members. Tell
> me what made you think I did that, because it sure ain't clear for me.
> Jeez, wake up. I wrote that e-mail from scratch.
Your set of posts showed up as part of another thread in my client.
Justin
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Eric Martin @ 2008-08-08 18:16 UTC
To: gentoo-user
Ricardo Saffi Marques wrote:
> Eric Martin wrote:
>> Please don't hijack threads. Please write a new email to the list if
>> you wish to start a new thread. Here's a google search with lots of
>> good resources on hijacking threads.
>
> You don't have to explain to me what thread hijacking means. I moderate
> a Brazilian e-group of 2900 people and am always saying that to members.
No need to get upset, I was politely asking you not to thread hijack and
pointing you towards references.
> Tell me what made you think I did that, because it sure ain't clear for me.
It shows up under the "Adding a gentoo workstation to Active Directory
Network" thread in Thunderbird. Looking at the headers, your message
has an In-Reply-To:<89ECC6A3-9732-42B4-AABF-4BD8CC897FEE@stellar.eclipse.co.uk>
which means it was in reply to a message.
> Jeez, wake up. I wrote that e-mail from scratch.
>
> Regards,
>
> Saffi
>
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Ricardo Saffi Marques @ 2008-08-08 18:19 UTC
To: gentoo-user
Justin Findlay wrote:
> Your set of posts showed up as part of another thread in my client.
Well, not in mine. I wrote that from scratch, I insist. Anyway, I won't discuss that here on
the list.
I discourage thread hijacking and never did that. Sorry for any inconvenience if something weird
and out of my control happened.
Best regards and let's keep up the good work.
Saffi
* Re: [gentoo-user] Problems installing Gentoo on an Asus EeePC 701
From: Mick @ 2008-08-08 18:48 UTC
To: gentoo-user
On Friday 08 August 2008, Eric Martin wrote:
> Ricardo Saffi Marques wrote:
> > Eric Martin wrote:
> >> Please don't hijack threads. Please write a new email to the list if
> >> you wish to start a new thread. Here's a google search with lots of
> >> good resources on hijacking threads.
> >
> > You don't have to explain to me what thread hijacking means. I moderate
> > a Brazilian e-group of 2900 people and am always saying that to members.
>
> No need to get upset, I was politely asking you not to thread hijack and
> pointing you towards references
>
> > Tell me what made you think I did that, because it sure ain't clear for
> > me.
>
> It shows up under the "Adding a gentoo workstation to Active Directory
> Network" thread in thunderbird. Looking at the headers, your message
> has an
> In-Reply-To:<89ECC6A3-9732-42B4-AABF-4BD8CC897FEE@stellar.eclipse.co.uk>
> which means it was in reply to a message.
>
> > Jeez, wake up. I wrote that e-mail from scratch.
Same here, it shows as a hi-jack. I remember raising this on a previous
occasion and was told that something is wrong with my client (or wasn't
it?!).
Either way, please tell us how your installation on EeePC comes along.
--
Regards,
Mick
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Yoav Luft @ 2008-08-09 0:05 UTC
To: gentoo-user
Hi Stroller,
that was actually interesting, but it didn't help me much... I do not manage
the network, nor do I have any knowledge of its workings. I asked the
help desk guys to help out, but all they managed was to get me someone who
knew, after 2 hours' work, how to mount the directories I needed manually. If I
were to ask them I would have to be sure I know the area quite well so I
could correctly describe to the Microsoft-trained network administrators
what I want. If you could point me to an article of any kind (or to the
relevant part in Samba's huge documentation) I would be very grateful.
thanks.
On Fri, Aug 8, 2008 at 2:42 PM, Stroller <stroller@stellar.eclipse.co.uk>wrote:
>
> On 7 Aug 2008, at 23:04, Andrey Falko wrote:
>
>> ...
>> As far as I know, don't take my word for it, in order to use Active
>> Directory on a GNU/Linux host, you need to setup LDAP and have it talk
>> to AD. Unfortunately I don't know how to do this, perhaps this will
>> help: http://www.linux.com/articles/40983 .
>>
>
> Hi there,
>
> I understood Active Directory to be Microsoft's implementation of LDAP +
> extensions. Or maybe it's a Microsoft's entirely own way of doing a
> directory service, with LDAP support bolted on afterwards. Anyway, yes,
> Linux hosts should indeed be able to talk LDAP to an AD server.
>
> On a domain that I manage we authenticate over Samba instead. I can't
> entirely recall why I chose this method instead of AD, but I'm pretty sure
> there were good reasons for it at the time. Once Samba is configured to to
> do winbind - it obviously needs to know the name of the domain server &c -
> one installs the PAM winbind module and references it in /etc/pam.d/ for any
> Linux services one wishes to authenticate off the Windows server. Samba
> then, presumably, acts as a client to the domain server and says "user X,
> hash(password Y) wants to log on, is this ok?"; PAM passes the response back
> to the service the user is trying to use.
>
> I think winbind alleviates some need to deal with Active Directory. I
> really know nothing about AD - all I have to do is log on to the Windows
> server (SBS 2003) and add a user to the domain in the Server Management For
> Idiots program Microsoft so kindly provides. The user is able to
> authenticate on the Linux box immediately after restarting Samba (and the
> restart is probably only required because I've fouled-up the caching
> configuration, or something). I also use pam_mkhomedir so that when the user
> logs on to IMAP for the first time ~ is automagically created; I had to
> reject Courier-IMAP in favour of Dovecot in order to be able to do this, as
> IIRC Courier doesn't use the PAM type "session", and that's required to make
> pam_mkhomedir work (Dovecot doesn't actually need to use this type, but adds
> an option to open a PAM session specifically to enable mkhomedir to be used.
> This is a requirement of pam_mkhomedir, NOT pam_winbind).
>
> What I have enjoyed about winbind is that it has (so far!) made adding
> additional services easy. I needed to run an ftp server (allow only
> 127.0.0.1) on the Linux machine, so that Squirrelmail's vacation plugin
> could upload the users' vacation messages to their homedirs. To get the ftp
> service (net-ftp/vsftpd) to authenticate off the same credentials was as
> easy as copying the PAM settings for the already-working IMAP server to
> /etc/pam.d/ftp (although I see that each is "sufficient" instead of
> "required" in this case). I was quite surprised it worked so easily, quickly
> and smoothly. Anyway, any user can sit at their Windows workstation,
> CTRL-ALT-DEL and change their password and the IMAP server will now respect
> their new credentials, which is the important thing (for me).
>
> Stroller.
>
>
>
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Stroller @ 2008-08-09 12:15 UTC
To: gentoo-user
On 9 Aug 2008, at 01:05, Yoav Luft wrote:
> ...
> that was actually interesting, but it didn't help me much... I do
> not manage the network, neither do I have any knowledge of it's
> working. I asked the help desk guys to help out, but all they
> managed is to get me someone that knew, after a 2 hours work, to
> mount the directories I needed manually.
Hi there,
If I'm understanding correctly that all you want to do is mount the
directories you need automagically, then just put the details in
/etc/fstab.
http://preview.tinyurl.com/5vywbm explains how to keep credentials in
a separate file.
Aside from this, I'm afraid I'm not fully grokking what your
intentions are. Merely mounting a couple of Windows file-shares on a
Linux box isn't really integrating it into the AD domain. I have to
admit that in my eagerness to sound knowledgeable I probably wasn't
paying full attention when I read your message prior to replying
yesterday.
In an ideal world users should use their domain username & password
to log on when they sit down at the Linux box. And they should be
mounting the directories they need off the file server by
(double-clicking on a drive icon on their KDE desktop if necessary and) using
their same unique credentials (*not yours!*). If you want to fully
implement this then it's not a two minute job; you shouldn't need
much from the Windows IT admins except the name of the domain and
perhaps the resolvable name of the domain master server - you should
be able to test using your own domain\user:pass
Google is muchly the enemy of your enemy. For your punctuation
question I hope you find this a good starting point:
http://www.google.com/search?q=samba+codepage
Stroller
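Stroller's two pointers above (put the share in /etc/fstab with the password in a separate credentials file, and sort out the codepage for the question-mark filenames) can be put into one script. This is an added example, not code from the thread or any poster: it emits the fstab line and checks the credentials file the way a cautious admin would before relying on it; the server, share, mount point and file names are assumptions, and nothing here mounts anything or talks to the domain.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a mount.cifs fstab entry that
# reads the password from a credentials file, and verifies that file.
# All names are assumptions; the demo files and password are constructed.

# Emit a CIFS fstab line that takes the password from CRED_FILE instead of
# the mount options (where it would be visible in /etc/fstab, /proc/mounts
# and "mount" output). iocharset=utf8 is what stops non-ASCII filenames
# (the Hebrew ones in the original post) from showing up as question marks;
# uid/gid map the files to the local account of the user of the mount.
# Usage: cifs_fstab_line SERVER SHARE MOUNTPOINT CRED_FILE UID GID
cifs_fstab_line() {
    server=$1; share=$2; mountpoint=$3; cred_file=$4; uid=$5; gid=$6
    printf '//%s/%s %s cifs credentials=%s,iocharset=utf8,uid=%s,gid=%s,_netdev 0 0\n' \
        "$server" "$share" "$mountpoint" "$cred_file" "$uid" "$gid"
}

# Check a mount.cifs credentials file: it must be a regular file, carry no
# group/other permission bits (mode 0600, root-owned on a real system), and
# contain username= and password= lines; domain= is optional. Prints each
# finding; returns 0 only when every check passes.
check_cred_file() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing: $f is not a regular file"; return 1; }
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    mode=$(ls -l "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "insecure: $f is accessible to group or others (bits: $mode)"; rc=1
    fi
    for key in username password; do
        grep -q "^$key=" "$f" || { echo "missing: no $key= line in $f"; rc=1; }
    done
    return $rc
}

# Constructed demo files (fake password): one locked down, one world-readable,
# one with no password line. Prints the directory holding them.
make_cred_samples() {
    dir=$(mktemp -d)
    printf 'username=yoav\npassword=CONSTRUCTED-NOT-A-REAL-SECRET\ndomain=EXAMPLE\n' > "$dir/good"
    chmod 600 "$dir/good"
    printf 'username=yoav\npassword=CONSTRUCTED-NOT-A-REAL-SECRET\n' > "$dir/sloppy"
    chmod 644 "$dir/sloppy"
    printf 'username=yoav\n' > "$dir/nopass"
    chmod 600 "$dir/nopass"
    echo "$dir"
}

# Show the fstab line and run the checker over the three samples.
demo() {
    cifs_fstab_line fileserver.example.local dev /mnt/dev /etc/samba/dev.cred 1000 1000
    d=$(make_cred_samples)
    for name in good sloppy nopass; do
        echo "== $name"
        check_cred_file "$d/$name" || true
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```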
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
From: Yoav Luft @ 2008-08-09 13:52 UTC
To: gentoo-user
>
> In an ideal world users should use their domain username & password to log
> on when they sit down at the Linux box. And they should be mounting the
> directories they need off the file server by (double-clicking on a drive
> icon on their KDE desktop if necessary and) using their same unique
> credentials (*not yours!*). If you want to fully implement this then it's
> not a two minute job; you shouldn't need much from the Windows IT admins
> except the name of the domain and perhaps the resolvable name of the domain
> master server - you should be able to test using your own domain\user:pass
>
That is, actually, what I'm trying to achieve, but what is crucial to the
usability of the Linux box is that each user (a would-be developer) would
have access to his own files and the department's files on the server without
any knowledge of the workings of Linux, Samba, or others. It would be
especially nice if logon names were taken from the server, and that would
relieve users of manually adding and configuring more users.
I can think of an awkward solution: making a script that sets up a new user
and assumes the user name is the same as the one in the domain. But I am
sure there is a cleaner, better solution, only that I haven't found it yet.
So, I will sum up shortly what I want, starting from most important:
1. Users will have access to the department's files without root access, with
their own privileges rather than mine (achieved by giving sudo access to mount,
and putting it all in a script).
2. Users will have access to their own personal files (achieved through the
same script. Not sure if it is run automatically when a user logs on).
3. Any user on the domain will be able to log on to the machine, and have
access to his files, will automatically authenticate himself to network
services, etc.
On Sat, Aug 9, 2008 at 3:15 PM, Stroller <stroller@stellar.eclipse.co.uk>wrote:
>
> On 9 Aug 2008, at 01:05, Yoav Luft wrote:
>
>> ...
>> that was actually interesting, but it didn't help me much... I do not
>> manage the network, neither do I have any knowledge of it's working. I asked
>> the help desk guys to help out, but all they managed is to get me someone
>> that knew, after a 2 hours work, to mount the directories I needed manually.
>>
>
> Hi there,
>
> If I'm understanding correctly that all you want to do is mount the
> directories you need automagically then is put the details in /etc/fstab.
> http://preview.tinyurl.com/5vywbm explains how to keep credentials in a
> separate file.
>
> Aside from this, I'm afraid I'm not fully grokking what your intentions
> are. Merely mounting a couple of Windows file-shares on a Linux box isn't
> really integrating it into the AD domain. I have to admit that in my
> eagerness to sound knowledgeable I probably wasn't paying full attention
> when I read your message prior to replying yesterday.
>
> In an ideal world users should use their domain username & password to log
> on when they sit down at the Linux box. And they should be mounting the
> directories they need off the file server by (double-clicking on a drive
> icon on their KDE desktop if necessary and) using their same unique
> credentials (*not yours!*). If you want to fully implement this then it's
> not a two minute job; you shouldn't need much from the Windows IT admins
> except the name of the domain and perhaps the resolvable name of the domain
> master server - you should be able to test using your own domain\user:pass
>
> Google is muchly the enemy of your enemy. For your punctuation question I
> hope you find this a good starting point:
> http://www.google.com/search?q=samba+codepage
>
> Stroller
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
2008-08-09 13:52 ` Yoav Luft
@ 2008-08-10 11:14 ` Stroller
2008-08-10 12:09 ` Jil Larner
1 sibling, 0 replies; 19+ messages in thread
From: Stroller @ 2008-08-10 11:14 UTC
To: gentoo-user
On 9 Aug 2008, at 14:52, Yoav Luft wrote:
>> In an ideal world users should use their domain username &
>> password to log on when they sit down at the Linux box. And they
>> should be mounting the directories they need off the file server
>> by (double-clicking on a drive icon on their KDE desktop if
>> necessary and) using their same unique credentials (*not yours!*).
>> If you want to fully implement this then it's not a two minute
>> job; you shouldn't need much from the Windows IT admins except the
>> name of the domain and perhaps the resolvable name of the domain
>> master server - you should be able to test using your own domain
>> \user:pass
>
> That is, actually, what I'm trying to achieve, but what is crucial
> to the usability of the Linux box is that each user (a would-be
> developer) would have access to his own files and the department's
> files on the server without any knowledge of the workings of Linux,
> Samba, or others. It would be especially nice if logon names were
> taken from the server, and that would relieve users of manually
> adding and configuring more users.
> I can think of an awkward solution: making a script that sets up a
> new user and assumes the user name is the same as the one in the
> domain. But I am sure there is a cleaner, better solution, only
> that I haven't found it yet.
> So, I will sum up shortly what I want, starting from most important:
> 1. Users will have access to the department's files without root
> access, with their own privileges rather than mine (achieved through
> giving sudo access to mount, and putting it all in a script).
> 2. Users will have access to their own personal files (achieved
> through the same script. Not sure if it is run automatically when a
> user logs on).
> 3. Any user on the domain will be able to log on to the machine,
> have access to his files, will automatically authenticate
> himself to network services, etc.
http://www.google.com/search?q=authenticating+linux+users+against+windows+domain
Sorry to say "read teh g0ggles, newb", but I'd need to read a number
of these pages myself before I could say "you want to do it this way
not that" or before I was even aware of the advantages &
disadvantages of the different approaches.
Mostly you shouldn't need much from the Windows admins. If you were
to install XP Pro on a new PC and bring it into the office, all you'd
need to do is right-click on My Computer and change from "My
Workgroup" to "My Domain" (or "BobsElectricals" or whatever) - the
next time the machine starts you'll need to log on using your
username:password on the domain. Likewise all you *should* need to
add the Linux box to the domain is its name, and perhaps the
hostname / IP address of the master domain server.
The approach for mounting shares isn't obvious to me right now, but
hopefully will become clear to you during the days that you spend
setting the authentication up. On a Linux Samba box there is a
special share called "homes" and mounting that seems to automatically
use the ~ of the user authenticating; on Windows you can refer to
%user%, although you probably can't combine these two methods
directly. I don't use Linux on the desktop, but KDE or Gnome or
whatever probably has a facility to run scripts upon logon; write a
Bash script calling var=`whoami` ; mount \\domainserver\$var and put
it in /etc/skel (or the KDE / Gnome equivalent).
Stroller.
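A fleshed-out version of the logon-mount script Stroller sketches above (var=`whoami` ; mount \\domainserver\$var). This is an added example, not code from the thread: it mounts the user's own share under the user's own identity (uid/gid mapping, the Kerberos ticket if one exists, otherwise that user's own password, never the admin's), adds iocharset=utf8, which is the cifs option that makes non-ASCII (Hebrew) file names display instead of question marks, and skips the mount if /proc/mounts already lists it. The server name domainserver, the one-share-per-user layout, the ~/netshare mountpoint and the sample mount table are assumptions.

```shell
#!/bin/sh
# Per-user CIFS mount at logon, run as the logging-in user (e.g. from
# ~/.xprofile or a KDE Autostart entry). Assumes a share named after the
# user on SERVER (hypothetical layout; adjust share_for_user if yours differs).
SERVER=${SERVER:-domainserver}      # assumed file server / DC name

# share_for_user USER SERVER -> //SERVER/USER in the form mount.cifs expects
share_for_user() {
    printf '//%s/%s\n' "$2" "$1"
}

# mount_opts USER UID GID HAVE_TGT -> comma-separated mount.cifs options.
# iocharset=utf8 is what turns '?' in non-Latin names back into real characters;
# uid=/gid= make the files appear owned by this user on the Linux side.
mount_opts() {
    opts="uid=$2,gid=$3,iocharset=utf8,file_mode=0600,dir_mode=0700"
    if [ "$4" = yes ]; then
        # Kerberos ticket present: cifs uses it via cifs.upcall, no password stored anywhere
        opts="sec=krb5,cruid=$2,$opts"
    else
        # no ticket: mount.cifs prompts for THIS user's domain password
        opts="user=$1,$opts"
    fi
    printf '%s\n' "$opts"
}

# already_mounted MOUNTPOINT PROC_MOUNTS_TEXT -> 0 if MOUNTPOINT appears in the table
already_mounted() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }'
}

# mount_home_share USER -> performs the live mount (mount(8) needs root, hence sudo)
mount_home_share() {
    user=$1
    uid=$(id -u "$user"); gid=$(id -g "$user")
    mp="$(getent passwd "$user" | cut -d: -f6)/netshare"
    if already_mounted "$mp" "$(cat /proc/mounts)"; then
        echo "$mp already mounted"; return 0
    fi
    if klist -s 2>/dev/null; then tgt=yes; else tgt=no; fi   # klist -s: silent ticket check
    mkdir -p "$mp"
    sudo mount -t cifs "$(share_for_user "$user" "$SERVER")" "$mp" \
        -o "$(mount_opts "$user" "$uid" "$gid" "$tgt")"
}

# Constructed sample /proc/mounts content for the self-test (not from a real box)
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
//domainserver/yoav /home/yoav/netshare cifs rw,relatime 0 0'

# Usage: sh mount-netshare.sh --run
if [ "${1:-}" = "--run" ]; then
    mount_home_share "$(id -un)"
fi
```

The sudo step is the weak point: restrict the sudoers rule to this script (or to `mount -t cifs` with a fixed mountpoint) rather than granting unrestricted mount, and never put an administrator's credentials in the script or in a shared credentials file, which is exactly the "not yours!" problem Stroller raises. Once winbind and PAM are in place the Kerberos branch is the one that runs, since the user already has a ticket from logging in.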
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
2008-08-09 13:52 ` Yoav Luft
2008-08-10 11:14 ` Stroller
@ 2008-08-10 12:09 ` Jil Larner
2008-08-11 18:48 ` Yoav Luft
1 sibling, 1 reply; 19+ messages in thread
From: Jil Larner @ 2008-08-10 12:09 UTC
To: gentoo-user
Hello,
I recently set up Samba to allow authentication against Active
Directory for file sharing on a CentOS 4.5. Even if their installer is
supposed to do it correctly, it didn't work the way I wanted, so I had
to understand how to set it up manually.
The main problem I found with the documentation is that there's no one-shot
document that lets you join a domain when you meet as many
obscure error messages as I did.
I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say
here has only been tested on CentOS.
Unfortunately for you, I'm on holidays and won't go back to the office
until the second part of October, so I can only tell you what I remember:
You need:
- a Kerberos client
- an NTP daemon to set your clock according to your domain controller
(more than 5 minutes offset will lead Kerberos to not deliver tickets)
- Samba with winbind support
- to manually record your machine in the DNS used by AD
Set up Samba with ADS security (refer to the official Samba HOWTO).
Be sure your smb.conf has winbind configuration directives.
Files I remember I updated (CentOS architecture):
- /etc/samba/smb.conf
- /etc/sysconfig/network (for the hostname of your machine to be the
FQDN, e.g. tux.mywindows.domain.corp, and `hostname --fqdn` must
immediately answer) => /etc/conf.d/hostname on Gentoo
- /etc/nsswitch.conf to add winbind for a few things
(passwd, group, shadow if I remember, with lower priority than files;
otherwise it will take long to log in as a local user)
- /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed
on Gentoo; try without, that's one file less to manage] (the documentation
gives the few lines required)
You'll also have to modify PAM config files for local access matching
against AD, but I didn't try it.
Before you frag your brain out with Samba and winbind, you must succeed at
a `kinit mywindowsuser` and see your ticket with `klist`. And be sure
you can resolve local names with nslookup. Some recommend you set the
name and IP of your Domain Controller (DC) in /etc/hosts to avoid DNS
failure.
To join a domain, use the net join ads command, as explained in the docs:
it must work. If it doesn't, don't go any further: solve this problem, as
it means you cannot access your DC.
There's no need to configure LDAP if you use an AD architecture. And
unless your DC is configured otherwise, it should offer you all required
services (Kerberos, NTP, DNS).
Don't hesitate to set the log level of Samba to 4, or to the example
value from the man page, to see what's wrong.
Don't look for complex configuration: a few simple lines do the job
for matching AD. If you can authenticate against AD for file shares, then
you just ( :D ) have to set up PAM for the main login. I'd say there are
3 or 4 winbind directives (uid/gid range, auto-append default domain,
etc.) and 5 important Samba directives in smb.conf.
I hope this fragment can help you a little bit,
Jil.
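A pre-flight script for the checks Jil insists on before smb.conf and winbind are touched: the hostname is a FQDN inside the domain, the DC resolves, the clock is within Kerberos' 5-minute skew, and `kinit` followed by `klist` actually yields a TGT. This is an added example, not code from the thread. The realm MYWINDOWS.DOMAIN.CORP is lifted from Jil's example hostname; the DC name, user, and the sample `ntpdate -q` and `klist` outputs are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight for joining a Linux box to an AD domain: verifies, in the order
# Jil gives, the things that must work before smb.conf/winbind are configured.
# Realm taken from Jil's example hostname; DC name, user and sample outputs
# are constructed for illustration.
MAX_SKEW=300   # Kerberos' default clockskew: 5 minutes

# skew_ok OFFSET -> 0 if |OFFSET| (seconds, may be signed and fractional) <= MAX_SKEW
skew_ok() {
    off=$1
    case $off in
        -*) off=${off#-} ;;
        +*) off=${off#+} ;;
    esac
    off=${off%%.*}              # drop fractional seconds
    [ -n "$off" ] || off=0
    [ "$off" -le "$MAX_SKEW" ]
}

# ntp_offset NTPDATE_OUTPUT -> prints the offset field of `ntpdate -q` output
ntp_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-+]*[0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# fqdn_ok NAME REALM -> 0 if NAME is a fully qualified name inside REALM (case-insensitive)
fqdn_ok() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# has_tgt KLIST_OUTPUT REALM -> 0 if klist shows a ticket-granting ticket (krbtgt/REALM@REALM)
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Constructed sample outputs for the parsers above (not captured from a real DC)
SAMPLE_NTPDATE='server 10.0.0.1, stratum 3, offset -0.002345, delay 0.02567'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yoav@MYWINDOWS.DOMAIN.CORP

Valid starting     Expires            Service principal
08/10/08 14:00:00  08/11/08 00:00:00  krbtgt/MYWINDOWS.DOMAIN.CORP@MYWINDOWS.DOMAIN.CORP'

# preflight REALM DC USER -> runs the live checks; returns non-zero if any failed
preflight() {
    realm=$1 dc=$2 user=$3 rc=0
    host=$(hostname --fqdn 2>/dev/null || hostname)
    if fqdn_ok "$host" "$realm"; then echo "ok   hostname: $host"
    else echo "FAIL hostname '$host' is not a FQDN in $realm (see /etc/conf.d/hostname, /etc/hosts)"; rc=1; fi

    if getent hosts "$dc" >/dev/null; then echo "ok   DNS resolves $dc"
    else echo "FAIL cannot resolve $dc (check resolv.conf, or pin it in /etc/hosts)"; rc=1; fi

    if out=$(ntpdate -q "$dc" 2>/dev/null) && off=$(ntp_offset "$out") && skew_ok "${off:-999}"; then
        echo "ok   clock offset ${off}s"
    else echo "FAIL clock offset '${off:-?}' vs $dc exceeds ${MAX_SKEW}s or NTP unreachable; Kerberos will refuse tickets"; rc=1; fi

    if kinit "$user@$realm" && has_tgt "$(klist)" "$realm"; then echo "ok   got TGT for $user@$realm"
    else echo "FAIL no TGT; fix krb5.conf, DNS or the clock before touching winbind"; rc=1; fi

    [ $rc -eq 0 ] && echo "next: net ads join -U $user"
    return $rc
}

# Usage: sh adpreflight.sh --run MYWINDOWS.DOMAIN.CORP dc1.mywindows.domain.corp yoav
if [ "${1:-}" = "--run" ]; then
    preflight "$2" "$3" "$4"
fi
```

The order matters: a wrong hostname or unresolvable DC makes every later step fail with unrelated-looking Samba errors, and a clock more than five minutes off is the single most common reason `kinit` fails with an otherwise correct krb5.conf, which is why the script checks skew before ever asking for a ticket.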
* Re: [gentoo-user] Adding a gentoo workstation to Active Directory network
2008-08-10 12:09 ` Jil Larner
@ 2008-08-11 18:48 ` Yoav Luft
0 siblings, 0 replies; 19+ messages in thread
From: Yoav Luft @ 2008-08-11 18:48 UTC
To: gentoo-user
Thanks everyone. I was actually hoping for a "read the google, newb"
response, as long as it had the right search terms, 'cause I didn't have a
clue what to google for :). So again, thanks, I've downloaded a pile of
howtos to my workstation and I'll work on it in my dead time.
On Sun, Aug 10, 2008 at 3:09 PM, Jil Larner <jil@gnoo.eu> wrote:
> Hello,
>
> I recently set up Samba to allow authentication against Active Directory
> for file sharing on a CentOS 4.5. Even if their installer is supposed to do
> it correctly, it didn't work the way I wanted, so I had to understand how to
> set it up manually.
>
> The main problem I found with the documentation is that there's no one-shot
> document that lets you join a domain when you meet as many obscure
> error messages as I did.
>
> I have more knowledge of Gentoo than CentOS (so Red Hat), but what I say
> here has only been tested on CentOS.
>
> Unfortunately for you, I'm on holidays and won't go back to the office until
> the second part of October, so I can only tell you what I remember:
>
> You need:
> - a Kerberos client
> - an NTP daemon to set your clock according to your domain controller (more
> than 5 minutes offset will lead Kerberos to not deliver tickets)
> - Samba with winbind support
> - to manually record your machine in the DNS used by AD
>
> Set up Samba with ADS security (refer to the official Samba HOWTO).
> Be sure your smb.conf has winbind configuration directives.
>
> Files I remember I updated (CentOS architecture):
> - /etc/samba/smb.conf
> - /etc/sysconfig/network (for the hostname of your machine to be the FQDN,
> e.g. tux.mywindows.domain.corp, and `hostname --fqdn` must immediately
> answer) => /etc/conf.d/hostname on Gentoo
> - /etc/nsswitch.conf to add winbind for a few things (passwd, group, shadow
> if I remember, with lower priority than files; otherwise it will take long to
> log in as a local user)
> - /etc/krb5.conf, /etc/krb.conf [backward compatibility, may not be needed on
> Gentoo; try without, that's one file less to manage] (the documentation gives
> the few lines required)
>
> You'll also have to modify PAM config files for local access matching
> against AD, but I didn't try it.
>
> Before you frag your brain out with Samba and winbind, you must succeed at a
> `kinit mywindowsuser` and see your ticket with `klist`. And be sure you can
> resolve local names with nslookup. Some recommend you set the name and IP
> of your Domain Controller (DC) in /etc/hosts to avoid DNS failure.
>
> To join a domain, use the net join ads command, as explained in the docs:
> it must work. If it doesn't, don't go any further: solve this problem, as it
> means you cannot access your DC.
>
> There's no need to configure LDAP if you use an AD architecture. And unless
> your DC is configured otherwise, it should offer you all required services
> (Kerberos, NTP, DNS).
>
> Don't hesitate to set the log level of Samba to 4, or to the example value
> from the man page, to see what's wrong.
>
> Don't look for complex configuration: a few simple lines do the job for
> matching AD. If you can authenticate against AD for file shares, then you just (
> :D ) have to set up PAM for the main login. I'd say there are 3 or 4 winbind
> directives (uid/gid range, auto-append default domain, etc.) and 5
> important Samba directives in smb.conf.
>
> I hope this fragment can help you a little bit,
> Jil.