Linux and Active Directory

30 03 2010

Getting Linux to work well with LDAP is a pain. Here is how I set it up to match what one typically finds in a corporate environment, that is, logging in with a domain account and having access to various shares.

Logging in
First is just getting it to log in. It’s actually not that hard; I went with likewise-open, which can be installed on Ubuntu via
sudo apt-get install likewise-open5
Now, to configure it, we run
sudo domainjoin-cli join yourdomain.yourserver.com Administrator
Now, assuming you only use one domain, you probably want to make it the default. You need to edit /etc/likewise-open5/lsassd.conf and set “assume-default-domain” to yes.
Now if you reboot you should be able to log in as a domain user.
Shares
Now you need to mount all the shares, perhaps a company-wide share and a personal one. Run this
sudo apt-get install libpam_mount
Sadly the Ubuntu packages don’t configure it right. Edit /etc/pam.d/common-session and rearrange the lines near the bottom so it looks like this
session optional pam_mount.so
session sufficient pam_lsass.so

Now it will work. The problem is that, by default, PAM never reaches pam_mount once the Likewise Open module has handled the session.
Next, edit /etc/security/pam_mount.conf.xml.
You can use variables like %(USER) to have it mount the user’s personal share. Mine looks like this
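The ordering matters because a PAM module marked sufficient ends the session stack as soon as it succeeds, so a pam_mount line placed after pam_lsass.so is never executed. The following check script is an added example and is not part of the original post; it verifies that the first active pam_mount.so session line precedes the first pam_lsass.so session line, and runs its demo on constructed copies of both orderings rather than on /etc/pam.d/common-session.

```shell
#!/bin/sh
# Added example, not from the original post: check that pam_mount.so is listed
# before pam_lsass.so in a PAM session stack. A "sufficient" module that succeeds
# ends the stack, so anything after pam_lsass.so (here pam_mount.so) never runs.

# check_pam_order FILE -> returns 0 if the first active "session ... pam_mount.so"
# line precedes the first active "session ... pam_lsass.so" line, 1 otherwise.
# Commented-out lines (leading '#') do not match and are therefore ignored.
check_pam_order() {
    f="$1"
    m=$(grep -n '^[[:space:]]*session[[:space:]].*pam_mount\.so' "$f" | head -n 1 | cut -d: -f1)
    l=$(grep -n '^[[:space:]]*session[[:space:]].*pam_lsass\.so' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$m" ] || [ -z "$l" ]; then
        echo "check_pam_order: no active pam_mount.so or pam_lsass.so session line in $f" >&2
        return 1
    fi
    [ "$m" -lt "$l" ]
}

# demo_pam_order -> writes constructed copies of the stock and the fixed ordering to
# a temp file and reports what the check says about each (nothing under /etc is read)
demo_pam_order() {
    tmp=$(mktemp)
    printf 'session sufficient pam_lsass.so\nsession optional pam_mount.so\n' > "$tmp"
    if check_pam_order "$tmp"; then
        echo "stock order: ok"
    else
        echo "stock order: pam_mount.so sits after the sufficient pam_lsass.so, shares will not mount"
    fi
    printf 'session optional pam_mount.so\nsession sufficient pam_lsass.so\n' > "$tmp"
    if check_pam_order "$tmp"; then
        echo "fixed order: ok"
    else
        echo "fixed order: still wrong"
    fi
    rm -f "$tmp"
}

demo_pam_order
```

To check the real file, source the script and call `check_pam_order /etc/pam.d/common-session`; a non-zero exit means the mount line will be skipped at login.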

<pam_mount>
<!-- Volume definitions -->
<volume user="*" fstype="cifs" server="server" path="users/%(USER)" mountpoint="~/Documents" />
</pam_mount>

Don’t try mounting anything as Desktop because gnome won’t allow it. Too bad.

Wifi
Likewise Open doesn’t work with wifi unless you log in as a user first, which seems not to be a solution. It’s because network-manager sucks and doesn’t connect until some user logs in. So you need to not use network-manager. I uninstalled it and set up wifi by editing /etc/network/interfaces. It works well, but now I can’t change the wifi myself. Useful if the computer never leaves the building. In my case this is acceptable. I hear wicd is a network-manager replacement that can do this. Didn’t try it myself.

Mass deployment
Next you might want to be deploying it on many computers and not one by one. If you want to mess with the default user setup you could install and run sabayon. It crashes a lot, but it’s actually really useful. Next you need to change the hostname of every machine. I made this script and put it on crontab @restart.
#!/bin/bash
# If the hostname is still the fresh-image default, assume this is a freshly
# cloned machine that needs setup
hostCurrent=$(/bin/hostname)
hostOld='freshimage'
if [ "$hostCurrent" = "$hostOld" ]
then
    # set hostname based on the DMI serial number (";q" stops sed after the first match)
    host1=$(/usr/sbin/dmidecode | /bin/grep 'Serial Number: ' | /bin/sed 's/.*: \(.*\)/\1/;q')
    host2='linux'
    host=$host1$host2
    # strip spaces, which are not valid in a hostname
    host=$(echo "$host" | sed 's/ //g')
    echo "$host"
    /bin/hostname "$host"
    /bin/echo "$host" > /etc/hostname
    # wait for wifi to come up before contacting the domain controller
    sleep 10
    # join AD (domain and password are placeholders)
    /usr/bin/domainjoin-cli join domain.server.org Administrator 'mypassword'
fi

It automatically makes up a unique hostname and joins my domain at first boot. I set the cloning image’s hostname to “freshinstall”, which the script looks for. Clone the hard drive and boot it. Wait for GDM to come up, reboot, and you’re good. Not sure why I can’t make it reboot from the script. Oh well, this is actually way better than joining many Windows computers to a domain, which requires many reboots.
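Two things a practitioner would want to tighten in a first-boot script like the one above: the serial number can contain characters that are not legal in a hostname (the script only strips spaces), and on virtual machines it is often placeholder text such as “To Be Filled By O.E.M.”, so every clone would end up with the same name; and the join password sits in plain text inside the script. The variant below is an added example, not the post’s own script, and is meant for the same cron @reboot entry. It reads the password from a root-only file at the assumed, hypothetical path /etc/domainjoin.secret, keeps the same fresh-image check, and reduces the serial to lowercase letters, digits and hyphens with a random fallback when no usable serial exists. The domain name is a placeholder, as in the post. Without `--apply` it only prints the hostname it would derive from a constructed serial.

```shell
#!/bin/bash
# Added example, not the post's own script: first-boot hostname + domain join with
# a hostname-safe serial and the join password kept out of the script file.

FRESH_HOSTNAME='freshimage'            # hostname baked into the clone image
DOMAIN='domain.server.org'             # placeholder domain, as in the post
SECRET_FILE='/etc/domainjoin.secret'   # assumed path; create with: umask 077; echo 'pw' > file

# make_hostname SERIAL SUFFIX -> prints a hostname containing only lowercase letters,
# digits and hyphens, no leading/trailing hyphen, at most 63 characters (RFC 1123 label)
make_hostname() {
    serial="$1"; suffix="$2"
    # lowercase, squeeze every run of illegal characters into one hyphen, trim the ends
    h=$(printf '%s' "$serial" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/[^a-z0-9]\{1,\}/-/g' -e 's/^-//' -e 's/-$//')
    case "$h" in
        ''|to-be-filled-by-o-e-m|system-serial-number|not-specified|default-string|none)
            # no usable serial (typical on VMs): 8 random hex digits so clones still differ
            h=$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n') ;;
    esac
    printf '%s\n' "${h}-${suffix}" | cut -c1-63 | sed 's/-$//'
}

# read_serial -> the DMI system serial number, or empty if dmidecode is missing or fails
read_serial() {
    command -v dmidecode >/dev/null 2>&1 || return 0
    dmidecode -s system-serial-number 2>/dev/null | head -n 1
}

# join_if_fresh -> rename the machine and join the domain only while it still carries
# the image's default hostname, so a second run after the first boot is a no-op
join_if_fresh() {
    if [ "$(hostname)" != "$FRESH_HOSTNAME" ]; then
        echo "hostname already set, nothing to do"
        return 0
    fi
    new=$(make_hostname "$(read_serial)" linux)
    hostname "$new"
    printf '%s\n' "$new" > /etc/hostname
    # the password never appears in this file; it is still visible in the process
    # list for the duration of the join, which is the remaining exposure here
    pw=$(cat "$SECRET_FILE") || { echo "cannot read $SECRET_FILE" >&2; return 1; }
    sleep 10   # give wifi a moment, as in the post
    domainjoin-cli join "$DOMAIN" Administrator "$pw"
}

if [ "${1-}" = "--apply" ]; then
    join_if_fresh
else
    # dry run on a constructed serial, so the script is useful without root
    echo "would use hostname: $(make_hostname 'CN-0WXYZ/AB 12.3' linux)"
fi
```

Run it as `sudo ./firstboot.sh --apply` from the @reboot entry; the constructed serial in the dry run yields `cn-0wxyz-ab-12-3-linux`, and a 70-character serial is cut to the 63-character label limit rather than producing a name the resolver rejects.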

Odds and Ends
I still don’t know a great way to mount ~/Desktop.
If you must have MS Office you could try wine, but you may need to use Crossover Linux Pro, which generally costs more than what people actually pay for both Windows and MS Office. With CX Pro you can set up Office for multiple users.
I’ll write a follow up post on how the deployments go.
