In this situation, we need at least 3 servers (see figure 4): one Linux server for LTSP, one W2K3 server for TSE, and one W2K3 server for authenticating users with Active Directory (AD).

Users who open Windows sessions receive their display from the TSE server and authenticate against the AD server. Their home directories are shares on the AD server.

Users who open Linux sessions receive their display from the Linux server and authenticate through winbind, which is part of Samba. They reach their home directories by connecting to the same shares.
Note: if you want to use only 2 machines, you have to install AD and TSE on the same W2K3 server, but this is not recommended. A better solution is to use VMware so that one physical machine hosts 2 virtual machines, one for AD and the other for TSE.
1. Follow steps 1-2 in section 3.2.
2. Install Active Directory: click Start -> Administrative Tools -> Manage Your Server.
3. Choose "Add or remove a role" and click "Next".
4. Select "Custom configuration" and click "Next".
5. Select "Domain Controller (Active Directory)" and click "Next".
6. Click "Next" until you reach the "Active Directory Installation Wizard". Make sure "Domain controller for a new domain" is selected and click "Next".
7. Click "Next" to create a new "Domain in a forest".
8. Choose example.com as the new domain name and click "Next". Keep "EXAMPLE" as the NetBIOS domain name and click "Next" until you reach "DNS Registration Diagnostics".
9. Choose "Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server" and click "Next".
10. Keep the default setting for "Permissions" and click "Next".
11. Enter the password to be used in Directory Services Restore Mode and click "Next" until the installation of Active Directory begins.
12. Click "Finish" and restart the computer.
13. After the reboot, the wizard informs you that the server is now a domain controller. Click "Finish".
1. Follow steps 2-3 in section 4.2.
2. Create a new folder named profiles and share it with Full Control for the group "Domain Users".
3. Put the file logon.bat in WINDOWS\SYSVOL\sysvol\example.com\scripts\
4. Create a user named tsuser: click Start -> Administrative Tools -> Active Directory Users and Computers.
5. Expand "example.com", right-click "Users" and choose New -> User.
6. Once the user is created, right-click it and choose "Properties".
7. In the "Profile" tab, make sure you have the following:

   ```
   Profile Path:  \\AD_server_name_or_IP\profiles\%USERNAME%
   Logon script:  logon.bat
   Connect:       H:
   To:            \\AD_server_name_or_IP\%USERNAME%
   ```

8. Click "OK". If a message says that you will have to create the home directory manually, click "OK".
9. Follow steps 4-5 in section 4.2 to create the home directory for tsuser.
Follow all the steps in section 3.1 except user creation, which is done on the AD server.

Configure winbind, the part of Samba that authenticates users against Active Directory. Since Active Directory = LDAP + Kerberos, first verify that Samba was compiled with both LDAP and Kerberos support:

```
# smbd -b | grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
# smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_C_ENCTYPE_COMPARE
   HAVE_KRB5_ENCRYPT_BLOCK
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_FREE_UNPARSED_NAME
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYBLOCK_IN_CREDS
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_KT_FREE_ENTRY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5
```
1. Run authconfig.
2. In "User Information" select "Use Winbind"; in "Authentication" select "Use Winbind Authentication", then hit "Next".
3. In "Winbind Settings" make sure you have the following values:

   ```
   Security Model     = ads
   Domain             = EXAMPLE
   Domain Controllers = IP_of_AD_server
   ADS Realm          = EXAMPLE.COM
   Template Shell     = /bin/bash
   ```

4. Hit "Join Domain" to add the LTSP server to Active Directory. If authconfig asks whether to save the settings, hit "Yes"; you will then be prompted for the Administrator password.
Note: this issues the following command:

```
# /usr/bin/net ads join -w EXAMPLE -S IP_of_DOMAIN_CONTROLLER -U Administrator
```
Click "OK" to start winbind. Don't worry about the FAILED message when winbind is stopped; it appears because winbind was not running before.
Caution: if you see a message like the following, read ... before continuing:

```
[ ... ] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password LTSP-SRV$@EXAMPLE.COM@EXAMPLE.COM failed: Clock skew too great
```
Note: here is the list of files modified by authconfig. Save copies before running authconfig and diff them afterwards to see how winbind was configured:

```
/etc/pam_smb.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
/etc/krb5.conf
/etc/krb.conf
/etc/samba/smb.conf
```
Check that winbind is working.

Check whether winbindd is still alive:

```
# wbinfo -p
Ping to winbindd succeeded on fd 4
```

Verify that the computer trust account is working:

```
# wbinfo -t
checking the trust secret via RPC calls succeeded
```

Show some information on the AD server ("net help ads" lists more commands):

```
# net ads info
LDAP server: AD_server_IP
LDAP server name: AD_server_name
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 15 Feb 2005 15:37:15 GMT
KDC server: AD_server_IP
Server time offset: 0
```

Get more details:

```
# net ads status -U Administrator
```

List all users available on the domain controller:

```
# wbinfo -u
EXAMPLE\Administrator
EXAMPLE\Guest
EXAMPLE\SUPPORT_388945a0
EXAMPLE\AD$
EXAMPLE\krbtgt
EXAMPLE\ltsp-srv$
EXAMPLE\tsuser
```

List all groups available on the domain controller:

```
# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
EXAMPLE\Domain Computers
EXAMPLE\Domain Controllers
EXAMPLE\Schema Admins
EXAMPLE\Enterprise Admins
EXAMPLE\Domain Admins
EXAMPLE\Domain Users
EXAMPLE\Domain Guests
EXAMPLE\Group Policy Creator Owners
EXAMPLE\DnsUpdateProxy
```

List all users known to both the local system and the domain controller:

```
# getent passwd
```

List all groups known to both the local system and the domain controller:

```
# getent group
```

Dump the winbind databases:

```
# tdbdump /etc/samba/secrets.tdb
# tdbdump /var/cache/samba/winbindd_idmap.tdb
# tdbdump /var/cache/samba/winbindd_cache.tdb
```
Tell winbind not to prefix entries with "DOMAINNAME\" by adding this line to /etc/samba/smb.conf and restarting winbind:

```
winbind use default domain = yes
```

Try to su to tsuser:

```
# su - tsuser
su: warning: cannot change directory to /home/EXAMPLE/tsuser: No such file or directory
```

The output shows that the home directory of tsuser is /home/EXAMPLE/tsuser and that the directory doesn't exist. Configure winbind so that the home directory of tsuser becomes /home/tsuser by putting this line in /etc/samba/smb.conf and restarting winbind:

```
template homedir = /home/%U
```
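The winbind-related settings above (the authconfig values, plus the two lines added by hand) are easy to get subtly wrong, so here is a small checker for them. It is an added example, not code from the HOWTO or from Samba: it parses the [global] section of an smb.conf and compares the settings this section relies on against the expected values. The mapping of authconfig's fields to smb.conf parameters (Security Model -> security, Domain -> workgroup, Domain Controllers -> password server, ADS Realm -> realm) is an assumption of this example, and the sample smb.conf is constructed.

```python
"""Check the winbind settings in smb.conf (added example, not from the HOWTO)."""

# Settings this section ends up with.  'IP_of_AD_server' is the HOWTO's
# placeholder; the authconfig-field-to-parameter mapping is an assumption.
EXPECTED = {
    "security": "ads",
    "workgroup": "EXAMPLE",
    "realm": "EXAMPLE.COM",
    "password server": "IP_of_AD_server",
    "template shell": "/bin/bash",
    "winbind use default domain": "yes",
    "template homedir": "/home/%U",
}

# Constructed sample: the state right after the domain join, before the two
# manual additions.  '/home/%D/%U' is Samba's default template homedir, which
# is what produces the /home/EXAMPLE/tsuser path seen in the 'su - tsuser' warning.
SAMPLE_SMB_CONF = """\
# Samba config written by authconfig (constructed sample)
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = IP_of_AD_server
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = no
   encrypt passwords = yes

;[homes]
;   comment = Home Directories
;   browseable = no
"""


def normalise_key(key):
    # Samba ignores case and whitespace when matching parameter names
    return "".join(key.lower().split())


def parse_global(text):
    """Return {normalised key: value} for the [global] section of an smb.conf."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # whole-line comments only, as Samba does
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[normalise_key(key)] = value.strip()
    return settings


def check_winbind_settings(text, expected=EXPECTED):
    """Return [(key, expected, actual)] for every setting that is missing or off."""
    actual = parse_global(text)
    problems = []
    for key, want in expected.items():
        got = actual.get(normalise_key(key))
        # yes/no and the security mode are case-insensitive in Samba; paths with
        # % substitutions are not (%U and %u mean different things)
        if want.lower() in ("yes", "no", "ads"):
            same = got is not None and got.lower() == want.lower()
        else:
            same = got == want
        if not same:
            problems.append((key, want, got))
    return problems


if __name__ == "__main__":
    for key, want, got in check_winbind_settings(SAMPLE_SMB_CONF):
        print("%s: expected %r, found %r" % (key, want, got))
```

Run against the real file with `check_winbind_settings(open("/etc/samba/smb.conf").read())` after each winbind restart; an empty list means the file matches what this section expects. On the constructed sample it reports exactly the two parameters that still have to be added by hand.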
Use pam_mount to mount the home directories which are on the AD server
Follow the steps 9-10 in section 4.1
Add the following line at the end of /etc/security/pam_mount.conf:

```
volume * smb AD_server_name_or_IP & /home/& uid=&,file_mod=0600,dir_mod=0700,workgroup=EXAMPLE - -
```
Add pam_mount to /etc/pam.d/system-auth (the three marked lines are the changes):

```
auth        required      /lib/security/$ISA/pam_env.so
# This line is added
auth        optional      /lib/security/$ISA/pam_mount.so
# This line is modified
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# This line is added
session     optional      /lib/security/$ISA/pam_mount.so
```
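The order of these lines matters: pam_mount sits first in the auth stack so that it sees the password the user types and keeps it for the session phase, every password-checking module after it carries use_first_pass so the user is not prompted a second time, and pam_mount appears again in the session stack, which is where the mount is actually performed. The following checker, an added example that is not part of the HOWTO or of pam_mount, parses a system-auth file and verifies those three points. The sample stack is the one shown above; the list of password-checking modules is an assumption limited to the two used here.

```python
"""Sanity-check pam_mount placement in a PAM stack (added example, not from the HOWTO)."""
import os
import re

# Modules whose auth component prompts for a password unless told otherwise
# (assumption: only the two modules used in this section are listed).
PASSWORD_MODULES = ("pam_unix.so", "pam_winbind.so")

# The system-auth stack from this section, used as the sample input.
SAMPLE_SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        optional      /lib/security/$ISA/pam_mount.so
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_mount.so
"""

# type, control (a keyword or a [bracketed] action list), module path, optional args
_LINE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                   r"(?P<control>\[[^\]]*\]|\S+)\s+"
                   r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam(text):
    """Return a list of (type, control, module basename, [args]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # lines this checker does not understand are ignored
        args = (m.group("args") or "").split()
        entries.append((m.group("type"), m.group("control"),
                        os.path.basename(m.group("module")), args))
    return entries


def check_pam_mount(text):
    """Return a list of problems; empty when the stack matches this section."""
    entries = parse_pam(text)
    problems = []
    auth = [e for e in entries if e[0] == "auth"]
    mount_idx = [i for i, e in enumerate(auth) if e[2] == "pam_mount.so"]
    if not mount_idx:
        problems.append("auth: pam_mount.so missing")
    else:
        i = mount_idx[0]
        if auth[i][1] != "optional":
            problems.append("auth: pam_mount.so should be 'optional', found %r" % auth[i][1])
        # everything that checks a password after pam_mount must reuse its password
        for _, _, module, args in auth[i + 1:]:
            if module in PASSWORD_MODULES and "use_first_pass" not in args:
                problems.append("auth: %s after pam_mount.so lacks use_first_pass" % module)
    if not any(e[0] == "session" and e[2] == "pam_mount.so" for e in entries):
        problems.append("session: pam_mount.so missing (nothing will be mounted)")
    return problems


if __name__ == "__main__":
    print(check_pam_mount(SAMPLE_SYSTEM_AUTH) or "pam_mount placement looks right")
```

Point it at the live file with `check_pam_mount(open("/etc/pam.d/system-auth").read())`; a forgotten use_first_pass shows up as a double password prompt at login, and a missing session line as logins that succeed with no home directory mounted.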
Restart the following services (or reboot) so that winbind authentication is used:

```
# gdm-restart
# service sshd restart
```
At this stage, users are able to log in on LTSP. Before going to the next section, we must set up the LTSP server as a WINS server. Also comment out the [homes] section in /etc/samba/smb.conf and start smb:

```
# service smb start
```
Do all the steps in section 3.5.1 only
Refer to section 3.6
Do the same as in section 5.3
If you see messages containing "Clock skew too great", Kerberos is complaining: it requires the time to be synchronized across all your computers. You can, for example, set the clock manually or with NTP on the LTSP server and let the other computers synchronize with it. To synchronize a Windows machine with an NTP source, run the following commands at a command prompt:

```
c:\> w32tm /config /syncfromflags:manual /manualpeerlist:IP1,IP2
c:\> w32tm /config /update
```
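The "Server time offset" line printed by `net ads info` earlier in this section is the quickest way to see whether the clocks are close enough before you attempt the join. The following script is an added example, not code from the HOWTO or from Samba: it parses the `key: value` lines of `net ads info` into a dict and checks the reported offset against the 300-second tolerance that Kerberos applies by default (the krb5 `clockskew` setting). The sample output is constructed, with the offset and addresses changed from the HOWTO's; a local timestamp can also be supplied to compute the skew from the "Server time" field instead.

```python
"""Check Kerberos clock skew from 'net ads info' output (added example, not from the HOWTO)."""
from email.utils import parsedate_to_datetime

KERBEROS_MAX_SKEW = 300  # seconds; the krb5 'clockskew' default

# Constructed sample of 'net ads info' output: the offset is well past the
# tolerance, which is the situation that yields 'Clock skew too great'.
SAMPLE_NET_ADS_INFO = """\
LDAP server: 192.0.2.10
LDAP server name: ad.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Tue, 15 Feb 2005 15:37:15 GMT
KDC server: 192.0.2.10
Server time offset: 420
"""


def parse_net_ads_info(text):
    """Return the 'key: value' lines of 'net ads info' as a dict."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        info[key.strip()] = value.strip()
    return info


def server_time(info):
    """The domain controller's clock as an aware datetime ('Server time' is RFC 2822)."""
    return parsedate_to_datetime(info["Server time"])


def skew_seconds(info, local_now=None):
    """Signed difference between the two clocks in seconds.

    With no local timestamp the offset reported by 'net ads info' is used;
    otherwise the skew is computed as local clock minus DC clock.
    """
    if local_now is None:
        return int(info["Server time offset"])
    return (local_now - server_time(info)).total_seconds()


def clock_skew_ok(info, local_now=None, max_skew=KERBEROS_MAX_SKEW):
    """True when the skew is within what Kerberos tolerates by default."""
    return abs(skew_seconds(info, local_now)) <= max_skew


if __name__ == "__main__":
    info = parse_net_ads_info(SAMPLE_NET_ADS_INFO)
    print("realm %s, KDC %s, offset %+d s: %s" % (
        info["Realm"], info["KDC server"], skew_seconds(info),
        "ok" if clock_skew_ok(info) else "fix the clocks before joining"))
```

To use it on a real server, capture the command output with `subprocess.run(["net", "ads", "info"], capture_output=True, text=True).stdout` and pass it to `parse_net_ads_info`; anything reported as not ok will also surface as the "Clock skew too great" message above.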
If pam_mount fails to mount the home directory for more than one user, the problem is SMB signing: by default, Windows Server 2003 domain controllers require SMB signing, which in this case prevents multiple mounts with different users. There are 2 workarounds. Note that the first one removes the integrity protection of SMB traffic to the domain controller for every client, not only the LTSP server.

1. Disable SMB signing on W2K3:
   1. From "Administrative Tools" open "Domain Controller Security Policy".
   2. Select the "Local Policies" -> "Security Options" folder.
   3. Double-click "Microsoft network server: Digitally sign communications (always)", then click Disabled so that SMB packet signing is no longer required.
   4. Click OK.
   5. Reboot or run "gpupdate" to apply the Group Policy change.
2. Leave SMB signing enabled on W2K3 and apply a cifs patch (I haven't tested this): https://bugzilla.samba.org/show_bug.cgi?id=2369
Changing password on the AD server with winbind?
todo...