In this situation we need at least two servers (see figure 3): one Linux server for LTSP and one W2K3 server for TSE.
Users who open Linux sessions get their display from the Linux server. They authenticate with plain Unix authentication. Their home directories are shares on the TSE server and are mounted when the user logs in.
Users who open Windows sessions get their display from the Windows server. So that they can authenticate with the same credentials as in Linux sessions, the TSE server is made a member of a Windows domain whose controller is the Linux server, running Samba as the domain controller. Users then access their home directories locally on the TSE server.
Follow steps 1-6 in section 3.1.
Follow step 6a in section 3.2.
Take the file /etc/samba/smb.conf from the previous section so that Samba does the authentication and hosts the profiles and the netlogon scripts. Add the following line to tell Samba that the home directories live on the TSE server (%u expands to the Unix user name, so each user's share on the TSE server must be named after his login):

```
[global]
...
logon home = \\TSE_server_name_or_IP\%u
```
Follow steps 6c-6f in section 3.2.
Follow step 2 in section 3.3.
Follow step 2 in section 3.4.
Follow all the steps in tip-a in section 3.2.
Create a user account

```
# useradd -G tsusers tsuser
# smbpasswd -a -n tsuser
# passwd tsuser
```

Note that `smbpasswd -a -n` creates the Samba account with a null (empty) password. The account is only usable that way if `null passwords = yes` is set in smb.conf; the real password is set by the following `passwd`, and the pam_smbpass entry in the password stack of /etc/pam.d/system-auth (see the pam_mount section below) copies it into the Samba password database. Verify with `pdbedit -L -v tsuser` that the account no longer has the "no password" flag before handing it out.
Now it is time to configure the LTSP server so that it can mount the home directories that live on the TSE server. Unlike NFS, mounting an SMB share that is the user's home directory requires the credentials of that user. This can be achieved in several ways:
Let each user explicitly mount his home directory after logging on to a Linux session. The user must know the syntax of the command, must type his password again, and the mount is done by hand.
root must do (once): make the setuid helper executable by users. smbmnt is the small privileged helper that smbmount calls; only it (and smbumount) need the setuid bit, not smbmount itself.

```
# chmod u+s /usr/bin/smbmnt
# chmod u+s /usr/bin/smbumount
```

The user must do (after each login)

```
$ cd /
$ smbmount //TSE_server_name_or_IP/user_login /home/user_login -o uid=user_login,gid=user_group,fmask=600,dmask=700
```

The user must do (before each logout)

```
$ cd /
$ smbumount /home/user_login
```
Note: to avoid being prompted for the password after issuing smbmount, the user can create a file, for example $HOME/.smbcredentials, containing his username and password in clear text!

```
username = user_login
password = user_password
```

Obviously, the permissions on the credentials file must be set properly:

```
$ chmod 400 $HOME/.smbcredentials
```

The mount command becomes

```
$ smbmount //TSE_server_name_or_IP/user_login /home/user_login \
    -o uid=user_login,gid=user_group,fmask=600,dmask=700,credentials=/home/user_login/.smbcredentials
```
Use the automounter to make things more transparent to the user. In this case, however, you must keep a credentials file with the clear-text password of every user on the LTSP server, readable by root: whoever gets root on the LTSP server gets every domain password.
Create a directory to store credentials files
# mkdir -m 0700 /smbcredentials
For each user, create a file /smbcredentials/user_login containing the credentials of the user and set the proper permissions
# chmod 400 /smbcredentials/user_login
Add the following line to /etc/auto.master

```
/home /etc/auto.home --timeout=60
```

Create the file /etc/auto.home with the following line (`&` is replaced by the key, that is the user login, in each place it appears)

```
* -fstype=smbfs,uid=&,gid=&,fmask=600,dmask=700,credentials=/smbcredentials/& ://TSE_server_name_or_IP/&
```
Restart the automounter
# service autofs restart
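As an added example (not code from the HOWTO itself), here is a small shell helper for the part of this method that is easy to get wrong: populating the credentials store and checking its permissions afterwards. It assumes the layout described above, one file per user under a directory such as /smbcredentials in the `username = ...` / `password = ...` syntax that smbmount reads; the directory path is a parameter so the functions can be tried in a scratch directory before touching the real one.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: build and audit the
# root-owned credentials store that the automounter method relies on.
# Assumptions: one file per user under DIR (e.g. /smbcredentials), in the
# "username = ..." / "password = ..." syntax accepted by smbmount.

# create_credentials DIR USER PASSWORD
# Creates DIR (0700) if needed and writes DIR/USER.  The file is written
# under umask 077 so it is never readable by others, even for an instant,
# and then fixed at 0400 as the HOWTO prescribes.
create_credentials() {
    dir=$1; user=$2; pass=$3
    mkdir -p -m 0700 "$dir" || return 1
    (
        umask 077
        printf 'username = %s\npassword = %s\n' "$user" "$pass" > "$dir/$user"
    ) || return 1
    chmod 0400 "$dir/$user"
}

# audit_credentials DIR
# Reports the directory if it is wider than 0700 and every file whose mode
# is wider than 0400; returns 1 if anything was reported.  Each file holds
# a clear-text domain password, so a single 0644 file hands that user's
# password to every account on the LTSP server.
audit_credentials() {
    dir=$1; bad=0
    dmode=$(stat -c '%a' "$dir")           # GNU stat; BSD stat uses -f %Lp
    case "$dmode" in
        700) ;;
        *) echo "WARNING: $dir is mode $dmode, expected 0700"; bad=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            400) ;;
            *) echo "WARNING: $f is mode $mode, expected 0400"; bad=1 ;;
        esac
    done
    return $bad
}
```

Run `audit_credentials /smbcredentials` from cron or after every change; the automounter runs as root, so 0400 root-owned files are all it needs.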
Use pam_mount. This is by far the best way.
pam_mount is a PAM module that mounts volumes for a user's session:
Every user can access his own volumes
The user needs to type the password just once (at login)
The mounting process is transparent to the users
There is no need to keep the login passwords in any additional file
The volumes are unmounted upon logout
Download, build, and install pam_mount

```
# wget http://www.flyn.org/projects/pam_mount/pam_mount-0.9.22-0.fdr.1.src.rpm
# rpm -Uvh pam_mount-0.9.22-0.fdr.1.src.rpm
# rpmbuild -ba /usr/src/redhat/SPECS/pam_mount.spec
# rpm -Uvh /usr/src/redhat/RPMS/i386/pam_mount-0.9.22-0.fdr.1.i386.rpm
```
Edit the file /etc/security/pam_mount.conf, locate the line beginning with smbmount and replace smbfs with cifs. Since the server is W2K3, we mount with cifs rather than smbfs:

```
...
smbmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
...
```
Add the following line at the end of the file /etc/security/pam_mount.conf. It declares a volume for mounting home directories (`&` stands for the user login):

```
volume * smb TSE_server_name_or_IP & /home/& uid=&,gid=&,file_mod=0600,dir_mod=0700 - -
```
Add two entries in /etc/pam.d/system-auth to mount and unmount the shares. The file looks like:

```
auth        required      /lib/security/$ISA/pam_env.so
# This line is added
auth        optional      /lib/security/$ISA/pam_mount.so
# This line is modified
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    required      /lib/security/$ISA/pam_smbpass.so nullok use_authtok try_first_pass
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# This line is added
session     optional      /lib/security/$ISA/pam_mount.so
```
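As an added example (not code from the HOWTO or from pam_mount), a small shell check for the ordering constraints in system-auth that this configuration depends on: pam_mount must sit in the auth stack before pam_unix so that it sees the password, pam_unix must then take that password with use_first_pass so the user types it only once, and pam_mount must also be in the session stack, which is where the mount happens. It assumes one directive per line in the usual `type control module options` layout; the file path is a parameter so the check can be run against a copy.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: verify the PAM stack
# ordering pam_mount needs.  Assumes the classic one-directive-per-line
# system-auth layout "type control module [options]".

# check_pam_mount FILE
# Returns 0 when all of the following hold, 1 otherwise, printing the
# reason for every failure:
#   1. pam_mount.so is in the auth stack (so it can capture the password);
#   2. it appears before pam_unix.so in the auth stack;
#   3. the auth pam_unix.so line carries use_first_pass, so the password
#      typed once is reused instead of prompting again;
#   4. pam_mount.so is in the session stack, where the mount is done.
check_pam_mount() {
    file=$1; rc=0

    # Line number of the first matching entry for each module; empty if absent.
    auth_mount=$(awk '$1=="auth" && $3 ~ /pam_mount\.so$/ {print NR; exit}' "$file")
    auth_unix=$(awk '$1=="auth" && $3 ~ /pam_unix\.so$/ {print NR; exit}' "$file")
    sess_mount=$(awk '$1=="session" && $3 ~ /pam_mount\.so$/ {print NR; exit}' "$file")

    if [ -z "$auth_mount" ]; then
        echo "FAIL: no 'auth ... pam_mount.so' line; pam_mount never sees the password"
        rc=1
    elif [ -n "$auth_unix" ] && [ "$auth_mount" -gt "$auth_unix" ]; then
        echo "FAIL: pam_mount.so (line $auth_mount) must precede pam_unix.so (line $auth_unix) in the auth stack"
        rc=1
    fi

    if [ -n "$auth_unix" ]; then
        has_ufp=$(awk -v n="$auth_unix" 'NR==n { for (i=4; i<=NF; i++) if ($i=="use_first_pass") print "yes" }' "$file")
        if [ "$has_ufp" != "yes" ]; then
            echo "FAIL: auth pam_unix.so (line $auth_unix) lacks use_first_pass; the user would be prompted twice"
            rc=1
        fi
    fi

    if [ -z "$sess_mount" ]; then
        echo "FAIL: no 'session ... pam_mount.so' line; the volume would never be mounted"
        rc=1
    fi
    return $rc
}
```

Usage: `check_pam_mount /etc/pam.d/system-auth`; an exit status of 0 means the stack matches the layout shown above.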
Follow steps 1-3, 7 and 7-tip-b in section 3.2.
Create a new folder named home.
Copy the entire skeleton directory (/etc/skel) from the LTSP server into the home folder. Use WinSCP for that.
In the home folder, create a copy of the skel folder and rename it tsuser.
Right click on tsuser -> Sharing and Security... and change both the share and the NTFS permissions so that only the user tsuser has Full Control on this folder.
In the "Sharing" tab
Select "Share this folder" and click on the "Permissions..." button.
Remove the group "Everyone" and add only the user tsuser with Full control
In the "Security" tab
Click on the "Advanced..." button, clear "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" and click on the "Copy" button. Remove the entries that allow the "Users" group. Click on the "Add..." button, add the user tsuser and give it Full Control.
Go to the "Owner" tab and click on "Other Users or Groups..." to add the user tsuser. Highlight the user tsuser and select "Replace owner on subcontainers and objects". Click on "Apply", then "OK".
Now try to connect with both a Linux and a Windows session. Things should work as expected.
Refer to section 3.5
Refer to section 3.6
With figure 3, if you have N workstations and M users, then (FIXME please, complete the table):

| Machine type | Number of machines | Commercial license type | Number of licenses |
|---|---|---|---|
| LTSP server | 1 | Windows Server Client Access License (Server CAL) | M |
| TSE server | 1 | Windows Server 2003 (server license) | 1 |
| Workstation | N | Temporary license (limited to 120 days) | N |
| | | Terminal Server Device Client Access License (TS Device CAL) (beyond 120 days) | N |
| | | Terminal Server User Client Access License (TS User CAL) (beyond 120 days) | M |
| | | External Connector License (ECL) (beyond 120 days) | 1 |

Table 4. Licenses needed in figure 3
When a user logs on, I see some messages from gconfd in /var/log/messages. Fixed (?) by replacing the following line in /etc/gconf/2/path
xml:readwrite:$(HOME)/.gconf
with
xml:readwrite:/tmp/.gconf.$(USER)
I think that these messages come from the gnome PreSession and PostSession scripts, which are executed as root, and root has no permission to write into the user's home directory. This problem is similar to root squashing with NFS.
I see the following pam_mount messages in /var/log/secure and things seem to work well :-( I read the pam_mount FAQ but I haven't fixed this yet.
pam_mount: error trying to retrieve authtok from auth code
todo...