Linux Active Directory (obsolete)
Here we will document how to setup a Linux machine to authenticate against an Active Directory and then how to solve various problems in using AD
Setup
- ADAddUbuntu - Detailed notes for having an Ubuntu machine authenticate against the CS Active Directory
- SettingUpADGradPCs - Lawrence's notes for taking a standard grad PC (without AD configuration) and setting it up to use our AD
Unix attributes in AD
You can find the unix attributes for a user by going into AD (login to najas for CS-GENERAL) and open the MMC Console:
- Start -> Run: mmc
- File -> Add&Remove Snapin
- Click Add
- Select: ADSI Edit -> Click: Add
- Close -> OK
- Right-Click ADSI Edit
- Select: Connect To:
- A dialogue box should appear with Path: LDAP://VIRIDIS.cs.uwaterloo.ca/Domain
- Click: OK
- Note: if you want to keep this handy, click File -> Save As -> save to your desktop; MMC Console.mmc (or similar)
- Click [+] to open: ADSI Edit -> Domain -> DC -> OU=CS -> OU=Users
- Scroll down to the user you are interested in
- Right-click on the user -> Properties
- Unix uid: uidNumber
- Unix gid: gidNumber
- Home directory: unixHomeDirectory
- Shell: loginShell
Tools for manipulating AD
Handling Local Users and Groups
Common tasks
Setting a user's password
- In CS core - it should update the CS core password and update the AD password
- Directly in AD - RDP to najas.cs and login as a -adm user. Then Reset Users Password
- On a Linux machines logged in via AD - should be able to set passwd (need to verify if this works?)
Changing default shell
- Manually in AD using MMC console (see above). Change loginShell properties to /xhbin/bash or /xhbin/tcsh (etc.)
Checking which group(s) a user belongs to
- On an AD machine: getent group userid
Troubleshooting
No home directory
Can't cancel screen saver
I've noticed when logged into an AD Linux prepared machine with the local cscf-adm account that the screen saver won't exit after a valid password entry.
To quit the screen saver:
open a terminal Ctrl-Alt-F1 (may have to try several times)
$ ps aux | grep gnome-screensaver
$ sudo kill (the gnome-screensaver process number)
Cannot login at the console
- If you can ssh into the machine via the network, but cannot login to the console using the same username/password, then your access.conf may be configured incorrectly.
- eg: cat /etc/security/access.conf
# cat /etc/security/access.conf
...
+ : staff_cscf : 129.97.0.0/16
That line should instead be:
+ : staff_cscf : ALL
Potentially helpful links