Linux Active Directory
Here we document how to set up a Linux machine to authenticate against Active Directory, and how to solve various problems that come up when using AD.
Setup
- ADAddUbuntu - Detailed notes for having an Ubuntu machine authenticate against the CS Active Directory
- SettingUpADGradPCs - Lawrence's notes for taking a standard grad PC (without AD configuration) and setting it up to use our AD
Unix attributes in AD
You can find the Unix attributes for a user by going into AD (log in to najas for CS-GENERAL) and opening the MMC Console:
- Start -> Run: mmc
- File -> Add&Remove Snapin
- Click Add
- Select: ADSI Edit -> Click: Add
- Close -> OK
- Right-Click ADSI Edit
- Select: Connect To:
- A dialogue box should appear with Path: LDAP://VIRIDIS.cs.uwaterloo.ca/Domain
- Click: OK
- Note: if you want to keep this handy, click File -> Save As -> save to your desktop; MMC Console.mmc (or similar)
- Click [+] to open: ADSI Edit -> Domain -> DC -> OU=CS -> OU=Users
- Scroll down to the user you are interested in
- Right-click on the user -> Properties
- Unix uid: uidNumber
- Unix gid: gidNumber
- Home directory: unixHomeDirectory
- Shell: loginShell
Tools for manipulating AD
Handling Local Users and Groups
Common tasks
Setting a user's password
- In CS core - it should update the CS core password and update the AD password
- Directly in AD - RDP to najas.cs and log in as a -adm user. Then Reset Users Password
- On a Linux machine logged in via AD - should be able to set passwd (need to verify if this works?)
Changing default shell
- Manually in AD using the MMC console (see above). Change the loginShell property to /xhbin/bash or /xhbin/tcsh (etc.)
Checking which group(s) a user belongs to
- On an AD machine: getent group userid
Troubleshooting
No home directory
Can't cancel screen saver
I've noticed when logged into an AD Linux prepared machine with the local cscf-adm account that the screen saver won't exit after a valid password entry.
To quit the screen saver:
Open a text terminal with Ctrl-Alt-F1 (may have to try several times), then find and kill the gnome-screensaver process:
$ ps aux | grep gnome-screensaver
$ sudo kill PID   (PID = the gnome-screensaver process number shown by ps)
Cannot login at the console
- If you can ssh into the machine via the network, but cannot login to the console using the same username/password, then your access.conf may be configured incorrectly.
- For example:
# cat /etc/security/access.conf
...
+ : staff_cscf : 129.97.0.0/16
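That rule only matches logins whose origin is an address in 129.97.0.0/16. A console login has a terminal name (such as tty1) as its origin rather than an IP address, so the rule never matches it. That line should instead be: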
+ : staff_cscf : ALL
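The following added example (not part of the original notes, and not pam_access itself) is a simplified first-match evaluator for access.conf rules that shows why the network-only rule admits ssh but not the console. It assumes a trailing `- : ALL : ALL` catch-all, which the excerpt above does not show; the user alice, the addresses and the NARROW variant are constructed for illustration, and EXCEPT, netgroups and host names are not handled.

```python
import ipaddress

def origin_matches(pattern, origin):
    """Match one origin token for the cases used on this page."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # non-network login: name without a "."
        return "." not in origin
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin           # literal tty or host name
    try:
        return ipaddress.ip_address(origin) in net
    except ValueError:
        return False                       # "tty1" is not an address

def check_access(conf, names, origin):
    """First rule matching both user/group and origin decides the result."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = any(u == "ALL" or u in names for u in users.split())
        origin_ok = any(origin_matches(p, origin) for p in origins.split())
        if user_ok and origin_ok:
            return perm == "+"
    return True                            # no rule matched: access is granted

# Constructed sample configurations; the "- : ALL : ALL" line is an assumption.
BEFORE = "+ : staff_cscf : 129.97.0.0/16\n- : ALL : ALL"
AFTER = "+ : staff_cscf : ALL\n- : ALL : ALL"
NARROW = "+ : staff_cscf : LOCAL 129.97.0.0/16\n- : ALL : ALL"

ALICE = {"alice", "staff_cscf"}            # hypothetical user plus her group

def report():
    """Decision for each config: ssh on campus, console, ssh off campus."""
    origins = ("129.97.15.20", "tty1", "203.0.113.5")
    return {name: [check_access(conf, ALICE, o) for o in origins]
            for name, conf in (("BEFORE", BEFORE), ("AFTER", AFTER),
                               ("NARROW", NARROW))}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

With `ALL` as the origin, staff_cscf members are also admitted from addresses outside 129.97.0.0/16. The NARROW variant lists `LOCAL` beside the network, which admits the console while keeping the network restriction.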
Potentially helpful links