Linux Active Directory

Here we document how to set up a Linux machine to authenticate against Active Directory, and how to solve various problems in using AD.

Setup

  • ADAddUbuntu - Detailed notes for having an Ubuntu machine authenticate against the CS Active Directory
  • SettingUpADGradPCs - Lawrence's notes for taking a standard grad PC (without AD configuration) and setting it up to use our AD

Unix attributes in AD

You can find the Unix attributes for a user by going into AD (log in to najas for CS-GENERAL) and opening the MMC Console:
  • Start -> Run: mmc
  • File -> Add&Remove Snapin
    • Click Add
    • Select: ADSI Edit -> Click: Add
    • Close -> OK
  • Right-Click ADSI Edit
    • Select: Connect To:
    • A dialogue box should appear with Path: LDAP://VIRIDIS.cs.uwaterloo.ca/Domain
    • Click: OK
  • Note: if you want to keep this handy, click File -> Save As -> save to your desktop; MMC Console.mmc (or similar)
  • Click [+] to open: ADSI Edit -> Domain -> DC -> OU=CS -> OU=Users
  • Scroll down to the user you are interested in
  • Right-click on the user -> Properties
    • Unix uid: uidNumber
    • Unix gid: gidNumber
    • Home directory: unixHomeDirectory
    • Shell: loginShell

Tools for manipulating AD

  • pam-auth-update

Handling Local Users and Groups

Common tasks

Setting a user's password

  • In CS core - it should update the CS core password and update the AD password
  • Directly in AD - RDP to najas.cs and log in as a -adm user. Then Reset Users Password
  • On a Linux machine logged in via AD - should be able to set passwd (need to verify if this works?)

Changing default shell

  • Manually in AD using MMC console (see above). Change loginShell properties to /xhbin/bash or /xhbin/tcsh (etc.)

Checking which group(s) a user belongs to

  • On an AD machine: getent group userid

Troubleshooting

No home directory

Can't cancel screen saver

I've noticed when logged into an AD Linux prepared machine with the local cscf-adm account that the screen saver won't exit after a valid password entry.
To quit the screen saver:
  Open a terminal with Ctrl-Alt-F1 (may have to try several times)
  $ ps aux | grep gnome-screensaver
  $ sudo kill <PID>    (the gnome-screensaver process number from the ps output)

Cannot login at the console

  • If you can ssh into the machine via the network, but cannot log in at the console using the same username/password, then your access.conf may be configured incorrectly: a rule whose origin field lists only a network matches ssh logins from that network, but not console logins, whose origin is a tty.
  • e.g.:
# cat /etc/security/access.conf
...
+ : staff_cscf : 129.97.0.0/16

That line should instead be:

+ : staff_cscf : ALL
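
The rule behaviour behind this fix, as an added example (not part of the original wiki page): a simplified Python model of how pam_access evaluates the origin field of access.conf rules. The trailing `- : ALL : ALL` rule, the user name, the sample addresses and the `LOCAL` variant are assumptions, not taken from the page.

```python
import ipaddress

# Constructed samples. The page elides the rest of the file ("..."); the
# trailing deny-all rule is an assumption, common in access.conf setups.
BEFORE = "+ : staff_cscf : 129.97.0.0/16\n- : ALL : ALL\n"
AFTER = "+ : staff_cscf : ALL\n- : ALL : ALL\n"
# Assumed narrower variant (not from the page): console plus campus network.
NARROWER = "+ : staff_cscf : LOCAL 129.97.0.0/16\n- : ALL : ALL\n"

def origin_matches(token, origin):
    """Simplified origin match: ALL, LOCAL, a CIDR network, or an exact tty name."""
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        addr = None  # not an address: a local tty such as "tty1"
    if token == "ALL":
        return True
    if token == "LOCAL":
        return addr is None
    if addr is None:
        return token == origin
    try:
        return addr in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # token is a tty name, origin is remote

def check_access(rules, names, origin):
    """First matching rule decides; with no match pam_access grants access.
    names: the user's login name plus group names (EXCEPT, netgroups and
    hostnames are not modelled)."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if not any(u == "ALL" or u in names for u in users.split()):
            continue
        if any(origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True

if __name__ == "__main__":
    member = {"jdoe", "staff_cscf"}  # hypothetical user in staff_cscf
    for label, rules in (("before", BEFORE), ("after", AFTER), ("narrower", NARROWER)):
        for origin in ("tty1", "129.97.1.2", "203.0.113.7"):
            verdict = "allow" if check_access(rules, member, origin) else "deny"
            print(f"{label:9} {origin:12} {verdict}")
```

With `ALL`, the group is also admitted from addresses outside 129.97.0.0/16, such as the constructed 203.0.113.7; the `LOCAL` variant allows the console while keeping the original network restriction for remote logins.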

Potentially helpful links

Topic revision: r5 - 2013-08-14 - DrewPilcher
 