Add BU Linux to AD
Using Ansible
- Set up Ansible in your account in an existing Linux system like engineering-grid
- Make sure passwordless SSH as root to the new system works, using your public key:
$ ssh root@hostname uptime
- Make sure the hostname is set on the new system and is 15 characters or less, as that will be used as the computer name.
- As a shortcut to adding the host to the inventory and doing a full Ansible setup, just use the ad-join script:
$ ad-join hostname
Password for jesse08-adm@AD.BU.EDU:

PLAY [generic-basic] **********************************************************

GATHERING FACTS ***************************************************************
ok: [engit-linux-tst]

TASK: [ad-client | Check distribution support] ********************************
ok: [engit-linux-tst]

TASK: [ad-client | yum name="krb5-workstation"] *******************************
ok: [engit-linux-tst]
. . .
- If the system should be inventoried, add an entry with the appropriate Profile to http://eng-deploy.bu.edu/. This way it will be tracked and get any updates in the future.
Old/Alternative Winbind method
Install BU Linux 6
- Download BU Linux
- Burn to Disk
- Install whatever you want
- The hostname must be like <hostname>.ad.bu.edu
Make sure to add a line to the hosts file informing the system of its hostname:
127.0.0.1 <hostname>.ad.bu.edu <hostname>
If the machine has a non-AD static IP, also inform it of that hostname:
127.0.0.1 <hostname>.ad.bu.edu <hostname>.bu.edu <hostname>
Samba and Winbind
We need to install winbind:
# yum install samba-winbind
(Maybe necessary, maybe not: install the krb5.conf from collaborate)
Open in gnome: System -> Administration -> Authentication
Set to the following:
- User account database: Winbind
- Winbind Domain: AD
- Security Model: ads
- Winbind ADS Realm: AD.BU.EDU
- Winbind Domain controllers: ad.bu.edu
- Template Shell: /bin/bash
Some subset of these additional settings is necessary in /etc/samba/smb.conf:
[global]
# -- auto generated stuff --
# STUFF FROM THAT GUI GETS PUT HERE
# -- end auto generated stuff
encrypt passwords = yes
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = Yes
winbind gid = <whatever they said for idmap>
template homedir = /home/%U # This will be like /home/mgabed
preferred master = no
dns proxy = no
wins server = ad.bu.edu
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = Yes
I’m not sure which subset of these are necessary though.
You’ll have to edit smb.conf and add them immediately after the line that marks the end of the “autogenerated” portion.
In the GUI, I don’t think I’ve actually seen the “Join Domain” button work
So we’ll do it manually:
# net ads join -U <username>-adm
This will prompt for your -adm password; enter it.
You should now be joined to AD. If you didn’t configure the hostname stuff correctly it will complain about being unable to update the DNS record. At this point you should also rerun:
# system-config-authentication
and re-click “Apply” to restart the Winbind services. Or “service winbind restart” should also be sufficient.
To verify that something is at least functioning, you can query the server:
# net ads lookup
# net ads info
You should also be able to run
# wbinfo -u
# wbinfo -g
to obtain a complete listing of users and groups.
Winbind Authentication
The GUI we used added winbind to /etc/nsswitch.conf, so we don’t need to touch it.
If you’re doing this manually, add “winbind” to the end of the passwd, group, and shadow lists
To verify that Linux is seeing users and groups in AD properly, run
# getent passwd
# getent group
You’ll have to enable winbind in PAM now
The authentication gui generates a functioning PAM configuration, but it’s not enabled at first. To enable it you just need to symlink it so it’s active:
# cd /etc/pam.d
# ln -sf auth-ad system-auth
If you’re doing this on another OS, you roughly just need to make pam_unix.so sufficient and make pam_winbind.so required in some way (either mark it required, or make it sufficient with pam_deny.so required after it).
You should have a stack similar to the following (modify account, password, and session stacks accordingly)
auth sufficient pam_unix.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
Other suggested authentication configs:
- allow offline logins (add cached_login to the pam_winbind.so args)
- automatically create home directory (add pam_mkhomedir.so or the oddjob based one to the session stack)
After this step, anybody on AD can log into the machine. But we would like to mount their home folders off of the netapp. Doing this is a bit more complicated.
Auto-mount Disks
For auto mounting our home directories, we will need to use the pam_mount module.
The package and dependencies aren’t in the BU Linux Repo, and the version from Fedora that works on BU Linux is too old to support a feature we need. The version that does support it is too new. I rebuilt and packaged a version in the middle, so hopefully we can just use those packages and forget about it.
Download pam_mount-2.10.rpm and libHX.rpm from here and run
# yum install path/to/pam_mount.rpm path/to/libHX.rpm
Now we need to set it up.
It has to be added to our pam stack. Copy system-auth-ac to auth-ad and make changes to that:
add
auth required pam_mount.so
to the (near) top of the auth stack
and
session optional pam_mount.so
above pam_unix but below pam_mkhomedir in the session stack.
At the very least, it should go before pam_unix and pam_winbind (but probably after pam_mkhomedir).
The pam_mount module also needs to be in the password stack since that’s what gdm uses to log people in. It is also auto-generated, but you can just make the auth-ad encapsulate the changes you need for password as well as system, and just maintain the one file and symlink that to both password-auth and system-auth.
The following auth-ad works well:
#%PAM-1.0
# This file was installed for AD authentication with home directories.
# To revert to the old behavior, just link both system-auth and
# password-auth back to their original versions, for example the -ac
# or -bulinux files:
# ln -sf /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
# ln -sf /etc/pam.d/password-auth-ac /etc/pam.d/password-auth

auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_mkhomedir.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_unix.so
session     sufficient    pam_localuser.so
session     optional      pam_mount.so
So now make the links:
# ln -sf auth-ad system-auth
# ln -sf auth-ad password-auth
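As an added check (not part of the page or of BU Linux), this shell script verifies that an auth-ad style file has the module ordering the steps above call for: pam_mount before pam_unix/pam_winbind in auth, pam_deny closing auth, and pam_mkhomedir before pam_mount in session. The two sample stacks it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page: sanity-check an auth-ad style PAM file for the
# module ordering the text calls for. The sample stacks at the bottom are constructed.

# Print the pam_*.so module of each line in one management group, in file order.
pam_modules() {  # $1 = file, $2 = group (auth|account|password|session)
  awk -v g="$2" '$1 == g { for (i = 2; i <= NF; i++) if ($i ~ /^pam_[a-z0-9_]+\.so$/) { print $i; break } }' "$1"
}
# 1-based position of a module within a group, 0 if absent.
pam_pos() {  # $1 = file, $2 = group, $3 = module
  pam_modules "$1" "$2" | awk -v m="$3" 'BEGIN { p = 0 } p == 0 && $1 == m { p = NR } END { print p }'
}
# Passes when pam_winbind.so is in auth, pam_mount.so precedes pam_unix.so and
# pam_winbind.so there, pam_deny.so closes auth, and in session pam_mkhomedir.so
# comes before pam_mount.so. Prints the first violation found and returns 1.
check_pam_file() {  # $1 = file
  f=$1
  m=$(pam_pos "$f" auth pam_mount.so); u=$(pam_pos "$f" auth pam_unix.so)
  w=$(pam_pos "$f" auth pam_winbind.so); d=$(pam_pos "$f" auth pam_deny.so)
  n=$(pam_modules "$f" auth | wc -l | tr -d ' ')
  [ "$w" -gt 0 ] || { echo "auth: pam_winbind.so missing"; return 1; }
  { [ "$m" -gt 0 ] && [ "$m" -lt "$u" ] && [ "$m" -lt "$w" ]; } ||
    { echo "auth: pam_mount.so must precede pam_unix.so and pam_winbind.so"; return 1; }
  [ "$d" -eq "$n" ] || { echo "auth: pam_deny.so must be the last auth entry"; return 1; }
  sm=$(pam_pos "$f" session pam_mount.so); mk=$(pam_pos "$f" session pam_mkhomedir.so)
  { [ "$sm" -gt 0 ] && [ "$mk" -gt 0 ] && [ "$mk" -lt "$sm" ]; } ||
    { echo "session: pam_mkhomedir.so must come before pam_mount.so"; return 1; }
  return 0
}

# Constructed sample: a correct stack, and the same stack with pam_mount.so moved
# after pam_winbind.so in auth, where a successful sufficient module skips it.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
session     optional      pam_mkhomedir.so
session     optional      pam_unix.so
session     optional      pam_mount.so
EOF
awk '/^auth.*pam_mount\.so/ { next } { print }
     /^auth.*pam_winbind\.so/ { print "auth        required      pam_mount.so" }' "$GOOD" > "$BAD"
for f in "$GOOD" "$BAD"; do
  if check_pam_file "$f"; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```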
Now configure how pam_mount mounts drives; this is done in /etc/security/pam_mount.conf.xml.
The necessary file is this:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<msg-authpw>Password:</msg-authpw>
<volume user="*" fstype="cifs" server="eng-home.bu.edu" path="%(exec /usr/local/sbin/eng-home-volume %(USER))" mountpoint="~"
options="noserverino,file_mode=0600,dir_mode=0700" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
<path>/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
Note the “path” option in the 6th line. It runs a small helper program to figure out the actual share name.
You also need a small helper utility I’ve called ‘eng-home-volume’ — you must specify the exact path to this program.
This just transforms a username into the path to their home directory.
It is as follows:
#!/bin/bash
# Map a username to its share path: users/<first char>/<second char>/<username>
USER=$1
U=${USER:0:1}   # first character of the username
S=${USER:1:1}   # second character of the username
echo -n "users/$U/$S/$USER"
Save this as eng-home-volume somewhere in the PATH and make it executable.
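Because pam_mount runs this helper as root with whatever %(USER) it was handed, a stricter variant is worth having. The following is an added example, not the page's script: it produces the same users/<first>/<second>/<user> path for ordinary names but rejects anything it cannot map rather than emitting a malformed share path. The allowed character set and the two-character minimum are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the page's script): a stricter eng-home-volume that rejects
# usernames it cannot map instead of emitting a malformed share path to pam_mount.
# The allowed character set and two-character minimum are assumptions.
eng_home_volume() {  # $1 = username, as pam_mount passes %(USER)
  user=$1
  # Reject empty, one-character, non-lowercase or otherwise unexpected names:
  # the layout needs a first and a second character for the directory levels.
  case "$user" in
    ''|?|[![:lower:]]*|*[![:lower:][:digit:]_-]*) return 1 ;;
  esac
  rest=${user#?}            # everything after the first character
  u=${user%"$rest"}         # first character
  s=${rest%"${rest#?}"}     # second character
  printf 'users/%s/%s/%s' "$u" "$s" "$user"
}

# Constructed sample inputs; the page's one-liner would map "m" to users/m//m
# and pass mixed-case or space-containing names straight through.
for name in mgabed jesse08 m ADMIN "bad user"; do
  if path=$(eng_home_volume "$name"); then echo "$name -> $path"; else echo "$name -> rejected"; fi
done
```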
Since BU Linux defaults to using SELinux, you’ll have to make some changes to SELinux
# service winbind stop
# setsebool -P use_samba_home_dirs 1
# setsebool -P samba_create_home_dirs 1
# service winbind start
If you don’t run these, you’ll get complaints about the directory not existing and other weirdness. Alternatively you can turn SELinux off, but the booleans above are enough.
Once all of that is done, the computer should be good to go. When a local user logs in nothing will get mounted. When a non-local user logs in, it will mount their home folder from the netapp and unmount it when they log out.