Linux and Active Directory round 2

* edit Jan 12 2010: better, more reliable scripts.

* edit Oct 27th: the netbook deployment went well this time. Feedback is generally that they have fewer problems than our Windows machines. Using Impress instead of MS PowerPoint seems to be the biggest issue, as Impress has trouble importing some PowerPoint files in the Office Open XML format. Next on my todo list is to play around with Unison file sync and NFS, and to update this guide to reflect some improvements a colleague made.

The goal here is to create a Linux workstation that behaves like a typical Active Directory-joined Windows machine. This includes being able to log in using Active Directory and mount various shared folders. It also must be idiot proof: we don’t want users saving on the desktop without realizing the desktop is not part of their smb share. It also must be cloneable. There should be absolutely no required interaction with the computer after putting this image on it.

Active Directory Integration

I chose to use Centrify for this. Likewise Open is another option, but it seemed more buggy and I hate the way you have to configure it.

Ok, make sure partner repositories are enabled and install centrifydc. If you want to make a cloneable image, set your host name to something generic like “stockimage”. Add this script to crontab’s @reboot entry:

#!/bin/bash
# Run from cron's @reboot. First boot after imaging: give the machine a
# unique hostname and join the domain. Later boots: undo the PAM ordering
# that Centrify breaks (see the pam_mount section below), once.
hostOld="stockimage"           # hostname baked into the clone image
hostCurrent=$(hostname)
commonauth=/etc/pam.d/common-auth
counter=0

if [ "$hostCurrent" = "$hostOld" ]; then
    (
    set -x
    # Derive the hostname from the machine's serial number, spaces stripped
    host=$(/usr/sbin/dmidecode | grep 'Serial Number: ' | sed 's/.*: \(.*\)/\1/;q')
    host=$(echo "$host" | sed 's/[ ]*//g')
    hostname "$host"
    echo "$host" > /etc/hostname
    # TODO: axe this ugly hack and have upstart call us when we're connected
    # Wait up to 60 s for a default route before talking to AD
    while [ $counter -lt 60 ] && [ -z "$(/sbin/route -n | sed -rn 's/^0\.0\.0\.0[ ]+([0-9.]+)[ ]+0\.0\.0\.0.*/\1/p')" ]; do
        sleep 1
        counter=$((counter + 1))
    done
    # Do NOT put regular administrator password here!
    # Use a special account and keep it DISABLED.
    /usr/sbin/adleave -u 'j' -p 'secret'
    /usr/share/centrifydc/bin/centrifydc stop
    /usr/sbin/adjoin -f -u 'j' -p 'secret' -w --name "$host"
    set +x
    ) > /opt/ad.log 2>&1
    # set -x traces the adjoin line, password included, into the log
    chmod 600 /opt/ad.log
elif [ "$(sed 1q $commonauth | grep '^# lines inserted by Centrify')" ]; then
    # Prevent double password prompt: move the "auth optional" (pam_mount)
    # line above Centrify's block and let Centrify's "auth sufficient"
    # line reuse the password pam_mount already collected
    pammount=$(sed -rn '/^auth[ ]+optional[ ]/p' $commonauth)
    sed -ri '/^auth[ ]+optional[ ]/d' $commonauth
    sed -ri 's/^(auth[ ]+sufficient[^#]*)$/\1 try_first_pass/' $commonauth
    [ -n "$pammount" ] && sed -i "1i\\$pammount" $commonauth
fi

That script renames the host to something unique and joins your domain (on later boots the elif branch fixes the PAM ordering described under Mount Windows Shares, once Centrify has rewritten common-auth). Because it’s on @reboot it runs every time the computer is turned on, so when you image it, it runs! Maybe add this to crontab last because you don’t want it running on your image. If you’re only joining one machine to AD then just run the adjoin command.

Ok, bug workaround time! I said Centrify is less buggy, remember? This is only important for multi-user machines; if there will only be one user you may skip this section. Ubuntu will boot well before you are online, so a new user will get an Authentication Error when trying to log in right away. To fix this, first make sure that if you use wireless, “enabled for all users” is checked in NetworkManager.

Next we need GDM to wait for Centrify to connect before starting. We can do this with upstart.

Edit /etc/init/gdm.conf and look for the start on section. This tells GDM to start only once certain events have happened. Add centrify-connected to the bottom as seen here.

start on (filesystem
and started dbus
and (graphics-device-added fb0 PRIMARY_DEVICE_FOR_DISPLAY=1
or drm-device-added card0 PRIMARY_DEVICE_FOR_DISPLAY=1
or stopped udevtrigger)
and centrify-connected)

Now we need to emit the centrify-connected signal. Edit /etc/init.d/centrifydc and look for the start) entry of case "$CMD" in. Add initctl emit centrify-connected under wait_adclient, like this.

echo -n "Starting $NAME: "
start-stop-daemon --start --quiet --exec $DAEMON --pidfile $PIDFILE \
    # ... remaining start-stop-daemon arguments as shipped by Centrify
wait_adclient
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
    echo "OK"
    # upstart won't start gdm until we say we're connected
    initctl emit centrify-connected  # added
else
    echo "FAIL"
fi

That emits the signal telling GDM that Centrify is connected. The script is part of Centrify; it just didn’t emit the signal. It’s like they thought of this problem but didn’t actually fix it. You could reboot now if you wanted and it should work, but there’s much more we can do.
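An added check, not from the original post, to run on the image before cloning it: it confirms that gdm.conf’s start on stanza names centrify-connected and that the Centrify init script actually emits it. The file paths default to the ones used above but are parameters, so the check can also be run against copies.

```shell
#!/bin/bash
# Pre-clone sanity check for the upstart gating described above (added example).
# Default paths are the Ubuntu 10.04 locations used in this guide.

# Report whether the "start on (...)" stanza of an upstart job names $2.
# The stanza spans several lines, and inner lines can end in ")" too, so
# lines are collected until the parentheses balance rather than stopping
# at the first ")".
gdm_waits_for() {
    local conf="$1" event="$2"
    awk '
        /^start on/ { collecting = 1 }
        collecting  {
            buf = buf " " $0
            n += gsub(/\(/, "(")
            n -= gsub(/\)/, ")")
            if (n <= 0) { print buf; exit }
        }
    ' "$conf" | grep -qw -- "$event"
}

# Report whether an init script contains an "initctl emit $2" line.
initd_emits() {
    local script="$1" event="$2"
    grep -Eq "^[[:space:]]*initctl[[:space:]]+emit[[:space:]]+$event([[:space:]]|$)" "$script"
}

# Combined check: returns 0 when both edits are in place, 1 otherwise.
image_ready() {
    local gdm_conf="${1:-/etc/init/gdm.conf}"
    local centrify_initd="${2:-/etc/init.d/centrifydc}"
    local ok=0
    gdm_waits_for "$gdm_conf" centrify-connected \
        || { echo "gdm.conf does not wait on centrify-connected"; ok=1; }
    initd_emits "$centrify_initd" centrify-connected \
        || { echo "centrifydc init script never emits centrify-connected"; ok=1; }
    return $ok
}
```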

If your splash no longer shows up (happens to me 100% of the time on 10.04), you can try this command to fix it. I add this note because it can take a while for wifi to connect, then Centrify to find AD, then GDM to start. If the user stares at a black screen for a minute they will probably assume the computer is just broken.

sudo -i
echo FRAMEBUFFER=y > /etc/initramfs-tools/conf.d/splash
update-initramfs -u

Mount Windows Shares

Now your users will fire up nautilus and start browsing windows shares. smb://$/myuser/documents is so easy to remember right? 😛

Let’s face it, users usually don’t know what a file share is. Let’s mount them automatically like Windows does.

sudo apt-get install libpam-mount smbfs

Now edit /etc/security/pam_mount.conf.xml

Make it look something like this inside the <pam_mount> section. Make sure to change it for your own purposes. In this example I’m mounting a user’s documents folder.


<!-- Volume definitions -->

<volume user="*" fstype="cifs" server="server" path="users/%(DOMAIN_USER)" mountpoint="~/Documents" />

Don’t try mounting anything as Desktop because GNOME won’t like it. There is a workaround if you really need Desktop to be part of the share. First turn off the auto-creation of these folders (this puts you in charge of making them! Nautilus will not start if it doesn’t have these folders! Yes, Nautilus sucks.) Edit /etc/xdg/user-dirs.conf and set enabled to False. Now edit /etc/skel/.profile and add the lines

mkdir "$HOME/Documents/Desktop" 2> /dev/null
ln -s "$HOME/Documents/Desktop" "$HOME/Desktop" 2> /dev/null
mkdir "$HOME/Documents/Downloads" 2> /dev/null
ln -s "$HOME/Documents/Downloads" "$HOME/Downloads" 2> /dev/null

This symlinks the Desktop and Downloads folders to be inside Documents, and Documents is actually an smb share. This should keep users saving files in places that are on smb.
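As an added example that is not from the original post, here is a more careful version of those .profile lines: Desktop and Downloads are redirected into Documents only when ~/Documents really is a cifs mount, so a failed pam_mount does not leave users silently saving to the local disk inside a folder that looks like the share. The mount table path is a parameter (default /proc/mounts) so the check can be exercised against a constructed table.

```shell
#!/bin/bash
# Hardened replacement for the /etc/skel/.profile lines above (added example).
# Desktop and Downloads are redirected into ~/Documents only when that
# directory really is a CIFS mount; otherwise the user gets a visible warning
# instead of silently saving to local disk inside a folder that looks shared.

# Return 0 if $1 is the mountpoint of a cifs filesystem in mount table $2.
# /proc/mounts writes spaces in paths as \040, so the path is encoded the
# same way. It is passed through ENVIRON rather than awk -v, because -v
# would re-interpret the backslash escape.
share_mounted() {
    local mnt="$1" table="${2:-/proc/mounts}"
    MP=$(printf '%s' "$mnt" | sed 's/ /\\040/g') \
        awk '$2 == ENVIRON["MP"] && $3 == "cifs" { found = 1 } END { exit !found }' "$table"
}

# Create Desktop and Downloads inside the share and symlink them into $HOME.
# A real local folder with that name is never replaced (no user data deleted).
# Returns 0 when the share is mounted and the links are in place, 1 otherwise.
link_into_share() {
    local home="$1" table="${2:-/proc/mounts}" d
    if ! share_mounted "$home/Documents" "$table"; then
        echo "WARNING: $home/Documents is not a network share; files saved there stay on this computer" >&2
        return 1
    fi
    for d in Desktop Downloads; do
        mkdir -p "$home/Documents/$d"
        if [ -d "$home/$d" ] && [ ! -L "$home/$d" ]; then
            echo "WARNING: $home/$d is a local folder and was not redirected" >&2
            continue
        fi
        ln -sfn "$home/Documents/$d" "$home/$d"
    done
}
```

In /etc/skel/.profile, call link_into_share "$HOME" in place of the four mkdir/ln lines above.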

There are two Ubuntu bugs related to smbfs. If your system hangs at logout, look here.

If it hangs at shutdown, look here.

Ok, another Centrify bug workaround is explained here: Centrify goofs up pam_mount. I mean, who would really want to connect to shares AND use Active Directory  😉  If you can’t be bothered clicking through:

1) Open /etc/pam.d/common-auth file

2) Check if “auth optional” is the first line and “auth sufficient” the second line. If yes, change the second line to:

auth       sufficient try_first_pass

I also found that adding try_first_pass to the line lets non-AD users log in without entering the password twice.

Odds and ends

If you want to give some users sudo edit /etc/sudoers and add

%ADMIN\\UnixAdmins ALL = (ALL) ALL

That line gives the UnixAdmins group in the domain ADMIN sudo access.

If you want to edit the default desktop, install a program called Sabayon. It crashes sometimes, but when it isn’t crashing it works pretty well. For some reason rebooting fixes its crashing… weird.

Another problem is that non-admin users can disable NetworkManager for the entire system, even after a reboot! I’m not sure what to do about this; it’s a major headache because users won’t be able to log in at all without networking. I can’t think of any fix other than disabling NetworkManager, but this is not ideal as sometimes there are legitimate uses for it.

As Mike pointed out, one could use the adjoin --selfserve command if AD knows the hostnames in advance. I chose to use an account that is usually disabled, so if users see the password they won’t be able to do much.

Compared to Windows this is a huge pain to get right the first time, but cloning is way easier. I love running one image on many different models of computer. I moved the image around to several computers, fine tuning it for each one, which included installing specific drivers. In the end I have one image that can be deployed anywhere.

I’m still missing a few must-have features, such as syncing the entire home folder to a share. An NFS home folder is not enough: try leaving the building with your NFS-home-folder laptop. iFolder is an option I want to look into more; my initial experience is that it’s difficult to configure, and it doesn’t give you a CIFS interface, which is often nice to have. There are any number of hosted solutions (Dropbox, JungleDisk, Ubuntu One, etc.) that might work for you. It’s a shame Canonical won’t offer this as an on-site solution like they do Landscape. SparkleShare is an upcoming project that aims to meet this need, but it’s not ready yet. You could also look into CMS software such as Alfresco.

Thoughts on Centrify

Centrify Express is a gratis but not open source client for integrating various platforms (such as Linux and Mac) with Active Directory. I wrote about Likewise Open before when trying to get Linux on Active Directory, with some success. Today I deployed Centrify on a few machines to see if it could fare any better.

Ubuntu 10.04 Server: Centrify worked very well for this. Likewise Open has many bugs that annoy me in Ubuntu, so that’s what really motivated me to try something new. I ran into a little trouble installing it, but after running apt-get -f install it worked fine. Likewise in Ubuntu has a default domain bug, and it also doesn’t seem to like installing on my Proxmox template for some reason. Of course Centrify isn’t (and probably never will be) in Ubuntu’s repositories, which makes it slightly harder to install.

Ubuntu 10.04 Desktop: Desktop support is always where I get problems in trying to make Linux work in Active Directory. The biggest annoyance is getting it to work in a wifi environment. Turn on wireless laptop, new user logs in, authentication failure. It has to do with network-manager not really connecting as soon as you think it would (even if “available to all users” is checked). This is what really kills Linux for me in a place where people need to use different computers (i.e. a school). Removing network-manager fixes it somewhat, but I still have issues where I have to wait a few minutes before it allows domain logins. It does at least appear that Centrify works as soon as the network is available, while Likewise seems to just sit for a couple of minutes before it works. Centrify however is missing some features that are great in a company network. Likewise will pass on login information to PAM and when connecting to Samba shares. Centrify does not (edit: it can be made to work with pam_mount with some workarounds). Also, when I log in with GDM under Centrify I have to enter the password twice for gnome-keyring to work, then again every time I connect to a Samba share. There is a “centrified” version of Samba that I wasn’t able to get installed. Likewise just works in this case.

Centrify pros:

  • Less buggy to set up
  • Assumes default domain
  • Mitigates wifi issue at least a little bit

Centrify cons:

  • Not open source
  • Not in Ubuntu repository
  • Must enter password twice on login for gnome-keyring when using GDM, though there is a workaround.
  • Doesn’t pass credentials to Samba shares
  • Little documentation. * edit: they do have a PDF manual, but they don’t have the forum history Likewise does. When I Google “Likewise <description of problem>” I get results, while with Centrify I really have to hunt.

Once again Linux can integrate well with AD in server land but has issues for end user desktops. Workswithu did an article comparing the two programs too, for those interested. Overall Centrify is an acceptable solution, but falls short of a Linux Active Directory integration that “just works.”