SAMBA PDC
Intro
PDC Main Doc
PDC Config Files
Client Config Files
Admin Quick Reference
Single Sign On Student Info Sheet
This project was researched, designed and implemented at the San Antonio College Computer Information Systems Department computer lab, where I worked for about three years (work study).
My supervisor told me he wanted a network logon server that all of the students could get accounts on and authenticate against from the client machines in the lab.
He told me he wanted it to be a Linux server and that it should use OpenLDAP as a backend.
Outside of these basic instructions I was left to my own devices.
This project was not fully documented, but what documentation was done follows.
Some information has been sanitized.
My main concern about using LDAP and a Linux server was compatibility with the Windows 7 operating system.
I also wanted to give students centralized profile configurations and access to their files from any of the client machines.
Samba can be set up as a PDC; it also supports the Windows file sharing protocols, roaming profiles (centralized configurations) and an OpenLDAP backend.
I used Oracle Enterprise Linux for the server, OpenLDAP was configured with TLS, and SELinux was left enabled.
There are some downsides to my configuration.
The smbldap-tools package I used does not provide an efficient means of tracking user logon activity.
I did make some additions after the initial completion of this project.
User home directory quotas were set, and each user got a public_html directory in their home directory to practice web programming/design.
I set the web server to www in our DNS server (which I configured for this project) and made an information page about the network server for students to view upon receiving their network account.
If they browsed to www they got the info page; if they went to www/~networkusername they got their web page (or whoever's username they entered).
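The quota and public_html setup described above as one script, added here as an example and not taken from the original page. It is a POSIX shell function to run as root on the home directory server after `smbldap-useradd -a -m ...` has created the account and its home directory. It assumes the home directories sit on a quota-enabled /home filesystem, that the web server serves ~username from public_html (an Apache-style userdir module; the page does not name the web server), and the quota values and group name are placeholders.

```sh
#!/bin/sh
# Added example (not from the original page). Run on the home directory
# server as root after the account and home directory exist.
# The quota limits, the /home filesystem and the group are assumptions.
set -u

# provision_student_home USER HOME_DIR [GROUP] [SOFT_KB] [HARD_KB] [FILESYSTEM]
# Sets the home directory quota and creates a world-readable public_html
# without making the rest of the home directory readable by other students.
provision_student_home() {
    user=$1
    home=$2
    group=${3:-$user}
    soft_kb=${4:-409600}     # ~400 MB soft block limit (assumed value)
    hard_kb=${5:-512000}     # ~500 MB hard block limit (assumed value)
    fs=${6:-/home}           # filesystem mounted with usrquota (assumed)

    [ -d "$home" ] || { echo "no home directory: $home" >&2; return 1; }

    # 0711: the web server (and anyone) can traverse into public_html by
    # name, but only the owner can list or read the home directory itself.
    chmod 0711 "$home" || return 1

    mkdir -p "$home/public_html" || return 1
    chown "$user:$group" "$home/public_html" || return 1
    chmod 0755 "$home/public_html" || return 1

    # With SELinux enforcing, the stock targeted-policy file contexts label
    # /home/*/public_html as httpd_user_content_t; apply them. The web server
    # additionally needs (one time): setsebool -P httpd_enable_homedirs on
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home/public_html" || return 1
    fi

    # Block quota only; inode limits of 0 mean "no limit".
    setquota -u "$user" "$soft_kb" "$hard_kb" 0 0 "$fs" || return 1
}

# Example invocation (as root): provision_student_home jdoe /home/jdoe students
```

The 0711 mode on the home directory is the security-relevant part: the web server needs execute (traverse) permission on /home/user to reach public_html, but without read permission other students cannot list the user's home directory or read what is in it.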
PDC Main Doc
General details: Samba 3
Running on Oracle Linux 6
SELINUX Enabled
OpenLDAP Backend with TLS enabled
All machines have a local staff account which is in sudoers.
Four 250 GB hard drives in RAID 0 (striped, no redundancy: one drive failure loses the whole partition) as the home directory partition.
Home directories served via Samba for Windows machines and NFS for Linux machines.
Each dual-boot computer needs two separate names, one for Windows and one for Linux, because each operating system joins the domain with its own machine account.
The Windows boxes are named NTC-122-N**-W and the Linux boxes are named NTC-122-N**-L
LDAP database configured using smbldap-tools
Domain Controller
Windows 7 Clients
Fedora 14 Clients
Ghost Environment
FTP server with SELinux enabled and FTP users chrooted
domain controller image - domain_server.img
domain client image - domain_client_win7.img (sysprepped)
domain client image - domain_client_fed14.img
Updates and To Do List
TLS - Enable client certificates
With the current setup LDAP traffic is encrypted, but the clients are not validated: only the server presents a certificate. Adding client certificates and validating them on the server would add additional security.
Not sure how this would affect/work with Windows clients.
Configure User Storage Quotas (Completed)
Configure Printer Quotas
Configure DNSSEC
Fix issue with hanging shutdown in Linux (I believe this has to do with users not logging out)
Set users to get logged out after inactivity instead of having the screen locked.
Switched from pam_mount to autofs after being unable to get pam_mount to fetch the proper user IDs.
PDC Config Files
ldap.conf
smb.conf
smbldap.conf
smbldap_bind.conf
slapd.conf
Client Config Files
ldap.conf
smb.conf
pam_mount.conf.xml
system-auth
password-auth
idmap.conf
nsswitch.conf
nslcd.conf
Admin Quick Reference
Add a user: | smbldap-useradd -a -m -P -N "full name here" username |
Delete a user: | smbldap-userdel username |
Change user password: | smbldap-passwd username |
Search ldap directory: | ldapsearch -xZZ |
Delete ldap entry: | ldapdelete -xZZ -W -D 'cn=adminuser,dc=*,dc=*,dc=*' 'dn entry here' | (-W prompts for the admin password; without it the bind is sent with an empty password and the delete fails; -ZZ refuses to continue unless StartTLS succeeds)
Back up ldap database: | stop ldap server (service slapd stop), compress (tar -czf /backup/dir/slapd.tar.gz /var/lib/ldap), start ldap server (service slapd start) |
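The backup procedure from the quick reference as one script, added here as an example and not taken from the original page. It uses the `service slapd` name and the /var/lib/ldap path given above and adds what the one-liner leaves out: slapd is started again even if the archive step fails, the archive is verified before it is kept, and it is readable only by root because the database files hold password hashes. The timestamped archive name is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): the quick-reference backup
# (stop slapd, tar /var/lib/ldap, start slapd) with the error handling the
# one-liner lacks. Service name and paths come from the page; the
# timestamped archive name is an assumption.
set -u

# backup_ldap_db DATA_DIR BACKUP_DIR [SERVICE]
# Prints the archive path and returns 0 on success; returns 1 on failure.
# The service is started again whatever happens after it was stopped.
backup_ldap_db() {
    data_dir=$1
    backup_dir=$2
    svc=${3:-slapd}
    archive="$backup_dir/$svc-$(date +%Y%m%d-%H%M%S).tar.gz"

    # The database holds password hashes: keep the backup tree root-only.
    mkdir -p "$backup_dir" && chmod 0700 "$backup_dir" || return 1

    # Stop the directory server so the database files are quiescent.
    service "$svc" stop || return 1

    # Archive relative paths (-C), write to a temporary name, and verify
    # the archive can be listed before giving it its final name.
    if tar -czf "$archive.part" -C "$(dirname "$data_dir")" "$(basename "$data_dir")" \
       && tar -tzf "$archive.part" >/dev/null \
       && mv "$archive.part" "$archive" \
       && chmod 0600 "$archive"; then
        status=0
    else
        status=1
        rm -f "$archive.part"
    fi

    # Always bring the directory server back up.
    service "$svc" start || status=1

    [ "$status" -eq 0 ] && printf '%s\n' "$archive"
    return "$status"
}

# Example invocation (as root): backup_ldap_db /var/lib/ldap /backup/dir
```

Stopping slapd is what the page's procedure does and is the safe way to copy the raw database files; OpenLDAP's slapcat can produce an LDIF export without stopping the server, which is the usual alternative when the brief outage is not acceptable.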
Single Sign On Info Sheet
This information is very important, please read it thoroughly and completely. If you do not understand it, ask one of the lab workers to help you. This information pertains only to the CIS computer lab located in the Nail Technical Center room 122.
To get your single sign on user account consult a lab worker.
Once you have signed up for and received a sac-cislab user account, you can use it to sign on to any of the Dell Vostro machines lined up against the left and right walls of the CIS computer lab. These computers run Microsoft Windows 7 and Fedora 14 Linux in a dual-boot configuration: when the machine is turned on you are given a selection menu where you can choose which operating system to boot. Your network account works in both. In Windows, select "Other User" before you enter your login credentials.
You get your own customizable profile which you can change to suit your needs and preferences. Only you will get your theme and settings, and you will get them on any single sign on machine you access with your logon credentials. Your Windows and Linux themes are separate and must be configured separately.
Your Windows Roaming Profile is copied from the server to the machine each time you log in and copied back when you log off. It should only be used to save theme settings (wallpaper, bookmarks, shortcuts, start menu and task bar customizations). Anything you save in your Roaming Profile increases the load time when you log in! Documents and other files should be saved in your home directory. In Windows 7 your home directory is a mapped drive, Z:, which you can access from “My Computer”; you can create a desktop shortcut for easier access. Anything in your profile can only be seen from Windows, but your home directory can be accessed from both Windows and Linux. When you open your home directory from Windows you will notice Desktop, Documents, Downloads and other folders; these are your Fedora Linux profile files. Do not delete them!