LTSP/Windows Integration
This page collects articles and HOWTOs on integrating LTSP into Windows environments, and the reverse: connecting Windows machines to an LTSP network.
If you want to connect to LTSP from Windows, see
Clients: The Fat Client.
Setting up LTSP and Windows in Schools
Zouhir Hafidi contributed a great HOWTO for deploying Linux, LTSP and Windows in School environments.
You can see his HOWTO
here
Authenticating via winbind to Active Directory
Tested on RHEL 4 with Samba 3; no significant change from Red Hat 9 that I can think of. Note that the PAM and smb.conf files below are hand-edited: re-running authconfig overwrites /etc/pam.d/system-auth, so keep a copy.
/etc/nsswitch.conf
# Local files are consulted first, then the domain through winbindd
# (configured in smb.conf below).
passwd: files winbind
# NOTE(review): winbind is not expected to serve shadow data; domain passwords
# are checked by pam_winbind in system-auth, so this entry is probably a no-op
# and only the "files" part matters - confirm on the running system.
shadow: files winbind
group: files winbind
/etc/pam.d/system-auth
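#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# The winbind and pam_mount lines below are hand edits; keep a copy of this
# file, because authconfig will overwrite them.
auth required /lib/security/$ISA/pam_env.so
#########working###########################################
#auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
#auth required /usr/lib/security/pam_mount.so use_first_pass
############experimental############################################
# pam_mount runs first so it can capture the password it later uses to mount
# the user's SMB volumes (pam_mount.conf); the modules that follow reuse that
# password through use_first_pass instead of prompting again.
auth required /usr/lib/security/pam_mount.so
# "nullok" removed: it let local accounts with an empty password field log in.
# Re-add it only if passwordless local accounts are intentional on this server.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth use_first_pass
# Domain users: the check is forwarded to the DC by winbindd
# (smb.conf: security = domain).
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
# System accounts (uid < 100) skip the winbind account check.
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
# Domain users are validated by winbind; accounts winbind does not know
# (local users) are ignored here and fall through to pam_permit.
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
# No pam_winbind in the password stack: "passwd" on this server only changes
# local (/etc/shadow) passwords; domain users cannot change their domain
# password through it. "nullok" removed here for the same reason as above.
password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
# Create a home directory on first (domain) login, readable only by the owner.
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
#session required /lib64/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
# Mounts the volumes listed in pam_mount.conf at session start and unmounts
# them when the session ends.
session required /usr/lib/security/pam_mount.so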
/etc/samba/smb.conf
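# Global parameters
# Domain-member Samba server for the ELLSWORTH domain: domain users are
# resolved through winbindd (nsswitch.conf) and authenticated through
# pam_winbind (system-auth). Values of the form "your..." are site
# placeholders that must be replaced.
[global]
#ADS server=yourdomaincontroller
# "password server" used to be set twice in this file (here to an explicit DC
# and further down to "*"); Samba takes the last value, so "*" was the one in
# effect. It is now declared once, next to "security = domain" below.
realm = ELLSWORTH.K12.ME.US
# One log per client machine. "max log size = 0" below means Samba never
# truncates them, so rotate them externally (logrotate) or they grow unbounded.
log file = /var/log/samba/%m.log
#passwd chat = *New*password*Dude* %n/n *Retype*new*passord* 5n/n *passwd:*all*authentication*tokens*updated*
# Run as root by smbd when "unix password sync" (below) is on. Only local
# accounts are affected; domain users' passwords live on the DC.
passwd program=/usr/bin/passwd %u
load printers = yes
# Local SMB password database. A second line "smbpasswd file =/etc/samba/smb.conf"
# used to appear further down: Samba ignores spaces in parameter names, so it
# was the same parameter and it overrode this path with smb.conf itself. Removed.
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = yourwinsserver
encrypt passwords = yes
dns proxy = No
netbios name = yournetbiosname
server string = Samba Server
# Shares are read-only unless their own section says otherwise.
writable = no
#browseable = no
local master = No
remote announce = yourannounceip
workgroup = ELLSWORTH
os level = 33
# Domain member: user authentication is forwarded to the domain controller(s).
# "*" lets Samba find the DCs through "name resolve order" below; put the DC
# name here instead if you want deterministic behaviour.
security = domain
#security=ADS
password server = *
# Consider also limiting which networks may connect at all ("hosts allow").
######################Winbind
obey pam restrictions = yes
#winbind Separator =
# "winbind uid/gid" are older synonyms of "idmap uid/gid"; commented out so
# the range is declared only once.
#winbind uid = 10000-20000
#winbind gid = 10000-20000
###############tried 2-5-04 above commented
# Local uid/gid range handed out to domain users and groups. The assignments
# live in winbind's idmap database (typically under /var/cache/samba); if it is
# deleted the mappings can change and files on this server end up owned by the
# wrong users.
idmap uid = 10000-20000
idmap gid = 10000-20000
# seconds
winbind cache time = 10
##############################
# Full user/group enumeration (getpwent/getgrent) against the domain; handy
# for LTSP user lists but can be slow in large domains.
winbind enum users = yes
#winbind enum users = no
winbind enum groups = yes
#winbind enum groups = no
# Lets users log in as "jdoe" instead of "ELLSWORTH+jdoe"; this is why the
# winbind separator above is not needed.
winbind use default domain = yes
# Every domain user gets a private home and a login shell on this server.
template homedir = /home/%U
template shell = /bin/bash
name resolve order = hosts wins lmhosts bcast
unix password sync = yes
# New files and directories on shares default to owner-only permissions.
create mode=700
directory mode=700
##################
preferred master = False
max log size = 0
# The only account allowed to manage printers and upload drivers (see [Print$]).
printer admin = youradmin
addprinter command = /usr/sbin/addprinter
printing = cups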
[homes]
# Per-user share created on the fly from the user's Unix home directory.
#comment=Home Direcorites
#valid users=%D+%S
#create mode = 0644
#directory mode = 0744
# Only the owning user may connect. %U is the session user name, unqualified
# because "winbind use default domain = yes" is set in [global].
valid users=%U
#guest ok = yes
# Overrides the read-only default from [global] for the user's own home.
read only = no
## directory mask=0755
# browseable=yes
#[home]
#path=/home
#browseable=yes
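[Print$]
# Printer driver download share: Windows clients fetch driver binaries from
# here when they install a printer, so it must not be writable by anonymous
# users - anything planted here runs on every client that installs a printer.
# The previous version had "guest ok = yes" together with "read only = no" /
# "writeable = yes", i.e. anonymous write access. Read access stays open for
# driver download; only the printer admin from [global] may upload drivers.
path = /etc/samba/printer
guest ok = yes
browseable = yes
read only = yes
write list = youradmin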
[printers]
comment = All Printers
# Anonymous printing: anyone who can reach the server can submit jobs.
# Drop this (or restrict with "hosts allow") if only domain users should print.
guest ok = yes
path = /var/spool/samba
printable = Yes
browseable = yes
#[hp4]#by enabling this I can't print from 2000
#comment = Linux Printers
#path = /var/spool/lpd/samba/hp4
#browseable = yes
#writeable = no
#printable = yes
Notice that the winbind separator is commented out. John Terpstra says you need one and must log in using it, like myname+ellsworth. I find I can log in just fine with plain myname; that is because `winbind use default domain = yes` above lets the domain part be omitted. You might have to destroy the contents of /var/cache/samba and let it rebuild with new info. Be aware that this directory typically also holds winbind's idmap database: wiping it can give domain users new uid/gid mappings, so files they already own on the server may end up orphaned. Stop winbindd before clearing it.
cliebow@ltsp.org
Oct 11 2006, as submitted by John for Ubuntu: login via GDM, /etc/pam.d/gdm
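> #%PAM-1.0
> auth requisite pam_nologin.so
> # pam_env moved ahead of the "sufficient" modules: a sufficient module that
> # succeeds ends the auth stack, so in the previous order pam_env never ran
> # for anyone authenticated by winbind or pam_unix and the variables from
> # pam_env.conf were not set in their session.
> auth required pam_env.so
> # Domain users first (winbindd, see smb.conf), then local accounts reusing
> # the password that was already typed.
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so nullok_secure use_first_pass
> # Only reached when both modules above fail; common-auth ends in pam_deny.
> @include common-auth
> @include common-account
> session required pam_limits.so
> session optional pam_console.so
> @include common-session
> @include common-password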
pam_mount.conf
# pam_mount.conf: volumes mounted by pam_mount when a session starts (the
# pam_mount lines in /etc/pam.d/system-auth above).
debug 0
# Create missing mount points (the per-user /home/<user>/WINDOWS/* directories).
mkmountpoint 1
# Users may define extra volumes in ~/.pam_mount.conf. options_allow and
# options_require bound what those user-defined mounts may do: they may only
# use the listed options and must carry nosuid,nodev, so a user cannot mount
# something that supplies setuid binaries or device nodes.
luserconf .pam_mount.conf
options_allow nosuid,nodev,loop,encryption
options_require nosuid,nodev
# Helper commands; %(...) are pam_mount substitutions.
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
# Used by the "smb" volumes below. NOTE(review): the kernel smbfs driver has
# been superseded by cifs; if the server and client support it, switching the
# volumes to the cifsmount entry is worth testing (option names differ).
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
# Session counter; the LDM/ssh section below replaces this with /bin/true.
pmvarrun /usr/local/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
# Volumes: <user> <type> <server> <share> <mountpoint> <options> <fs key cipher> <fs key path>
# "*" = every user, "&" = the login name. The files appear owned by the user
# (uid=&,gid=&) and dmask=0700 keeps the mounted directories private.
# NOTE(review): these system-defined volumes do not carry nosuid,nodev
# themselves (options_require only constrains user-defined volumes); adding
# them here is cheap if the mount helper accepts them.
# NOTE(review): the Staff share is mounted for every user ("*"), students
# included; only the server-side share permissions gate it. Restrict the user
# field (a user name, or a group if this pam_mount version supports it) if
# that is not intended.
volume * smb META1 Students /home/&/WINDOWS/META1 uid=&,gid=&,dmask=0700,workgroup=Ellsworth - -
volume * smb META2 Students /home/&/WINDOWS/META2 uid=&,gid=&,dmask=0700,workgroup=Ellsworth - -
volume * smb META2 Staff /home/&/WINDOWS/STAFF uid=&,gid=&,dmask=0700,workgroup=Ellsworth - -
cliebow@ltsp.org
pam_mount.conf and LDM (ssh)
LTSP5 uses
LDM/ssh for initiating the session rather than xdm/gdm/kdm. There are some awkward issues with getting pam_mount to work in conjunction with ssh, so it's worth noting some changes that may need to be made from the above. The following changes ensure that shares get unmounted when the user exits:
1. I have found it useful to not let pam_mount call pmvarrun. I do this by setting "pmvarrun /bin/true" in pam_mount.conf. To elaborate: pmvarrun updates /var/run/pam_mount/
which keeps track of how many "sessions" a user has going. If you exit while it still thinks the user has sessions going, it will not unmount things. I find it's best to keep pam_mount thinking there are no other sessions. The trade-off is that a user with two concurrent sessions will have the volumes unmounted as soon as the first one ends. If you have files in /var/run/pam_mount/ and you make this change, you should delete those files as well.
2. In addition, with ssh, it seems that the unmount is called by the user and not by root (as the mount is). This, of course, causes the umount to fail, as a user is not allowed to unmount a volume, especially not one that it hasn't mounted itself. So, to get around this, I add "sudo" privileges to "smbumount" and tell pam_mount.conf to use the line below. Be aware that this hands every user a root-privileged smbumount without a password; sudo only checks the command line, so restrict the permitted mount-point argument in sudoers rather than allowing any path, or users can unmount each other's (or any) smbfs mounts.
smbumount /usr/bin/sudo /usr/bin/smbumount %(MNTPT)
To add sudoers privileges, do: sudo visudo and add the lines:
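# Lets pam_mount's session-end hook, which runs as the user under ssh/LDM,
# unmount the SMB volumes that root mounted at login.
# CAUTION: every user gets a root-privileged smbumount with no password. sudo
# only matches the command line, so the original bare alias allowed any user
# to unmount any smbfs mount on the server, other users' volumes included.
# The argument pattern limits it to mount points under the pam_mount volume
# paths (/home/<user>/WINDOWS/...). sudo does not resolve ".." in arguments,
# so this narrows the exposure rather than removing it; a root-owned wrapper
# that verifies the caller owns the mount point would be safer.
Cmnd_Alias SMBUMOUNT=/usr/bin/smbumount /home/*/WINDOWS/*
ALL ALL=NOPASSWD:SMBUMOUNT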
Redirecting My Documents using netlogon--as created by Jason Ingalls
Portion of smb.conf as of 110706
[netlogon]
# Logon script share. Windows clients run startup.bat and the .reg/.vbs files
# it references from here at every logon, so write access to this share means
# code execution on every client: it must stay read-only for users. The
# [global] section shown earlier sets "writable = no" as the default; verify
# that this holds in the deployed smb.conf.
comment=Network Logon Services
path=/opt/samba/netlogon
# Cosmetic only: hidden files are still readable. This is not an access control.
hide files = /*.ini/
startup.bat as of 110706
REM Logon script served from \\osprey\netlogon. P: is presumably the user's
REM home share mapped at logon - confirm; nothing below maps it.
REM NOTE: "cd p:" alone does not change the current drive in cmd.exe; it only
REM prints P:'s current directory. Harmless here because every command below
REM uses a full P:\ path.
cd p:
REM Create the redirected folders that mydoc.reg points at, if missing.
IF NOT EXIST "P:\My Documents\." MD "P:\My Documents"
IF NOT EXIST "P:\Desktop\." MD "P:\Desktop"
IF NOT EXIST "P:\My Documents\My Pictures\." MD "P:\My Documents\My Pictures"
IF NOT EXIST "P:\My Documents\FirstClass\settings\." MD "P:\My Documents\FirstClass\settings"
REM Seed the FirstClass settings from the netlogon share on first logon only.
IF NOT EXIST "P:\My Documents\FirstClass\settings\home.fc" copy "\\osprey\netlogon\home.fc" "P:\My Documents\FirstClass\settings\"
REM Import the folder-redirection and IE-cache settings into HKCU silently.
REM These files (and the .vbs below) execute from the share at every logon,
REM so the netlogon share must not be writable by users.
regedit /s \\osprey\netlogon\mydoc.reg
regedit /s \\osprey\netlogon\iecache.reg
\\osprey\netlogon\addprinters.vbs
REM Nothing jumps here; the label is just the end of the script.
:END
mydoc.reg as of 110706
REGEDIT4
; Imported silently by startup.bat at logon (regedit /s).
; Folders Winlogon leaves out of the roaming profile. My Documents and Desktop
; are excluded because they are redirected to P: below; the others keep the
; profile small.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="Local Settings;Temporary Internet Files;History;Temp;My Documents;Desktop"
; Redirect the user's document folders to the P: network drive. Both the
; "Shell Folders" and "User Shell Folders" keys are written, presumably
; because Explorer treats the first as a cache of the second - confirm on the
; client Windows version in use. P: must already be mapped when startup.bat
; runs, otherwise these paths resolve to nothing.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="P:\\My Documents"
"Desktop"="P:\\Desktop"
"My Pictures"="P:\\My Documents\\My Pictures"
"My Video"="P:\\My Documents\\My Video"
"My Music"="P:\\My Documents\\My Music"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"="P:\\My Documents"
"Desktop"="P:\\Desktop"
"My Pictures"="P:\\My Documents\\My Pictures"
"My Video"="P:\\My Documents\\My Video"
"My Music"="P:\\My Documents\\My Music"
iecache.reg as of 110706
REGEDIT4
; Imported silently by startup.bat at logon (regedit /s). Persistent=0
; presumably makes the IE cache (Temporary Internet Files, also excluded from
; the roaming profile in mydoc.reg) non-persistent across sessions - confirm
; on the client Windows/IE version in use.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"Persistent"=dword:00000000