DEPRECATED
This page is now officially deprecated and will NOT be updated. See UbuntuWorkstations for our current Ubuntu setup notes.
Installing samba networking on Ubuntu Breezy (or Hoary) workstations
Description
To use Ubuntu (hoary or breezy) for programming classes we need to have it installed on dual boot machines. To integrate into the network it is highly desirable that:
- the linux installations use our NT logins
- automatically mount their home shares from our NT domain's file server (a linux box using Samba 3).
Required packages
The standard Ubuntu (breezy or hoary) distribution requires the following packages. Either use Synaptic to find and install them or open a terminal and use sudo apt-get install smbfs winbind libpam-mount:
- smbfs - to allow mounting the shares
- winbind - to join the domain and manage connections
- libpam-mount - to mount the home directory automatically
Basic Install
The following are needed for dual booting. If you are just interested in validating from a Windows network, skip this section.
- Install or shrink WinXP partition to half size of drive
- Install Ubuntu, allow it to add WinXP to GRUB menu
- Modify GRUB menu.lst to make WinXP the default
- Modify Linux side for authentication and automounting from network
Required Modifications
1. samba - /etc/samba/smb.conf needs something like the following:
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%U
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind separator = +
    security = domain
    password server = *
    winbind use default domain = yes
2. /etc/nsswitch.conf:
    passwd: compat
    group: compat
should be changed to
    passwd: compat winbind
    group: compat winbind
3. /etc/pam.d - edit the following files:
- common-account:
    account sufficient pam_winbind.so
    account required pam_unix.so
- common-auth:
    auth required pam_mount.so
    ## use the following "auth" line by itself to restrict local access (a bit paranoid) -
    ## will validate ONLY off of network
    #auth required pam_winbind.so use_first_pass
    ## use the TWO "auth" lines below for either network or local validation -
    ## will validate off of EITHER network or local passwd db
    auth sufficient pam_winbind.so use_first_pass
    auth required pam_unix.so use_first_pass
- common-session:
    session required pam_unix.so
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
    session optional pam_mount.so
- default password length:
- /etc/login.defs:
PASS_MAX_LEN 50
- /etc/pam.d/common-password:
password required pam_unix.so nullok obscure min=4 max=50 md5
4. Join the domain and test:
- NOTE: the winbind daemon must be running (/etc/init.d/winbind start), a reboot wouldn't hurt at this point...
net rpc join -D MYDOMAIN -U administrator
Test it with:
    wbinfo -u
    wbinfo -g
The commands above should return lists of users and groups on the domain
5. Automounting with pam_mount
- In addition to the changes included above, edit /etc/security/pam_mount.conf to include:
volume * smb servername & /home/& uid=&,gid=10000,dmask=0700 - -
- Replace servername with the server's name.
- The "&" will be expanded to the user's login name (and their network directory name).
- dmask can be set depending on the permissions desired. "0700" gives access only to the owner, which is probably what you want. "0644" can cause problems, since it denies entry to even the owner.
NOTE: if both winbind and unix are used in common-auth, it seems to count as two sessions and thus the network share is NOT unmounted on logout.
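The two common-auth variants from step 3 behave differently because of how PAM combines the required and sufficient control flags. The following added example (not part of the original page or of PAM itself) models that evaluation in simplified form and runs both stacks against constructed login attempts. The names NETWORK_ONLY, NETWORK_OR_LOCAL, ATTEMPTS, run_stack and decisions are hypothetical, and it assumes pam_mount's auth step only records the password and returns success.

```python
# Added example: simplified model of PAM's classic control flags.
# The [value=action] syntax and PAM_IGNORE returns are not modelled.

# The two common-auth variants from step 3, as (control, module) pairs.
NETWORK_ONLY = [("required", "pam_mount.so"),
                ("required", "pam_winbind.so")]
NETWORK_OR_LOCAL = [("required", "pam_mount.so"),
                    ("sufficient", "pam_winbind.so"),
                    ("required", "pam_unix.so")]

# Constructed login attempts: module -> did it return success?
# Assumption: pam_mount's auth step only records the password and succeeds.
ATTEMPTS = {
    "domain user": {"pam_mount.so": True, "pam_winbind.so": True, "pam_unix.so": False},
    "local user": {"pam_mount.so": True, "pam_winbind.so": False, "pam_unix.so": True},
    "bad password": {"pam_mount.so": True, "pam_winbind.so": False, "pam_unix.so": False},
}

def run_stack(stack, results):
    """Walk one stack; return (granted, modules_that_ran)."""
    failed = False       # a required/requisite module has failed
    succeeded = False    # a required/requisite module has succeeded
    optional_ok = False  # only counts if nothing else decided
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                 # fail at once
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok         # remembered; stack continues
        elif control == "sufficient" and ok:
            if not failed:
                return True, ran              # short-circuit, rest is skipped
            # after an earlier required failure this success cannot rescue the stack
        elif control == "optional":
            optional_ok = optional_ok or ok
        # a failing "sufficient" module is ignored
    if failed:
        return False, ran
    return (succeeded or optional_ok), ran

def decisions(stack):
    """Map each constructed attempt to the stack's grant/deny decision."""
    return {name: run_stack(stack, res)[0] for name, res in ATTEMPTS.items()}

if __name__ == "__main__":
    for label, stack in (("network only", NETWORK_ONLY), ("network or local", NETWORK_OR_LOCAL)):
        print(label, decisions(stack))
```

With the network-or-local stack, a domain login is granted at pam_winbind.so and pam_unix.so is never consulted; a local account is accepted only because the failing sufficient line is ignored and pam_unix.so then succeeds.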
Sound, USB, etc access
Logins validated by the Windows server won't correctly pick up membership in local groups, making sound, USB devices, etc. inaccessible. To fix that, do the following (Thanks to Steve Towson, Marist Brothers International School, Japan):
- edit /etc/pam.d/gdm to include
auth optional pam_group.so
- edit /etc/security/group.conf to include
gdm;*;*;Al0000-2400;floppy,audio,cdrom,video,plugdev,scanner
Explanation:
- No.1 instructs gdm to use the /etc/security/group.conf
- No.2 assigns membership of the floppy, audio, cdrom, video, plugdev (usb sticks) and scanner groups to any user who logs in through the gdm.
