  #1  
Old 22nd January 2006, 02:26 AM
axelseap
join ads domain, automount network shares, etc.

Updated for F8
I see there are posts every now and then about people trying to join a Fedora workstation to a domain, and different suggestions of how to do it, so here's a very easy way to join it and set up automounting network shares at login. This guide also contains other things you might want to do.

First I'll answer some questions you may have:
Is this the only way to join a Fedora workstation to a domain? No.
Is this the best way? I seriously doubt it.
Is this easy? I've seen harder.
Should I have put these steps in better order? Definitely, but they still work.
Does the server need to be modified in any way? NO, put down that keyboard and leave it alone.
Is this the place to ask for other types of network configurations? No, I'm not a network admin and have no clue how to set that stuff up or even how other configs work.
What if you follow these and it doesn't work? GOOGLE IT.

YOU are responsible for backing up all files you modify and knowing what the originals are if you ever need them. This can be easily done with a command like
Code:
cp file file.bak
For these examples the domain name is Test.com
Do everything below on your fedora workstation.

Part 1, Joining fedora to the domain

1. You need samba
Code:
yum groupinstall "Windows File Server"
You likely will already have this installed, so don't worry if yum does nothing here.

see picture in post #2
2. Set the hostname, run
Code:
system-config-network
Under the DNS tab set a name for the computer. Make sure the hostname is unique or else you will suffer the consequences on a later day. Save and exit. What consequences, you're wondering? Well, you could overwrite another workstation's account, kicking it off the domain.

see picture in post #2
3. Say goodbye to SELinux. Run
Code:
system-config-selinux
If it says 'enforcing' change it to 'disabled' or 'permissive'. If you leave SELinux as enforcing, you will not be able to log in on an ADS account.

see picture in post #2
4. Enter the network settings. Run
Code:
system-config-authentication
In the first tab check Enable Winbind Support. Then under the authorization tab also enable Winbind support. Then click on Configure and enter the appropriate information for your network.
Winbind Domain is your short domain name. For our example domain, enter test.
For Security Model select ads.
For Winbind ADS Realm, under our example, enter test.com.
Winbind Domain Controllers is your primary domain controller (PDC); if you don't know what this is, ask your network admin.
For Template Shell select /bin/bash.

5. Caching (Optional).
Caching allows you to log into a machine with your network account when it is outside the network. This is really only useful for laptops. If you would like this then place a tick where it says "Allow offline login". If you enable both caching and also set up automounting in part 2 of this guide, you will run into difficulties when logging in outside the network. This will result from pam_mount not being able to mount the network shares. As of yet I cannot find a solution for this. Live with it.
Now hit ok to everything and close the window.

6. In the terminal, as root type
Code:
net ads join -U administrator
where administrator is a network account with permissions to join the computer to the domain; it doesn't actually have to be administrator.
If you get an error you probably entered some information wrong. Double check and make sure everything is right. If you feel everything is right, I suggest searching Google for an answer since that is always the fastest way.

7. Modify /etc/pam.d/system-auth and at the bottom add this line
Code:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
8. Set the default login domain to be on your domain. Edit /etc/samba/smb.conf and at line 71 or close to it you'll see the line
Code:
 winbind use default domain = false
Change the false to true. If you don't see it at line 71, search around. You should see that line around your domain realm and password server information. After making this change you must restart winbind; to do this type
Code:
/sbin/service winbind restart
9. (The easiest step) Create the folder /home/TEST, where TEST is your domain name in all caps.

At this point you should be able to log onto the domain. Test it out in a tty session (ctrl+alt+f[1-6]). Log in with your domain username and password. You'll get messages about the home folder being created; that is good. If it doesn't work, make sure you're joined to the domain and the /etc/pam.d/system-auth file is correct. If you are able to log in in the terminal, make sure you can log in in X also (if desired). Also, if it doesn't work, try logging in as domain\username and see if that works. If that does, you did step 8 wrong.

Part 2, Automounting. Skip down if you don't want this.
Now let's set up Fedora to automount a user's network share at login.
This only works if the user's login and password are the same as the ones for the share.

1. First we need to install pam_mount
Code:
yum install pam_mount
2. Now we need to allow pam_mount to access the password as you login. Edit /etc/pam.d/system-auth and add the line
Code:
auth required pam_mount.so
There can be no auth lines containing sufficient before the above one, or else it won't work. Then somewhere at the bottom add
Code:
session optional pam_mount.so
3. Edit /etc/security/pam_mount.conf. Scroll down to line 72 where you see the line
Code:
options_require       nosuid, nodev
comment that line out by placing a # in front.

4. Scroll down further to line 116 where you see
Code:
# volume <user> [cifs|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
and using that as your guide add the appropriate line directly after it. Here's a sample
Code:
volume * cifs server share /home/TEST/&/mountpoint - - -
This is what's called a template and it will only work for all users if they all have access to that share or if the share is the same as their account name. If the share name is the same as their account, put a & where it says share. If this doesn't work for you, read the next step. DON'T use smb; since FC5, support is no longer included to mount the smb file system. Instead use cifs; it's basically the same thing but a different name.
The * stands for the user logging in and the & is the account name. ~ is replaced by the user's home folder. The mountpoint should be placed in the user's home folder as shown so that more than one user can be logged in at a time without causing problems. For more info on options read the entire /etc/security/pam_mount.conf file; it is very detailed and helpful.

5. If you can't use a template then you must create an entry in /etc/security/pam_mount.conf for each user. Use the guide above and only change the * to their account name and the share to their share, and have fun if you have many users. Alternatively, if you can get their network share from the account name then you can create a script and make them log on, off, and back on the first time. I'll attach an example script. Edit /etc/skel/.bashrc and add an entry to run it, something like
Code:
/location_to_script/script.txt
and also change the appropriate values in the script. Then
Code:
chmod a+x script.txt
Also edit /etc/security/pam_mount.conf and at line 38
Code:
luserconf .pam_mount.conf
Uncomment it by removing the #. The only downside to using a script is that the user is forced to log in, then off, and back on again the very first time.

6. Create the folder mountpoint in your network account home folder. Then log off and back on in a tty (ctrl+alt+f[1-6]), NOT X, and check if the folder was mounted properly. If it wasn't, scroll up and read all that junk from when you logged in. Specifically see what it says about the share, server and mountpoints, make sure those are all correct, and check to see if there are any errors. Once you get it to work, edit /etc/security/pam_mount.conf and at line 8 change
Code:
debug 1
to
Code:
debug 0
Also create the mountpoint folder in /etc/skel/ so each new user automatically has it made for them.

Part 3, Final configuration tips.

1. Set up plugins for Firefox or Mozilla globally like this
Code:
cd /usr/lib/mozilla/plugins
ln -s /usr/java/jre1.6.0_03/plugin/i386/ns7/libjavaplugin_oji.so
ln -s /usr/local/Adobe/Acrobat8.0/Browser/intellinux/nppdf.so
Flash and mplayerplug-in are already installed globally.
If you don't have all these plugins but would like them, check FedoraFaq.

2. I like to create a new local user, log in and set up KDE or GNOME (if that's your thing), Firefox and everything else so it looks how I want it to. Then copy the folders .kde (or the appropriate GNOME folder) and .mozilla to /etc/skel/.

3. If you feel like it, in KDE under KControl, Peripherals, Keyboard, click the box that says to turn NumLock on by default. Nothing is more annoying than NumLock always being off.

Attachments

Here are some attachments of what the files look like on the machines I use. The script there assumes that your login is first.last and the share is last.first; make sure you change the appropriate values in it.

Warning: If you uninstall pam_mount after setting this all up you will NOT be able to log into your system at all. You must undo all the changes made to the files in the /etc/pam.d folder before uninstalling pam_mount.
Attached files: script.txt, pam_mount.conf.txt, system-auth.txt

Last edited by axelseap; 10th February 2008 at 05:57 PM.
  #2  
Old 22nd January 2006, 05:12 AM
axelseap
Here are some pics of setting up system-config-network, system-config-authentication and system-config-selinux.
Attached thumbnails: snapshot1.png, snapshot2.png, snapshot3.png, snapshot4.png

Last edited by axelseap; 7th December 2007 at 04:05 AM.
  #3  
Old 1st February 2006, 12:09 PM
SWT-TEAM
Problems... with pam_mount

Hi, axelseap!

You created a really nice tutorial. It almost worked (authentication), but automounting with pam is not possible at the moment.

We figured out that there is a problem with the username. The pam process tries to log in with domainname\username, which results in a "13, permission denied" error. When we try to mount with the username only on the bash it works.

Is there any way to login to domain without domainname\ ?

Structure of the windows share:

- all_user (share) permission (all, admin)
- user1 (folder) (perm. user, admin)
- user2 (folder) (perm. user, admin)
- user3 (folder) (perm. user, admin)
- user4 (folder) (perm. user, admin)
- user5 (folder) (perm. user, admin)
- ...
  #4  
Old 1st February 2006, 11:18 PM
axelseap
Try this: edit /etc/samba/smb.conf and go to line 185; it looks like this
Code:
winbind use default domain = no
Change that to yes. Then just log in with username and password, don't add the domain to the front, and see if that works; if it does, please tell me.

EDIT: I had some others try that and it seems to work great; the howto has been updated with those changes.

Last edited by axelseap; 1st February 2006 at 11:33 PM.
  #5  
Old 2nd February 2006, 12:40 PM
SWT-TEAM
Thanks,

it works without domainname\ after changing line 185 in smb.conf.

Our problem with the share was solved by changing some permissions (w2k3)...

Last edited by SWT-TEAM; 3rd February 2006 at 08:58 AM.
  #6  
Old 10th February 2006, 12:58 PM
SWT-TEAM
Hi axelseap,

Your tutorial works really fine now, compliments!

But we have a new problem: we want to set the home directory directly to the windows share mountpoint (export HOME=~/mountpoint/$USER). The bash works fine with this, but KDE is not able to start, because it wants to set locks and create symbolic links on the net share. Both result in error messages.

For us, it is not necessary that every user can configure his own KDE profile. A write-protected profile for all users would be enough.

Can you give us a hint how to set up the home directory to the windows share, and KDE working with this?

Thanks,

SWT-TEAM

Last edited by SWT-TEAM; 10th February 2006 at 01:15 PM.
  #7  
Old 11th February 2006, 04:27 AM
axelseap
Hmm... I'm not sure how to do that, but you did say it works fine in bash? Can you have the users log into a tty session and then type startx? Does that work? Or does it still have the same problem? If that doesn't work I don't think I can help you anymore with this.
  #8  
Old 18th March 2006, 07:53 AM
H8-TRAIN
OK, I need some help with the domain controller. I have three machines here running Fedora Core 4 (one is my laptop) and none of them can see each other as far as file sharing; I can ping each from each but when I look under "samba shares" I see nothing. I have one that is my mythtv box and I want to set that up as the MAIN server. Samba is running on all three and I have them all set up to use WORKGROUP as the workgroup (mainly because I already have two other machines running win2k on WORKGROUP so....). I need to know if I need to set up the mythtv box as the PDC and if so, HOW?

OR should I just get SAMBA working correctly and be done with it? And if I should just get samba running correctly then is there a howto on that here? I haven't looked yet so don't start yelling "use the search feature n00b". I tried following a samba tutorial before and got nowhere.

PLEASE HELP
Thanks in advance

H8
  #9  
Old 25th March 2006, 04:40 PM
Kreichek
Interesting. As soon as I log in in Fedora Core 5 I get logged out immediately with the message "The system administrator has disabled your account", which is not true actually. Here's what I have in /var/log/messages:
Mar 25 17:32:27 bordeaux pam_winbind[3186]: user '201204030' granted access
Mar 25 17:32:27 bordeaux pam_winbind[3186]: user '201204030' granted access

It just looks OK, but the user is logged out as if there is no shell or graphical environment to be run. Strange, eh? Any ideas?

Btw, I had to comment out the lines auth optional pam_mount.so use_first_pass and session optional pam_mount.so, because I don't have the file pam_mount.so in the system.

Last edited by Kreichek; 25th March 2006 at 04:46 PM.
  #10  
Old 25th March 2006, 07:31 PM
axelseap
I'm not sure what causes that error. I haven't really looked into joining FC5 to a domain because pam_mount doesn't seem to be included in extras anymore, and unless it is there's no point in upgrading since compiling pam_mount doesn't work, but as soon as I can figure out how to get pam_mount installed on a system I'll update the guide with any necessary changes/new pictures.
  #11  
Old 28th March 2006, 08:32 PM
sigtom
Wanted to say thanks; this guide helped me in getting a FC5 box to authenticate against our Win2k ADS. I'm not mounting any drives/shares to this box, so I have no need for pam_mount. The only thing I had to add to get this to work was to edit the smb.conf and add
Code:
smb ports = 139 445
This got rid of the pesky error msg "Transport endpoint is not connected". Thanks so much, I'm able to assign ADS groups to shares on my FC5 samba share and only have those users I want to access it.

Tom
  #12  
Old 7th April 2006, 03:10 PM
till
pam_mount is in extras-development atm

Quote:
Originally Posted by axelseap
pam_mount doesn't seem to be included in extras anymore, and unless it is there's no point in upgrading since compiling pam_mount doesn't work, but as soon as i can figure out how to get pam_mount installed on a system i'll update the guide with any necessary changes/new pictures
You can install pam_mount with
Code:
yum --enablerepo extras-development install pam_mount
at the moment. glibc-kernelheaders and the actual kernel headers are not in sync at this time and for this reason pam_mount did not compile (see https://bugzilla.redhat.com/bugzilla....cgi?id=174190). It would be great if you update your guide to FC5 because I do not know the correct settings in /etc/pam.d/login resp. /etc/pam.d/gdm; the files changed a lot since FC4 and I only used pam_mount with Debian, yet.
  #13  
Old 7th April 2006, 04:33 PM
axelseap
Thanks, I have pam_mount installed and working! As soon as I get a chance to update one of these computers and join it, I'll update the guide.
  #14  
Old 10th April 2006, 10:50 PM
obviousheart221
Is there a way I can change the join process so that Fedora doesn't attempt to create the new machine on the directory? I don't have administrator access to our corporate domain, however the machine's host exists on the directory. I just need to skip the step where it tries to create the machine on the domain and just bond with it. Any ideas?

Last edited by obviousheart221; 10th April 2006 at 11:03 PM.
  #15  
Old 11th April 2006, 12:45 AM
WeLsHWiZaRd
I'm afraid the System-Config-Authentication and System-Config-Networking do not work.

The replacements are

authconfig-tui

netconfig

Regards

Matt