ClearFoundation

David,
Thank you for the email.
You have now found me on two fora! Help! No hiding from you now!!

Thank you for the trouble of putting together the Howto. It looks to be just the sort of thing I needed.

I cannot try this out just at the moment. A couple of reasons.

1. I was using a computer that I had put up for sale on Ebay - it had been up for a few weeks and I was about to withdraw it from sale but someone has bought it!! So I now have to find a new machine to set this up on but I think I am ready for a production build.
2. I am taking a week off from Friday - the first in 3 years so I will not get back on to it until I return.

I will inform back of the forum when I have tried it all out.

Once again, many thanks

Steve

Depending on which forum you read first this might look familiar!

Nice how to! was a little longer than I was expecting, suddenly the point and click join domain of Windows XP looks prefereable

@Stephen Enjoy your holiday! Let me know when you get back.

@Tim Sorry for the verbosity. I'd like to make some scripts that just make it happen when I have a little time but I wanted to get the essence of what is required written down so that people could use this on various distros.

This setup is not too dissimilar to Mac OSX so I may give that a go as well. Now we are really talking voodoo here.

Don't apologise it wasn't the verbosity it was just that I was suprised at the number of steps required for a linux distro to join a PDC using samba, in honesty I have not tried and assumed that by now it would have been semi-automated

I tried not to make too many assumptions about the level of skill of the individual using the howto. Pretty much you just need to be able to navigate a command line and be able to edit using vi or whatever. So that adds to the wordiness.

But adding a linux box to a samba domain is easy. Mostly it is just changes to nsswitch.conf, smb.conf and pam.d ... some commands to glue it together, a dash of salt, 2 teaspoons of oil, let it rise for 10 mins, roll it out, cut into pleasing shapes, and bake at 165 C until it turns a nice golden brown.

I guess that is a few steps

TIm, David,
It is nice to know there are clever people like you in the background helping thickos like me to get through.
I have had a good read through the howto and Tim, whilst there seems a lot of lines the actual work is really quite minimal.
Tim, I do hope you are not serious when you wish for an XP like click once and go option. I think what Dave has produced simply does to show how much is done in the background when XP (or other Win boxes) join a domain, and if I am any judge of MS processes it probably goes through a whole lot more steps, most of which are unnecessary. In my darker days I am sure MS put in timed delays just to make the user think there is a lot going on when nothing is really happening!!
Dave, just to say that when I last tested Ubuntu with ClearOS (not joined as a domain member tho') I used the connect to server element of Ubuntu to connect shares. In a live commercial enterprise I am not sure I would want users to be given a list of shares to which they need to attach. Just before someone most inconveniently bought my test rig I did use the 'network' option under the places menu in Lucid. This displays a list of ALL shares and when you double click a link one of two things happens. If authorised to access that share by group then it gives you access - Great. If not authorised it prompts for username and password. If of course you do not have that information then the user cannot get access - only to those shares to which they are entitled to access.
One advantage of the Win server logon scripts is that the administrator can make sure (either at group or at user level depending on the script run at logon) that shares to which the user does not have access rights is never displayed to the user as a name. Thus in a large environment users cannot be tempted to access shares they have no knowledge of.
This is why I put on the wish list the other day that it would be nice to have a choice of logon scripts where these are chosen by the administrator through the user profile.
In a school environment which I once maintained using Win 2000 server we needed each year group to have access to a different set of programs and files.
If different scripts were availalble presumably it could be arranged that there could be a different logon script for Windows clients (where you could map th enetwork drives) opposed to Linux clients (where maybe you could mount the relevant volumes).

Gents, may I also presume that if Dave's scripts work then it is not beyond the realms of possibility to put a wrapper round a virgin install of Lucid to make all the changes in the list. After all isn't that what ClearOS is in the first place. And before you shoot me I know each and every distro would need it's own wrapper. And before you wish all the ills of the world to fall on me as I fly off to Corfu to eat souzoukakia and drink ouzo I know that I have not made an offer to code any of this. I gave up coding 19 years ago and all the different elements of my life do not give the me time to concentrate long enough to work it all out. In my time I might have given a number of people a good run for their money programming C in a DOS environment but today - I cannot do it.
Thank you both for the interest you are taking in this issue.

Steve
Kalispera sas

In Linux, as a client, we don't have MSGINA (MS graphical identification 'n authentication, yeehaw!). So there exists no method to push scripts to the Linux client at authentication by way of the SMB/CIFS stack. But we do have Samba to thank for the ability to push scripts to the client upon access of a resource...this is key and I'll explain.

This means that we can push or 'preexec' the script(s) that I included at the bottom of the howto. After all my preparation in the howto, knowing you you'd love the instructional howto and that bananas are your favorite, I didn't add the script in an unusual mood just so you'd have a jumper cake.

The reason to consider using gvfs for the user shares is multi-faceted. First, it is tied to the user's directory structure so the shares are private even in a multi-session or headless environment. Second, the mount points don't require sudo level access to mount. Third, gvfs takes care of the permission structure for the mount so the users sees them as his own, even if they are not. Fourth, the mount points disappear when the user logs off. In a word, scalable.

Getting rid of the network browser from the menu is not necessary because accessing it requires some user interaction that reeks of nerdiness and if they grok it, more's the better....but, if you have a link established to their very basic home directory on the server in their 'bookmarks', then authentication (which can be stored on their keyring) and access (this is the bit that triggers samba magic) can apply whatever script you care to run on the client. This can mount other drives, install software, push proxy settings, or force the user to have a particular home page for their browser.

Oh, and don't worry about us while you are on holiday. We'll just be staying up late eating cold, day old, cheap pizza in our dimly lit rooms coding til all hours of the wee morning while the taskmasters beat us senseless with old VHS recordings of Star Trek and Dr. Who while we make all the magic things that will make your life that much easier upon your blissful return. ;P

Hi,

I tried to setup linux client to authenticate against ClearOS 5.2 but failed. I followed some instructions above. At ClearOS server, I could ssh login with users in LDAP directory. At remote server (client), I set up LDAP client by using file /etc/ldap.conf (at ClearOS server), just modified host setting instead of locahost. Also, I configured nssswitch.conf the same as at ClearOS server.

After finish setup, I tried ssh login to the remote server with users in LDAP directory. It prompted to input password. I input right password but it always told Permission Denied. I can't troubleshoot this, please help me.

Thank you very much.

Regards,
Cuong.

Make sure when you run:



and



that you can see the users from the server.

Make sure you can ping the server with the name, that is what the nsswitch is for.

I'll put in some more validation points tomorrow if I have some more time.

Hi David,

I tried your instructions, getent passwd, getent group on both ClearOS server and client side. The result is the same. LDAP users exist in 2 cases. ClearOS server is configured as gateway. I tried client at both sides of ClearOS, public and private. I've enabled LDAP server listening at 0.0.0.0:389. I dont know why. Previous I used LAM, www.ldap-account-manager.org/ to make LDAP server, it's okay. But with ClearOS, I'm in trouble.

Regards,
Cuong.