On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:

> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)

Yes, Ubuntu is nice, but Debian's automated installer still leaves a lot to be desired.

Just use sed to edit the pam configs in the script section at the end. Below are what mine look like after authconfig was finished with them.

== system-auth ==

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

== nsswitch.conf ==

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#	nisplus or nis+		Use NIS+ (NIS version 3)
#	nis or yp		Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

== krb5.conf ==

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 renewable = yes

[realms]
 MFG.PRV = {
  kdc = mfg.prv
  admin_server = mfg.prv
  default_domain = mfg.prv
 }

[domain_realm]
 .mfg.prv = MFG.PRV
 mfg.prv = MFG.PRV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   renewable = true
   krb4_convert = false
 }

== smb.conf ==

[global]
	workgroup = MFG
	security = ads
	realm = MFG.PRV
	load printers = yes
	printing = cups
	max log size = 50
	passdb backend = tdbsam
	use kerberos keytab = Yes
	allow trusted domains = no
	idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
	winbind gid = 100000-999999
	winbind uid = 100000-999999
	template homedir = /home/%U
	template shell = /bin/bash
	winbind enum groups = yes
	winbind enum users = yes
	winbind use default domain = yes
	wins server = mfg.prv
	name resolve order = wins bcast host
	restrict anonymous = no
	domain master = no
	preferred master = no
	printer admin = @"MFG\Printer Admins"

[printers]
	path = /var/spool/samba
	printable = yes

[print$]
	path = /var/lib/samba/print
	write list = @"MFG\Printer Admins"
	force user = root
	force group = "printer admins"
	create mask = 0664
	directory mask = 0775

== ldap.conf ==

URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts

The LDAP stuff really wasn't necessary to get things working, I just like the ldapsearch tool for exploring attributes in AD and it works with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to work). On Redhat these are:

cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4

-Ross
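Ross suggests scripting the PAM edit from the installer's late script. As an added example that is not part of the mail, this Python sketch does the same edit idempotently and then checks two properties of the resulting auth stack: that it still ends in `required pam_deny.so`, and that `pam_krb5.so` carries `use_first_pass`/`try_first_pass` as in the posted system-auth. The stack text is constructed from the mail's auth lines with the pam_krb5 line removed; the parser and function names are this example's own, not authconfig's.

```python
import re
# Constructed sample: the mail's auth stack before the pam_krb5 line has been added.
STOCK_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""
KRB5_AUTH = "auth        sufficient    pam_krb5.so use_first_pass"
LINE_RE = re.compile(r'^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse(text):
    """Return (type, control, module, args) tuples; control may be a [bracketed] action list."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('unparseable PAM line: ' + line)
        stack.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return stack

def add_after(text, anchor_module, new_line):
    """Insert new_line after the first auth line for anchor_module, unless that
    module is already stacked, so re-running the install script is harmless."""
    if any(e[0] == 'auth' and e[2] == LINE_RE.match(new_line).group(3) for e in parse(text)):
        return text
    out = []
    for raw in text.splitlines():
        out.append(raw)
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) == 'auth' and m.group(3) == anchor_module:
            out.append(new_line)
            anchor_module = None          # insert only once
    return '\n'.join(out) + '\n'

def audit_auth(text):
    """Findings about the auth stack (empty = the mail's shape). A failing 'sufficient'
    is ignored, so without a trailing pam_deny the stack would return pam_env's success."""
    auth = [e for e in parse(text) if e[0] == 'auth']
    findings = []
    if not auth or auth[-1][1:3] != ('required', 'pam_deny.so'):
        findings.append('auth stack does not end with "required pam_deny.so"')
    for _, _, module, args in auth:
        if module == 'pam_krb5.so' and not {'use_first_pass', 'try_first_pass'} & set(args):
            findings.append('pam_krb5.so would prompt for the password a second time')
    return findings
```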