[COLUG] ActiveDirectory integration: home directories
Scott Merrill
skippy at skippy.net
Wed Aug 23 08:33:18 EDT 2006
We're in the process of building a new Windows Active Directory domain
using Windows Server 2003 R2. We want to have a lab populated with
Linux machines, which will be deployed via Kickstart, and integrated
into the AD. I have Kickstart working, and I've successfully tried
several of the AD integration options (winbind, plain ol' kerberos+LDAP)
and account _authentication_ seems to be working fine so far.

We want to provide a single home directory for our students in addition
to single sign-on; so that the student's resources are available from
any machine they choose to use. This is proving to be the problem.

The home directories for our test implementation reside on our AD
controller. I've shared the home folder (C:\Home) as both a CIFS share
and an NFS share (using Windows NFS services bundled with Win2K3 R2).

The RHEL workstation can mount the NFS share, but cannot see any of the
contents of that share:

[root@rhel ~]# mount fqdn.ad.example.com:/Home /mnt
[root@rhel ~]# ls /mnt
ls: /mnt: Permission denied

The RHEL workstation can mount the CIFS share, but the permissions are
_way_ too permissive:

[root@rhel ~]# mount -t cifs \
    -o credentials=/etc/samba/credentials.txt \
    fqdn.ad.example.com:/Home /mnt
[root@rhel ~]# ls -lha /mnt
total 8.0K
drwxrwxrwx 1 root root 0 Jul 27 13:26 .
drwxr-xr-x 24 root root 4.0K Aug 18 16:00 ..
drwxrwxrwx 1 root root 0 Aug 18 16:18 user1
drwxrwxrwx 1 root root 0 Aug 18 16:19 user2

Most of the HOWTOs I've found online for dealing with AD integration
suggest using pam_mount to automatically mount (and then remount, using
the --bind option) the user's home directory. Unfortunately, RHEL4 does
not include pam_mount. I'm not opposed to compiling it and using it,
but before I do I'd like to get some indication from someone with more
expertise whether or not I'm barking up the wrong tree.

Any suggestions or observations about what I'm trying to do?
Anything blatantly wrong about what I've presented here? Is
pam_mount the way to go?

Thanks in advance,
Scott
--
skippy at skippy.net | http://skippy.net/
gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49 3544 476A 7DEC 9CFA 4B35
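
The check below is an added example, not part of the original post: it audits a mounted home-directory root for the condition shown in the CIFS listing above, where every home appears as root:root with mode 0777. `audit_homes` is a hypothetical helper; it assumes GNU coreutils `stat` (as on RHEL) and that each home directory is named after the login that should own it.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_homes ROOT
#   Prints one line per finding for each directory directly under ROOT:
#     OWNER <name>: ...  the directory owner is not the user it is named after
#     MODE  <name>: ...  the mode grants any access to group or other
#   Returns 0 when nothing was found, 1 otherwise.
# Assumptions: GNU stat; home directory name == login name.
audit_homes() {
    root=$1
    findings=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        # Skip an unmatched glob and symlinks (audit only real directories).
        [ -d "$dir" ] || continue
        [ -L "$dir" ] && continue
        name=${dir##*/}
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")     # octal, e.g. 700 or 777
        if [ "$owner" != "$name" ]; then
            echo "OWNER $name: owned by $owner"
            findings=$((findings + 1))
        fi
        # Leading 0 makes the shell read the mode as octal; 077 masks the
        # group and other permission bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "MODE $name: $mode grants group/other access"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run as a script: audit the mount point given as the first argument.
if [ "${0##*/}" = "audit_homes.sh" ]; then
    audit_homes "${1:-/mnt}"
fi
```

Run against the `/mnt` listing in the post, both `user1` and `user2` would be reported twice, once for the root owner and once for mode 777.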