Ganymede now has a UNIX-style schema added to its LDAP database via AD4UNIX. This means every user now has a "UNIX Home Directory" attribute, a "UNIX UID" attribute, and a "UNIX GID" attribute, among others. They show up in each user's properties under a tab labelled "UNIX Settings", where you can set these properties for every user. With some simple tweaking of a Linux machine's ldap.conf, it can authenticate its users against AD. I've already tested it on ophelia, and it's deployed on hyperion as a "backup" to NIS: hyperion still uses NIS to authenticate, but if you attempt to log in as a user that doesn't exist in NIS, it checks AD too. Try logging in as jstudent, password Jstud3nt1.
Also, since AD integrates LDAP with Kerberos, we get kinit and friends for free, which means that if we set up SSH properly, we can use that cool Kerberos ticket system where SSH forwards tickets.
And don't forget that LDAP can serve a universal sudoers file! (w00t!)
This is pretty exciting, since now we know it will work. Not only that, but once upstairs finally gets an AD going, we can migrate pretty easily without actually touching any clients.
GAME PLAN
1) Adduser script: I'm writing an adduser-style script in C# right now that will accept a command line like "./addUser blah blah" and add an AD user. This is important once we get the domain set up.
2) Importing old users: Once that's done, I can make a few simple adjustments so it imports an NIS passwd file and adds the users accordingly, all with locked-out passwords. This will basically make all of our current users AD users. The only problem will be setting those passwords, but we can make a simple web form for that (see #3).
3) Solving the password dilemma: Make a web form where existing users can enter their e-mail address; it checks whether there is an AD user (with a locked-out password from #2) and, if so, sends them an e-mail with a confirmation link. Once they click that link, it gives them a form asking them to set a password for themselves.
4) Legacy support: Get SFU (Services for UNIX) working on Ganymede so it can serve an NIS domain. This is for the old-school machines we have which can't do Kerberos/LDAP and thus can't connect to AD. The older machines (*cough* Slowlaris 8 *cough*) will connect to the ad.secs.oakland.edu domain and just treat it as an NIS domain. AD will export a proper NIS passwd file to them, and it will Just Work.
This can all be done within a week or two!
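Here is what step 2 (importing the NIS passwd file as locked-out AD users) looks like in practice. This is an added example written for this page, not the C# script mentioned above: it parses passwd lines and emits LDIF "add" records for accounts that are created disabled and without any password. The UNIX attribute names used (uidNumber, gidNumber, unixHomeDirectory, loginShell) are the RFC 2307 ones and are an assumption; swap in whatever names the AD4UNIX schema on Ganymede actually exposes. The passwd lines, the OU, and the UID range are constructed for the example.

```python
"""Turn NIS passwd lines into LDIF for disabled AD accounts with UNIX attributes.

Added example for the wiki page, not the author's C# adduser script.
Attribute names follow RFC 2307 (assumption: adjust to the AD4UNIX schema).
"""
import base64

# userAccountControl bit flags (documented Microsoft values).
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

# Constructed sample standing in for `ypcat passwd` output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jstudent:x:1001:100:Jane Student:/home/jstudent:/bin/bash
bsmith:x:1002:100:Bob Smith:/home/bsmith:/bin/tcsh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
"""


def parse_passwd(text, min_uid=1000, max_uid=60000):
    """Return dicts for real user entries, skipping system and reserved UIDs."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, gecos, home, shell = fields
        uid, gid = int(uid), int(gid)
        if not (min_uid <= uid <= max_uid):
            continue  # root, daemons, nobody: never imported into AD
        users.append({"name": name, "uid": uid, "gid": gid,
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def _ldif_line(attr, value):
    """Base64-encode values that LDIF (RFC 2849) cannot carry as a plain string."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_to_ldif(user, base_dn, domain):
    """One LDIF add record: account disabled, no password set, UNIX attributes filled in.

    Assumes plain alphanumeric usernames, so no DN escaping is done.
    """
    lines = [
        f"dn: CN={user['name']},{base_dn}",
        "changetype: add",
        "objectClass: user",
        _ldif_line("sAMAccountName", user["name"]),
        _ldif_line("userPrincipalName", f"{user['name']}@{domain}"),
        _ldif_line("displayName", user["gecos"] or user["name"]),
        # 514 = normal account + disabled; stays that way until the web form sets a password.
        f"userAccountControl: {NORMAL_ACCOUNT | ACCOUNTDISABLE}",
        f"uidNumber: {user['uid']}",
        f"gidNumber: {user['gid']}",
        _ldif_line("unixHomeDirectory", user["home"]),
        _ldif_line("loginShell", user["shell"]),
    ]
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text, base_dn, domain):
    """LDIF records separated by blank lines, ready for ldifde -i."""
    return "\n".join(user_to_ldif(u, base_dn, domain) for u in parse_passwd(text))


if __name__ == "__main__":
    # OU is assumed; the domain name is the one the page gives.
    print(passwd_to_ldif(SAMPLE_PASSWD,
                         "OU=Users,DC=ad,DC=secs,DC=oakland,DC=edu",
                         "ad.secs.oakland.edu"))
```

The output is meant to be loaded with `ldifde -i -f users.ldif` on the domain controller. Two points worth keeping in mind: AD only accepts a password (unicodePwd) over an SSL/TLS-protected connection, which is one more reason to create the accounts disabled and without a password here and let the web form in step 3 set it over LDAPS; and the UID filter matters, because importing root or nobody would hand AD accounts the UIDs that every Linux client trusts.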
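The confirmation link in step 3 is the part of the plan that decides who gets to set a password on which account, so the token in that link has to be unguessable, expiring, single-use, and tied to one user. The following is an added example for this page, not the web form itself: an HMAC-signed token that carries the username, an expiry time and a random nonce, verified with a constant-time comparison and a set of already-used nonces. SECRET_KEY is a constructed placeholder (generate a real one with secrets.token_bytes and keep it out of the repository), and the in-memory set stands in for whatever persistent store the form uses.

```python
"""Signed, expiring, single-use tokens for the 'set your password' confirmation link.

Added example for the wiki page, not the actual web form. SECRET_KEY is a
constructed placeholder; the used-nonce set stands in for a persistent store.
"""
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-placeholder-replace-with-secrets.token_bytes(32)"
TOKEN_TTL = 3600  # a link is good for one hour


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    """Return 'user.expiry.nonce.mac'; the MAC covers all three preceding fields."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL
    nonce = _b64(secrets.token_bytes(16))  # fresh per link, so each link works once
    payload = f"{username}.{expiry}.{nonce}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return payload.decode() + "." + _b64(mac)


def verify_token(token, used_nonces, now=None):
    """Return the username for a valid, unexpired, unused token; otherwise None.

    A successful verification records the nonce so the same link cannot be replayed.
    """
    now = int(time.time()) if now is None else now
    parts = token.rsplit(".", 3)  # base64url never contains '.', so a dotted username is fine
    if len(parts) != 4:
        return None
    username, expiry_text, nonce, mac_text = parts
    payload = f"{username}.{expiry_text}.{nonce}".encode()
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    try:
        presented = _unb64(mac_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(expected, presented):
        return None
    if not expiry_text.isdigit() or int(expiry_text) < now:
        return None
    if nonce in used_nonces:
        return None
    used_nonces.add(nonce)
    return username


if __name__ == "__main__":
    used = set()
    link_token = issue_token("jstudent")
    print("mail this:", f"https://example.invalid/setpw?token={link_token}")  # constructed URL
    print("first use ->", verify_token(link_token, used))
    print("second use ->", verify_token(link_token, used))
```

The form that consumes a verified token should still check, on the AD side, that the account is one of the imported ones still flagged disabled, so the link only ever completes a first-time setup rather than resetting a live account; it should reply identically whether or not the entered e-mail address matches an account, so the form can't be used to list who has one; and the password itself has to be set over LDAPS, since AD refuses unicodePwd on a plain connection.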
PROBLEMS
1) Roaming profiles and H: drives: Since we won't be on Samba anymore, AD will need a *real* Windows-style, ACL-using filesystem for storing people's roaming profiles. Luckily, the NAS can do that; it's already working (check \\lex\ad\profiles). The problem is that these can't be on the same share the UNIX home directories are held on, since that's a filesystem with UNIX-style permissions. So no more .winprofile within your ~ that contains your Documents and Settings, and no more mounting your H: drive as your UNIX home dir. We can still have H: drives if we need them, but they will not be the same thing as users' UNIX homes. (It's possible that SFU might make this work, but I haven't installed it yet, so we'll see.)
2) Getting lab machines on the new domain: This will probably require a lot of reimaging, or maybe going machine to machine.
3) Importing old roaming profiles: Part of me just doesn't want to do this at all. Users are supposed to store things on USB drives anyway. If we need to, we can just give them all blank roaming profiles and tell them to use WinSCP to copy their old .winprofiles into their new roaming profiles.
See Also: AD On Linux
