AppNote: Integrating NDS in K12LTSP
Novell Cool Solutions: AppNote
By Peter Van den Wildenbergh
Posted: 17 Nov 2004
License and Disclaimer
See http://www.opencontent.org/opl.shtml for the full software and documentation license. Basically, you can copy, redistribute, or modify this "how to," provided that modified versions, if redistributed, are also covered by the OpenContent License. Please e-mail a copy of your modified document to ltsp @ criticalcontrol <.> com.
Use this document at your own risk, it comes with no warranty. See the OpenContent License mentioned above.
This article explains what needs to be done to authenticate LTS users against a Novell NDS server and to mount their NDS home directories as Linux homes on the LTS. It is assumed you are running LTS and Novell 6.0 or above. Basic Linux and NDS administration skills are also required.
Note: LTS stands for Linux Terminal Server. LTSP is an add-on package for Linux that allows you to connect lots of low-powered thin client terminals to a Linux server. Applications typically run on the server and accept input and display their output on the thin client display. For more details on LTS and LTSP, see the Linux Terminal Server Project web site at: http://www.ltsp.org/
To integrate NDS with K12LTSP, you need to complete the following tasks, as described in this article:
- Make test users on the Novell side.
- Make the following modifications on the LTS:
* Install ncpfs from source.
* Configure PAM.
* Prepare the /home directory.
* Make extra changes as needed.
* Create startup and logoff scripts.
Making test users on the Novell side
First, add a few test users via Novell ConsoleOne. For each test user, go to the Location attribute (under the General Identification tab) and fill in the desired Linux properties. For example, test1 has a UID of 1001, a default group ID of 1000, and a home of '/home/test1'. Make sure every UID is unique and that every home path starts with /home/.
For test1, the Location attribute starts with:
U:1001
Make sure each of the codes is on a separate line inside the Location attribute. Create a home directory for each test user on the NDS server and make sure the user has full read/write rights to it.
Modifying the LTS
Note: The commands in this section are run as root on the LTS; the prompt shown in the examples is [root@ltsp01 root]#
Installing ncpfs from Source
To download, install, and configure ncpfs 2.2.4 (and get Gnome 2.6 going on the clients), follow these steps:
- Change directory to /usr/src:
    cd /usr/src
- Download the ncpfs-2.2.4 source archive (ncpfs-2.2.4.tar.gz) into this directory.
- Once the download is complete, unpack the package with tar:
    tar -zxpf ncpfs-2.2.4.tar.gz
- Change directory to the ncpfs-2.2.4 directory created by unpacking the software:
    cd ncpfs-2.2.4
- Configure the package compilation directives. In this case everything runs over a TCP/IP network without Novell IPX, and the PAM module is enabled:
    ./configure --enable-pam --disable-ipx --disable-ipx-tools
- Check the configuration summary once ./configure is done.
- Compile the package:
    make
- Once compiled, install it:
    make install
- Type 'clear' and press Enter to clear the screen and start fresh.
Gdm is used to display a login screen on the LTS clients. In order to authenticate against a Novell server, you need to adjust the gdm configuration file in /etc/pam.d as follows:
- Change directory to the configuration file:
    cd /etc/pam.d
- Make a backup copy of what is in place now:
    cp gdm /root/gdmORIGINAL
- Use the vi editor to edit the gdm file:
    vi gdm
- Press the down-arrow to put the cursor at the beginning of line 2.
- Type 'd10' and press the down-arrow to erase the old stack (everything below the #%PAM-1.0 line).
- Press Insert, End, and Enter. This positions the cursor back on line 2 with vi in "insert" mode.
Now you can enter the contents of the gdm file as needed to reflect your server settings. Here is a sample gdm file:
    #%PAM-1.0
    auth       requisite  pam_nologin.so
    auth       sufficient pam_unix.so nullok
    auth       sufficient /lib/security/pam_ncp_auth.so -a -zAX3 -A -m -d -l -L -u,,r,gcds ndsserver=LTSP:CC
    auth       required   pam_deny.so
    # Account
    account    required   pam_unix.so
    # Session
    session    required   pam_unix.so
    session    optional   /lib/security/pam_ncp_auth.so
    # Password
    password   required   pam_unix.so nullok obscure min=4
Two things to check before this goes into production: the -d flag on the pam_ncp_auth line writes debugging output to /var/log/secure and should be removed once the setup works (see -d below), and nullok on the pam_unix.so lines lets a local account with an empty password log in. Since the user accounts on the LTS are created automatically from NDS, drop nullok unless you have a specific reason to keep it.
pam_ncp_auth Line and Parameters
It is beyond the scope of this how-to to explain how PAM works, but we will explain the pam_ncp_auth line:
    /lib/security/pam_ncp_auth.so -a -A -zAX3 -m -d -l -L -u,,r,gcds -g,,r ndsserver=LTSP:CC
The pam_ncp_auth module comes with the ncpfs package that is installed. Patrick Pollet is the original author of the module.
The parameters are as follows (in the order they appear on the line above):
-a
Allow "automagic" creation of accounts on the Linux LTSP server when users pass the NetWare authentication step. This calls 'adduser' with the appropriate parameters stored in NDS. This parameter should be on: the first time a user logs in, /home/userdir is created and the passwd and shadow files in /etc are adjusted.
There should be no "user stuff" on the LTS box. You can delete /home/userdir and the user's lines in the passwd/shadow files whenever you want. The next time the user logs on they are recreated, and because /home/userdir is really a share on the NDS, no information is lost. (Note: If you delete the directory /home/userdir, make sure it is empty first. Otherwise the user may be logged in, and you would be deleting content on the NDS share.)
If no user is logged in, every userdir under /home should be empty. Verify this with 'ls * -rA'. Current mounts can be checked with 'more /proc/mounts' or 'more /etc/mtab'. When a user is created, the home directory is created as well; this directory is only a stub (mount point) for the NDS home. Content under this directory that is not in NDS is useless, so make sure /etc/skel does not exist or is empty. (The content of /etc/skel gets copied into /home/userdir each time a new /home/userdir is created.)
-A
Spawn ncpmount with the -A and -S arguments. This enables the mounting of NetWare homes. (Automounting must be on: see -zAX3 below.)
-zAXn
'z' = Turn on some Zenux flags.
'A' = Automount the NetWare home. This tries to mount the NetWare home directory that was read from NDS. Normally this is done in the nwhome directory under the home directory of the user. (The user doesn't have a 'real' home directory on the LTSP box.)
'X' = Zenux flag that allows X access (see -L).
n = the number of the ZENscript in /usr/local/bin that will run: 0 to 2 run at login, 3 to 5 run at logoff. For example, a 0 launches the bash script /usr/local/bin/zenscript0 once the user is authenticated; the -zAX3 in the sample launches zenscript3 at logoff. The logoff scripts also run when a user resets the desktop with Ctrl+Alt+Backspace.
-m <optional directory path>
Directory where the NetWare share is mounted. If no path argument is supplied, /mnt/ncp is used, and that directory becomes the home directory of the user.
Note: -m must be used. If you leave this parameter out, the mount occurs in ~/nwmount, a subdirectory of the user's home. That allows the user to store data on the LTS, which is not a good thing.
-d
Debugging output into /var/log/secure.
Delete this parameter in production environments. Use it during setup, together with the sources in ncpfs, and it will make your life easier.
Note: If you need to solve 'Unknown server error 0x8901', check licensing on the test Novell box.
-l
This is a required parameter if the user's home is on an NFS remote share and you want the automounting of NetWare homes. This is a bit tricky, because a user's /home on the Linux box will be an ncpmount. (NCP is not really NFS, but without this flag the magic doesn't work.)
-L
Bypass the service checking table for remote access.
This is an LTSP project, so all the clients are remote access. In Pollet's version of pam_ncp, NDS administrators can decide on a per-user basis whether to grant remote access by specific protocols such as telnet, ssh, ftp, and Samba, or whether to grant it at all even when NDS authentication succeeds. That process uses the pam_ncp snapin for NwAdmin. By default, Pollet's version grants nothing for remote access unless the appropriate ZEN flags are enabled on the workstation.
Local access is not affected by this. When the -L flag is used, access is granted in all cases, local (KDE, Gnome, or text console) and remote (ssh), as long as the login/password match. LTS is all about remote clients, so we need this option. (See also the X in the -zAX013 parameter.) Keep in mind what this means: every NDS account with a valid password can then log in to the LTS, so who gets access is decided by which accounts exist in NDS and by what can reach the server on the network, not by pam_ncp_auth.
-u,,r,gcds
This controls user creation on the LTSP box (see -a).
The 'r' means required: the Linux UID/GID and home directory of the user are read from the NDS database, and if those parameters are not there (see the Location attribute), access is refused.
'gcds' means keep everything on the Linux side in sync with what is in NDS. For example, if user1 has a UID of 1000 in NDS, then the first time this user logs on a useradd command is executed (see -a) and a user with UID 1000 is added to the passwd file. If this setting changes in the NDS database from 1000 to 2000, the next time this user logs in a usermod is executed to update the user's UID on the LTSP box. This is a pretty handy way to keep a farm of several LTSs in sync.
ndsserver=LTSP:CC
Make sure that the server name can be resolved to an IP address by adding a line to /etc/hosts. (The current release of ncpfs does not use DNS lookups.) Check this on the command line of the LTS (ping LTSP). You can use an IP address instead of the name as well.
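The -a discussion above relies on every directory under /home being either a live NDS mount or an empty stub, and warns that rm -rf on a non-empty one may hit a logged-in user's NetWare data. The script below is an added example, not part of the original AppNote, that lists the directories under /home which break that rule: not a mount point, yet not empty. It assumes the /home -> /mnt/ncp layout from this article and reads the mount table from /proc/mounts (which the article itself names); both the home root and the mounts file are parameters so the check can be run against a test tree.

```bash
#!/bin/bash
# Added example (not from the AppNote): find home directories on the LTS that
# hold data locally instead of being an NDS mount or an empty stub.
# Assumed layout: /home is a symlink to /mnt/ncp and each user's NetWare home
# is ncpmounted on /home/<user> (i.e. /mnt/ncp/<user>).

# is_mounted DIR [MOUNTS_FILE]
#   Returns 0 if DIR is listed as a mount point (second field) in MOUNTS_FILE,
#   which defaults to /proc/mounts.
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# stale_home_dirs HOME_ROOT [MOUNTS_FILE]
#   Prints every subdirectory of HOME_ROOT that is not a mount point but still
#   contains entries (dotfiles included). Those entries live on the LTS disk,
#   which this design forbids. Returns 1 if any such directory was found.
stale_home_dirs() {
    root=$1; mounts=${2:-/proc/mounts}; rc=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if is_mounted "$d" "$mounts"; then
            continue            # live NDS mount: contents belong to the NetWare volume
        fi
        if [ -n "$(ls -A "$d")" ]; then
            echo "$d"           # stub directory with local content
            rc=1
        fi
    done
    return $rc
}

# Typical use on the LTS, after all users have logged off:
#   stale_home_dirs /home || echo "local data found under /home, do not rm -rf blindly"
```

Run it before cleaning up /home or deleting users: a listed directory is either a stub that received stray content (check /etc/skel) or, if a user is still logged in but the mount is gone, something to investigate rather than delete.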
Putting Things into Place
Follow these steps:
- Copy the libncp shared object into /lib (for some reason this isn't done by 'make install'):
    cp /usr/src/ncpfs-2.2.4/lib/libncp.so.2.3.0 /lib
- Change to the lib directory:
    cd /lib
- Make a sym link to the real .so name (libncp.so.2.3):
    ln -s libncp.so.2.3.0 libncp.so.2.3
Preparing the /home Directory
- Cd to the root directory:
    cd /
- Remove the existing /home. It must be empty or backed up, and nothing may be mounted under it:
    rm /home -rf
- Still in the root directory, make a sym link:
    ln -s /mnt/ncp /home
- Check the content of / with ll (or ls -la).
- If the /home -> /mnt/ncp link is broken, fix it now.
- Create the directory where the PAM module will put the user home directories:
    mkdir -p /mnt/ncp
- Check the link again with 'll'.
- Start with a clean desk by typing 'clear' and pressing Enter.
Changing X settings
X uses a user's /home directory to store files and locks. On an ncp-mounted /home every file is readable by everyone (this is something ncpmount should handle better, but it isn't there for the moment), while X requires some of its files to be readable by the owner only. That cannot happen in an ncp-mounted /home, so X fails. The solution is to keep those temporary files out of /home:
- Edit the Xsession file:
    vi /etc/X11/xdm/Xsession
- Navigate down (press the down-arrow) and press Insert. Make sure you enter the new line as the first non-commented line. (Comments start with #.)
- Type the following and press Enter:
- Quit vi by entering ':wq'.
- Now edit gdm.conf. In vi, search for UserAuthDir by entering:
    /UserAuthDir
- Press Insert and End, then add '/tmp' to the line so that it reads UserAuthDir=/tmp.
- To quit vi, press Escape and enter ':wq'.
UserAuthDir is where gdm writes each user's X authority cookie, and anyone who can read that cookie can connect to the user's display. With the cookies in /tmp, make sure /tmp keeps its sticky bit and that the per-user cookie files stay readable by their owner only.
Startup and Logoff Scripts
Now you need to put the startup/logoff script into place.
- Cd to /var and create the script directory:
    cd /var
    mkdir ltsp/bin -p
    cd ltsp/bin
- Start up vi and create the script 'umountHome':
    vi umountHome
- Paste the umountHome script into the file.
- Save the script file and quit vi.
- Create doUmount, the script that umountHome calls:
    vi doUmount
- Paste the doUmount script into the file, save it and quit vi.
- Make both scripts executable:
    chmod 775 *
  PAM runs these scripts as root, so /var/ltsp/bin and the scripts in it should be owned by root and not writable by anyone else (775 leaves them group-writable; 755 is the safer choice).
- Go to the directory where pam expects zenscript3 to be:
    cd /usr/local/bin
- Make the sym link. You can keep the scripts in /var/ltsp/bin under their own meaningful names; PAM calls the script zenscript3 in /usr/local/bin/, so you simply sym link zenscript3 to the script in /var/ltsp/bin:
    ln -s /var/ltsp/bin/umountHome zenscript3
At logoff time, zenscript3 is launched and tries to umount the user's mounted /home. The pam_ncp_auth module itself tries to umount the directory but always fails, because gconfd (Gnome) keeps a lock somewhere under /home/user/.gnome. So the script keeps trying to umount the user's home for up to five minutes after the user has logged out. Eventually gconfd stops, and the script umounts the home directory.
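The umountHome and doUmount scripts were distributed as separate sample files that are not reproduced on this page. The script below is an added example, written for this edit and not the author's scripts, that implements the behaviour just described: retry the unmount of the user's NetWare home until it succeeds or five minutes have passed. It assumes that pam_ncp_auth calls zenscript3 with the user name as its first argument (this page does not say how the script learns the user), that the home is mounted at /mnt/ncp/<user> (the same directory as /home/<user> through the symlink), and that ncpumount from the ncpfs package is on the PATH.

```bash
#!/bin/bash
# Added example, not the AppNote's umountHome/doUmount. Logoff script for the
# zenscript3 slot: keep trying to unmount the user's NetWare home because
# gconfd holds a lock under ~/.gnome for a while after the session ends.
# Assumptions (not stated on the page): the user name arrives as $1,
# the home is ncpmounted at /mnt/ncp/<user>, and ncpumount is on the PATH.

# is_mounted DIR [MOUNTS_FILE]
#   Returns 0 if DIR is listed as a mount point in MOUNTS_FILE (/proc/mounts).
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# retry_umount DIR MAX_TRIES SLEEP_SECS [UMOUNT_CMD]
#   Runs "UMOUNT_CMD DIR" until it succeeds or MAX_TRIES attempts are used up,
#   sleeping SLEEP_SECS between attempts. Returns 0 once the unmount worked,
#   1 if it never did. UMOUNT_CMD defaults to ncpumount.
retry_umount() {
    dir=$1; max=$2; pause=$3; cmd=${4:-ncpumount}
    n=0
    while [ "$n" -lt "$max" ]; do
        if "$cmd" "$dir" 2>/dev/null; then
            return 0
        fi
        n=$((n + 1))
        sleep "$pause"
    done
    return 1
}

# umount_user_home USER
#   Entry point at logoff. 60 tries x 5 seconds gives the five minutes the
#   article allows gconfd to go away. Logs the outcome to syslog.
umount_user_home() {
    user=$1
    home="/mnt/ncp/$user"            # assumed mount point (same dir as /home/$user)
    if ! is_mounted "$home"; then
        logger -t umountHome "nothing mounted at $home for $user"
        return 0
    fi
    if retry_umount "$home" 60 5; then
        logger -t umountHome "unmounted $home for $user"
        return 0
    fi
    logger -t umountHome "giving up: $home for $user still mounted after 5 minutes"
    return 1
}

# Run only when a user name is given (as zenscript3 would be called);
# sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    umount_user_home "$1"
fi
```

The script only ever unmounts a path it builds itself under /mnt/ncp from the user name PAM hands it; because it runs as root, it must never take the directory to unmount from anything a user controls. If it gives up, the mount stays in place and will show up in /proc/mounts, which is the check to run before deleting anything under /home.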
Additional Documentation Sources
Website of Patrick Pollet, the author of the pam_ncp module: http://prope.insa-lyon.fr/~ppollet/netware/ncpfs
About the Author
Peter Van den Wildenbergh is a Senior Linux Administrator and a Linux advocate. He can be reached at: ltsp <@> criticalcontrol <.> com. CriticalControl Solutions is an IT solution provider based in Calgary, Alberta, Canada. For more info visit www.criticalcontrol.com
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com