The Linux Student Development Server: Part 2

After much prodding and poking, the dev server launched, albeit unsatisfactorily: due to various issues I’ve decided to treat this first round as a prototype and create a fresh instance of the server, setting it up from scratch again and applying what I’ve learned from round one to get it working properly. Fortunately demand for the service has been low this semester (as the Unix and C unit is not in fact running) and we were able to relocate students from other units to the old dev server, which was kept running for just that eventuality.

By far the most time-consuming and painful task has been configuring samba / kerberos for AD. Granted, this is mostly because of my inexperience in this area, but the entire process seems a lot more painful than it should be. Next time around will certainly be smoother, mostly through what I’ve learned about the available tools such as kinit and net.

Some gotchas:

AllowGroups in sshd_config gave me more hassle than it should have.

Firstly, AllowGroups is CASE sensitive in a funky manner. What I mean by this is, regardless of the actual case of the group according to the active directory, it only works for sshd if the group is specified all lowercase. If not, the group isn’t recognised.

It took me a while to figure out the next reason AllowGroups was not working: it didn’t like co-existing with AllowUsers. To my mind this is a no-brainer, both directives should work. However, once I commented out AllowUsers, the groups started authenticating properly. To maintain access for my local admin users, I added their local group to AllowGroups, so AllowUsers is no longer required.

A puzzlement with account creation which was pretty funny when I discovered the reason: I had left the session PAM module active for samba, so every user who browsed the samba share was having a user account created. I twigged to this when I accessed it myself and watched local accounts created both for my user account and my workstation account. Since I don’t want accounts created via samba, I split the session, auth and account sections off into separate PAM files for finer control and made sure samba wasn’t using session anymore.

Once the assorted hassles with AD auth are sorted and behaving as planned, I’ll actually be able to get started on some of the other items in the list. When it’s all done I’m certainly going to generate some fat HOWTO documentation for my department to ease the struggles of the next tech who needs to deal with it.

Except where specified otherwise, the content of this site is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.