Winbind Auth with PXE booted diskless clients

General support questions including new installations
Ambo
Posts: 9
Joined: 2010/04/16 05:10:29

Winbind Auth with PXE booted diskless clients

Post by Ambo » 2010/04/29 05:35:28

Hey All,

In short we are booting Centos 5.4 over PXE to a bunch of diskless clients. Once they are booted - we can login (as local root account) and RDP to windows machines using rdesktop as we require.

The next step of the project is to get user authentication to the Windows Domain controller working for the PXE image.

To do so - we continued with our physical install of Centos 5.4 (used to create the pxe image with rsync as per the wiki page for diskless clients) by following through [url=http://www.linuxmail.info/active-directory-integration-samba-centos-5/]this page[/url]. AD auth works perfectly on this box (it has a local HDD install of centos obviously).

Once we rsync'd the changes over to the pxeboot location - and rebooted one of the diskless pxe clients - we get issues.

The issue is that winbind seems to start - however the file "/etc/samba/secrets.tdb" can't be read. We tried removing this file that the PXE clients use and recreating it using

[code]touch /etc/samba/secrets.tdb[/code]

however still get the same issue.

So my question is - is it indeed possible to get a PXE booted diskless client to auth using winbind to a windows Domain controller? We could create local users with the same username/password on the Centos PXE image however that would become tedious when users come and go - and it shouldn't be rocket science to get it working, right?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Winbind Auth with PXE booted diskless clients

Post by pschaff » 2010/04/29 19:22:41

Don't think removing and creating an empty file is the right approach. Is SELinux running in Enforcing mode? The copy may have lost the SELinux context. Try restoring the original file and running with SELinux temporarily disabled, either by appending "selinux=0" on the GRUB kernel line at boot, or "setenforce 0". If that works then "touch /.autorelabel" and reboot. On second thought - not sure how that's going to work with PXE diskless boot. I believe you need to add the "-X" (or "--xattrs") flag to rsync to preserve the context.

Ambo
Posts: 9
Joined: 2010/04/16 05:10:29

Re: Winbind Auth with PXE booted diskless clients

Post by Ambo » 2010/05/03 00:46:10

[quote]
pschaff wrote:
Is SELinux running in Enforcing mode? The copy may have lost the SELinux context. Try restoring the original file and running with SELinux temporarily disabled, either by appending "selinux=0" on the GRUB kernel line at boot, or "setenforce 0". If that works then "touch /.autorelabel" and reboot. [/quote]

SELinux is disabled - did so to remove any issues that might pop up due to it.

[quote]
pschaff wrote:
On second thought - not sure how that's going to work with PXE diskless boot. I believe you need to add the "-X" (or "--xattrs") flag to rsync to preserve the context.[/quote]

Might have to try the rsync with the -X option added - thanks.

I too was thinking there would be some issues regarding the auth working with a diskless client - however there are people out there that have it working.

I suppose it comes down to 1 question - does a linux machine have to be a member of the domain to be able to use WINBIND auth to a DC? If the machine doesn't have to be a member - then all should work OK I am guessing - as the secrets.tdb file I am having the issues with is created when adding the machine to the domain, right?

Ambo
Posts: 9
Joined: 2010/04/16 05:10:29

Re: Winbind Auth with PXE booted diskless clients

Post by Ambo » 2010/05/21 05:41:59

OK - have yet to test the rsync with preserve options - however got it to work by changing the ROOT NFS share that's exported for the Diskless clients to be RW instead of RO. Some more info and questions below.

Background:
We are trying to set up a diskless client environment using Centos 5.4

After following through the wiki article

[url=http://wiki.centos.org/HowTos/DisklessClients]http://wiki.centos.org/HowTos/DisklessClients[/url]

we have been successful in getting diskless clients to boot.

We endeavor to be able to log in to the diskless clients using Active Directory authentication.

We have followed through the below link and in turn have it all working on a physical disk install of Centos 5.4. However, once we pxe that install (using rsync) and boot a diskless client to that image, it seems to break.

[url=http://www.linuxmail.info/active-directory-integration-samba-centos-5/]http://www.linuxmail.info/active-directory-integration-samba-centos-5/[/url]

Now we have been mucking around for a while - changing "/etc/samba" to be a symbolic link to the snapshot area (which the diskless clients have RW access to) instead of a physical folder in /etc - however this has made no difference.

It seems when WINBIND tries to start - it gets an error (seemingly due to file perms) and if we issue a "service winbind restart" it gives an error advising it's unable to start but the pid exists.

In a desperate bid - we changed the NFS exports to share out the /root as Read/Write as well instead of just Read Only.

[code]/diskless/Centos/v2/root/ *(rw,sync,no_root_squash)
/diskless/Centos/v2/snapshot/ *(rw,sync,no_root_squash)[/code]

Magically the AD auth now works - without changing anything else in the image.

So the question is - can anyone provide some insight into what files I would need to move over to the snapshot area to get AD auth to work with the "root" being read-only (ie what files/directories does winbind require for auth to work).

Also what (if any) downsides are there to leaving the root NFS as read-write as opposed to read-only?

Cheers,
Ambo.
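The two questions in this last post (which paths winbind needs to write, and what the read-write root export costs) can be checked against an image before booting a client. The script below is an added example, not from the thread or the CentOS HOWTO; the list of writable paths is an assumption for Samba 3.0 on CentOS 5 (the private, lock, pid and log directories that `smbd -b` reports), and the exports lines in the test are the ones quoted in the post.

```shell
#!/bin/sh
# Paths winbind writes to at start-up (assumed for Samba 3.0 on CentOS 5; check
# PRIVATE_DIR, LOCKDIR and PIDDIR in `smbd -b` for your build). secrets.tdb
# lives under etc/samba, the lock/tdb files under var/lib/samba and var/cache/samba.
WINBIND_WRITE_PATHS="etc/samba var/lib/samba var/cache/samba var/run var/log/samba"

# check_winbind_paths ROOT_IMAGE SNAPSHOT_DIR
# Prints each path that still sits inside the read-only root image instead of
# being a symlink into the writable snapshot area. Returns 0 only if all are relocated.
check_winbind_paths() {
    root=$1; snapshot=$2; missing=0
    snap_abs=$(readlink -f "$snapshot")
    for rel in $WINBIND_WRITE_PATHS; do
        p="$root/$rel"
        if [ -L "$p" ]; then
            target=$(readlink -f "$p")
            case "$target" in
                "$snap_abs"/*) continue ;;   # already lives in the RW snapshot area
            esac
        fi
        echo "NEEDS RELOCATING: $rel"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# audit_exports EXPORTS_FILE ROOT_EXPORT_PATH
# Flags a root-image export that is rw and/or no_root_squash. Because every
# diskless client logs in as local root, a rw root export lets any one client
# modify the image that all the others boot from; keeping root ro and only the
# per-client snapshot rw confines writes to that client's own area.
audit_exports() {
    awk -v root="$2" '$1 == root {
        if ($2 ~ /[(,]rw[,)]/) print "root export is read-write: " $0
        if ($2 ~ /no_root_squash/) print "root export disables root squashing: " $0
    }' "$1"
}
```

Run `check_winbind_paths /diskless/Centos/v2/root /diskless/Centos/v2/snapshot` on the NFS server; each reported path is a candidate for the same symlink-into-snapshot treatment already applied to /etc/samba.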
