My goal was to get CLAWS running the way RIT uses it, and then write patches to the main codebase. If certain people in high places liked the changes I made, they could take the patches and apply them upstream. Even if that doesn’t happen, I could always fork the project and continue development on my own. For political reasons, I’d have to wait to do this until after I graduate.

The PAWS Project is aimed at taking what is now a very RIT-centric software system and transforming it into something the general public can use. Much to the chagrin of some un-named information security officials, CLAWS is open source and so I can (at very least) develop from the r2977 snapshot.

In the coming few months I plan to have my documentation finished for building and installing CLAWS. I should have a lighter schedule this summer, so I’m hoping to get most of my development work done then.

The CLAWS central server manages communications between the various clients and back-end systems. A self-help tool allows students to activate an account and edit identity and mail preferences. The Help Desk client provides account management functions for staff that streamlines account creation and maintenance across the multiple systems.

Right now, CLAWS is used in production by both students and Help Desk staff. We are presently working to integrate IPEdit functionality into CLAWS. Visit the project homepage for more information.

The domain member box is running Gentoo Linux. So you may need to adjust the steps to fit your flavor. Make sure the USE flags kerberos, ldap, samba, ssl, and winbind are set. Start by installing an NTP client.

# emerge ntp

The purpose of NTP is to keep your computer’s clock in-sync with the domain controller. Edit your /etc/ntp.conf file to use your domain controller as the time server. Then sync your clock, start the NTP client, and install Samba:

# ntpdate ad01.rit.edu
# /etc/init.d/ntpd start
# rc-update add ntpd default
# emerge samba

Now you can configure kerberos. Open your /etc/krb5.conf file and make it look like this:

[libdefaults]
  ticket_lifetime = 600
  default_realm = RIT.EDU
  clockskew = 120

[realms]
  RIT.EDU = {
    kdc = ad01.rit.edu
    default_domain = RIT.EDU
  }

[domain_realm]
  .rit.edu = RIT.EDU
  rit.edu = RIT.EDU

Test your kerberos setup by requesting a ticket from your domain controller.

# kinit administrator
# klist
# kdestroy

Edit your Samba configuration.

[global]
  workgroup = RIT
  realm = RIT.EDU
  server string =

  log file = /var/log/samba/log.%m
  max log size = 50

  hosts allow = 127.0.0.1 129.21.0.0/16   
  hosts deny = 0.0.0.0/0
  security = ADS
  allow trusted domains = yes
  password server = ad01.rit.edu
  encrypt passwords = yes
  min protocol = NT1

  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 600
  winbind use default domain = yes
  template homedir = /home/%U
  obey pam restrictions = yes
  template shell = /bin/bash

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  domain master = no
  local master = no

  idmap uid = 10000-99999
  idmap gid = 10000-99999

Add winbind to the daemon_list variable in /etc/conf.d/samba.

daemon_list="smbd nmbd winbind"

Join the domain and start Samba.

# net ads join -U administrator
# /etc/init.d/samba start

Add winbind to the passwd and group lines in /etc/nsswitch.conf.

passwd:      compat winbind
shadow:      compat
group:       compat winbind

Test user resolution and add Samba to the startup:

# getent passwd administrator
# rc-update add samba default

Add the bolded lines to your /etc/pam.d/system-auth file.

auth required pam_env.so
auth sufficient	pam_winbind.so
auth sufficient	pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account	required pam_access.so
account	sufficient pam_winbind.so
account	required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session	required pam_limits.so
session	required pam_unix.so
session required pam_mkhomedir.so

That’s it! Now all you need to do is start samba and your box is an AD domain member.

My first chore was to install Windows Server 2003 and configure it to be a domain controller. This part was fairly easy, although a little time-consuming. Once that was working I was able to quickly join the Windows machines to the domain. Now to deal with Linux… for that I chose Windows Services for Unix. This software alters the AD schema to allow for Unix account attributes. On the Linux machines, I installed OpenLDAP, a Kerberos client, configured PAM… and voila! Now AD users can authenticate on the Linux machines.

My home-made DHCP/DNS configuration tool, however, was a little trickier. The data for this tool is stored in a MySQL database and accessed via a PHP script. If I wanted to grant someone access to the tool, I needed to first give them a MySQL account. Since Active Directory is basically an LDAP server, I rewrote the authentication mechanism to query AD.

With very little work, I was able to simplify authentication and account management. While this is not new technology, I still feel all warm and fuzzy with a sense of accomplishment.