https://wiki.archlinux.org/api.php?action=feedcontributions&user=LeX4051&feedformat=atomArchWiki - User contributions [en]2024-03-28T07:59:55ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Active_Directory_integration&diff=202862Active Directory integration2012-05-26T07:36:04Z<p>LeX4051: /* Introduction */</p>
<hr />
<div>[[Category:Networking]]<br />
{{i18n|Active Directory Integration}}<br />
<br />
This guide explains how to integrate an Arch Linux host with an existing Windows Active Directory domain. <br />
<br />
== Disclaimer ==<br />
Because Arch Linux is a rolling release distribution, it is possible that some of the information in this article could be outdated due to package or configuration changes made by the maintainers. Never blindly follow these or any other instructions. When the instructions say to edit or change a file, consider making a backup copy. Check the date of the last revision of this article.<br />
<br />
== Introduction ==<br />
<br />
A key challenge for system administrators of any datacenter is coexisting in heterogeneous environments, that is, mixing different server operating system technologies (typically Microsoft Windows and Unix/Linux). User management and authentication is by far the most difficult of these problems to solve. The most common solution is to use a directory server. There are a number of open-source and commercial solutions for the various flavors of *NIX; however, few solve the problem of interoperating with Windows. Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers. <br />
<br />
Active Directory serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a network of Windows domain type, assigning and enforcing security policies for all computers in a network and installing or updating software on network computers. For example, when a user logs into a computer that is part of a Windows domain, it is Active Directory that verifies his or her password and specifies whether he or she is a system administrator or normal user.<br />
<br />
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos and DNS. The same standards are available on Linux, but piecing them together is not an easy task. Following these steps will help you configure an Arch Linux host to authenticate against an AD domain.<br />
<br />
Before continuing, you must have an existing Active Directory domain, and have a user with the appropriate rights within the domain to: query users and add computer accounts (Domain Join). <br />
<br />
This document is not intended as a complete guide to Active Directory or Samba. Refer to the resources section for additional information.<br />
<br />
=== AD Basic Terminology ===<br />
<br />
If you are not familiar with Active Directory, there are a few keywords that are helpful to know.<br />
<br />
* '''Domain''' : The name used to group computers and accounts. <br />
* '''SID''' : Each computer that joins the domain as a member must have a unique SID or System Identifier.<br />
* '''SMB''' : Server Message Block.<br />
* '''NETBIOS''': Network naming protocol used as an alternative to DNS. Mostly legacy, but still used in Windows Networking.<br />
* '''WINS''': Windows Information Naming Service. Used for resolving Netbios names to windows hosts.<br />
* '''Winbind''': Protocol for windows authentication.<br />
<br />
== Active Directory Configuration ==<br />
'''NOTE: This section has not been validated. Proceed with caution'''<br />
<br />
=== Updating the GPO ===<br />
'''NOTE: These steps have not been validated. Proceed with caution'''<br />
It may be necessary to disable ''Digital Sign Communication (Always)'' in the AD group policies. Dive into:<p><br />
<br />
Local policies -> Security policies -> Microsoft Network Server -> Digital sign communication (Always) -> activate "define this policy" and use the '''disable''' radio button</p><br />
<br />
If you use Windows Server 2008 R2, you need to modify that in GPO for Default Domain Controller Policy -> Computer Setting -> Policies -> Windows Setting -> Security Setting -> Local Policies -> Security Option -> ''Microsoft network client: Digitally sign communications (always)''<br />
<br />
== Linux Host Configuration ==<br />
<br />
The next few steps will begin the process of configuring the Host. You will need root or sudo access to complete these steps.<br />
<br />
=== Arch Linux Packages ===<br />
<br />
The following packages should also be installed:<br />
* samba<br />
* krb5<br />
* pam-krb5<br />
* pam_pwcheck<br />
* openntpd (or) ntp<br />
<br />
pacman -S samba krb5 pam-krb5 pam_pwcheck openntpd<br />
<br />
=== Updating DNS ===<br />
<br />
Active Directory is heavily dependent upon DNS. You will need to update '''/etc/resolv.conf''' to use one or more of the Active Directory domain controllers:<br />
nameserver <IP1><br />
nameserver <IP2><br />
Replacing <IP1> and <IP2> with valid IP addresses for the AD servers. If your AD domains do not permit DNS forwarding or recursion, you may need to add additional resolvers. <br />
<br />
'''''Important:''''' If your machine dual boots Windows and Linux, you should use a different DNS hostname and NetBIOS name for the Linux configuration if both operating systems will be members of the same domain.<br />
<br />
=== Configuring NTP ===<br />
In this example, we use OpenNTPD instead of ISC NTP. You may choose either package, but openntpd is cleaner and easier to configure.<br />
<br />
==== /etc/conf.d/openntpd ====<br />
Ensure the daemon is configured to sync automatically on startup by adding the '-s' parameter to the config:<br />
PARAMS="-s"<br />
<br />
==== /etc/ntpd.conf ====<br />
servers <IP1><br />
servers <IP2><br />
Replacing <IP1> and <IP2> with valid IP addresses for the AD servers. Alternatively, you can use other known NTP servers provided the Active directory servers sync to the same stratum. However, AD servers typically run NTP as a service.<br />
<br />
==== /etc/rc.conf ====<br />
Next, add 'openntpd' to the list of startup daemons in the ArchLinux configuration file:<br />
DAEMONS=(!hwclock syslog-ng dbus network openntpd crond sshd)<br />
* Note we place it AFTER 'network' and BEFORE 'crond'<br />
<br />
==== Start openntpd ====<br />
Start the NTP daemon to sync the time now.<br />
rc.d start openntpd<br />
<br />
=== Kerberos ===<br />
<br />
<p> Let's assume that your AD is named example.com. Let's further assume your AD is ruled by two domain controllers, the primary and secondary one, which are named PDC and BDC, pdc.example.com and bdc.example.com respectively. Their IP addresses will be 192.168.1.2 and 192.168.1.3 in this example. Take care to watch your syntax; upper-case is very important here.</p><br />
<br />
==== /etc/krb5.conf ====<br />
{{bc|1=<br />
[libdefaults]<br />
default_realm = EXAMPLE.COM<br />
clockskew = 300<br />
ticket_lifetime = 1d<br />
forwardable = true<br />
proxiable = true<br />
dns_lookup_realm = true<br />
dns_lookup_kdc = true<br />
<br />
[realms]<br />
EXAMPLE.COM = {<br />
kdc = PDC.EXAMPLE.COM<br />
admin_server = PDC.EXAMPLE.COM<br />
default_domain = EXAMPLE.COM<br />
}<br />
<br />
[domain_realm]<br />
.kerberos.server = EXAMPLE.COM<br />
.example.com = EXAMPLE.COM<br />
example.com = EXAMPLE.COM<br />
example = EXAMPLE.COM<br />
<br />
[appdefaults]<br />
pam = {<br />
ticket_lifetime = 1d<br />
renew_lifetime = 1d<br />
forwardable = true<br />
proxiable = false<br />
retain_after_close = false<br />
minimum_uid = 0<br />
debug = false<br />
}<br />
<br />
[logging]<br />
default = FILE:/var/log/krb5libs.log<br />
kdc = FILE:/var/log/kdc.log<br />
admin_server = FILE:/var/log/kadmind.log<br />
}}<br />
<br />
'''Note:'''<br><br />
Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008. You'll probably have to add {{bc|1=allow_weak_crypto = true}} to the {{Ic|[libdefaults]}} section.<br />
<br />
==== Creating a Kerberos Ticket ====<br />
Now you can query the AD domain controllers and request a Kerberos ticket ('''uppercase is necessary'''):<br />
kinit administrator@EXAMPLE.COM<br />
<br />
You can use any username that has rights as a Domain Administrator.<br />
<br />
==== Validating the Ticket ====<br />
Run 'klist' to verify you did receive the ticket. You should see something similar to:<br />
# klist<br />
Ticket cache: FILE:/tmp/krb5cc_0<br />
Default principal: administrator@EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal <br />
02/04/12 21:27:47 02/05/12 07:27:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM<br />
renew until 02/05/12 21:27:47<br />
<br />
=== Samba ===<br />
Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.<br />
<br />
==== /etc/samba/smb.conf ====<br />
'''''NOTE: The configuration can vary greatly depending on how the Windows environment is deployed. Be prepared to troubleshoot and research.'''''<br />
<br />
In this section, we will focus on getting authentication to work by editing the 'Global' section. Later, we will go back and add shares.<br />
<br />
{{bc|1=<br />
[Global]<br />
netbios name = MYARCHLINUX<br />
workgroup = EXAMPLE<br />
realm = EXAMPLE.COM<br />
server string = %h ArchLinux Host<br />
security = ads<br />
encrypt passwords = yes<br />
password server = pdc.example.com<br />
idmap uid = 10000-20000<br />
idmap gid = 10000-20000<br />
<br />
#idmap backend = rid<br />
<br />
winbind use default domain = Yes<br />
winbind enum users = Yes<br />
winbind enum groups = Yes<br />
winbind nested groups = Yes<br />
winbind separator = +<br />
winbind refresh tickets = yes<br />
winbind gid = 10000-20000<br />
<br />
template shell = /bin/bash<br />
template homedir = /home/%D/%U<br />
<br />
preferred master = no<br />
dns proxy = no<br />
wins server = pdc.example.com<br />
wins proxy = no<br />
<br />
inherit acls = Yes<br />
map acl inherit = Yes<br />
acl group control = yes<br />
<br />
load printers = no<br />
debug level = 3<br />
use sendfile = no<br />
}}<br />
<br />
We shall now tell Samba to use the PDC's database for authentication queries. Again, we use winbindd, which is part of the samba package. Winbind maps the UIDs and GIDs of the AD to our Linux machine. Winbind uses a Unix implementation of RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let Windows AD users access the Linux machine and to grant them permissions on it. The best part of winbindd is that you do not have to define the mapping yourself, but only a range of UIDs and GIDs. That is what we defined in smb.conf.<br />
<br />
==== /etc/conf.d/samba ====<br />
Update the samba initscript configuration file to enable the winbind daemon:<br />
##### /etc/conf.d/samba #####<br />
#SAMBA_DAEMONS=(smbd nmbd)<br />
SAMBA_DAEMONS=(smbd nmbd winbindd)<br />
<br />
==== /etc/rc.conf ====<br />
Next, add 'samba' to the list of startup daemons in the ArchLinux configuration file. The daemons started by /etc/rc.d/samba are configured in the file /etc/conf.d/samba.<br />
DAEMONS=(hwclock syslog-ng dbus network openntpd crond sshd samba)<br />
* Note: your actual list may vary.<br />
<br />
== Starting and testing services ==<br />
<br />
=== Starting Samba ===<br />
<br />
Hopefully, you have not rebooted yet! Fine. If you are in an X session, quit it, so you can test logging in on another console while you are still logged in.<br />
<br />
Start Samba (including smbd, nmbd and winbindd):<br />
{{bc|<br />
/etc/rc.d/samba restart<br />
}}<br />
<br />
If you check the processes, you'll see that winbind did not actually start. A quick review of the logs shows that the SID for this host could not be obtained from the domain:<br />
{{bc|<br />
# tail /var/log/samba/log.winbindd<br />
[2012/02/05 21:51:30.085574, 0] winbindd/winbindd_cache.c:3147(initialize_winbindd_cache)<br />
initialize_winbindd_cache: clearing cache and re-creating with version number 2<br />
[2012/02/05 21:51:30.086137, 2] winbindd/winbindd_util.c:233(add_trusted_domain)<br />
Added domain BUILTIN S-1-5-32<br />
[2012/02/05 21:51:30.086223, 2] winbindd/winbindd_util.c:233(add_trusted_domain)<br />
Added domain MYARCHLINUX S-1-5-21-3777857242-3272519233-2385508432<br />
[2012/02/05 21:51:30.086254, 0] winbindd/winbindd_util.c:635(init_domain_list)<br />
Could not fetch our SID - did we join?<br />
[2012/02/05 21:51:30.086408, 0] winbindd/winbindd.c:1105(winbindd_register_handlers)<br />
unable to initialize domain list<br />
}}<br />
<br />
=== Join the Domain ===<br />
<br />
You need an AD Administrator account to do this. Let's assume this is named Administrator. The command is 'net ads join':<br />
{{bc|<br />
# net ads join -U Administrator<br />
Administrator's password: xxx<br />
Using short domain name -- EXAMPLE<br />
Joined 'MYARCHLINUX' to realm 'EXAMPLE.COM'<br />
}}<br />
<br />
See screenshot of Active Directory Users and Computers<br />
[[http://en.wikipedia.org/wiki/File:Ads_myarchlinux_computer_account.png]]<br />
<br />
=== Restart Samba ===<br />
'winbindd' failed to start on the first try because we were not yet a domain member. Restart the samba service and winbind should fire up as well:<br />
rc.d restart samba<br />
<br />
=== /etc/nsswitch.conf ===<br />
<br />
NSSwitch tells the Linux host how to retrieve information from various sources and in which order to do so. In this case, we are appending Active Directory as an additional source for users, groups, and hosts.<br />
<br />
passwd: files winbind<br />
shadow: files winbind<br />
group: files winbind <br />
<br />
hosts: files dns wins<br />
<br />
=== Testing Winbind ===<br />
Let's check if winbind is able to query the AD. The following command should return a list of AD users:<br />
<br />
{{bc|<br />
# wbinfo -u<br />
administrator<br />
guest<br />
krbtgt<br />
test.user<br />
}}<br />
* Note we created an Active Directory user called 'test.user' on the domain controller<br />
<br />
We can do the same for AD groups:<br />
<br />
{{bc|<br />
# wbinfo -g<br />
domain computers<br />
domain controllers<br />
schema admins<br />
enterprise admins<br />
cert publishers<br />
domain admins<br />
domain users<br />
domain guests<br />
group policy creator owners<br />
ras and ias servers<br />
allowed rodc password replication group<br />
denied rodc password replication group<br />
read-only domain controllers<br />
enterprise read-only domain controllers<br />
dnsadmins<br />
dnsupdateproxy<br />
}}<br />
<br />
=== Testing nsswitch ===<br />
<br />
To ensure that our host is able to query the domain for users and groups, we test nsswitch settings by issuing the 'getent' command. The following output shows what a stock ArchLinux install looks like:<br />
<br />
{{bc|<br />
# getent passwd<br />
root:x:0:0:root:/root:/bin/bash<br />
bin:x:1:1:bin:/bin:/bin/false<br />
daemon:x:2:2:daemon:/sbin:/bin/false<br />
mail:x:8:12:mail:/var/spool/mail:/bin/false<br />
ftp:x:14:11:ftp:/srv/ftp:/bin/false<br />
http:x:33:33:http:/srv/http:/bin/false<br />
nobody:x:99:99:nobody:/:/bin/false<br />
dbus:x:81:81:System message bus:/:/bin/false<br />
ntp:x:87:87:Network Time Protocol:/var/empty:/bin/false<br />
avahi:x:84:84:avahi:/:/bin/false<br />
administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash<br />
guest:*:10002:10007:Guest:/home/EXAMPLE/guest:/bin/bash<br />
krbtgt:*:10003:10006:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash<br />
test.user:*:10000:10006:Test User:/home/EXAMPLE/test.user:/bin/bash<br />
}}<br />
<br />
And for groups:<br />
{{bc|<br />
# getent group<br />
root:x:0:root<br />
bin:x:1:root,bin,daemon<br />
daemon:x:2:root,bin,daemon<br />
sys:x:3:root,bin<br />
adm:x:4:root,daemon<br />
tty:x:5:<br />
disk:x:6:root<br />
lp:x:7:daemon<br />
mem:x:8:<br />
kmem:x:9:<br />
wheel:x:10:root<br />
ftp:x:11:<br />
mail:x:12:<br />
uucp:x:14:<br />
log:x:19:root<br />
utmp:x:20:<br />
locate:x:21:<br />
rfkill:x:24:<br />
smmsp:x:25:<br />
http:x:33:<br />
games:x:50:<br />
network:x:90:<br />
video:x:91:<br />
audio:x:92:<br />
optical:x:93:<br />
floppy:x:94:<br />
storage:x:95:<br />
scanner:x:96:<br />
power:x:98:<br />
nobody:x:99:<br />
users:x:100:<br />
dbus:x:81:<br />
ntp:x:87:<br />
avahi:x:84:<br />
domain computers:x:10008:<br />
domain controllers:x:10009:<br />
schema admins:x:10010:administrator<br />
enterprise admins:x:10011:administrator<br />
cert publishers:x:10012:<br />
domain admins:x:10013:test.user,administrator<br />
domain users:x:10006:<br />
domain guests:x:10007:<br />
group policy creator owners:x:10014:administrator<br />
ras and ias servers:x:10015:<br />
allowed rodc password replication group:x:10016:<br />
denied rodc password replication group:x:10017:krbtgt<br />
read-only domain controllers:x:10018:<br />
enterprise read-only domain controllers:x:10019:<br />
dnsadmins:x:10020:<br />
dnsupdateproxy:x:10021:<br />
}}<br />
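An added example, not from the article: a Python check that reads the idmap ranges from smb.conf and reviews getent-style passwd output for domain accounts outside the range, id clashes with local accounts, and domain names that a local account would shadow (because 'passwd: files winbind' consults files first). The smb.conf fragment and getent lines are constructed samples mirroring the values used on this page, so the script runs offline.<br />
```python
"""Sanity-check winbind identity mapping against the idmap ranges in smb.conf.

Added example, not part of the ArchWiki article.  Winbind-supplied accounts
are recognised by the '*' password field (as in the getent output above);
local accounts from /etc/passwd carry 'x'.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment with the ranges used on this page.
SMB_CONF = """\
[Global]
   workgroup = EXAMPLE
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = Yes
"""

# Constructed getent passwd lines.  The last two are deliberately wrong:
# svc.backup was mapped outside the range (and onto a local uid), and the
# domain account 'nobody' collides by name with the local 'nobody'.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
nobody:x:99:99:nobody:/:/bin/false
administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash
test.user:*:10000:10006:Test User:/home/EXAMPLE/test.user:/bin/bash
svc.backup:*:99:10006:Backup Service:/home/EXAMPLE/svc.backup:/bin/bash
nobody:*:10004:10007:Domain Nobody:/home/EXAMPLE/nobody:/bin/bash
"""


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from the 'idmap uid/gid' lines."""
    pattern = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                         re.M | re.I)
    ranges: Dict[str, Tuple[int, int]] = {}
    for key, lo, hi in pattern.findall(conf):
        low, high = int(lo), int(hi)
        if low > high:
            raise ValueError(f"idmap {key}: range {low}-{high} is inverted")
        ranges[key.lower()] = (low, high)
    missing = {"uid", "gid"} - ranges.keys()
    if missing:
        raise ValueError(f"smb.conf lacks idmap range(s): {sorted(missing)}")
    return ranges


def check_passwd(getent_output: str,
                 ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return human-readable findings; an empty list means the mapping looks sane."""
    local_by_name: Dict[str, int] = {}
    local_by_uid: Dict[int, str] = {}
    domain: List[Tuple[str, int, int]] = []
    for line in getent_output.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, _gecos, _home, _shell = line.split(":")
        if pw == "*":                     # supplied by winbind
            domain.append((name, int(uid), int(gid)))
        else:                             # local /etc/passwd entry
            local_by_name[name] = int(uid)
            local_by_uid[int(uid)] = name

    uid_lo, uid_hi = ranges["uid"]
    gid_lo, gid_hi = ranges["gid"]
    findings: List[str] = []
    for name, uid, gid in domain:
        if not uid_lo <= uid <= uid_hi:
            findings.append(f"{name}: uid {uid} outside idmap uid range {uid_lo}-{uid_hi}")
        if not gid_lo <= gid <= gid_hi:
            findings.append(f"{name}: primary gid {gid} outside idmap gid range {gid_lo}-{gid_hi}")
        if uid in local_by_uid:
            findings.append(f"{name}: uid {uid} clashes with local account {local_by_uid[uid]!r}")
        if name in local_by_name:
            findings.append(f"{name}: shadowed by a local account of the same name "
                            "(files is consulted before winbind)")
    return findings


if __name__ == "__main__":
    for finding in check_passwd(GETENT_PASSWD, parse_idmap_ranges(SMB_CONF)):
        print("WARNING:", finding)
```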
<br />
=== Testing Samba commands ===<br />
<br />
Try out some net commands to see if samba can communicate with AD:<br />
<br />
{{bc|1=<br />
# net ads info<br />
[2012/02/05 20:21:36.473559, 0] param/loadparm.c:7599(lp_do_parameter)<br />
Ignoring unknown parameter "idmapd backend"<br />
LDAP server: 192.168.1.2<br />
LDAP server name: PDC.example.com<br />
Realm: EXAMPLE.COM<br />
Bind Path: dc=EXAMPLE,dc=COM<br />
LDAP port: 389<br />
Server time: Sun, 05 Feb 2012 20:21:33 CST<br />
KDC server: 192.168.1.2<br />
Server time offset: -3<br />
}}<br />
<br />
{{bc|<br />
# net ads lookup<br />
[2012/02/05 20:22:39.298823, 0] param/loadparm.c:7599(lp_do_parameter)<br />
Ignoring unknown parameter "idmapd backend"<br />
Information for Domain Controller: 192.168.1.2<br />
<br />
Response Type: LOGON_SAM_LOGON_RESPONSE_EX<br />
GUID: 2a098512-4c9f-4fe4-ac22-8f9231fabbad<br />
Flags:<br />
Is a PDC: yes<br />
Is a GC of the forest: yes<br />
Is an LDAP server: yes<br />
Supports DS: yes<br />
Is running a KDC: yes<br />
Is running time services: yes<br />
Is the closest DC: yes<br />
Is writable: yes<br />
Has a hardware clock: yes<br />
Is a non-domain NC serviced by LDAP server: no<br />
Is NT6 DC that has some secrets: no<br />
Is NT6 DC that has all secrets: yes<br />
Forest: example.com<br />
Domain: example.com<br />
Domain Controller: PDC.example.com<br />
Pre-Win2k Domain: EXAMPLE<br />
Pre-Win2k Hostname: PDC<br />
Server Site Name : Office<br />
Client Site Name : Office<br />
NT Version: 5<br />
LMNT Token: ffff<br />
LM20 Token: ffff<br />
}}<br />
<br />
{{bc|<nowiki><br />
# net ads status -U administrator | less<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: user<br />
objectClass: computer<br />
cn: myarchlinux<br />
distinguishedName: CN=myarchlinux,CN=Computers,DC=leafscale,DC=inc<br />
instanceType: 4<br />
whenCreated: 20120206043413.0Z<br />
whenChanged: 20120206043414.0Z<br />
uSNCreated: 16556<br />
uSNChanged: 16563<br />
name: myarchlinux<br />
objectGUID: 2c24029c-8422-42b2-83b3-a255b9cb41b3<br />
userAccountControl: 69632<br />
badPwdCount: 0<br />
codePage: 0<br />
countryCode: 0<br />
badPasswordTime: 0<br />
lastLogoff: 0<br />
lastLogon: 129729780312632000<br />
localPolicyFlags: 0<br />
pwdLastSet: 129729764538848000<br />
primaryGroupID: 515<br />
objectSid: S-1-5-21-719106045-3766251393-3909931865-1105<br />
...<snip>...<br />
</nowiki>}}<br />
<br />
== Configuring PAM ==<br />
<br />
Now we will change various rules in PAM to allow Active Directory users to use the system for things like login and sudo access. When changing the rules, note that the order of these items, and whether they are marked as 'required' or 'sufficient', is critical to things working as expected. You should not deviate from these rules unless you know how to write PAM rules.<br />
<br />
=== /etc/pam.d/login ===<br />
In case of logins, PAM should first ask for AD accounts, and for local accounts if no matching AD account was found. Therefore, we add entries to include pam_winbind.so in the authentication process. Furthermore, we include pam_mkhomedir.so. If an AD user logs in, /home/example/user will be created automatically.<br />
<br />
{{bc|1=<br />
#%PAM-1.0<br />
auth required pam_securetty.so<br />
auth requisite pam_nologin.so<br />
auth sufficient pam_unix.so nullok<br />
auth required pam_winbind.so use_first_pass use_authtok<br />
auth required pam_tally.so onerr=succeed file=/var/log/faillog<br />
# use this to lockout accounts for 10 minutes after 3 failed attempts<br />
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog<br />
account required pam_access.so<br />
account required pam_time.so<br />
account sufficient pam_unix.so<br />
account sufficient pam_winbind.so use_first_pass use_authtok<br />
password required pam_pwcheck.so<br />
password sufficient pam_unix.so<br />
password sufficient pam_winbind.so use_first_pass use_authtok<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so sha512 shadow use_authtok<br />
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022<br />
session sufficient pam_unix.so<br />
session sufficient pam_winbind.so use_first_pass use_authtok<br />
session required pam_env.so<br />
session required pam_motd.so<br />
session required pam_limits.so<br />
session optional pam_mail.so dir=/var/spool/mail standard<br />
session optional pam_lastlog.so<br />
session optional pam_loginuid.so<br />
-session optional pam_ck_connector.so nox11<br />
-session optional pam_systemd.so<br />
}}<br />
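As an added illustration, not part of the original article and not the PAM library itself, the following Python script models how PAM walks the 'auth' lines of the stack above, feeding it a constructed table of module results instead of calling the real modules, to show why pam_unix stays 'sufficient' ahead of the 'required' pam_winbind.<br />
```python
"""Toy evaluator for PAM control flags, run over the auth stack above.

Added example, not from the ArchWiki article.  It implements the simplified
required / requisite / sufficient / optional semantics from pam.d(5); module
outcomes come from a fake lookup table, so nothing is really authenticated.
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]

# The 'auth' lines of the /etc/pam.d/login stack shown on this page.
LOGIN_AUTH_STACK: Stack = [
    ("required", "pam_securetty.so"),
    ("requisite", "pam_nologin.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_winbind.so"),
    ("required", "pam_tally.so"),
]


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack and return (authenticated?, modules that actually ran).

    results maps a module name to True (PAM_SUCCESS) or False (any failure);
    a module missing from the table is treated as failing.  Rules modelled:
      required   - a failure is remembered, but later modules still run
      requisite  - a failure stops the stack immediately with failure
      sufficient - success with no earlier required failure stops the stack
                   with success; a failure is simply ignored
      optional   - result ignored (the only-module special case is not modelled)
    """
    required_failed = False
    ran: List[str] = []
    for control, module in stack:
        ok = results.get(module, False)
        ran.append(module)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, ran
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r} for {module}")
    return not required_failed, ran


def with_unix_required(stack: Stack) -> Stack:
    """A common misedit: pam_unix marked 'required' instead of 'sufficient'.

    With this change every AD login fails, because pam_unix cannot verify an
    AD user and its 'required' failure is remembered even after pam_winbind
    succeeds.
    """
    return [("required" if m == "pam_unix.so" else c, m) for c, m in stack]


# Constructed module outcomes for three logins.
LOCAL_USER_OK = {"pam_securetty.so": True, "pam_nologin.so": True,
                 "pam_unix.so": True}
AD_USER_OK = {"pam_securetty.so": True, "pam_nologin.so": True,
              "pam_unix.so": False,          # unknown to /etc/shadow
              "pam_winbind.so": True, "pam_tally.so": True}
AD_USER_BAD_PW = dict(AD_USER_OK, **{"pam_winbind.so": False})


if __name__ == "__main__":
    for label, res in [("local user", LOCAL_USER_OK),
                       ("AD user", AD_USER_OK),
                       ("AD user, wrong password", AD_USER_BAD_PW)]:
        print(f"{label:25s}", run_stack(LOGIN_AUTH_STACK, res))
    print(f"{'pam_unix required, AD':25s}",
          run_stack(with_unix_required(LOGIN_AUTH_STACK), AD_USER_OK))
```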
<br />
=== Testing login ===<br />
Now, start a new console session (or ssh) and try to log in using the AD credentials. The domain name is optional, as 'winbind use default domain' was enabled in the Samba configuration. Please note that in the case of ssh, you will need to modify the /etc/ssh/sshd_config file to allow Kerberos authentication (KerberosAuthentication yes).<br />
<br />
{{bc|<br />
test.user<br />
EXAMPLE+test.user<br />
}}<br />
<br />
Both should work. You should notice that /home/example/test.user will be automatically created. Again, if you are using ssh, you need to add the pam_mkhomedir.so line mentioned above to the /etc/pam.d/sshd file.<br />
'''Log into another session using a Linux account. Check that you are still able to log in as root, but keep in mind to stay logged in as root in at least one session!'''<br />
<br />
=== /etc/pam.d/gdm ===<br />
'''''TODO'''''<br />
<br />
=== Sudo ===<br />
Another thing to get working is 'sudo'. First add 'test.user' to /etc/sudoers. You can tweak this later; for now let's test that things are working:<br />
==== /etc/sudoers ====<br />
{{bc|1=<br />
##<br />
## User privilege specification<br />
##<br />
root ALL=(ALL) ALL<br />
test.user ALL=(ALL) ALL<br />
}}<br />
<br />
If you were to attempt a sudo now, it would fail. <br />
<br />
==== /etc/pam.d/sudo ====<br />
Adjust the sudo file to mark pam_unix as sufficient and add the line for winbind as shown:<br />
<br />
{{bc|<br />
#%PAM-1.0<br />
auth sufficient pam_unix.so<br />
auth required pam_winbind.so use_first_pass use_authtok<br />
auth required pam_nologin.so<br />
}}<br />
<br />
== Configuring Shares ==<br />
Earlier we skipped configuration of the shares. Now that things are working, go back to /etc/samba/smb.conf and add the exports for the host that you want available on the Windows network. <br />
<br />
{{bc|1=<br />
[MyShare]<br />
comment = Example Share<br />
path = /srv/exports/myshare<br />
read only = no<br />
browseable = yes<br />
valid users = @NETWORK+"Domain Admins" NETWORK+test.user<br />
}}<br />
<br />
In the above example, the keyword 'NETWORK' is to be used. Do not mistakenly substitute this with your domain name. For adding groups, prepend the '@' symbol to the group. Note that 'Domain Admins' is enclosed in quotes so Samba parses it correctly when reading the configuration file.<br />
<br />
= Resources =<br />
<br />
* [http://en.wikipedia.org/wiki/Active_Directory Wikipedia: Active Directory]<br />
* [http://en.wikipedia.org/wiki/Samba_(software) Wikipedia: Samba]<br />
* [http://en.wikipedia.org/wiki/Kerberos_(protocol) Wikipedia: Kerberos]<br />
* [http://www.samba.org/samba/docs Samba: Documentation]<br />
* [http://wiki.samba.org/index.php/Samba_&_Active_Directory Samba Wiki: Samba & Active Directory]<br />
* [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html Samba Man Page: smb.conf]<br />
<br />
= Commercial Solutions =<br />
* Centrify<br />
* Likewise</div>LeX4051https://wiki.archlinux.org/index.php?title=Cross-compiling_tools_package_guidelines&diff=176371Cross-compiling tools package guidelines2012-01-01T04:23:31Z<p>LeX4051: /* Hows and whys */</p>
<hr />
<div>[[Category: Package development (English)]]<br />
== Important ==<br />
This page describes a proposal, not an accepted approach!<br />
<br />
==Building a Cross Compiler==<br />
The general approach to building a cross compiler is:<br />
#binutils: Build a cross-binutils, which links and processes for the target architecture<br />
#headers: Install a set of C library and kernel headers for the target architecture<br />
#gcc-stage-1: Build a basic (stage 1) gcc cross-compiler. This will be used to compile the C library. It will be unable to build almost anything else (because it can't link against the C library it doesn't have).<br />
#libc: Build the cross-compiled C library (using the stage 1 cross compiler).<br />
#gcc-stage-2: Build a full (stage 2) C cross-compiler. Can be built <br />
<br />
The source of the headers and libc will vary across platforms.<br />
<br />
== Package Naming ==<br />
The package name shall be prefixed with the word '''cross-''', followed by architecture name and the package name itself shall come at the end.<br />
<br />
Thus, cross GCC for MIPS shall be '''cross-mips-gcc'''.<br />
<br />
<br />
== File Placement ==<br />
To prevent file conflicts, place everything into '''/usr/lib/cross-<target>'''. The only exception to this rule are executables, that shall be placed directly into ''/usr/bin/'' (however, to prevent conflicts here, prefix all of them with architecture name).<br />
<br />
Typically, <code>./configure</code> would have at least following parameters:<br />
<pre>_target=<your-target> # e.g. i686-pc-mingw32<br />
_sysroot=/usr/lib/cross-${_target}<br />
...<br />
./configure \<br />
--prefix=${_sysroot} --sysroot=${_sysroot} \<br />
--bindir=/usr/bin</pre><br />
<br />
== Example ==<br />
This is a PKGBUILD for binutils for MinGW.<br />
Things worth noticing are:<br />
*specifying root directory of the cross-environment<br />
*usage of <code>${_pkgname}</code>, <code>${_target}</code> and <code>${_sysroot}</code> variables to make the code more readable<br />
*removal of the duplicated/conflicting files<br />
<pre># Maintainer: Allan McRae <allan@archlinux.org><br />
<br />
# cross toolchain build order: binutils, headers, gcc (pass 1), w32api, mingwrt, gcc (pass 2)<br />
<br />
_target=i686-pc-mingw32<br />
_sysroot=/usr/lib/cross-${_target}<br />
<br />
pkgname=cross-${_target}-binutils<br />
_pkgname=binutils<br />
pkgver=2.19.1<br />
pkgrel=1<br />
pkgdesc="MinGW Windows binutils"<br />
arch=('i686' 'x86_64')<br />
url="http://www.gnu.org/software/binutils/"<br />
license=('GPL')<br />
depends=('glibc>=2.10.1' 'zlib')<br />
options=('!libtool' '!distcc' '!ccache')<br />
source=(http://ftp.gnu.org/gnu/${_pkgname}/${_pkgname}-${pkgver}.tar.bz2)<br />
md5sums=('09a8c5821a2dfdbb20665bc0bd680791')<br />
<br />
build() {<br />
cd ${srcdir}/${_pkgname}-${pkgver}<br />
mkdir build && cd build<br />
<br />
../configure --prefix=${_sysroot} --bindir=/usr/bin \<br />
--with-sysroot=${_sysroot} \<br />
--build=$CHOST --host=$CHOST --target=${_target} \<br />
--with-gcc --with-gnu-as --with-gnu-ld \<br />
--enable-shared --without-included-gettext \<br />
--disable-nls --disable-debug --disable-win32-registry<br />
make || return 1<br />
make DESTDIR=${pkgdir}/ install || return 1<br />
<br />
# clean-up cross compiler root<br />
rm -r ${pkgdir}/${_sysroot}/{info,man}<br />
}</pre><br />
<br />
== Hows and whys ==<br />
Why not install into ''/opt''? There would be no need for fooling around with non-standard executable naming, etc.<br />
: Two reasons:<br />
:: First, according to File Hierarchy Standard, these files just belong somewhere to ''/usr''. Period.<br />
:: Second, installing into ''/opt'' is a last measure when there is no other option.<br />
<br />
What is that ''out-of-path executables'' thing?<br />
: This weird thing allows easier cross-compiling. Sometimes, project Makefiles do not use '''CC''' & co. variables and instead use '''gcc''' directly. If you just want to try to cross-compile such project, editing the Makefile could be a very lengthy operation. However, changing the <code>$PATH</code> to use "our" executables first is a very quick solution.<br />
: You would then run <code>PATH=/usr/bin/cross/<i>arch</i>/:$PATH make</code> instead of <code>make</code>.</div>LeX4051https://wiki.archlinux.org/index.php?title=Intel_graphics&diff=147336Intel graphics2011-06-26T00:18:11Z<p>LeX4051: /* X freeze/crash with intel driver */</p>
<hr />
<div>[[Category: Graphics (English)]][[Category: X Server (English)]]<br />
{{i18n|Intel}}<br />
[[fr:Intel]]<br />
{{Article summary start}}<br />
{{Article summary text|Information on Intel graphics cards/chipsets and the ''intel'' video driver.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|ATI}}<br />
{{Article summary wiki|NVIDIA}}<br />
{{Article summary wiki|Poulsbo}}<br />
{{Article summary wiki|Xorg}}<br />
{{Article summary end}}<br />
<br />
Since Intel provides and supports open source drivers, Intel graphics are now essentially plug-and-play.<br />
<br />
{{note|For use within the console without [[X]], see [[Uvesafb]].}}<br />
<br />
=== Models ===<br />
It is a popular mistake to think of "Intel 945G" and "Intel GMA 945" as being the same graphics chip with different names. As a matter of fact, the latter does not exist. Intel uses "GMA" to indicate the graphics core, or the GPU. Anything other than that is actually the model of the '''motherboard chipset''', like "915G", "945GM", "G965" or "G45".<br />
<br />
The more common GPUs and their corresponding motherboard chipsets are:<br />
<br />
* Intel GMA 900 (910, 915)<br />
* Intel GMA 950 (945)<br />
<br />
The "i810" chipset (again, motherboard; not GPU) is actually really old and was manufactured long before the 9xx product line with which the GMA onboard-graphics branding began. Similarly, alternative names for the 910, 915 and 945 chips may include the ''i'' prefix.<br />
<br />
See [http://en.wikipedia.org/wiki/Intel_GMA#Table_of_GMA_graphics_cores_and_chipsets this] for a list.<br />
<br />
=== Driver ===<br />
* xf86-video-intel<br />
<br />
== Installation ==<br />
Prerequisite: [[Xorg]]<br />
<br />
# pacman -S xf86-video-intel<br />
<br />
You may need to install lib32-intel-dri in 64-bit systems to use acceleration in 32-bit programs.<br />
<br />
== Configuration ==<br />
<br />
There is no need for any kind of configuration to get the Xorg running (an xorg.conf is unneeded).<br />
<br />
One thing that you should have already done from the start (not a configuration step per se) is to add your user to the relevant group:<br />
<br />
# gpasswd -a username video<br />
<br />
== KMS (Kernel Mode Setting) ==<br />
<br />
KMS is required in order to run X (Gnome, KDE, etc.).<br />
<br />
[[KMS]] is supported by Intel chipsets that use the i915 DRM driver and is now enabled by default as of kernel v2.6.32. Since xf86-video-intel 2.10, using KMS is [http://www.archlinux.org/news/484/ mandatory]. KMS is typically initialized after the kernel is bootstrapped. It is possible however to enable KMS during bootstrap itself, allowing the entire boot process to run at native resolution.<br />
<br />
{{Note|When using KMS, you ''must'' remove any references to "vga" or "video" from the kernel line in /boot/grub/menu.lst}}<br />
<br />
Add the {{Codeline|i915}} module to the MODULES line in {{Filename|/etc/mkinitcpio.conf}}:<br />
MODULES="'''i915'''"<br />
<br />
Now, regenerate the initramfs:<br />
# mkinitcpio -p kernel26<br />
where the 26 corresponds to the current kernel version of '''2'''.'''6'''.xx<br />
<br />
Everything should work now. If you are having problems, try explicitly enabling KMS by adding i915.modeset=1 to your kernel line in /boot/grub/menu.lst:<br />
# (0) Arch Linux<br />
title Arch Linux<br />
root (hd0,0)<br />
kernel /boot/vmlinuz26 root=/dev/... '''i915.modeset=1'''<br />
initrd /boot/kernel26.img<br />
and make sure that you do not use the "vga=..." property nor "nomodeset". Now reboot, and Xorg will work.<br />
<br />
If you ever want to disable KMS, you can change the {{Codeline|i915.modeset}} option to 0 in [[GRUB]]'s {{Filename|/boot/grub/menu.lst}}, without rebuilding anything:<br />
# (0) Arch Linux<br />
title Arch Linux<br />
root (hd0,0)<br />
kernel /boot/vmlinuz26 root=/dev/... '''i915.modeset=0'''<br />
initrd /boot/kernel26.img<br />
"i915.modeset=0" is the Intel equivalent of "nomodeset" for other video cards.<br />
{{Note| Adding '''nomodeset''' to the kernel boot line might prevent Gnome 3's gnome-shell or KDE's desktop effects from running.}}<br />
<br />
To disable it without editing {{Filename|menu.lst}}, turn on the machine and, when GRUB's screen appears, hit a key to disable the timeout. Select the kernel you want to boot (probably the one already selected) and hit "e" for "edit". Now select the line starting with "kernel" and hit "e" again to edit it. You can now add the {{Codeline|i915.modeset}} option and disable KMS by setting it to 0. Press enter and then "b" to boot. Note that this change is temporary: KMS will be enabled again on the next reboot.<br />
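<br />
The KMS steps above boil down to two things that are easy to get wrong by hand: the {{Codeline|i915}} module must be in the MODULES line of {{Filename|/etc/mkinitcpio.conf}}, and the kernel line must not carry "vga=", a legacy "video=" framebuffer setting, or "nomodeset" (the "video=&lt;port&gt;:d" form used later in this article to disable a port is the one "video=" value that is compatible with KMS). The following POSIX shell script is an added example, not part of the wiki article: it checks a kernel command line (by default the running one from /proc/cmdline) and an mkinitcpio.conf-style file for these conditions. The function names and the constructed sample lines in it are assumptions made for the example.<br />

```shell
#!/bin/sh
# Added example (not from the ArchWiki Intel page): sanity-check a kernel
# command line and an mkinitcpio.conf for the Intel KMS requirements
# described above. Function names here are the example's own, not a tool's.

# check_kms_cmdline CMDLINE
# Prints one line per problem found. Returns 0 when the line is KMS-clean,
# 1 when it carries an option that disables or conflicts with KMS.
check_kms_cmdline() {
    cmdline="$1"
    status=0
    for opt in $cmdline; do
        case "$opt" in
            vga=*)
                # Legacy VESA framebuffer mode: must be removed for KMS.
                echo "WARN: '$opt' conflicts with KMS; remove it"
                status=1 ;;
            video=*:d)
                # video=<port>:d only disables an output port; harmless.
                ;;
            video=*)
                # Any other video= value selects a legacy framebuffer mode.
                echo "WARN: '$opt' conflicts with KMS; remove it"
                status=1 ;;
            nomodeset)
                echo "WARN: 'nomodeset' disables KMS globally (breaks gnome-shell/KDE effects)"
                status=1 ;;
            i915.modeset=0)
                echo "INFO: KMS is explicitly disabled for i915 (i915.modeset=0)"
                status=1 ;;
        esac
    done
    return $status
}

# has_i915_module FILE
# Returns 0 if the MODULES line of an mkinitcpio.conf-style file lists i915,
# whether written as MODULES="i915" or MODULES="ahci i915".
has_i915_module() {
    grep -E '^MODULES=.*[ "(]i915[ ")]' "$1" >/dev/null 2>&1
}

# Stand-alone usage: check the running system if the files are readable.
if [ -r /proc/cmdline ]; then
    check_kms_cmdline "$(cat /proc/cmdline)" && echo "kernel line: OK" || :
fi
if [ -r /etc/mkinitcpio.conf ]; then
    has_i915_module /etc/mkinitcpio.conf && echo "mkinitcpio MODULES: i915 present" \
        || echo "mkinitcpio MODULES: i915 missing; add it and run mkinitcpio"
fi
```

Run it before rebooting after editing {{Filename|menu.lst}}; a candidate kernel line can also be passed as a string to {{Codeline|check_kms_cmdline}} to vet it before it is written to the boot loader configuration.<br />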
<br />
{{Note|If you get a blank screen during the boot process with an Intel GMA 950, downgrade to kernel 2.6.31.6-1 or disable modesetting with the kernel boot parameter.}}<br />
<br />
=== See also ===<br />
* [[KMS]] &mdash; Arch wiki article on kernel mode setting<br />
* Arch Linux forums: [http://bbs.archlinux.org/viewtopic.php?pid=522665#p522665 Intel 945GM, Xorg, Kernel - performance]<br />
<br />
== Tips and tricks ==<br />
<br />
=== Setting scaling mode ===<br />
<br />
This can be useful for some full screen applications.<br />
xrandr --output LVDS1 --set PANEL_FITTING param<br />
where <tt>param</tt> can be<br />
* <tt>center</tt>: the resolution is kept exactly as defined and no scaling is applied,<br />
* <tt>full</tt>: scale the resolution so it uses the entire screen or<br />
* <tt>full_aspect</tt>: scale the resolution to the maximum possible but keep the aspect ratio.<br />
If it does not work, you can try<br />
xrandr --output LVDS1 --set "scaling mode" param<br />
where <tt>param</tt> is one of <tt>"Full"</tt>, <tt>"Center"</tt> or <tt>"Full aspect"</tt>.<br />
<br />
=== KMS Issue: console is limited to small area ===<br />
<br />
One of the low-resolution video ports may be enabled on boot, which causes the console to use only a small area of the screen.<br />
To fix, explicitly disable the port with an i915 module setting. For example, add the following to the end of the kernel line in {{Filename|/boot/grub/menu.lst}}:<br />
<br />
video=SVIDEO-1:d<br />
<br />
If that doesn't work, you may also try disabling TV1 or VGA1 instead of SVIDEO-1.<br />
<br />
==Supported hardware==<br />
See http://intellinuxgraphics.org/documentation.html.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Glxgears shows low performance results ===<br />
<br />
If you run glxgears to check your system's graphics performance, you may notice that it reports results around '''60 FPS''':<br />
<br />
...<br />
311 frames in 5.0 seconds = 61.973 FPS<br />
311 frames in 5.0 seconds = 62.064 FPS<br />
311 frames in 5.0 seconds = 62.026 FPS<br />
...<br />
<br />
This is not a performance regression: your graphics output is synchronized to '''VSync''', that is, to your screen's native refresh rate, so the frame rate is capped at that value.<br />
<br />
{{Note| glxgears is not a benchmark for performance comparison between two or more systems.}}<br />
<br />
=== Blank screen during boot, when "Loading modules" ===<br />
<br />
If you are using "late start" KMS and the screen goes blank at "Loading modules", it may help to add i915 and intel_agp to the initramfs. See [[Intel#KMS (Kernel Mode Setting)|KMS]] above.<br />
<br />
Alternatively, appending the following to the kernel command line seems to work as well:<br />
video=SVIDEO-1:d<br />
<br />
=== External monitor connected to laptop flashes black every 30 seconds ===<br />
<br />
If your laptop uses Intel HD graphics and your external LCD flashes to black every 30 seconds, upgrading your video driver and kernel may help. As of this writing, xf86-video-intel 2.14.0-1 and kernel 2.6.37-5 have resolved this issue.<br />
<br />
=== X freeze/crash with intel driver ===<br />
If X crashes, the GPU hangs, or X freezes, the fix may be [https://bbs.archlinux.org/viewtopic.php?pid=938004#p938004 to use the "Shadow" option]:<br />
{{File|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device"<br />
Identifier "old intel stuff"<br />
Driver "intel"<br />
Option "Shadow" "True"<br />
Option "DRI" "false"<br />
EndSection}}</div>LeX4051