Hello,
My company, EditShare (based in Boston, MA, USA) is looking for an
expert in configuring Ubuntu Server 12.04 LTS to work with Active
Directory/Windows Server 2008 R2. We need somebody who has done this
many times before and who does not need time for research.
We already hired a reasonably experienced freelance system
administrator to get us going, and we seem to be most of the way
towards getting what we need. However, we are stuck on the last part
and rather than just asking people here on this list to volunteer their
time to help us, I want to say we would be happy to pay somebody to
help us finish what the first system administrator started.
As I said above, we already have working most of what we need:
-- Required winbind, pam and kerberos packages installed on Ubuntu
-- Can create Organization Unit in Active Directory and add user
accounts to it, including a privileged user who can add computers to
the domain
-- Can join Ubuntu to the Active Directory domain OU
-- Can see AD users' UIDs and GIDs in Ubuntu with "getent" command
-- "kinit" and "klist" commands working
-- AD domain users can log into Windows (and Mac OS X) with their
domain credentials
-- AD domain users can browse and mount Ubuntu Samba shares from
Windows or OS X without having to supply any additional username and
password credentials (and users can only see the shares they are
supposed to see, as defined in each smb.{ActiveDirectoryUserName}.conf
file -- we use an "include" line in the smb.conf file to have a
separate smb.{ActiveDirectoryUserName}.conf file for each user)
BUT the one thing we are not able to do yet is to mount Ubuntu shares
on the Windows or Mac workstations when the Active Directory server is
disconnected or down. Jeremy Allison from Samba.org kindly answered my
recent emails to this list (see thread "Mounting Linux Samba Shares on
Windows when Active Directory Server is down") and confirmed that
mounting Ubuntu shares when the Active Directory server is unreachable
should work in cases where the user has cached tickets. However,
looking at the logs from the Ubuntu Samba server, we can see that when
Windows users browse and mount Ubuntu shares, NTLM is being used
instead of Kerberos, meaning Ubuntu has to be able to contact the
Active Directory server to get a "yes" or "no". It seems our Ubuntu
Samba is not using the Kerberos tickets. The question is, where is the
problem, and what do we need to do to fix it?
We are very short on time to find a solution, and all of our developers
are very busy with other projects. For this reason, we would be very
happy to hire somebody else to help us get to the finish line as
quickly as possible. Hopefully, we are just missing some small detail
and it's a quick fix.
If you are interested, please contact me at "work // at //
editshare.com".
We also have a related bonus project. We are looking for somebody who
can help us figure out how to get two standalone Windows and Mac
"client applications" (one written in C++, the other in Python) to take
advantage of the Single Sign On system to authenticate to our Ubuntu
server applications. We have an okay workaround for this so it's not
mission critical, but it would be better to do this the right way if
there is a reasonable solution.
Hopefully, I have not committed some terrible offense by advertising a
job like this on the Samba list. If somebody wants to help us gratis,
that's fine too. But I realize that people are busy and most people
can only help out for free as time permits, and we are running out of
time to solve this problem.
Thanks for your attention. I'm looking forward to hearing back from
somebody who is interested.
Cheers,
Andy Liebman
CEO, EditShare