Fozzologs

About...

These posts are the creation of Doran L. Barton (AKA Fozziliny Moo). To learn more about Doran, check out his website at fozzilinymoo.org.


Failure is not an option!

Posted: 21 March 2006 at 23:55:52

"There are no graduates. The learning never stops." -- Rush Limbaugh says that every once in a while when identifying the Rush Limbaugh Institute for Advanced Conservative Studies.

I like the mantra, today it applies to me, and I think it should apply to everyone in the open source community.

We recently got a call from a guy with a company out of Utah County who needed some work done on a Linux server. The first meeting took a couple months to set up, but it finally happened about a month ago. Adam and I checked it out. He had a Dell rackmount box that had suffered some hardware failure of some kind. It was a pretty important server, so they hurried and built a new server on other hardware.

This led to them contacting us. Now that the original hardware was fixed, our client wanted us to document everything that was installed and configured on the rebuilt system and duplicate it on the original system -- fixing things that weren't done quite right along the way.

We did all that and delivered a 26 page set of documentation on the system.

Our client then requested that we do two more things. First, he wanted one machine to act as a failover slave to the other. Second, he wanted to implement a single-signon scenario so that users of the Linux system could use their Windows network usernames and passwords to log into the Linux system via SSH.

I've set up a couple High-Availability Linux clusters before, so I wasn't worried about that, but I hadn't really investigated the single-signon thing before - especially not with Windows as the authentication source.

Turns out the single-signon thing wasn't that difficult. It comes down to a handful of steps:

  1. Edit /etc/nsswitch.conf and add winbind after files for the passwd and group entries. Keeping files first means local accounts (root above all) are resolved before the domain is ever consulted.
  2. Configure /etc/krb5.conf with the right Kerberos realm name and the domain controller as its KDC.
  3. Configure /etc/samba/smb.conf with the winbind parameters: workgroup, realm, security, the idmap uid and idmap gid ranges (which must not collide with local UIDs and GIDs), template homedir and template shell.
  4. Join the domain with net rpc join -S PDC -U Administrator, where PDC is the name of the domain controller; you are prompted for the Administrator password.
  5. Start the winbind service and restart Samba. wbinfo -t confirms the machine trust account is working, and getent passwd should now resolve domain users.
  6. Edit login and sshd in /etc/pam.d and add lines like auth sufficient /lib/security/pam_winbind.so, which tells PAM to use winbind as a source of credential validation. sufficient means a password winbind accepts ends the auth stack right there, while a rejection falls through to the remaining modules, so local accounts keep working.
  7. Edit /etc/pam.d/system-auth and add a line session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022 so that PAM creates a home directory (at the path given by the template homedir directive in the Samba configuration file) when a user successfully logs in for the first time. umask=0022 makes those directories world-readable; use umask=0077 if they should be private.
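
The seven steps above, as an added example rather than anything from the original post: a POSIX shell script that applies them under a scratch directory ($ROOT) by default and touches the live system only when run with ROOT=/. The domain EXAMPLE, realm EXAMPLE.COM, controller dc1.example.com, the idmap ranges, the stock starting contents of nsswitch.conf and the PAM files, and the Red Hat style service names are all assumptions; security = domain is used because the post joins with net rpc join.

```shell
#!/bin/sh
# Added example, not the post's own files: the seven winbind steps applied under
# $ROOT (a scratch tree by default; ROOT=/ means the live system). Domain, realm,
# DC name, idmap ranges and the Red Hat service names are assumptions.
set -eu
ROOT="${ROOT:-$(mktemp -d)}"
DOMAIN="EXAMPLE"               # assumed NT domain (workgroup) name
REALM="EXAMPLE.COM"            # assumed Kerberos realm
DNSDOMAIN="example.com"        # assumed DNS domain of the realm
DC="dc1.example.com"           # assumed domain controller
mkdir -p "$ROOT/etc/samba" "$ROOT/etc/pam.d"

# Step 1: winbind after files for passwd and group, so local accounts are
# resolved first. Idempotent: re-running never yields "files winbind winbind".
add_winbind_nss() {
    f="$1"
    for db in passwd group; do
        if ! grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$f"; then
            sed "s/^\($db:[[:space:]]*files\)/\1 winbind/" "$f" > "$f.new"
            mv "$f.new" "$f"
        fi
    done
}

# Step 2: minimal krb5.conf naming the realm and its KDC.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
[realms]
    $REALM = {
        kdc = $DC
        admin_server = $DC
    }
[domain_realm]
    .$DNSDOMAIN = $REALM
EOF
}

# Step 3: the winbind parameters. security = domain matches the net rpc join
# in step 4; the idmap ranges must not overlap UIDs/GIDs in /etc/passwd.
write_smb_conf() {
    cat > "$1" <<EOF
[global]
    workgroup = $DOMAIN
    realm = $REALM
    security = domain
    password server = $DC
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
EOF
}

# Steps 6 and 7: insert "TYPE CONTROL MODULE ARGS" before the first existing
# TYPE line (so pam_winbind runs ahead of the local stack and any pam_deny);
# append if the file has no TYPE line yet; do nothing if it is already there.
add_pam_line() {
    f="$1"; t="$2"; line="$2 $3"
    if grep -Fqx "$line" "$f"; then return 0; fi
    awk -v t="$t" -v l="$line" '!done && $1 == t { print l; done = 1 } { print }' "$f" > "$f.new"
    if ! grep -Fqx "$line" "$f.new"; then echo "$line" >> "$f.new"; fi
    mv "$f.new" "$f"
}

# Steps 4 and 5 plus the checks to run before anyone logs in; live system only.
join_and_start() {
    if [ "$ROOT" != "/" ]; then
        echo "rehearsal under $ROOT: skipping net rpc join and service restarts"
        return 0
    fi
    net rpc join -S "$DC" -U Administrator   # prompts for the Administrator password
    service winbind start
    service smb restart
    wbinfo -t                                # machine trust account secret is valid
    getent passwd administrator              # nsswitch (step 1) resolves a domain user
}

if [ "$ROOT" != "/" ]; then
    # Constructed stock files for the rehearsal; never written when ROOT=/.
    printf 'passwd:     files\ngroup:      files\nhosts:      files dns\n' > "$ROOT/etc/nsswitch.conf"
    printf '#%%PAM-1.0\nauth       required     pam_stack.so service=system-auth\nauth       required     pam_nologin.so\naccount    required     pam_stack.so service=system-auth\nsession    required     pam_stack.so service=system-auth\n' > "$ROOT/etc/pam.d/sshd"
    cp "$ROOT/etc/pam.d/sshd" "$ROOT/etc/pam.d/login"
    printf '#%%PAM-1.0\nauth       required     pam_env.so\nauth       sufficient   pam_unix.so nullok\nauth       required     pam_deny.so\naccount    required     pam_unix.so\nsession    required     pam_limits.so\nsession    required     pam_unix.so\n' > "$ROOT/etc/pam.d/system-auth"
fi

add_winbind_nss "$ROOT/etc/nsswitch.conf"
write_krb5_conf "$ROOT/etc/krb5.conf"
write_smb_conf  "$ROOT/etc/samba/smb.conf"
for svc in login sshd; do
    add_pam_line "$ROOT/etc/pam.d/$svc" auth "sufficient /lib/security/pam_winbind.so"
done
# umask=0077 rather than the post's 0022 so new home directories are not world-readable.
add_pam_line "$ROOT/etc/pam.d/system-auth" session \
    "required /lib/security/\$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077"
join_and_start
```

Run it once without ROOT to see exactly what it would change, diff the scratch tree against the real /etc, then run it as root with ROOT=/ during the maintenance window. Every edit is idempotent, so a second run (after a failover rebuild, say) leaves the files as they were.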

And that's pretty much it.

Tonight was my final visit for these projects. We did it after hours so we could take the servers down for IP address changes and what-not. Two to three hours later, I had two servers using heartbeat failover and accepting Windows username and password logins. Very nice.