I use the term hacking in the classic sense, not in the cracker sense.
We moved one of our enterprise electronic medical records (EMR) systems from AIX to Linux over the last few weeks. Go-live was last Thursday night, and I would like to take the time to discuss one of the more interesting hacks we did. It was a long project with some interesting puzzles, but this was the most interesting to me.
We were told that you cannot integrate Star/MSE into Active Directory. As far as I was concerned, that was throwing down the gauntlet: a challenge to make it work. We have had our fair share of problems with Samba and AD over the years, so my boss was pushing to use Likewise rather than pure Samba. We have a split infrastructure: most of the virtual servers use Likewise because my boss set them up, whereas all of the pure Linux servers use Samba because I set them up. It boiled down to this: my boss can hack around Likewise, and I am more comfortable hacking Samba. I talked him into Samba, so I had to make it work. My boss had hacked Likewise to do something similar, so we discussed it and the resulting code is below.
For those who use Star/MSE, you probably understand the login process; for those who don't, let me explain. Every user who gets a GUI interface on a Star server shares the same home directory under a restricted Korn shell. We have about 1,500 users that all share one home directory, but it doesn't matter because the .profile just fires off a GUI program. In a typical setup all of the users are in the hbo group, and in the password file their home points to /home/mse.
We configured winbind to use the system files first, then AD. This is so that we could have an orderly move from system authentication to AD authentication.
    # cat /etc/nsswitch.conf | grep winbind
    passwd: files winbind
    shadow: files winbind
    group:  files winbind
In AD we made two groups: hbo, to map to the Linux hbo group, and a nomse group. Then we forced every AD user into the /home/mse directory upon login with the following configuration in /etc/samba/smb.conf.
    template shell = /bin/rksh
    template homedir = /home/mse
    winbind use default domain = true
    obey pam restrictions = yes
The point of the nomse group is to be able to pick out the users who should not have the GUI fired off upon login. Even though the group numbers do not match and they are not group-mapped with the net groupmap command, it doesn't matter. The trick here is that I am looking for group names in the .profile rather than gids. Below is a portion of the .profile; I would include more, but I am not sure of the copyright and it is not pertinent to the discussion.
    ## 2010-05-19 Jud Bishop
    ## This is for Active Directory integration of MSE.
    ## DO NOT CHANGE THIS PORTION OF THE FILE OR USERS WILL NOT BE ABLE TO LOGIN.
    USER=`whoami`
    for I in `groups | cut -d \: -f 2`
    do
        if [ "$I" = "nomse" ]
        then
            export HOME="/home/AD/$USER"
            export SHELL="/bin/bash"
            # The MSEFLAG used to be set below, it is now set here for AD integration.
            MSEFLAG=NO
            # This break is crucial because it exits out with the correct $HOME
            break
        else
            export HOME="/home/mse"
            MSEFLAG=YES
        fi
    done
    echo "Setting home directory to $HOME"
    cd $HOME
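As an added example (not part of the original post or the MSE .profile), here is the same group-name decision written as a function that can be exercised offline against both forms `groups` can print, plus a check that the one .profile all 1,500 GUI users execute at login is owned by root and not writable by group or world. The function names, the exit codes and the sample group strings are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are my own.
# resolve_mse_home USER "GROUPS_OUTPUT"
# Accepts both forms `groups` can print ("user : g1 g2" or "g1 g2") and
# prints "<home> <MSEFLAG>", matching on the group *name* as the .profile does.
resolve_mse_home() {
    user=$1
    case $2 in
        *:*) names=${2#*:} ;;   # drop the "user :" prefix
        *)   names=$2 ;;
    esac
    home="/home/mse"
    flag="YES"
    for g in $names; do
        if [ "$g" = "nomse" ]; then
            home="/home/AD/$user"
            flag="NO"
            break
        fi
    done
    printf '%s %s\n' "$home" "$flag"
}

# check_shared_profile FILE [OWNER]
# All GUI users run this one file at login, so it must belong to OWNER
# (root by default) and must not be group- or world-writable.
# Exit codes: 0 ok, 1 missing, 2 wrong owner, 3 writable by others.
check_shared_profile() {
    f=$1
    want=${2:-root}
    [ -f "$f" ] || return 1
    # GNU stat first, BSD stat as fallback.
    info=$(stat -c '%a %U' "$f" 2>/dev/null || stat -f '%Lp %Su' "$f")
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$want" ] || return 2
    # Write bit set in the group digit (second from right) or the other digit.
    case $mode in
        *[2367]?|*[2367]) return 3 ;;
    esac
    return 0
}

# Run directly with --demo to evaluate the current login and audit the profile.
if [ "${1:-}" = "--demo" ]; then
    resolve_mse_home "$(id -un)" "$(groups)"
    check_shared_profile /home/mse/.profile && echo "shared .profile OK"
fi
```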