I was going to install Ubuntu on my Dell Desktop (n-Series) at work. So, I burned a CD, fired it up, and…the setup crashed to BusyBox with errors about the ata device. I had seen this before. It had been a while, but I had seen it before. A few minutes of irritated googling later, I came up with the following steps:

  1. boot to the live CD
  2. add these options to the kernel line (press F6 to get there):
  3. Because of my dual head setup, it was also easier to boot into safe graphics mode

This allowed me to run setup and get Ubuntu installed…and I shouldn’t even have to mess with it.

Joining a Debian box to an Active Directory Domain

I’ve been building a few servers, as of late, at work. For our Windows workstations, we have an AD domain controller setup which, obviously, handles the authentication for each of those machines. For us, as for our users, it is nice to be able to use our normal logins for all of the server maintenance.

So, I joined the boxes to the domain. Like so many things in the Linux world, this task is, ultimately, not hard and has been done by a gazillion people, most of whom have written on it to some degree or another. But, at the same time, the documentation that is received is almost always sketchy, dropping an “obvious” step or two and simply ploughing through. I found some good resources, but still ended up “patching” my directions to get everything working as it ought. Most of the directions came from the first reference below, the author of which seems to be a man after my own heart. However, I still had to do some tweaking.

Note: all commands run as root. Anywhere REALMNAME is used, this is the full domain (i.e. myorg.local or myorg.net, not simply myorg). Anywhere DOMAINNAME is used, the short name is what it means (myorg, not myorg.local or myorg.net). pdc_ip_address is the IP address for the primary domain controller. Should be obvious, but let’s follow the KISS principle, shall we?

  1. Install the software. Notice that, as opposed to in [1], I installed the package ntp not ntp-server
    apt-get install libkrb53 krb5-config samba winbind ntpdate ntp
  2. Stopping the services.
    sudo /etc/init.d/samba stop
    sudo /etc/init.d/winbind stop
    sudo /etc/init.d/ntp stop
  3. Kerberos needs to be able to do a reverse DNS lookup on the domain controller [1]. This caused me all sorts of problems. In our network, this simply wasn’t happening automatically. Rather than try to figure out why, I added the domain controller to /etc/hosts and restarted the networking service. The downside to this, of course, is that if the IP for the domain controller ever changes (like, maybe, during a network upgrade), the entry in /etc/hosts goes stale and has to be updated by hand.
  4. Configure Kerberos as in [1]
    • Add a section like the following to the section [realms]
      kdc = pdc_ip_address
    • In the section libdefaults, set the default realm like so:
      default_realm = REALMNAME
  5. Configure ntp as in [1]
    • Add a line of the form
      server pdc_ip_address
      to /etc/ntp.conf
    • Start the service with /etc/init.d/ntp start
  6. Configure Winbind as in [1] with the following supplemental lines (note: the last few lines disable printing; this was good for the server I was using and suppressed complaints in the logs, but if you need printing take them out):
    realm = REALMNAME
    workgroup = DOMAINNAME
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = \
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
  7. Configure nsswitch

    • Make the following changes to /etc/nsswitch.conf:

      passwd:         files winbind
      group:          files winbind
    • Then, update your configuration with ldconfig

  8. Join the domain with:

    sudo net ads join -U "DOMAINADMIN"
  9. Start samba and winbind
    /etc/init.d/samba start
    /etc/init.d/winbind start
  10. Test
    Run: wbinfo -u
    If you get a list of domain users, you’re on. Otherwise, check logs and doublecheck yourself.
  11. Make the following changes to your pam authentication:

    # /etc/pam.d/common-account
    account	sufficient	pam_winbind.so
    account	required	pam_unix.so
    # /etc/pam.d/common-auth
    auth	sufficient	pam_winbind.so
    auth	required	pam_unix.so use_first_pass
    # /etc/pam.d/common-session
    session	required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session	sufficient	pam_winbind.so
  12. Try to log in with a domain user. This can be done "at the box" or through an SSH session if sshd has been configured to use PAM.

This is almost verbatim from [1]. The changes occur in making an addition to /etc/hosts and restarting networking BEFORE continuing and in some extra lines to /etc/samba/smb.conf. Oddly enough, when I was working on a workstation instead of a server, Ubuntu’s GUIfied version of this process was overly involved and a general pain in the neck.
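A consistency check across the files edited in steps 4, 6 and 7, as an added example that is not part of the original post or of [1]: it flags a realm mismatch between krb5.conf and smb.conf, settings repeated in smb.conf, a missing winbind entry in nsswitch.conf, and local accounts whose UID falls inside the idmap range (where a local user and a domain user would share a UID). The helper names, the sample file contents and the user backup2 are constructed for illustration.

```python
def parse_kv(text, sep="="):
    """Parse 'key <sep> value' lines; return ({key: value}, [keys set more than once])."""
    values, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or sep not in line:
            continue  # blank line, comment, section header or non-assignment
        key, _, val = line.partition(sep)
        key = " ".join(key.lower().split())
        if key in values:
            dupes.append(key)
        values[key] = val.strip()
    return values, dupes

def check_join_config(krb5, smb, nsswitch, passwd):
    """Return a list of findings; an empty list means the files agree."""
    krb, _ = parse_kv(krb5)
    samba, dupes = parse_kv(smb)
    nss, _ = parse_kv(nsswitch, sep=":")
    findings = [f"smb.conf: '{k}' is set more than once" for k in dupes]
    if krb.get("default_realm") != samba.get("realm"):
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if samba.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not 'ads'")
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, "").split():
            findings.append(f"nsswitch.conf: '{db}' does not consult winbind")
    if "idmap uid" in samba:
        lo, hi = (int(x) for x in samba["idmap uid"].split("-"))
        for entry in passwd.strip().splitlines():
            name, _, uid = entry.split(":")[:3]
            if lo <= int(uid) <= hi:  # a local account would share a UID with a domain user
                findings.append(f"local user '{name}' (uid {uid}) is inside the idmap uid range")
    return findings

# Constructed sample files (not from the original post), each with one planted mistake.
KRB5 = "[libdefaults]\ndefault_realm = MYORG.LOCAL\n"
SMB = """realm = MYORG.NET
security = ads
idmap uid = 10000-20000
winbind enum users = yes
winbind enum users = yes
"""
NSSWITCH = "passwd: files winbind\ngroup: files\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nbackup2:x:10001:100::/home/backup2:/bin/sh\n"

if __name__ == "__main__":
    for finding in check_join_config(KRB5, SMB, NSSWITCH, PASSWD):
        print(finding)
```

On a real box, pass in the contents of the four files instead of the samples and run it before step 8.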

  1. Using Winbind to Resolve Active Directory Accounts in Debian
  2. Samba Documentation: Chapter 24: Winbind: Use of Domain Accounts

Running CL-SDL in CLISP

I have been experimenting with ways to do this on and off, but I finally got CL-SDL loaded into CLISP and without the UFFI patches that are on sourceforge.

It is the kind of thing that should not have been hard and, in the end, it really wasn’t. It was just a matter of doing the research. I have learned more about Common Lisp packages, implementations, and FFIs than I would have expected on this little project.

The main thrust is that UFFI does not support CLISP, though CFFI does. Fortunately, CFFI includes a compatibility layer that allows it to use UFFI bindings. While I had read this on cliki.net, it took a great deal more googling to figure out how to use the darn thing. On the lispwannabe blog, the writer shows an asdf package for uffi that loads cffi’s compatibility layer into asdf as uffi. This is important, because a great many other things expect to find uffi there. At this point, using cl-sdl’s example1.lisp works when I used the following code:

(require 'asdf)
(asdf:operate 'asdf:load-op :uffi)
(asdf:operate 'asdf:load-op :sdl)

(load "example1")

This, however, does not solve the whole problem in interactive mode. Within cl-sdl, there are a number of places where slightly different code is written for slightly different implementations. This causes a problem as CLISP doesn’t offer any of them in its *features* variable. One answer is to add CLISP’s feature to the lists in the bindings, but that takes a good deal of work. Instead, what I found is that if you just push :cmucl onto *features*, it works.

Where to go from here: get started on the rewrite of Latrunculi’s graphics system, for one. Another would be to try and use this information to use CL-SDL from within ECL which seems, so far as I can tell, to be the CL implementation with the best Windows support.