Pi & Windows Domain

Posted: Mon Jan 07, 2013 5:39 pm
by monaghan
Has anyone got a simple solution for a Windows login? The school has an RM-supplied Windows (I presume it is a standard Windows AD controller) and it would be ideal to have a single login using the Windows account so kids don't need to have different login steps depending on where they log in from.

Re: Pi & Windows Domain

Posted: Mon Jan 07, 2013 8:02 pm
by SimonSmall
I don't know much about Windows Active Directory, nor can I experiment as I don't use Active Directory at home.

If you search the internet for "Active Directory Linux" you will find lots of results. They involve installing several packages on the Linux machine, plus setting up Active Directory, and I don't even know if those packages are available for the Pi.

Not a lot of help, perhaps, but good luck!

Re: Pi & Windows Domain

Posted: Mon Jan 07, 2013 9:33 pm
by morphy_richards
Be careful before you invest a lot of time. RM tend to make their own alternatives to many standard Windows tools like AD which do the same job but may not be compatible in the same way as AD proper.

Re: Pi & Windows Domain

Posted: Mon Jan 07, 2013 11:54 pm
by monaghan
Thanks,

Anyone else in an educational Windows environment using a Pi?

Re: Pi & Windows Domain

Posted: Thu Jan 17, 2013 5:48 pm
by sycarion
I am trying to get Pi to talk to Windows Domain.

The rationale is that all student work is tracked by student account (and through their Active Directory account, they have access to network shares).

I'm going to start with this wiki entry and see how far I get:

http://wiki.debian.org/AuthenticatingLi ... eDirectory

Let me know if you get there first!

I don't have an actual Raspbi yet, so I'm running it through qemu on an older server no one wants. If I get it to work, I will let everyone know.

Re: Pi & Windows Domain

Posted: Thu Jan 17, 2013 9:11 pm
by sycarion
Sorry, forgot to say that I am in a fairly large school district in the US.

Right now, there is interest in Math Curriculum, but I'm sure that there are other places.

So far, some ideas (instructional and functional) include:
  • Obviously, including them in current programming curriculum (maybe add Python to current curriculum.)
  • Modifying .stl files for customized cases in CAD classes. (One of the CAD departments has a 3d printer.)
  • Digital signage. There are locations currently using an old PC tower to run digital signage.
  • Hacking by the Robotics Team in one of the high schools.
  • Web kiosk for password resets, HR information lookup and other light web browsing needs.
  • Part of the gaming curriculum used by one of the high schools.
  • Use in schools that are already teaching Scratch as a much cheaper mobile lab setup.
Long-term, I could see them being used as computers we can check out to families that otherwise could not afford access to a computer to learn programming and other skills.

There are, of course, lots of other uses for them. These are just things that seem possible off the top of my head. The first thing the system engineers will want to know is the ability to log into them using Active Directory credentials. It's not a deal-breaker, but if I can get it to work, that would ease a lot of concerns.

After that, it is providing information for straightforward things that are already documented in other places like adding a wifi dongle, installing xrdp (and/or x11vnc), and a few other things.

I'd also like to get (R)?ex working so that I can use ssh to do things like push content to groups of computers, remotely run updates, etc.

Lots of stuff, I know, but I hope to figure out AD. Most of the other stuff is either already done or documented.

Re: Pi & Windows Domain

Posted: Thu Jan 17, 2013 11:27 pm
by SimonSmall
I realise that there are rules about secure access so that the school systems can be protected, so using AD is a way of controlling what access all users of the network have. I think that somehow this is against the intention and benefit of the Pi.

How does the use of AD restrict the investigation of creating new users on the Pi, and investigating user permissions? Would a user even be allowed root access on the Pi? There are ways of allowing access to the internet that do not give access to the rest of the network, and ways of allowing access to shared folders via a network logon (I think; I am barely familiar with AD). I wonder if trying to integrate the Pi into AD might be the wrong direction.

Why Active Directory When I Would Choose to Go Another Route

Posted: Fri Jan 18, 2013 3:27 am
by sycarion
I am not a fan of Active Directory. There are other ways of doing things, but I do not have the power to change that. Our district has over fifty thousand students and over 80 locations. Such a change in infrastructure away from Active Directory would require years of planning and testing. As such, it would be easier for me to introduce widespread use of Raspberry Pis if I could use the infrastructure tools we already have.
SimonSmall wrote: "How does the use of AD restrict the investigation of creating new users on the Pi, and investigating user permissions?"
Without being able to use AD credentials, students would not have access to their network share. Without access to a network share, all their work is stored locally on the computer. In this case, on the individual Raspberry Pi.
SimonSmall wrote: "Would a user even be allowed root access on the Pi?"
This would depend on the situation. Most cases, no.
SimonSmall wrote: "There are ways of allowing access to the internet that do not give access to the rest of the network, and ways of allowing access to shared folders via a network logon."
Right now and for the next two or three years, access to the internet and how it is filtered is dependent on Active Directory setup. Application of the filter is important due to student data privacy laws here in the US.

Money for our ISP bill comes from the ability to block inappropriate images on all traffic. More on ERate here: http://en.wikipedia.org/wiki/E-Rate

Anyone with access to student health data cannot have access to Google Apps. If information about student data resides on Google servers and Google servers are hacked, Google will not abide by the regulations of HIPAA. More on HIPAA here: http://en.wikipedia.org/wiki/Health_Ins ... bility_Act

In addition to these concerns are necessary compliance with FERPA (http://en.wikipedia.org/wiki/Family_Edu ... rivacy_Act), IDEA (for students with disabilities) and CIPA (http://www.fcc.gov/guides/childrens-int ... ection-act)

Yes, there are ways to allow access to shares through web interfaces and the like. However, this doesn't get around compliance issues with State and Federal Law. It also prevents us from using our current infrastructure to track which student is using what computer at any given time. I would rather work on integrating AD than maintaining a whitelist of available internet sites on every Rasbpi device.
SimonSmall wrote: "I wonder if trying to integrate the Pi into AD might be the wrong direction"
Like I said, it won't be a deal breaker, but it would be the difference between specialty use and widespread use.

No AD and there will always be the roadblocks I mentioned above. Its use would be limited to a handful of devices not being used for general instruction, but special case instruction like CAD or Computer Science.

I used to manage all the district's Linux Desktops. (They are going away now.) They were always faster and less problematic than comparable Windows boxes, but the lack of AD integration prevented any kind of Linux from being used in more settings. The distro was locked at Slackware 12.2 by the vendor of a specific piece of software that was critical. The perception of using anything that is not Windows or Mac is colored by this experience.

Hope that helps. Again, not a fan of AD or the regulations, but these are the circumstances I am working under.

Re: Pi & Windows Domain

Posted: Fri Jan 18, 2013 9:07 pm
by SimonSmall
Wow, thanks for that. I had guessed there might be all sorts of administrative rules, but not that many. I don't know if the same things apply in the UK.

I was thinking about how the RPi Foundation had suggested how a Pi might help pupils. The work currently done by pupils at home might be done on their parents' computers then copied to a USB flash drive. It would be submitted back to the school on the USB flash drive. The Pi was to be used at school, with the hope that pupils could take the Pi home to complete any work on the Pi instead of their parents' PCs. The Pi is cheap enough that pupils could borrow one, or be given one. The Pi is intended to allow freedom to do many things relating to the operating system, with very limited chance of bricking the Pi, only having to re-flash the SD card.

I was thinking about internet access to be able to install new software, and perhaps search for information, etc. Perhaps there is an easy way round this at school. I was also thinking that work would be submitted by copying it from the Pi to a school network share, but perhaps the USB flash drive would still work.

Perhaps I should read more about how the Pi is being used in schools, if I can make the time ;)

Lesson Learned from Joining Pi to AD

Posted: Fri Jan 18, 2013 10:35 pm
by sycarion
I am using a virtual image of Raspbian through QEMU.

Today, I discovered that if I am not connected through a TAP connection, I'm not getting a connection to the domain controller, NTP or anything else within the network.

I feel like I should have known better.

So I have got to set up a TAP connection before more work can be done. Three day weekend for me, so no more work for a while. Hope to keep you updated.

Re: Pi & Windows Domain

Posted: Fri Jan 18, 2013 10:48 pm
by sycarion
SimonSmall wrote:
"Wow, thanks for that. I had guessed there might be all sorts of administrative rules, but not that many. I don't know if the same things apply in the UK.

"I was thinking about how the RPi Foundation had suggested how a Pi might help pupils. The work currently done by pupils at home might be done on their parents' computers then copied to a USB flash drive. It would be submitted back to the school on the USB flash drive. The Pi was to be used at school, with the hope that pupils could take the Pi home to complete any work on the Pi instead of their parents' PCs. The Pi is cheap enough that pupils could borrow one, or be given one. The Pi is intended to allow freedom to do many things relating to the operating system, with very limited chance of bricking the Pi, only having to re-flash the SD card.

"I was thinking about internet access to be able to install new software, and perhaps search for information, etc. Perhaps there is an easy way round this at school. I was also thinking that work would be submitted by copying it from the Pi to a school network share, but perhaps the USB flash drive would still work.

"Perhaps I should read more about how the Pi is being used in schools, if I can make the time ;)"

I think the ability to take RPis home is one of the better ideas we could use. In the States, internet service is a lot more expensive than it should be. (I pay $60USD a month for a 9MB down/1MB up connection.) As a result, many kids in some areas of town have no access to the internet. The RPis would still be useful for programming local apps, math work and more. That would work with little issue.

Requiring SD Cards to travel back and forth between home and school is more dicey. That would require the purchase of lots of card readers (and/or adapters).

The regulations hit my particular school district harder than some. It is mostly an issue of our size and the level of services offered compared to smaller schools. They range from healthcare facilities to daycare (for the children of students) to community centers and the like.

For example, a neighboring district is able to partner with Google because they do not have student-based health centers like my school district. This frees them from the HIPAA regulations. They have cheaper internet, they use Chromebooks almost exclusively, management is handled through cloud-based management, etc. RPis would have a much easier time there.

I'll let you know how it goes. It may end up being a bust, but I am hopeful. After my latest adventure for the past few days, will see what happens next week.