Using Active Directory for Ubuntu
Latest revision as of 11:14, 27 February 2017
This information is deprecated. It should be considered end of life and should not be used in any production setting
Step 1: Install the Required Packages
Note: Enter Y when asked if you want to install the additional packages
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
[logging]
 default = FILE:/var/log/krb5lib.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.INTERNAL
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 DOMAIN.INTERNAL = {
  kdc = domainserver.domain.internal
  admin_server = domainserver.domain.internal
  default_domain = DOMAIN.INTERNAL
 }

[domain_realm]
 .domain.internal = DOMAIN.INTERNAL
 domain.internal = DOMAIN.INTERNAL

Note: The two enctypes lines pin the client to 3DES and single DES. DES has been deprecated for Kerberos (RFC 6649) and is disabled by default on domain controllers since Windows Server 2008 R2, and 3DES was deprecated later (RFC 8429), so against a current domain this configuration either fails to get a ticket or forces the weakest cipher the KDC still allows. Leave both lines out and let the client and KDC negotiate AES.
Step 3: Edit /etc/samba/smb.conf
Note: Change the netbios name parameter to the correct name for the server, and make a backup copy of the original file first.
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
[global]
 security = ads
 netbios name = CMHRG02
 realm = DOMAIN.INTERNAL
 password server = domainserver.domain.internal
 workgroup = DOMAIN
 idmap uid = 500-10000000
 idmap gid = 500-10000000
 winbind separator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no
Note: The idmap range as shown starts at 500, inside the UID/GID space Ubuntu uses for local system accounts (below UID_MIN, 1000) and for local users (up to UID_MAX, 60000 by default in /etc/login.defs). winbind's tdb allocator does not consult /etc/passwd, so a domain user can be handed a UID that a local or system account already owns. Start the range above UID_MAX, for example 100000-999999. On current Samba releases idmap uid / idmap gid have been replaced by idmap config * : backend = tdb and idmap config * : range = 100000-999999, and password server is best left unset so the domain controller is located through DNS rather than pinned to one host.
2) Test the configuration with the testparm command
Step 4: Edit /etc/nsswitch.conf to look like the example below
passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns wins
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis
Note: Sources are consulted in the order listed, so a local entry in /etc/passwd or /etc/group shadows a domain account or group of the same name; keep local account and group names from colliding with domain ones (this matters for the sudo group in Step 11). On current Ubuntu releases the winbind and wins NSS modules come from the libnss-winbind package.
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required   pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Note: Three of the options above weaken the host. nullok and nullok_secure let pam_unix accept a local account with an empty password (nullok_secure only on ttys listed in /etc/securetty); drop both on a server that accepts logins over ssh. md5 selects a password hash that is weak by current standards; use sha512, the Ubuntu default. umask=0022 creates every new home directory readable by all users on the box; umask=0077 keeps them private. On releases that manage the common-* files with pam-auth-update, make the change through it (a profile under /usr/share/pam-configs) rather than by hand-editing the files.
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller
2) klist
Note: Joining a host only needs an account allowed to create (or reset) the computer object in the target OU, not a Domain Admin. Delegate that right to a dedicated join account and use it here and in Step 8, so a half-built or later-compromised host never sees Domain Admin credentials. If kinit fails with "Clock skew too great" or "KDC reply did not match expectations", fix NTP and check that the realm is written in upper case before attempting the join.
Step 8: Join the system to the Active Directory
net ads join -U domainadminuser@DOMAIN.INTERNAL
Then confirm that the machine account it created actually works:
net ads testjoin
Step 9: Restart Samba-related Services (or reboot the server)
Note: The order is important
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
On systemd-based releases the equivalent is: systemctl restart smbd nmbd winbind
Step 10: Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
/etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working!
Step 11: Configure SUDO
1) First create a group in Active Directory called UnixAdmins and add the people who should be able to use sudo to administer the server.
2) Next, add the UnixAdmins group to /etc/sudoers (edit it with visudo, which syntax-checks the file before saving so a typo cannot lock everyone out) so these users can use sudo
%UnixAdmins ALL=(ALL) ALL
Note: The group name must match what the system resolves, which depends on winbind use default domain and winbind separator in smb.conf; with the values above it is plain UnixAdmins, and a group name containing spaces has to be escaped (%Domain\ Admins). Verify the lookup before relying on it: getent group UnixAdmins
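As an added example (not part of the original page), the bash script below audits the files produced by Steps 2 through 5 for the weak settings noted above: DES/3DES enctypes pinned in krb5.conf, nullok/nullok_secure and md5 in the PAM files, a pam_mkhomedir umask that leaves home directories readable, and a winbind idmap range that falls inside the local UID space defined in /etc/login.defs. It writes constructed sample files (a "weak" tree mirroring this page and a "hardened" tree with the corrected values) under a temporary directory so it runs offline. The function names, the layout that puts login.defs beside the other files, and the fallback UID_MAX of 60000 are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit an Ubuntu winbind/AD configuration for the weak settings
# discussed on this page. Not from the original page. Runs offline against
# constructed sample files; on a live host point the checks at /etc/krb5.conf,
# /etc/samba/smb.conf, /etc/login.defs and /etc/pam.d/common-*.
set -u

# 0 if a default_tkt/tgs_enctypes line pins the client to DES or 3DES.
krb5_has_des_enctypes() {
  grep -Eq '^[[:space:]]*default_(tkt|tgs)_enctypes[[:space:]]*=.*[[:space:]=]des3?-' "$1"
}

# 0 if pam_unix.so carries nullok or nullok_secure (empty passwords accepted).
pam_allows_empty_password() {
  grep -Eq '^[[:space:]]*(auth|password)[[:space:]].*pam_unix\.so.*[[:space:]]nullok' "$1"
}

# 0 if pam_unix.so still hashes new passwords with md5 instead of sha512.
pam_hashes_with_md5() {
  grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]]md5([[:space:]]|$)' "$1"
}

# 0 if pam_mkhomedir's umask leaves new home directories group- or world-readable
# (anything other than ??77); a missing umask= is the module default, 0022.
mkhomedir_umask_is_loose() {
  local u
  u=$(sed -nE 's/.*pam_mkhomedir\.so.*umask=([0-7]+).*/\1/p' "$1" | head -n1)
  case "${u:-0022}" in *77) return 1 ;; *) return 0 ;; esac
}

# Prints the low end of the winbind idmap range, accepting the old "idmap uid = A-B"
# form used on this page and the current "idmap config * : range = A-B" form;
# prints nothing if neither is present.
idmap_range_low() {
  sed -nE 's/^[[:space:]]*idmap (uid|config[[:space:]]*\*[[:space:]]*:[[:space:]]*range)[[:space:]]*=[[:space:]]*([0-9]+)-[0-9]+.*/\2/p' "$1" | head -n1
}

# 0 if the idmap range starts inside the local user space (at or below UID_MAX from
# login.defs, assumed 60000 when unset). The tdb idmap allocator never consults
# /etc/passwd, so an overlapping range can hand a domain user a local account's UID.
idmap_overlaps_local() {
  local low uid_max
  low=$(idmap_range_low "$1")
  uid_max=$(sed -nE 's/^[[:space:]]*UID_MAX[[:space:]]+([0-9]+).*/\1/p' "$2" | head -n1)
  [ -n "$low" ] && [ "$low" -le "${uid_max:-60000}" ]
}

# Runs every check on a directory holding krb5.conf, smb.conf, login.defs and the
# pam.d common-* files; prints one line per finding and returns the finding count.
audit_dir() {
  local d=$1 n=0
  krb5_has_des_enctypes "$d/krb5.conf" && { echo "krb5.conf: DES/3DES enctypes pinned"; n=$((n+1)); }
  pam_allows_empty_password "$d/common-auth" && { echo "common-auth: nullok"; n=$((n+1)); }
  pam_allows_empty_password "$d/common-password" && { echo "common-password: nullok"; n=$((n+1)); }
  pam_hashes_with_md5 "$d/common-password" && { echo "common-password: md5 hashing"; n=$((n+1)); }
  mkhomedir_umask_is_loose "$d/common-session" && { echo "common-session: mkhomedir umask too loose"; n=$((n+1)); }
  idmap_overlaps_local "$d/smb.conf" "$d/login.defs" && { echo "smb.conf: idmap range overlaps local UIDs"; n=$((n+1)); }
  return "$n"
}

# Writes two constructed sample trees under $1: "weak" mirrors the settings on this
# page, "hardened" is the corrected form (AES negotiated, no nullok, sha512,
# umask 0077, idmap range above UID_MAX).
write_samples() {
  local b=$1
  mkdir -p "$b/weak" "$b/hardened"
  printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$b/weak/login.defs"
  cp "$b/weak/login.defs" "$b/hardened/login.defs"
  printf '[libdefaults]\n default_realm = DOMAIN.INTERNAL\n default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc\n default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc\n' > "$b/weak/krb5.conf"
  printf '[libdefaults]\n default_realm = DOMAIN.INTERNAL\n' > "$b/hardened/krb5.conf"
  printf '[global]\n security = ads\n idmap uid = 500-10000000\n idmap gid = 500-10000000\n' > "$b/weak/smb.conf"
  printf '[global]\n security = ads\n idmap config * : backend = tdb\n idmap config * : range = 100000-999999\n' > "$b/hardened/smb.conf"
  printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$b/weak/common-auth"
  printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so use_first_pass\n' > "$b/hardened/common-auth"
  printf 'password required pam_unix.so nullok obscure min=4 max=50 md5\n' > "$b/weak/common-password"
  printf 'password required pam_unix.so obscure sha512\n' > "$b/hardened/common-password"
  printf 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel\n' > "$b/weak/common-session"
  printf 'session required pam_mkhomedir.so umask=0077 skel=/etc/skel\n' > "$b/hardened/common-session"
}

# Demo: ./audit.sh --demo   (6 findings for weak, 0 for hardened)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); write_samples "$tmp"
  for t in weak hardened; do
    n=0; audit_dir "$tmp/$t" || n=$?
    echo "$t: $n finding(s)"
  done
  rm -rf "$tmp"
fi
```

The checks are deliberately pattern-based rather than a full parser: each one matches the option in the position PAM or krb5 actually reads it (a pam_unix option after the module name, an enctypes key under any section), so a commented-out or misplaced line does not produce a false finding. Run audit_dir against a copy of the real files before handing the host to users, and again after any package upgrade that touches PAM or Samba.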
HELPFUL COMMAND LINES
1) List the derived UNIX GID values for Active Directory groups
for gid in $(wbinfo -r <username>); do
    SID=$(wbinfo -G "$gid"); GROUP=$(wbinfo -s "$SID"); echo "$gid is $GROUP"
done
2) See the Active Directory SID for a particular named user
wbinfo -n <username>