Using Active Directory for Ubuntu: Difference between revisions

From RSWiki
Jump to navigation Jump to search
No edit summary
 
No edit summary
Line 8: Line 8:




apt-get install krb5-user
apt-get install krb5-user
apt-get install winbind samba
apt-get install winbind samba


Step 2: Edit the /etc/krb5.conf File
Step 2: Edit the /etc/krb5.conf File




[logging]
[logging]
default = FILE10000:/var/log/krb5lib.log
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
[libdefaults]
ticket_lifetime = 24000
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
[realms]
DOMAIN.INTERNAL = {
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
}
[domain_realm]
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL




Line 39: Line 39:




[global]
[global]
security = ads
security = ads
netbios name = CMHRG02
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
password server = domainserver.domain.internal
workgroup = DOMAIN
workgroup = DOMAIN
idmap uid = 500-10000000
idmap uid = 500-10000000
idmap gid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind separator = +
winbind enum users = no
winbind enum users = no
winbind enum groups = no
winbind enum groups = no
winbind use default domain = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template homedir = /home/%D/%U
template shell = /bin/bash
template shell = /bin/bash
client use spnego = yes
client use spnego = yes
domain master = no
domain master = no




Line 62: Line 62:




passwd: compat winbind
passwd: compat winbind
group: compat winbind
group: compat winbind
shadow: compat
shadow: compat
hosts: files dns wins
hosts: files dns wins
networks: files
networks: files
protocols: db files
protocols: db files
services: db files
services: db files
ethers: db files
ethers: db files
rpc: db files
rpc: db files
netgroup: nis
netgroup: nis




Line 79: Line 79:




account sufficient pam_winbind.so
account sufficient pam_winbind.so
account required pam_unix.so
account required pam_unix.so




Line 86: Line 86:




auth sufficient pam_winbind.so
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_unix.so nullok_secure use_first_pass




Line 93: Line 93:




password required pam_unix.so nullok obscure min=4 max=50 md5
p assword required pam_unix.so nullok obscure min=4 max=50 md5




Line 99: Line 99:




session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_mkhomedir.so umask=0022 skel=/etc/skel




Line 106: Line 106:
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file


mkdir /home/DOMAIN
mkdir /home/DOMAIN


Step 7: Initialize Kerberos
Step 7: Initialize Kerberos
Line 118: Line 118:
Step 8: Join the system to the  
Step 8: Join the system to the  


net ads join -U domainadminuser@DOMAIN.INTERNAL
net ads join -U domainadminuser@DOMAIN.INTERNAL


Step 9: Restart Samba-related Services (Or reboot the server)
Step 9: Restart Samba-related Services (Or reboot the server)
Line 125: Line 125:




/etc/init.d/samba stop
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/winbind start




Line 136: Line 136:




/etc/init.d/ssh restart
/etc/init.d/ssh restart


ssh useraccount@server
ssh useraccount@server




Line 149: Line 149:
2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo
2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo


%UnixAdmins ALL=(ALL) ALL
%UnixAdmins ALL=(ALL) ALL




Line 157: Line 157:
1) List the derived UNIX GID values for Active Directory groups
1) List the derived UNIX GID values for Active Directory groups


for gid in $(wbinfo -r <username>); \
for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done


2) See the Active Directory SID for a particular named user
2) See the Active Directory SID for a particular named user


wbinfo –n <username>
wbinfo –n <username>

Revision as of 19:01, 13 May 2006

The original article was found here [1]

Steps

Step 1: Install the Required Packages

Note: Enter Y when asked if you want to install the additional packages


apt-get install krb5-user
apt-get install winbind samba

Step 2: Edit the /etc/krb5.conf File


[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL


Step 3: Edit /etc/samba/smb/conf

Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!

1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.


[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no


2) Test the configuration with the testparm command

Step 4: Edit /etc/nsswitch.conf to look like the example below


passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


Step 5: Modify the PAM settings

1) /etc/pam.d/common-account should contain only the following lines


account sufficient pam_winbind.so
account required pam_unix.so


2) /etc/pam.d/common-auth should contain only the following lines


auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass


3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below


p assword required pam_unix.so nullok obscure min=4 max=50 md5


4) Make sure the /etc/pam.d/common-session file contains the following line


session required pam_mkhomedir.so umask=0022 skel=/etc/skel


Step 6: Make a directory to hold domain user home directories

Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

mkdir /home/DOMAIN

Step 7: Initialize Kerberos

1) kinit domain_admin_account@DOMAIN.INTERNAL

Next check to be sure you got a ticket from the domain controller

2) klist

Step 8: Join the system to the

net ads join -U domainadminuser@DOMAIN.INTERNAL

Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important


/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start


Step 10: Restart SSH and Test Connectivity

Note: If you rebooted the server in the previous step, just try and login.


/etc/init.d/ssh restart
ssh useraccount@server


If you can login using your active directory username and password then everything is working!

Step 11: Configure SUDO

1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.

2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo

%UnixAdmins ALL=(ALL) ALL


HELPFUL COMMAND LINES

1) List the derived UNIX GID values for Active Directory groups

for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done

2) See the Active Directory SID for a particular named user

wbinfo –n <username>