Using Active Directory for Ubuntu

From RSWiki
Revision as of 18:59, 13 May 2006 by Robert (talk | contribs)

The original article was found here [1]


Step 1: Install the Required Packages

Note: Enter Y when asked if you want to install the additional packages

apt-get install krb5-user
apt-get install winbind samba

Step 2: Edit the /etc/krb5.conf File

[logging]
# log destination for the Kerberos libraries
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
# 2006-era enctypes: current domain controllers disable DES, so on a modern
# domain these two lines are normally omitted so that AES is negotiated
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.INTERNAL = {
    kdc = domainserver.domain.internal
    admin_server = domainserver.domain.internal
    default_domain = DOMAIN.INTERNAL
}

[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL

Step 3: Edit /etc/samba/smb.conf

Notes: Change the netbios name parameter to the correct name for this server. Make a backup copy of the original file first!

1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.

[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

2) Test the configuration with the testparm command

Step 4: Edit /etc/nsswitch.conf to look like the example below

passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns wins
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis
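A post-edit sanity check for the three files changed in Steps 2 to 4, added here as an example and not part of the original wiki page. It greps each file for the settings the join depends on and flags the DES enctypes from the 2006 sample, which current domain controllers no longer accept; the sample configs it writes are constructed for an offline run, and the paths are assumptions passed in by the caller.

```shell
#!/bin/sh
# check_ad_configs SMB_CONF NSSWITCH_CONF KRB5_CONF
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_ad_configs() {
    smb="$1" nss="$2" krb="$3" rc=0
    # smb.conf: without these 'net ads join' and winbind lookups fail
    for pat in 'security *= *ads' 'realm *= *.' 'winbind use default domain *= *yes'; do
        grep -qi "^[[:space:]]*$pat" "$smb" || { echo "smb.conf: missing '$pat'"; rc=1; }
    done
    # nsswitch.conf: passwd and group must consult winbind or AD accounts never resolve
    for db in passwd group; do
        grep -E "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$nss" >/dev/null \
            || { echo "nsswitch.conf: $db line lacks winbind"; rc=1; }
    done
    # krb5.conf: pinned DES enctypes are refused by current domain controllers
    if grep -Ei '^[[:space:]]*default_(tkt|tgs)_enctypes.*des' "$krb" >/dev/null; then
        echo "krb5.conf: DES enctypes pinned; drop them so AES is negotiated"; rc=1
    fi
    return "$rc"
}

# write_samples DIR good|bad: constructed sample files (not real hosts) for an offline run
write_samples() {
    d="$1"
    if [ "$2" = good ]; then
        printf '[global]\nsecurity = ads\nrealm = EXAMPLE.INTERNAL\nwinbind use default domain = yes\n' > "$d/smb.conf"
        printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$d/nsswitch.conf"
        printf '[libdefaults]\ndefault_realm = EXAMPLE.INTERNAL\n' > "$d/krb5.conf"
    else
        printf '[global]\nsecurity = user\nrealm = EXAMPLE.INTERNAL\n' > "$d/smb.conf"
        printf 'passwd: compat\ngroup: compat winbind\n' > "$d/nsswitch.conf"
        printf '[libdefaults]\ndefault_tkt_enctypes = des3-hmac-sha1 des-cbc-crc\n' > "$d/krb5.conf"
    fi
}

# Against a live system (assumed paths):
#   check_ad_configs /etc/samba/smb.conf /etc/nsswitch.conf /etc/krb5.conf
```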

Step 5: Modify the PAM settings

1) /etc/pam.d/common-account should contain only the following lines

# winbind is consulted first; local accounts fall back to pam_unix
account sufficient pam_winbind.so
account required   pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines

# try the domain password via winbind, then reuse it for local accounts
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass

3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

password required pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following line

# creates the home directory on first login (template homedir from smb.conf)
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Step 6: Make a directory to hold domain user home directories

Note: Use the value you gave the workgroup parameter in the /etc/samba/smb.conf file

mkdir /home/DOMAIN

Step 7: Initialize Kerberos

1) kinit domain_admin_account@DOMAIN.INTERNAL

Next, check that you received a ticket from the domain controller:

2) klist

Step 8: Join the system to the

net ads join -U domainadminuser@DOMAIN.INTERNAL

Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

Step 10: Restart SSH and Test Connectivity

Note: If you rebooted the server in the previous step, just try to log in.

/etc/init.d/ssh restart

ssh useraccount@server

If you can log in using your Active Directory username and password, then everything is working!

Step 11: Configure SUDO

1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.

2) Next, add the UnixAdmins group to /etc/sudoers so these users can use sudo:

%UnixAdmins ALL=(ALL) ALL


1) List the derived UNIX GID values for Active Directory groups

for gid in $(wbinfo -r <username>); do
    SID=$(wbinfo -G "$gid")      # UNIX GID -> SID
    GROUP=$(wbinfo -s "$SID")    # SID -> group name
    echo "$gid is $GROUP"
done

2) See the Active Directory SID for a particular named user

wbinfo -n <username>