HOW TO: Configuring authentication against Windows Domain


uylug
August 28th, 2009, 10:14 PM
Setting up Samba to authenticate against a Windows Domain

This guide aims to help those people who are interested in configuring their Ubuntu boxes to login using an account from a Windows Domain. This is particularly important to integrate Ubuntu computers in large Windows networks. I have got this to work using a Windows 2003 Server with an Ubuntu Server 9.04.

It is recommended that you log in as root during the process. To log in as root run

sudo bash

1. Getting the necessary packages

Install the necessary packages by running the following command in a terminal:

apt-get install samba winbind krb5-user

This will install Samba, Winbind and Kerberos, which are needed to configure our domain member server.

This should not be a problem... as long as you have a working internet connection.


2. Configuring your DNS server

You'll need to make Ubuntu use your Windows server as its DNS server. This is essential, as it will make it possible to resolve the names of computers under your domain.

Before starting, make sure you can ping your domain server by IP address, like this:

ping 192.168.1.20

Replace the IP according to your domain server settings. If this works, we can then continue and configure the DNS server.

The DNS settings are stored in the /etc/resolv.conf file. We can edit this file by doing:

nano /etc/resolv.conf

Make sure it looks like this:

search domain.local

nameserver 192.168.1.20

The search keyword adds the given address to the name of the host you're resolving. For example, if you ping myubuntuserver it will actually ping myubuntuserver.domain.local using the IP provided as the Domain Name Server (DNS). Instead of typing domain.local you'll need to get your FQDN, which can be done from the Windows Domain server. In this case (http://www.bloggix.com/blogs/microsoft/w2k8install/w2k8_62.jpg) development.local is what you're looking for. So in that case, you would replace domain.local by development.local. There are several guides which can help you find your Fully Qualified Domain Name.

Save the file using CTRL+O and then exit CTRL + X and see if you can ping your Windows server by name, like this:

ping domainserver

You should get your server name resolved and see its IP address. Otherwise something is not working. Also, if you're having problems while resolving names, double check whether /etc/resolv.conf still reflects the changes you have made, since it gets reset by network managers.


3. Configuring Kerberos

Updated: Some people have found problems while configuring Kerberos.

We will be editing the /etc/krb5.conf file so make sure you make a backup copy before proceeding, this way.

cp /etc/krb5.conf /etc/krb5.conf.original

That should be enough to undo any changes.

Replace the contents of the krb5.conf file with the following:

[logging]
default = FILE:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
# Realm names are case-sensitive: use the upper-case form of your FQDN
default_realm = DOMAIN.LOCAL
# Remove these two lines if kinit reports an unsupported encryption type
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.LOCAL = {
# Replace with the resolvable name of your domain controller
kdc = windows_server_name
admin_server = windows_server_name
default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

If everything goes ok so far, you should be able to check whether Kerberos is working by issuing the following command. You will need an account with administrative privileges on the Windows side to make this work.

kinit Administrator@DOMAIN.LOCAL

If it fails to resolve the host name, you've got a DNS problem right there. If your DNS settings are working just fine, you will be prompted for the password of the account you just entered, and if everything goes fine you will get no output after you enter your password. If an error occurs you will be notified.

If you get an error saying that the encryption is not supported, then remove these two lines in the /etc/krb5.conf file and try again.

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

If you did not get any errors or messages, it probably worked. In order to know exactly what happened, run the command:

klist

This should provide details on the Domain Server Kerberos is configured to use. It should look like this:

root@lampsrv:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.LOCAL

Valid starting Expires Service principal
08/27/09 23:22:52 08/28/09 09:22:57 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 08/28/09 23:22:52


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


4. Configuring Samba

In order to configure samba, edit the /etc/samba/smb.conf file. You can do it by running

nano /etc/samba/smb.conf

Replace and/or add the following lines to the samba configuration file:


[global]
workgroup = DOMAIN_NAME
realm = DOMAIN.LOCAL
netbios name = ubuntu_server_name
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
domain master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind separator = +
usershare allow guests = yes

This will configure Samba with some generic settings. Make sure you change DOMAIN_NAME to the domain name you're connecting to, and DOMAIN.LOCAL should be your FQDN. You can later customize it according to your needs, but let's get it working first.

Now, check whether the samba settings are correct by running

testparm

Restart the Winbind and Samba services by running


/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start


5. Join the Windows Domain

You should now be able to join the Windows domain by running the following command:

net ads join -U Administrator@DOMAIN.LOCAL

If it works, your Ubuntu server should now appear in the Windows Domain Server as a Domain Computer. If you get an error like

Malformed representation of principal

try to do it like this:

net ads join -U Administrator


6. Configure Winbind

Edit the /etc/nsswitch.conf file and make it look like this:

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files dns wins
networks: files dns

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Restart Samba and Winbind


/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

If everything is alright you should be able to retrieve information from your Windows Domain.

To get a list of users run
wbinfo -u

To get a list of groups run
wbinfo -g

To get details about the domain run
net ads info

You will probably notice everything's great but... you still cannot log in using a user from the domain. So continue to step number 7.


7. Enabling login from domain accounts

Edit the file /etc/pam.d/common-auth and add the following line at the start of the file:

auth sufficient pam_winbind.so

This basically means that if a user successfully logs in using a domain account, that is enough to log in to the system.

Edit the /etc/pam.d/common-session file and add the following line to enable automatic creation of the home folder when a new user logs in to the Linux box:

session required pam_mkhomedir.so

The folder will be created according to the parameter in the smb.conf file:

template homedir = /home/%D/%U

Hope that helps! :P

Note: If your /etc/resolv.conf file content keeps getting replaced run this command to make sure no processes can alter its content (not even root will be able to write changes to it):
chattr +i /etc/resolv.conf
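As an added example (not from the original post), the script below cross-checks the files edited in steps 3, 4, 6 and 7 for the mismatches that most often break the join or the first domain login: realm case and the domain_realm mapping in krb5.conf, the realm and security settings in smb.conf, winbind in nsswitch.conf, and pam_winbind ordering in common-auth. The function names, the directory layout and the constructed sample files are all assumptions; point check_domain_config at a directory holding copies of your four real files.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the files edited in
# steps 3, 4, 6 and 7 for the mismatches that most often make "net ads join" or
# the first domain login fail. File names and the sample content are assumed.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
# Read "key = value" from an ini-style file, trimming surrounding whitespace.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Prints OK and returns 0 when consistent; prints the first problem and returns 1.
check_domain_config() {
    d="$1"
    realm=$(ini_get "$d/krb5.conf" default_realm)
    # Kerberos realms are case-sensitive; an AD realm is the upper-case DNS name.
    [ -n "$realm" ] && [ "$realm" = "$(upper "$realm")" ] \
        || { echo "krb5.conf: default_realm missing or not upper case"; return 1; }
    # [domain_realm] must map the lower-case DNS suffix back to the realm.
    grep -q "^[[:space:]]*\.$(lower "$realm")[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$d/krb5.conf" \
        || { echo "krb5.conf: missing .$(lower "$realm") = $realm in [domain_realm]"; return 1; }
    # smb.conf must name the same realm and use ADS security for winbind to work.
    [ "$(ini_get "$d/smb.conf" realm)" = "$realm" ] \
        || { echo "smb.conf: realm does not match krb5.conf default_realm"; return 1; }
    [ "$(upper "$(ini_get "$d/smb.conf" security)")" = "ADS" ] \
        || { echo "smb.conf: security must be ADS"; return 1; }
    # nsswitch must consult winbind for users and groups or uid lookups fail.
    for db in passwd group; do
        grep -q "^$db:.*winbind" "$d/nsswitch.conf" \
            || { echo "nsswitch.conf: $db does not include winbind"; return 1; }
    done
    # pam_winbind must be tried before pam_unix, as the guide puts it at the top.
    wb=$(grep -n 'pam_winbind\.so' "$d/common-auth" | head -n 1 | cut -d: -f1)
    ux=$(grep -n 'pam_unix\.so' "$d/common-auth" | head -n 1 | cut -d: -f1)
    [ -n "$wb" ] && { [ -z "$ux" ] || [ "$wb" -lt "$ux" ]; } \
        || { echo "common-auth: pam_winbind.so must come before pam_unix.so"; return 1; }
    echo OK
}

# Constructed sample set in a temp dir, mirroring the guide; pass the realm name.
make_sample_config() {
    d=$(mktemp -d); r="$1"
    printf '[libdefaults]\ndefault_realm = %s\n[domain_realm]\n.%s = %s\n' \
        "$r" "$(lower "$r")" "$r" > "$d/krb5.conf"
    printf '[global]\n   realm = %s\n   security = ADS\n' "$r" > "$d/smb.conf"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$d/nsswitch.conf"
    printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so\n' > "$d/common-auth"
    echo "$d"
}
```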

uylug
September 5th, 2009, 12:00 PM
Guide updated as some people have been getting errors while configuring Kerberos.

uylug
September 12th, 2009, 06:13 AM
Guide updated.

Diamond2
September 30th, 2009, 06:10 AM
How do users change their account password themselves on the Linux box if their password has expired and they cannot log in to the Linux box?

uylug
August 5th, 2010, 09:39 AM
Um, I really don't know... I'll check that later

dougmorin
August 17th, 2010, 10:10 AM
When logging onto the main screen do they login as user@domain or workgroup\user?

uylug
August 22nd, 2010, 04:17 PM
Depends on your settings really... Users were able to login as 'user' without the need to add any sort of domain information because I had set it to be the default domain.

If you've got more than one domain, this HOW TO will probably need further editing and commands for it to work.