HOWTO: Active Directory Authentication
tfiedler
November 17th, 2005, 12:32 PM
I searched high and low for a good cookie-cutter recipe and couldn't find one, so I pieced together parts from various sources to come up with one that I have used for four Ubuntu Linux servers, and which continues to work for me.
These instructions assume your domain information is DOMAIN (old-style domain name) and the DNS-resolvable one is DOMAIN.INTERNAL. Our Active Directory environment is running on Windows 2000, but I have tested these instructions in a VMware Team with Windows 2003 native mode and they worked there as well.
=========================================================
Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5
Steps
Step 1: Install the Required Packages
Note: Enter Y when asked if you want to install the additional packages
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Step 3: Edit /etc/samba/smb.conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
2) Test the configuration with the testparm command
Step 4: Edit /etc/nsswitch.conf to look like the example below
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller
2) klist
Step 8: Join the system to the
net ads join -U domainadminuser@DOMAIN.INTERNAL
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 10: Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
/etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working!
Step 11: Configure SUDO
1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.
2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo
%UnixAdmins ALL=(ALL) ALL
HELPFUL COMMAND LINES
1) List the derived UNIX GID values for Active Directory groups
for gid in $(wbinfo -r <username>); do
    SID=$(wbinfo -G "$gid"); GROUP=$(wbinfo -s "$SID"); echo "$gid is $GROUP"
done
2) See the Active Directory SID for a particular named user
wbinfo -n <username>
herot
November 17th, 2005, 08:49 PM
Will these instructions allow me to have access to my Windows 2003 server shares??? I am thinking of making the Ubuntu desktop a viable option at my workplace...
evs
November 17th, 2005, 10:39 PM
Will these instructions allow me to have access to my Windows 2003 server shares??? I am thinking of making the Ubuntu desktop a viable option at my workplace...
You should be able to access the shares with the default Samba config. I used to use my laptop with Hoary at work, and it was fine. Go to Places->Connect to Server and choose Windows Share and you'll need to save your user name and password and stuff.
This howto is great, I tried this like a year ago unsuccessfully. I wasn't using Winbind, however, so maybe that will make the difference. I can't wait till I get a chance to test some new machines on the network. Thanks a lot.
darius_underhill
November 18th, 2005, 11:30 AM
Hi Sir!
I apologize for being so ignorant, but here is my situation. I was just promoted to System Admin from a Technical Support agent (due to the lack of IT personnel left). One of the tasks delegated to me is to set up centralized username/password authentication for all our workstations. Our network is currently composed of around 20 Windows XP and 10 Ubuntu Linux (Breezy) machines.
I imagine that I should use Microsoft's Active Directory for the Windows XP workstations. However, I am not too sure whether I should use your HOWTO so that my Ubuntu Linux workstations will authenticate using Active Directory. Can I use your HOWTO so that all of our Windows XP and Ubuntu Linux workstations authenticate with a single Active Directory server?
Please help, or at least point me to some reference I can use.
Thanks.
intangible
November 18th, 2005, 04:54 PM
I have already set up my Linux boxes manually to join the domain, but I was wondering if anyone has had any luck with this tool: http://sadms.sf.net ? It looks like the perfect tool to do all this with a gui instead of manually, and they have a Ubuntu package :D
slamp
November 27th, 2005, 05:00 PM
Great tutorial! I have now joined my Ubuntu server to my domain. I do have a question.
How do I set up multiple groups on a folder in Linux?
I want groups that can read/write and groups that can only read.
So far I have set up a group in Active Directory and made it able to read and write to the Samba share, but I do not know of any way to make another one that can only read.
slamp
November 28th, 2005, 01:26 PM
Replying to my own question.
ACL was the answer!
intangible
November 30th, 2005, 09:21 PM
If you're using ACLs, check out this; I love the integration with Nautilus: http://rofi.pinchito.com/eiciel/
sudo apt-get install eiciel
http://packages.ubuntu.com/breezy/gnome/eiciel
Mujaheiden
January 10th, 2006, 06:14 AM
Hi,
I don't know what my DOMAIN or my DOMAIN.INTERNAL is. I'm on the uinimaas.nl Active Directory. Which should I try?
thx
derelict
January 10th, 2006, 08:18 PM
Greetings,
I followed the howto step by step but I'm getting "kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials" when I run "kinit Administrator@home.brr". However, I can nslookup the computer I specified on "[realms] kdc" (it's both the AD PDC and DNS server). What can I be doing wrong? :confused:
Thanks in advance :)
I don't know what my DOMAIN or my DOMAIN.INTERNAL is. I'm on the uinimaas.nl Active Directory. Which should I try?
In your case DOMAIN is uinimaas and DOMAIN.INTERNAL is uinimaas.nl
stevea1210
January 10th, 2006, 10:42 PM
Greetings,
I followed the howto step by step but I'm getting "kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials" when I run "kinit Administrator@home.brr". However, I can nslookup the computer I specified on "[realms] kdc" (it's both the AD PDC and DNS server). What can I be doing wrong? :confused:
Thanks in advance :)
In your case DOMAIN is uinimaas and DOMAIN.INTERNAL is uinimaas.nl
Are you using home.brr or HOME.BRR? Caps are required.
derelict
January 11th, 2006, 10:35 AM
Yes, all references of "home.brr" on the krb5.conf file were on capital letters as shown by the HOWTO, I keep getting that error :confused:
I can ldapsearch the AD server and obtain user info without any problem.
stevea1210
January 11th, 2006, 11:51 AM
There were two things not mentioned in this HOWTO that could possibly cause issues for some people. Derelict, can you check the below out.
1) /etc/hosts isn't edited. The default ubuntu installation would give you
127.0.0.1 localhost.localdomain localhost ubuntu
That should be modified to include the domain that you are joining. It should look more like this
127.0.0.1 FQDN localhost pc name
Example using domain from the how to with pc name of "test"
127.0.0.1 test.domain.internal localhost test
I suggest a reboot after that to ensure no naming conflicts anywhere.
2) Syncing time with the domain's NTP server
The /etc/default/ntpdate file should be edited to reflect the FQDN of your NTP server (usually your domain controller).
Again using the domain from the how-to, modify as needed.
# servers to check
NTPSERVERS="domainserver.domain.internal"
# additional options for ntpdate
NTPOPTIONS="-u"
Then restart the service
sudo /etc/init.d/ntpdate restart
Kerberos won't give you a ticket if the times are too far apart between the DC and the PC
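The points above (upper-case realm, matching realm/workgroup in krb5.conf and smb.conf, the FQDN in /etc/hosts, and clock skew) are exactly the things that go wrong before kinit or net ads join ever gets an answer. Below is an added example, written for this thread and not taken from tfiedler's HOWTO, stevea1210's post or any Samba/MIT tool: a POSIX sh script with one function per check, plus a precheck wrapper that runs the file-based ones. It assumes the naming convention of the HOWTO (realm DOMAIN.INTERNAL, workgroup DOMAIN) and a 300-second skew limit, which is the MIT Kerberos default; the skew check takes two epoch timestamps as arguments instead of querying the KDC, so the whole script runs offline.

```sh
#!/bin/sh
# Added example, not from the HOWTO or any post in this thread: pre-join
# checks for the krb5.conf / smb.conf / hosts / clock conditions discussed
# above. Each check takes file paths or values as arguments and returns 0
# (ok) or 1 (problem), so it works on the real files or on constructed ones.
# Assumptions: the HOWTO's naming convention (realm DOMAIN.INTERNAL,
# workgroup DOMAIN) and a clock skew limit of 300 s (the MIT Kerberos default).

# Read the first "key = value" line from an INI-style file; KEY_REGEX is a sed regex.
conf_value() {  # conf_value FILE KEY_REGEX
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Kerberos realm names are case-sensitive; an AD realm is the DNS name in
# upper case (the lower-case realm was the first thing asked about in the thread).
realm_is_upper() {  # realm_is_upper REALM
    case "$1" in
        '' | *[[:lower:]]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# default_realm (krb5.conf) and realm (smb.conf) must be identical.
realms_match() {  # realms_match KRB5_CONF SMB_CONF
    k=$(conf_value "$1" default_realm)
    s=$(conf_value "$2" realm)
    [ -n "$k" ] && [ "$k" = "$s" ]
}

# workgroup must be the first DNS label of the realm (DOMAIN for DOMAIN.INTERNAL).
workgroup_matches_realm() {  # workgroup_matches_realm SMB_CONF
    r=$(conf_value "$1" realm)
    w=$(conf_value "$1" workgroup)
    [ -n "$w" ] && [ "$w" = "${r%%.*}" ]
}

# [domain_realm] needs both ".domain.internal" and "domain.internal" mapped to the realm.
domain_realm_mapped() {  # domain_realm_mapped KRB5_CONF
    r=$(conf_value "$1" default_realm)
    d=$(printf '%s' "$r" | tr '[:upper:]' '[:lower:]' | sed 's/\./\\./g')
    [ -n "$r" ] && [ "$(conf_value "$1" "\\.$d")" = "$r" ] && [ "$(conf_value "$1" "$d")" = "$r" ]
}

# /etc/hosts must list the machine's FQDN on an address line
# (the fix from this thread: "127.0.0.1 test.domain.internal localhost test").
hosts_has_fqdn() {  # hosts_has_fqdn HOSTS_FILE FQDN
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eiq "^[[:space:]]*[0-9a-f.:]+([[:space:]]+[^[:space:]#]+)*[[:space:]]+$esc([[:space:]]|\$)" "$1"
}

# Kerberos refuses requests when client and KDC clocks differ by more than the
# skew limit. Arguments are epoch seconds from both sides (e.g. `date +%s` here
# and the DC's clock), so the check itself needs no network.
skew_ok() {  # skew_ok LOCAL_EPOCH KDC_EPOCH [LIMIT_SECONDS]
    lim=${3:-300}
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$lim" ]
}

# Run one check, print its result, and count failures in $fails.
check() {  # check LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# Run every file-based check; the return value is the number of failures
# (0 means the files are consistent and kinit / net ads join are worth trying).
precheck() {  # precheck KRB5_CONF SMB_CONF HOSTS_FILE FQDN
    fails=0
    check "realm is upper-case"                 realm_is_upper "$(conf_value "$1" default_realm)"
    check "krb5 default_realm matches smb realm" realms_match "$1" "$2"
    check "workgroup is first label of realm"   workgroup_matches_realm "$2"
    check "[domain_realm] maps domain to realm" domain_realm_mapped "$1"
    check "hosts file lists FQDN $4"            hosts_has_fqdn "$3" "$4"
    return "$fails"
}
```

On a real box, source the script and run `precheck /etc/krb5.conf /etc/samba/smb.conf /etc/hosts "$(hostname -f)"` before Step 7; the exit status is the number of failed checks, so it drops straight into a deployment script. The skew check is deliberately fed timestamps rather than reaching out itself, because the fix for a skew failure is the ntpdate setup above, not something the script should do for you.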
derelict
January 11th, 2006, 12:19 PM
OK, it looks like it's making progress :)
I changed the hosts file to
"127.0.0.1 ubuntu.home.brr localhost ubuntu"
and I'm now getting
"kinit(v5): KDC has no support for encryption type while getting initial credentials"
Here's the [libdefaults] section of my krb5.conf, up to the [realms] section:
ticket_lifetime = 24000
default_realm = HOME.BRR
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
I'm running AD on a 2003 Server, should I change the enctypes? The time difference between hosts was already below 30 seconds; it had occurred to me before that Kerberos needed some time sync.
derelict
January 11th, 2006, 12:28 PM
I'm now getting
"kinit(v5): KDC has no support for encryption type while getting initial credentials"
I solved it by resetting the Administrator password :) It looks like I now have a Kerberos ticket already, I'll post back the whole result (hopefully successful!)
Thanks steve :)
derelict
January 11th, 2006, 07:30 PM
OK, I successfully added the computer to the realm, thanks for all the help so far! However, I was aiming at being able to log in with an AD user via the graphical startup prompt; do I have to edit /etc/pam.d/gdm?
Thanks in advance! :)
stevea1210
January 12th, 2006, 08:56 PM
Following this how to should allow you to log in with an AD account. There are three main ways to login, based on editing the smb.conf.
As it is set now, you should be able to login with just username password. The line
winbind use default domain = yes
will have winbind assume all logins are from the default domain.
If you set that to no, or comment it out, you would need to prepend the username with the domain. The winbind separator determines which character goes between the domain and username.
winbind separator = +
If you copied this smb.conf, it would be:
DOMAIN+username (ensure caps in domain)
The default (read, commenting out that line with a #) is backslash, so it would be:
DOMAIN\username (caps again).
BTW you're welcome, love to help when I can.
derelict
January 13th, 2006, 10:02 AM
Once again you got it :)
It's logging in perfectly, I'm now working on changing the AD password via Linux (smbpassword, correct?) and getting it to create the user directory (/home/domain/user) with 700 permissions. Thanks! :)
zachariah
January 19th, 2006, 05:59 AM
Just to add I used SADMS to successfully do all the legwork on the .conf files and it works fairly well. You have to read the documentation very carefully and follow everything to the letter, but you will end up with a Ubuntu box that can log in to the domain just like any XP machine.
It will also configure the previously unmentioned pammount file to allow each user to automatically link to shares on the Windows server. This works best if your user files are all in one directory and are all named after the login name.
Edited to add:
After updating the Linux kernel image, the AD logins refused to work. Running the SADMS configuration did the trick, but it was a scary moment.
Your SADMS settings file should read like the following:
# My Settings
realm=MY.FQDN.IN.CAPS
dns=your.dns.server.with.FQDN
kdc=yourkerberosservername (must be DNS resolvable)
domain=DOMAINNAMEINCAPS (just the root name, eg for google.com you would just enter GOOGLE)
server=localhost NETBIOS name, default is ubuntu or linux
hostOu=Computers (or whichever AD unit you want the system to be listed)
administrator=administrator
administratorPassword=yourpassword (no need to save this in plain text, you can enter it within SADMS!)
users=domain users (or whatever you prefer the default users to be)
hostsAllow=10.
winsServer=IP.address.of.yourWINSserver
ariek
February 1st, 2006, 04:31 AM
Thanks for this great howto, exactly what I needed!
Arie
antihippy
February 1st, 2006, 11:34 AM
Hi,
I am interested in trying out SADMS but I cannot get it to install. I am fairly new to Ubuntu and Linux in general. I've been on the SADMS website and downloaded, what I think is, the correct package: sadms-install-ubu-2.0.1.tar.gz
I've unpacked it and I now have a folder called sadms-2.0.1. When I try double-clicking the start script, I run it in a terminal and I can see lots of errors flicking past. I have winbind and samba installed.
How do I install sadms? Have I been thick about something?
I've been all over the sadms project pages and there's not much help.
Any help would be much appreciated.
Thanks
PS - I don't think that there is anything wrong with SADMS - it's just my newbieness.
RxTech
February 1st, 2006, 04:41 PM
I'm having a problem. Everything worked fine, I was able to join the domain, but I can't log in... using domain logins or local ones.
I get this error message in my auth.log
Feb 1 16:29:43 testws sshd[4090]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb 1 16:29:45 testws pam_winbind[4090]: user 'MYUSERNAME' granted access
Feb 1 16:29:45 testws sshd[4085]: error: PAM: Authentication information cannot be recovered for MYUSERNAME from testws.mydomain.com
Feb 1 16:44:08 testws login[4096]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb 1 16:44:10 testws pam_winbind[4096]: user 'MYUSERNAME' granted access
Feb 1 16:44:14 testws login[4096]: FAILED LOGIN (1) on `tty1' FOR `MYUSERNAME', Authentication information cannot be recovered
Any ideas??
PS. I'm authenticating to a win2k3 dc
Mujaheiden
February 13th, 2006, 04:32 AM
:( I think this Active Directory login is too difficult for me. I have no clue as to what I'm doing, and what I do doesn't work. I'll just wait for an automix-like script, if ever...
Thanx anyway
SuperMike
March 1st, 2006, 11:14 PM
tfiedler,
Wow, got this working, but had to alter the steps slightly. This is way cool stuff here!!! It's sensational that you figured all this out, though. Perhaps things have changed in Ubuntu 5.10 or something. What's cool about this is that my PC is now a member of the AD domain and if I add a unix account with useradd and don't specify a password or use passwd, I can use the password from the AD domain instead of the password on the Unix account. Note that you do not need to use smbpasswd anymore! That's one less admin chore -- and you won't have to worry about password synchronization again with Samba because it passes on to the AD domain.
Here's what I had to do that was so special.
1. Had to put my FQDN in /etc/hosts on the 127.0.0.1 line before localhost. (For noobs -- do hostname to find your hostname. Then, tack on the domain on the end. In my case it was something like UBUNTU.MY_AD_DOMAIN.COM.)
2. Had to turn on Ubuntu Universe option in /etc/apt/sources.list, then do this:
apt-get update
apt-get install krb5-user
...Note that when you do this and it begins to install it, a blue screen will pop open and ask you for the IP address of your closest domain controller for the domain you want to authenticate against.
apt-get install winbind samba
3. Had to use a variation on your /etc/krb5.conf file:
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MY_AD_DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
MY_AD_DOMAIN.COM = {
# The "kdc" should be the IP addr of your closest domain controller.
kdc = 192.168.0.2
}
[domain_realm]
.my_ad_domain.com = MY_AD_DOMAIN.COM
my_ad_domain.com = MY_AD_DOMAIN.COM
# end
Note that I did not use admin_server or default_domain because I was getting errors. I commented them out and to my surprise my kinit statement was working.
4. In reference to all those files in /etc/pam.d that you had us edit, if you get one character wrong, you will blow your authentication! Warning! Therefore, I cut and paste from your post and was back in business again.
5. My smb.conf was almost exactly the same. I just want to comment that my password server line reflects the IP address of the closest domain controller. This should match what's in krb5.conf
[global]
unix charset = LOCALE
workgroup = MY_AD_DOMAIN
realm = MY_AD_DOMAIN.COM
netbios name = UBUNTU
server string = Samba
security = ADS
password server = 192.168.0.2
winbind use default domain = yes
client use spnego = yes
domain master = no
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
[public]
path = /tmp/public
available = yes
browseable = yes
public = yes
writable = yes
create mode = 0755
directory mode = 0755
read only = no
6. I think I had to backup and remove all my /var/lib/samba/*.tdb files and bounce winbind and samba like you mention in order for this to work properly, not caching stuff generated from my previous tests.
7. I found I had to play with chmod on /tmp/public to let other users in. You could do it the world-read-writable way (your security experts will have a cow) with chmod a+x /tmp/public, but you're better off mapping the Linux user account to a folder with chown and setting perms with chmod u+x /tmp/public/my_user_folder
Hope this helps everyone!
SuperMike
March 2nd, 2006, 12:22 AM
Some oddities about Samba that I found are these. I don't know if it's just this version, or if it's Ubuntu, or what.
* The shares act funny in Windows 2000 and XP. If you do Start, Run, \\<server and doubleclick the share, then create a new folder, it appears properly and you are given a chance to rename it. But if you close that window and repeat this step, you can create folders but not have a chance to rename them until you refresh your window with F5 key. The same goes for renaming them, creating new files, etc. I can see people getting fairly aggravated by this. I don't know how to fix that.
* Another way the shares act funny is that you cannot edit the NTFS perms from Windows. It will let you start it, but then it won't let you apply those changes. Instead, these must be applied with chown and chmod on the Linux server. This is to be accepted, of course. Just wanted to make you aware of this in case you were a noob and were assuming you can just edit the NTFS permissions from within Windows.
* I had to turn off my firewall for now to get this going. I'm not really sure what all ports need to be opened up to make this work.
* I tried editing the /etc/pam.d/common* files to see if I could trick my Linux so that it only authenticated to the company domain. I wanted to not have to use useradd for every new Samba account I wanted to add to the system. Unfortunately, this almost worked, but not completely. I noticed that it caused the passwords to lockout on the domain controller, but it still wouldn't let me have access to the session. I would imagine with some tweaking in these files I just might get it to work.
StRobo
March 2nd, 2006, 10:05 AM
Great howto since it solved all my problems. However, I have one problem and can't seem to quite figure out the correct way to do it.
The user logged on will be a 'domain user' and as such is NOT part of the cdrom, audio, video groups for instance.
Assume I have a user 'foo' that logs in correctly. How do I 'attach' this domain user to the audio group?
Draaku
March 3rd, 2006, 07:11 PM
Hi, I am trying the sadms app, and here is what i get:
could not acquire Kerberos ticket
+WARNING
Kerberos requires administrator's password
to have been reset once since domain install
in order to add DES encryption keys to user
account which only has a RC4 key when
initially created.
[ERROR]
returned error code 4
command line was <./_install.sh 'FROOT.NAU.EDU' 'nau.froot.nau.edu' 'froot.nau.edu' 'FROOT' 'ucc123' 'Computers' 'fg32' '*****' 'Domain Users' '134.114.70.0/255.255.255.0' ''>
stevea1210
March 3rd, 2006, 10:37 PM
Hi, I am trying the sadms app, and here is what i get:
could not acquire Kerberos ticket
+WARNING
Kerberos requires administrator's password
to have been reset once since domain install
in order to add DES encryption keys to user
account which only has a RC4 key when
initially created.
[ERROR]
returned error code 4
command line was <./_install.sh 'FROOT.NAU.EDU' 'nau.froot.nau.edu' 'froot.nau.edu' 'FROOT' 'ucc123' 'Computers' 'fg32' '*****' 'Domain Users' '134.114.70.0/255.255.255.0' ''>
I have read on some sites that the admin password on the DC needs to be reset before it will work. I think this was tied to Win2k, but I could be remembering incorrectly. Reset the admin account password, then reset it again to what it was previously (for convenience). Then try it again.
stevea1210
March 3rd, 2006, 10:40 PM
Great howto since it solved all my problems. However, I have one problem and can't seem to quite figure out the correct way to do it.
The user logged on will be a 'domain user' and as such is NOT part of the cdrom, audio, video groups for instance.
Assume I have a user 'foo' that logs in correctly. How do I 'attach' this domain user to the audio group?
I had the same problem. I wrote a down and dirty script to add domain users to local groups on the linux box. Here is the link
http://ubuntuforums.org/showpost.php?p=458664&postcount=6
Give that a try, it should take care of it. You can add users to audio, as well as any other needed groups, using it.
stevea1210
March 3rd, 2006, 10:45 PM
Some oddities about Samba that I found are these. I don't know if it's just this version, or if it's Ubuntu, or what.
* Another way the shares act funny is that you cannot edit the NTFS perms from Windows. It will let you start it, but then it won't let you apply those changes. Instead, these must be applied with chown and chmod on the Linux server. This is to be accepted, of course. Just wanted to make you aware of this in case you were a noob and were assuming you can just edit the NTFS permissions from within Windows.
Make sure the partition on the samba server is mounted with acl. Below is a line from my /etc/fstab. Note the acl in it.
/dev/hdc1 /netshares ext3 acl,defaults 0 1
After editing fstab, remount the drives
sudo mount -a
That should fix the inability to edit acl's from windows.
Draaku
March 6th, 2006, 10:31 AM
I have read on some sites that the admin password on the DC needs to be reset before it will work. I think this was tied to Win2k, but I could be remembering incorrectly. Reset the admin account password, then reset it again to what it was previously (for convenience). Then try it again.
The domain admin will not change his password to help me with this; he doesn't want to risk it. Is there no other way? I have rights to add computers and users to the domain, and I just reset my password.
stevea1210
March 7th, 2006, 02:47 PM
The domain admin will not change his password to help me with this; he doesn't want to risk it. Is there no other way? I have rights to add computers and users to the domain, and I just reset my password.
After resetting your password, did you try it again?
When you are trying to get your ticket, are you using your username/password
(since your password was just reset)?
AFAIK, each place I read about the admin password needing reset, that was always the solution. I don't know of another way around it. I'm not saying it isn't possible, just that I haven't heard of any.
Another option is to try to sweet-talk the admin on how joining your Ubuntu box to the domain will aid in blah blah. It will make his life blah blah. What's the worst that can happen?
bluemax
March 9th, 2006, 11:59 AM
I completed all the steps up to joining the domain. I thought I should be logged in as an actual AD user when I did that, so I created a new user for my username in AD, and then logged in as that user. But then, when I try to do the 'net ads join' command I get this error:
Failed to open /var/lib/samba/secrets.tdb
Is this because I set everything up as a different user (who isn't a domain user)?
EDIT: Actually I get this error no matter which user I'm logged in as, when I try to join the domain. Any ideas what's wrong? File permissions maybe?
stevea1210
March 9th, 2006, 05:42 PM
I completed all the steps up to joining the domain. I thought I should be logged in as an actual AD user when I did that, so I created a new user for my username in AD, and then logged in as that user. But then, when I try to do the 'net ads join' command I get this error:
Failed to open /var/lib/samba/secrets.tdb
Is this because I set everything up as a different user (who isn't a domain user)?
EDIT: Actually I get this error no matter which user I'm logged in as, when I try to join the domain. Any ideas what's wrong? File permissions maybe?
It is the permissions on /var/lib/samba/secrets.tdb. I had that issue also. I chmoded mine to 777, which may be (and probably is) overkill. I wasn't sure if all users needed read/write/execute on it, but that did fix the issue.
sudo chmod 777 /var/lib/samba/secrets.tdb
BTW, this is for my home network, not a corporate environment, so a few 777's isn't as big of a risk as in a corporate setting. If anyone knows what the actual NEEDED permissions on this are, I would be all ears.
StRobo
March 10th, 2006, 03:16 AM
I had the same issue but instead of chmod'ing I simply ran
sudo net ads join
and that worked great.
Thanks for all the info in this thread. It truly is a great one.
Swab
March 18th, 2006, 04:34 AM
Followed the guide and everything is working, however each time I log in as a domain user I have to manually issue the kinit command to get a ticket... does anyone have a way around this?
scav
March 18th, 2006, 05:30 AM
replace pam_winbind.so with pam_krb5.so
Swab
March 18th, 2006, 05:38 AM
Thanks, I'll try that on Monday!
wmarchewka
March 18th, 2006, 12:04 PM
Hi all. I am able to log on using an Active Directory user and password. But when I try to connect to any shares via "Connect to Server...", it prompts me for a username and password. The logged-on user and domain are there; it's wanting a password. If I type in a password, I am able to successfully browse the share. Is this normal behaviour? I thought that since I am logging on as an AD user, I would be able to view any shares that the user had permission for? The user is a new user I created on my 2K3 server, and I added them to UnixAdmins. The user works from an XP machine and is able to browse shares, but just not from the Ubuntu box. I can do all this successfully too...
* Test domain computer account: net ads testjoin.
* Test winbindd: wbinfo -u to list AD users and wbinfo -g for groups.
* Test kerberized Samba: net ads user and net ads group should show you your AD users and groups (i.e. same as above).
* Test kerberized connection to a remote Windows server: smbclient -L //WINSERVER -k from the Samba server. While you're at it, connect locally to the Samba server the same way.
* Finally, test connectivity from a Windows box: Start -> Run -> \\SAMBASERVER.
* Run wbinfo -t; it should return: checking the trust secret via RPC calls succeeded, otherwise you have done something wrong (use the command testparm -v to check your samba configuration).
So what am i missing? Thanks in advance. I thought i triple checked all the config changes that this thread called for...
wmarchewka
March 19th, 2006, 08:55 PM
I found that i am actually having the same trouble as Swab, where i have to manually enter the Kinit command. Scav, you said to replace pam_winbind.so with pam_krb5.so, and i have tried in both the common-auth and common-account and neither seemed to work...
stevea1210
March 19th, 2006, 11:22 PM
wmarchewka:
Is this the line you put in your /etc/pam.d/common-auth?
auth sufficient pam_krb5.so
instead of having
auth sufficient pam_winbind.so
Of course, after installing libpam-krb5.
I wasn't getting a ticket at logon either, and making the above changes took care of it for me. I now get one at each logon. BTW, I didn't touch my common-account for this.
dingbatca
March 22nd, 2006, 12:13 PM
Just trying to get the base packages for binding to AD. I get an error, any ideas? Clean install of 5.10. I also updated the system with apt-get update, and upgrade.
root@cslinux4:~# apt-get install winbind samba
Reading package lists... Done
Building dependency tree... Done
Package winbind is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package winbind has no installation candidate
root@cslinux4:~#
root@cslinux4:~# apt-get install krb5-user
Reading package lists... Done
Building dependency tree... Done
Package krb5-user is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
krb5-doc
E: Package krb5-user has no installation candidate
Swab
March 22nd, 2006, 02:07 PM
Just trying to get the base packages for binding to AD. I get an error, any ideas? Clean install of 5.10. I also updated the system with apt-get update, and upgrade.
root@cslinux4:~# apt-get install winbind samba
Reading package lists... Done
Building dependency tree... Done
Package winbind is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package winbind has no installation candidate
root@cslinux4:~#
root@cslinux4:~# apt-get install krb5-user
Reading package lists... Done
Building dependency tree... Done
Package krb5-user is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
krb5-doc
E: Package krb5-user has no installation candidate
I think winbind and krb5-user are both in the universe repository
dingbatca
March 22nd, 2006, 05:02 PM
I am well versed in Gentoo and Redhat/Fedora/CentOS, but I must state that I have no clue how to use apt-get. How do I switch to the "universe repository"?
Swab
March 22nd, 2006, 05:16 PM
I am well versed in Gentoo and Redhat/Fedora/CentOS, but I must state that I have no clue how to use apt-get. How do I switch to the "universe repository"?
You can add repositories by following either of these wiki pages... should get you up and running.
https://wiki.ubuntu.com/AddingRepositoriesCliHowto
https://wiki.ubuntu.com/AddingRepositoriesHowto
dingbatca
March 29th, 2006, 09:01 PM
OK, all 6 of my client systems are up and running with graphical login and pam_mount running. Now I am stuck on a new issue. Whenever I log into a different system my UID & GID change. Any ideas?
StRobo
March 31st, 2006, 03:24 AM
No great ideas other than modifying the
idmap uid = 500-10000000
idmap gid = 500-10000000
values a bit.
You could probably get different uid/gid values if you have a different amount of local users on the different systems. You could try to set
idmap uid = 1000-10000000
idmap gid = 1000-10000000
This is just in theory though, as I cannot try it right now and I have not tried it before either.
HTH
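As an added illustration (not from this thread or its howto), here is a small Python model of why an allocation-style idmap gives the same AD user different UIDs on different hosts, and how a RID-based mapping (base + RID, the arithmetic Samba's idmap_rid backend uses) avoids that. The domain SID, user names and login orders are constructed, and the allocation behaviour is a modelling assumption about the default Samba 3 tdb idmap.

```python
# Model (added example, not from the thread) of why winbind can give one AD user
# different UIDs on different hosts. Assumptions: the default Samba 3 idmap (tdb)
# hands out the next free UID from 'idmap uid' in order of first sight, per host;
# an idmap_rid-style mapping derives the UID from the SID's RID instead.

# Constructed sample SIDs: a made-up domain SID plus each user's RID.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
USERS = {
    "alice": DOMAIN_SID + "-1104",
    "bob": DOMAIN_SID + "-1105",
    "carol": DOMAIN_SID + "-1106",
}


class AllocatingIdmap:
    """Per-host allocation table: the first SID seen gets the lowest free UID, and so on.
    Two hosts that meet users in a different order end up with different tables."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.table = {}

    def uid_for(self, sid):
        if sid not in self.table:
            uid = self.low + len(self.table)
            if uid > self.high:
                raise ValueError("idmap uid range exhausted")
            self.table[sid] = uid
        return self.table[sid]


def rid_uid(sid, low):
    """Deterministic mapping: UID = range base + RID, computed the same way on every
    host, so files on shared storage keep one owner regardless of login order."""
    return low + int(sid.rsplit("-", 1)[1])


def compare_hosts(logins_host_a, logins_host_b, low=500, high=10000000):
    """Replay two login orders on two hosts and return, per user,
    (uid on host A, uid on host B, RID-derived uid)."""
    host_a, host_b = AllocatingIdmap(low, high), AllocatingIdmap(low, high)
    for user in logins_host_a:
        host_a.uid_for(USERS[user])
    for user in logins_host_b:
        host_b.uid_for(USERS[user])
    return {
        user: (host_a.uid_for(sid), host_b.uid_for(sid), rid_uid(sid, low))
        for user, sid in USERS.items()
    }


if __name__ == "__main__":
    # Same three users, logging in first on host A in one order and on host B in another.
    for user, (a, b, rid) in compare_hosts(["alice", "bob", "carol"],
                                           ["carol", "alice", "bob"]).items():
        print(f"{user}: host A uid {a}, host B uid {b}, rid-based uid {rid}")
```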
sigtau66
April 5th, 2006, 11:06 PM
I have a good one for everybody to see if they can figure out. When I try to join the domain with my box, I get this unique error:
[2006/04/05 21:59:27, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Invalid credentials
This is after I enter my password and hit enter. Now, here comes the wrinkle. :D
When I first did this on my box, it was successful, BUT I had misconfigured my smb.conf file in a major way. For the NETBIOS name, I stupidly typed in my domain controller's name. DOH! So it told me the host account already exists, but it was modifying it... blah, blah, blah. Well, I don't seem to have messed up my domain as all my windows boxes can log in.
Now, though, I can't join this machine to the domain. I've changed the smb.conf file to reflect the right netbios name. I've reset the administrator password for the domain admin. Hell, I've even created a new domain admin account and got a ticket for that account and it still doesn't work. I've renamed all the /var/lib/samba/*.tdb files and restarted samba and winbind.
At this point, Google isn't helping me, so I was wondering if any of you have run into this and what the solution is.
Anybody? :)
intangible
April 6th, 2006, 11:14 AM
Manage your Active Directory and remove any references to the old computer name and the new one, and then try to rejoin.
sigtau66
April 6th, 2006, 11:24 AM
Manage your Active Directory and remove any references to the old computer name and the new one, and then try to rejoin.
Did that too.
Right now, this isn't a problem because I just rebuilt my box again. The funny thing is that right after I posted that last night, I wanted to try a reboot. Once I rebooted, I COULDN'T login. All my credentials were wrong. It was an odd issue. So, seeing no way around it and since nothing was on it, I just rebuilt.
I'm going to try this again later today and MAKE sure not to screw up my smb.conf file.
bushtor
April 10th, 2006, 05:08 AM
Hi,
I've started to implement this howto, but before proceeding I just want to ensure that it covers about what I need.
My scenario:
A W2003 domain controller and DNS server with around 300 user accounts.
Ubuntu 5.10 server with samba as file- and print server.
When a user logs in to the w2003 server for the first time,
a personal home folder should be created in Ubuntu as described in this howto.
At the same time a personal profile folder should be created in /ubuntuserver//home/<domain>/profiles/<username>
All the above with correct access credentials.
Can someone confirm that following this thread gives me the above-mentioned personal (Samba hosted) home folders for each user logging in to the w2003 DC?
How do I have personal profile folders created automatically the same way as the home folders?
Please comment if this howto does not fit my scenario and point me in the right direction ;-)
When having this up and running, we're looking for a good and reliable print manager running under ubuntu. We need to keep track of the users' page count etc.. What are you guys using for this purpose?
regards
Tor
kubark42
April 25th, 2006, 06:02 AM
I used a combination of this howto and SADMS to get my park of Kubuntu realtime machines authenticating against the university's AD server. Great!
Just two things that are annoying.
1) I can't figure out how to change the shares server based on the login. There are two windows shares here, Poseidon and Atlas. Poseidon is for students and Atlas for researchers. So if bob.student logs in, he should authenticate to Poseidon, whereas fred.researcher should authenticate to Atlas.
2) The IT department tracks printer usage based on user accounts. Right now, the printer installed on the machine uses a generic account for printing. Ideally, the user login/password would be used, instead of the generic account.
I've googled a lot, but am really out of my depth when it comes to AD. Any ideas for how to fix these two problems?
WesternH
June 30th, 2006, 03:23 AM
Guys, I got this error message in /var/log/samba/log.winbind
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2240)
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL
can anyone help me?
I still can't log on to the domain after following the instructions here. Everything seems to be fine and there are no error messages except this one in log.winbind. Do I have to edit /etc/pam.d/login?
Thanks for your time.
Novack
July 13th, 2006, 04:52 AM
Thanks for the great FAQ.
However, I have 2 problems.
First, with sudo. I can get sudo access for single AD users working, but not for groups.
This works:
myadmin ALL=(ALL) ALL
This doesn't:
%UnixAdmins ALL=(ALL) ALL
Secondly, can anyone tell me how I can add AD users as members to local unix groups?
I can run this command OK with the expected results:
for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
However, running 'getent passwd' (which I found from the winbindd guide on the Samba website) does not return the logged in AD user like it should according to the Samba guide.
k999
July 18th, 2006, 05:23 AM
Hi,
Can I set this up so that the user logs in with her home directory on a samba share? I want everything the user saves to be on the server where everything is backed up, as well as one place to administer user accounts, and the most user friendly way to do this is to make the home directory lie on a samba share.
I also want the directories on the samba share to be accessible from a terminal window, and not just from the GUI. When I use "Places" > "Connect to Server..." I just get an icon on the desktop, it doesn't seem like the share is mounted locally.
jr_hearty
July 18th, 2006, 11:27 PM
I'm running 6.06. When I try to install krb5-user, it says the package is no longer available. Does anyone have suggestions?
jon_anderson_ca
July 19th, 2006, 08:24 AM
Assume I have a user 'foo' that logs in correctly. How do I 'attach' this domain user to the audio group?
Take a look at "Giving power to the user in front of the screen" (http://www.debian-administration.org/articles/308), from debian-administration.org (http://www.debian-administration.org/). It shows how to configure pam_group to let the local user be in audio/cdrom/floppy/video/etc. without messing up /etc/group.
HighPlainsDrifter
July 21st, 2006, 12:51 PM
By "reset" the password, do you mean you had to give the administrator account a completely new password?
digitalexpl0it
July 26th, 2006, 03:29 PM
hello all,
I've been following this thread for a few days and I have to say thank you for the documentation. It helped me out a lot. I've been creating a little GUI to help those who are new to Linux or not comfortable editing conf files from the command prompt or using gedit or whatever. For those who want to test out the app I'll post it below.
Note: this application is still alpha and could mess up your Linux box, so make sure you back up everything so that if something does happen you can go into rescue mode, log in as root, then copy back the files. This application does back up the conf files before writing to them, but if you don't save the _BACKUP it will overwrite the backup file if you try to reconfigure the conf files with the GUI.
Also you will need to install a lib to run this. I am in the process of installing Ubuntu on VMware so I can make a better howto, including what libs you need to install.
http://www.daemonprojects.com/xantar/Screenshot-1.jpg
http://www.daemonprojects.com/xantar/Screenshot-3.jpg
Remember to run the application as root.
File Download: http://www.daemonprojects.com/xantar/Xantar.run
You will need to run the following before running Xantar:
apt-get install libstdc++5
Scott07
September 14th, 2006, 08:47 PM
I'm running 6.06. When I try to install krb5-user, it says the package is no longer available. Does anyone have suggestions?
Yes, I have just got it working about 10 minutes ago. What you need to do is install Kerberos manually. This means you need to install the bits and bobs needed to compile packages from source; as far as I remember these are:
make,
gcc-base
gcc
You will also need to install the curses/ncurses library and the C developer's version (again in the package manager) and something to do with YaST (there are a few tools in the package manager).
Now go here: http://www.mit.edu/~kerberos/dist/index.html and download the Kerberos source and extract it. Then fire up konsole (or equivalent) in Super-User mode and cd to the src directory in the extracted Kerberos folder. Type "./configure" and let it run (it might stop with an error code because you don't have a dependency; you should be able to find one to cover that in the package manager, just have a hunt around). After configure has finished, type "make" (again you might have some dependency problem) and once that's done type "make install". Kerberos will now be installed and working, so you can follow the steps in the first post to get it to work.
Just a warning, I have only tried this on a windows 2000 active directory domain.
Have fun!
ximok
September 18th, 2006, 10:09 PM
Ok, when I join a win2k machine to my Win2k AD Domain it joins within a few seconds.
My linux boxes take anywhere from 10 to 45 minutes when I do net ads join!!
As root:
kinit adminuser@ABCDE.XYZ
<type in password>
klist shows me my tickets (which look ok?)
net ads join
(wait forever)
command completes
net ads testjoin shows that my join is complete. It just took forever.
I can login just fine after it joins, it just takes way too long to be anything efficient during install.
Ideas?
Here are some files for you to view
krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = ABCDE.XYZ
# dns_lookup_realm = false
# dns_lookup_kdc = true
[realms]
ABCDE.XYZ = {
kdc = kdc1.abcde.xyz
kdc = kdc2.abcde.xyz
admin_server = kdc1.abcde.xyz
default_domain = ABCDE.XYZ
}
[domain_realm]
.abcde.xyz = ABCDE.XYZ
abcde.xyz = ABCDE.XYZ
smb.conf
[global]
security = ads
realm = ABCDE.XYZ
# password server = kdc1.abcde.xyz
workgroup = ABCDE
winbind separator = +
allow trusted domains = No
idmap uid = 10000-2000000
idmap gid = 10000-2000000
winbind enum users = No
winbind enum groups = No
winbind cache time = 15
template homedir = /home/%D/%U
template shell = /bin/bash
# spnego disabled due to bug
client use spnego = No
encrypt passwords = Yes
winbind use default domain = Yes
winbind nested groups = Yes
restrict anonymous = 2
nailbombjoe
November 9th, 2006, 02:33 PM
I followed your instructions and it worked perfectly on Ubuntu Server 6.06.1. Thanks for the awesome howto!
nailbombjoe
November 9th, 2006, 02:38 PM
Try configuring your linux box to use the AD DNS server for domain name lookups. I know that if you don't do that with 2000 and XP boxes that joining and logging into the domain will be super slow. I'm not positive that it will help you but it is worth a shot.
nailbombjoe
November 9th, 2006, 02:40 PM
ScatterBrain
December 6th, 2006, 01:20 PM
However, running 'getent passwd' (which I found from the winbindd guide on the Samba website) does not return the logged in AD user like it should according to the Samba guide.
Did anyone ever resolve this? I have the same problem - although I can use chmod, chown, etc to assign permissions using the Windows usernames and groups and that does work.
I would prefer to see the results show up in 'getent passwd' and 'getent group' though.
ScatterBrain
December 6th, 2006, 01:30 PM
Nevermind...I found this post (http://www.elwoods.org/home/2006/07/18/follow-up-thoughts-on-ubuntu-plus-active-directory/) which changed these settings in /etc/samba/smb.conf:
winbind enum users = yes
winbind enum groups = yes
and now both 'getent' commands work as I wanted them to.
Oh, and in addition - at least in my testing environment using Windows 2003 Server R2 and Ubuntu 6.06 fully updated - I had to remove these lines from /etc/krb5.conf before I could get a Kerberos ticket:
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
I hope this helps someone out in the future!
Great Howto by the way!
ppateel
December 9th, 2006, 05:06 AM
Hi,
I am a complete newbie. So please bear with me.
I am trying to follow the tutorial using ubuntu 6.10 (edgy eft). I want to connect the linux box to a Windows 2003 Active Directory server.
I had to make a small change in /etc/pam.d/common-auth, as below:
auth required pam_unix.so nullok_secure
because it would not let me do sudo if I used the original code.
Original code:
auth required pam_unix.so nullok_secure use_first_pass
After I made that change, when I do a kinit I get the following error message after I enter my password.
KDC reply did not match expectations while getting initial credentials
What am I doing wrong? Any help or suggestion is greatly appreciated.
Prahalad
acgiglyph
December 11th, 2006, 05:31 PM
I too was struggling with this problem but was able to get it to work. While the base article was a GREAT start it does leave some items out that I will try to spell out below.
The /etc/pam.d/common-account file needed the following info:
# account required pam_unix.so
account required pam_winbind.so
Also here are some links that really helped on my quest.
http://www.linuxquestions.org/questions/showthread.php?t=313520
http://www.justlinux.com/forum/showthread.php?threadid=118288
http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication
http://lists.samba.org/archive/samba/2005-May/105985.html
http://www.mail-archive.com/samba@lists.samba.org/msg80201.html
I know that this is frustrating for many users, but as you can see, it can be done and is VERY rewarding when completed. Best of luck to you all.
numbers1thru9
December 12th, 2006, 03:00 PM
Hey all, I followed the directions and was able to set up the PC to join the domain and it worked; there was no problem. But I knew everything was going too well, because I can't seem to log in with my AD username. I set the separator to \ and it won't log in. Also, when I log in with the account that I set up when I installed the system, it will not keep the ticket and I have to issue a new kinit statement when I log in. I can ssh user@DOMAIN perfectly, but I want to be able to log in with an AD name on the GUI. Can anyone help me make this happen? Also, if I change pam_winbind.so to pam_krb5.so it killed the box and I had to re-image the machine because I would get an auth failed error with any username. I really want this to work. Any help is appreciated.
Alastairroy
January 2nd, 2007, 10:03 AM
I solved it by resetting the Administrator password :) It looks like I now have a Kerberos ticket already, I'll post back the whole result (hopefully successful!)
Thanks steve :)
Hi, sorry to bother you. I was wondering if you can remember the command to reset the administrator password. I am having the same problem, have tried most of the other things and none have worked so far.
Thanks in advance
rickyjones
January 2nd, 2007, 06:27 PM
Hey,
Just wanted to post to say that I got this working perfectly using the directions in the first post. I have a VMWare install of Windows 2003 SP1, all default + an install of AD. Then I'm using the latest Ubuntu Server release in another VM to test the authentication. Works like a charm!
Hi, sorry to bother you. I was wondering if you can remember the command to reset the administrator password. I am having the same problem, have tried most of the other things and none have worked so far.
By "Reset the Administrator Password" we mean to change the main administrator password on the Windows Server machine. You can do this via Active Directory Users and Computers tool.
-Richard
Rever75
January 23rd, 2007, 01:57 PM
HI All,
I got this working great on my Ubuntu Edgy box. However, when a user's password expires it does not prompt me to change my password. Is this possible while using GDM and Ubuntu? I got this working using Novell SLED 10 (configuration was done differently) so I believe it is possible. Any help would be great as I like Ubuntu over SLED and will need to install 10 new Linux systems that will be authenticating via M$ AD Windows Server 2003.
NaughtyusMaximus
February 9th, 2007, 07:09 PM
I really need some help configuring this. No matter what I change, I am unable to *properly* join the domain. I always end up with this error:
root@LS-001:/home/me# kinit me
Password for me@HATCON.LOCAL:
root@LS-001:/home/me# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: me@HATCON.LOCAL
Valid starting Expires Service principal
02/09/07 16:06:56 02/09/07 22:46:56 krbtgt/HATCON.LOCAL@HATCON.LOCAL
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@LS-001:/home/me# net ads join
[2007/02/09 16:07:14, 0] libads/ldap.c:ads_add_machine_acct(1414)
ads_add_machine_acct: Host account for ls-001 already exists - modifying old account
Using short domain name -- HATCON
Joined 'LS-001' to realm 'HATCON.LOCAL'
root@LS-001:/home/me# net ads testjoin
[2007/02/09 16:07:35, 0] libads/kerberos.c:ads_kinit_password(164)
kerberos_kinit_password HATCON@HATCON.LOCAL failed: Client not found in Kerberos database
[2007/02/09 16:07:35, 0] libads/kerberos.c:ads_kinit_password(164)
kerberos_kinit_password HATCON@HATCON.LOCAL failed: Client not found in Kerberos database
[2007/02/09 16:07:35, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Client not found in Kerberos database
Join to domain is not valid
root@LS-001:/home/me#
my krb5.conf file looks like this:
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = HATCON.LOCAL
[realms]
HATCON.LOCAL = {
kdc = pc-001.hatcon.local
admin_server = pc-001.hatcon.local
default_domain = HATCON.LOCAL
}
[domain_realm]
.hatcon.local = HATCON.LOCAL
hatcon.local = HATCON.LOCAL
My AD Server running Windows 2003 Server R2 is 'PC-001.HATCON.LOCAL', and the local ubuntu machine is LS-001. If anyone has any suggestions, please help - I'm thrown for a loop on this one.
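The join problems in this thread are easier to sort out once krb5.conf and smb.conf are known to agree with each other. Here is an added Python check, not from the thread or the howto author, that parses both files and reports the mismatches a practitioner would look for first (default_realm without a matching [realms] block, [domain_realm] pointing elsewhere, smb.conf realm or security differing, idmap ranges overlapping local UIDs); the realm names, hostnames and ranges in the sample configs are constructed.

```python
# Added example (not from the thread): parse krb5.conf and smb.conf and report
# settings that disagree before attempting 'net ads join'. Samples are constructed.
import re

def parse_krb5(text):
    """krb5.conf -> {section: {key: [values]}}; 'NAME = { ... }' becomes a nested dict."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (block if block is not None else section).setdefault(key, []).append(value)
    return sections

def parse_smb(text):
    """smb.conf -> {section: {key: value}}; keys lower-cased with single spaces."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1).lower(), {})
        elif section is not None and (m := re.match(r"([^=]+?)\s*=\s*(.*)$", line)):
            section[" ".join(m.group(1).lower().split())] = m.group(2).strip()
    return sections

def check_ad_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    krb, g = parse_krb5(krb5_text), parse_smb(smb_text).get("global", {})
    realms = krb.get("realms", {})
    realm = krb.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        findings.append("krb5.conf: [libdefaults] has no default_realm")
    else:
        # The KDC list only counts if the [realms] block carries the realm's exact name.
        if not isinstance(realms.get(realm), dict):
            findings.append(f"krb5.conf: [realms] has no block named {realm} (found: {', '.join(realms) or 'none'})")
        for name, targets in krb.get("domain_realm", {}).items():
            for target in targets:
                if target != realm:
                    findings.append(f"krb5.conf: [domain_realm] maps {name} to {target}, not {realm}")
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be ads for an AD join")
    smb_realm = g.get("realm")
    if smb_realm is None:
        findings.append("smb.conf: [global] has no realm")
    elif realm and smb_realm.upper() != realm:
        findings.append(f"smb.conf: realm {smb_realm} differs from krb5 default_realm {realm}")
    for key in ("idmap uid", "idmap gid"):
        m = re.match(r"(\d+)\s*-\s*(\d+)$", g.get(key, ""))
        if m is None:
            findings.append(f"smb.conf: {key} missing or not of the form LOW-HIGH")
        elif int(m.group(1)) < 1000:  # Ubuntu creates local users from UID 1000 up
            findings.append(f"smb.conf: {key} starts below 1000, overlapping local user IDs")
    return findings

# Constructed sample: the [realms] block is named for a different realm than
# default_realm, so its kdc entry never applies to the realm actually in use.
BAD_KRB5 = """[libdefaults]
  default_realm = EXAMPLE.INTERNAL
[realms]
  OTHER.ORG = {
    kdc = dc1.example.internal
  }
[domain_realm]
  .example.internal = EXAMPLE.INTERNAL
"""
GOOD_KRB5 = BAD_KRB5.replace("OTHER.ORG", "EXAMPLE.INTERNAL")
SMB = """[global]
  security = ads
  realm = EXAMPLE.INTERNAL
  workgroup = EXAMPLE
  idmap uid = 10000-2000000
  idmap gid = 10000-2000000
"""

if __name__ == "__main__":
    for label, krb5 in (("bad", BAD_KRB5), ("good", GOOD_KRB5)):
        print(label, check_ad_config(krb5, SMB) or ["ok"])
```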
NaughtyusMaximus
February 12th, 2007, 03:32 PM
Any ideas?
NaughtyusMaximus
February 12th, 2007, 04:40 PM
I managed to get it to work, after using SADMS, and then modifying the pam.d files according to the directions on the first page. I'm still not sure where the discrepancy between this config and the one I did manually is, but I'm very happy that it works ;)
Hotei
February 22nd, 2007, 12:29 PM
First off, thank you to everyone that has helped with this How-To. It is wonderful and works right out of the box, so to say. So, moving forward to transition my old Samba server to this one, I am having a bit of trouble and I don't know how to get it solved. When providing a share, I need people to be able to read/write, and just read from the share. Because it is using AD, I am unclear how to make this work. Typically it would go:
[share1]
path = /home/share1
valid users = user1, user2, user3, @somegroup, @anothergroup
read list = user1,@anothergroup
write list = user2,user3,@somegroup
create mask = 0777
directory mask = 0777
I have the permissions set like so:
drwxrwsrwx 2 user2 somegroup 4096 2007-02-22 10:39 share1
This setup doesn't work in my new AD aware Samba Server. Help please?
flashingcurser
March 16th, 2007, 10:19 AM
Secondly, can anyone tell me how I can add AD users as members to local unix groups?
I have the same question. Users can log in just fine, however for them to have permissions to cdrom and audio groups, I have to add their AD users directly to the /etc/group file.
Imagine if you will one hundred users, and you will see what a pain it is. There has to be a more eloquent way of doing this. Frankly, there is little security problem with changing permissions on sound /dev, that is pretty clunky too.
I have tried unsuccessfully to use pam_group.so, but I can't seem to get it to recognize AD users. Though that would seem to be the ideal way.
Anyone have a good way of doing this?
PrivateVoid
March 26th, 2007, 09:57 PM
Domain admin will not change the password to help me with this; he doesn't want to risk it. Is there no other way? I have rights to add computers and users to the domain, and I just reset my password.
Good Admin...
No reason to change the AD Domain Admin password just to get a linux box on the domain!
mlbensi
April 20th, 2007, 07:08 AM
Yes, I have just got it working about 10 minutes ago. What you need to do is install Kerberos manually. This means you need to install the bits and bobs needed to compile packages from source; as far as I remember these are:
make,
gcc-base
gcc
You will also need to install the curses/ncurses library and the C developer's version (again in the package manager) and something to do with YaST (there are a few tools in the package manager).
Now go here: http://www.mit.edu/~kerberos/dist/index.html and download the Kerberos source and extract it. Then fire up konsole (or equivalent) in Super-User mode and cd to the src directory in the extracted Kerberos folder. Type "./configure" and let it run (it might stop with an error code because you don't have a dependency; you should be able to find one to cover that in the package manager, just have a hunt around). After configure has finished, type "make" (again you might have some dependency problem) and once that's done type "make install". Kerberos will now be installed and working, so you can follow the steps in the first post to get it to work.
Just a warning, I have only tried this on a windows 2000 active directory domain.
Have fun!
Quick question.
Will this manual install of Kerberos work on a Ubuntu server running 6.10 as well as it does on the 6.06 version?
Thanks in advance,
Matt
legolas_w
April 24th, 2007, 05:02 PM
Hi
Thank you for reading my post
Has anyone tried and been successful in using Ubuntu 7.04 (Feisty Fawn) with Windows 2003?
I will be very grateful if you share your steps to integrate Feisty Fawn with Windows Server 2003.
Thanks
brechtvb
April 25th, 2007, 06:34 AM
Can someone explain to me the difference between nsswitch and PAM?
They both use winbind, but what is the connection between nsswitch.conf and PAM?
all answers appreciated
rickyjones
April 25th, 2007, 07:40 AM
Hi
Thank you for reading my post
Has anyone tried and been successful in using Ubuntu 7.04 (Feisty Fawn) with Windows 2003?
I will be very grateful if you share your steps to integrate Feisty Fawn with Windows Server 2003.
Thanks
I don't know if anyone has tried this yet but if I find the time later this week I'll probably try it just to see.
-Richard
legolas_w
April 25th, 2007, 08:03 PM
Hi
It is very nice of you.
I am looking forward to seeing the result of your try.
Thank you very much.
rickyjones
April 27th, 2007, 09:38 PM
I just tried to quickly do it tonight but it failed... not sure exactly why, still need to look into it a little more. When we got to the point of joining the computer to the domain it would come back with an error (didn't write it down) and the computer account would be disabled in Active Directory. I will try this again tomorrow most likely.
-Richard
legolas_w
April 28th, 2007, 08:04 AM
Thank you very much, looking forward to reading your steps.
thanks
rickyjones
April 28th, 2007, 01:01 PM
I have confirmed that Ubuntu Server 7.04 will indeed connect to an Active Directory domain. I followed all the steps from the first post and confirmed that it works. Following is the description of my environment.
Environment
Our environment consists of a Windows 2003 Standard Server configured as a domain controller, DNS server, and file server. It has the latest service pack, SP2, installed. It is configured using the following information:
* Domain: contoso.com
* Netbios Domain: CONTOSO
* Hostname: server01
* FQDN: server01.contoso.com
* IP: 192.168.1.253
There have been small changes to group policy settings (roaming profiles, redirected My Documents, etc…) If the experiment continues to fail I will reinstall and leave all settings as default.
The Ubuntu Server is version 7.04 with all available updates installed in the beginning. I will configure the hostname and domain configuration files, along with pointing the server to the Windows server for its DNS.
* Domain: contoso.com
* Hostname: server02
* FQDN: server02.contoso.com
* IP: 192.168.1.252
Configuration on Ubuntu Server 7.04
During the installation I assigned the hostname of “server02” and had the installer use the entire disk for the partitioning scheme. For the main user I used my name, richard, as the username. I used my normal password. Please note that I am creating a different username than that of which exists on my Active Directory domain. I did not install the DNS server or LAMP stack. Once the system was installed I made a backup of /etc/apt/sources.list and edited the original so that it did not use the install CD. That is the only change that I made. I then performed an update and then upgrade for the packages. I then installed the SSH server via sudo apt-get install openssh-server. All the other commands will be done via Putty. The next thing that I did was edit the network interfaces file for a static IP address. All the commands are typed into a root bash shell (sudo bash). I edited hosts to include server02.contoso.com and I also edited hostname to show server02.contoso.com. Next I edited the resolv.conf file to point to my domain controller. I have verified that DNS works – I can ping the FQDN for server01. Now I’m going to reboot the Ubuntu server to make sure that the new hostname is correctly configured. Now I’ll follow the directions from the beginning of this thread. Following all the steps exactly allowed me to join the domain. On reboot I tried to SSH in using domain_user@DOMAIN.LOCAL and it did not work. Will reboot and try it again using just the username, not the full username. That worked!
Hope that helps everyone!
-Richard
rickyjones
April 28th, 2007, 02:39 PM
Alright, now that I have this working I'm wondering if someone will be able to assist me to push this project a little further.
Here is the scenario: A small company has approximately 10 client workstations, all Windows XP Professional. In order to streamline administration and to centralize a lot of the information the management (including IT) have decided to implement a Windows 2003 Standard Server. This server will be responsible for Active Directory, DNS, and printing. Because it is not best practice to use the domain controller as a network file server, IT has recommended installing an Ubuntu 7.04 file server for the network. IT has determined that it is feasible to join this computer to the domain, therefore allowing network users to log into this machine. However, management has declared that shared folders on this file server must be locked down. User home directories must be accessed only by those users and the associated managers. The logical way to do this is to assign security rights using Windows ACLs.
How do we do ACL support using Samba? I'm completely stuck on this point. My smb.conf file contains the following (for the share only):
[data]
comment = Data
path = /data
use nt acls = yes
From the domain controller I can access the folder but cannot create new folders or files in it. I am unable to edit the security permissions. On Ubuntu I chmodded the /data folder as 777 for testing. This had no effect.
Any ideas guys?
Thanks,
-Richard
legolas_w
April 28th, 2007, 03:25 PM
Hi Richard.
Thank you for your steps.
Will it work with Ubuntu Desktop edition?
I do not have the server edition and I just need to log in to the domain using my domain username/password, and I also need to have a shared folder and access to other colleagues' shared folders.
I have the Ubuntu Desktop edition DVD and I will install all of its packages next day. Thank you very much for your steps; I will share the result.
Thanks
rickyjones
April 28th, 2007, 03:29 PM
I don't see why it wouldn't work with Ubuntu Desktop... I will try to test that later on tonight.
-Richard
Simon2468
May 2nd, 2007, 02:28 PM
I built a laptop with Ubuntu v7.04 and started to follow these instructions to get it to join my 2003 domain. Like someone earlier, I got this error: "KDC reply did not match expectations while getting initial credentials".
Before resolving it, I closed the lid on my laptop and after reopening it, it seemed to have crashed. The screen was black, with only the mouse pointer visible. It responded to the mouse but no amount of key-pressing and button-clicking could coax it to wake. (Previously, closing the lid and re-opening had just required me to re-enter my ubuntu creds.) So, I powered off and on and it came up to the login screen. And there was my problem.
It would no longer allow me to login. Entering the same userid and hitting enter or tab resulted in a denial of access without an attempt to enter my password - I'm guessing it was trying to do an AD lookup first.
Anyway, the short version is: can you do a "local login" to an ubuntu box - whatever is the equiv of using the local SAM database on Windows. In Windows, it would be COMPUTER\User instead of DOMAIN\User. Is there an ubuntu equivalent?
Otherwise, I'll have to rebuild it!
rickyjones
May 2nd, 2007, 02:54 PM
I built a laptop with Ubuntu v7.04 and started to follow these instructions to get it to join my 2003 domain. Like someone earlier, I got this error: "KDC reply did not match expectations while getting initial credentials".
Before resolving it, I closed the lid on my laptop and after reopening it, it seemed to have crashed. The screen was black, with only the mouse pointer visible. It responded to the mouse but no amount of key-pressing and button-clicking could coax it to wake. (Previously, closing the lid and re-opening had just required me to re-enter my ubuntu creds. So, I powered off and on and it came up to the login screen. And there was my problem.
It would no longer allow me to login. Entering the same userid and hitting enter or tab resulted in a denial of access without an attempt to enter my password - I'm guessing it was trying to do an AD lookup first.
Anyway, the short version is: can you do a "local login" to an ubuntu box - whatever is the equiv of using the local SAM database on Windows. In Windows, it would be COMPUTER\User instead of DOMAIN\User. Is there an ubuntu equivalent?
Otherwise, I'll have to rebuild it!
After joining it to the domain you should still be able to use local logins unless there is an issue with your configuration. I can login to my domain-joined Ubuntu servers with my original login without issue.
-Richard
Gizmo_RA2
May 2nd, 2007, 09:02 PM
ok here goes,
I have got 200+ computers on a network, and they are running win2k and winxp.
This is a school environment.
We are trying to create a test machine to test if ubuntu will work on the current win2k domain controllers.
I have followed the instructions, and got it on the domain, and it can tell me if there is an error in the password or not. and it attempts to login,
it brings up the ubuntu login banner telling you you've logged in, and then it takes me back to the login screen.
I then installed gnome, and it tells me the account has been disabled, also I can't see the contents of that home directory to tell if it has copied the profile correctly, either that or the directory is empty.
I can log into that account on the windows machines fine, and the Active Directory tells me the account is not disabled, any ideas?
Simon2468
May 3rd, 2007, 05:06 AM
After joining it to the domain you should still be able to use local logins unless there is an issue with your configuration. I can login to my domain-joined Ubuntu servers with my original login without issue.
-Richard
Great. So, how do you distinguish between doing a local login and doing a network login? How does ubuntu know which to do?
Gizmo_RA2
May 3rd, 2007, 06:34 PM
Great. So, how do you distinguish between doing a local login and doing a network login? How does ubuntu know which to do?
Correct me if I'm wrong, but I believe it is to do with the list of where to check and what order they are in.
When you set it up, as far as I am aware, you tell it which order of authentication methods to check, sort of like the DNS order where it checks the hosts file, then the DNS servers and stuff.
I believe if you have set your ubuntu machine up as documented here, it should check the local machine first then check against your Active Directory afterwards.
Simon2468
May 4th, 2007, 02:55 AM
So you just type in the ID the same way? I take it that means if you've been foolish enough to build your ubuntu machine with the same ID that you use to log into AD that it won't be able to tell the difference?
I used my network ID as my login name when I created the first set of creds during the build - figured it might save time later.
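The lookup order Gizmo_RA2 describes is the one on the "passwd:" line of /etc/nsswitch.conf, and Simon2468's question about reusing his network ID as his local login turns on the same thing. As an added example (not code from this thread), the model below shows which source answers a name lookup and flags login names that exist on both sides; the nsswitch.conf, passwd file and "wbinfo -u" output are constructed samples.

```python
import re

# Constructed sample inputs, not taken from any real system.
NSSWITCH = """\
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
simon:x:1000:1000:Simon,,,:/home/simon:/bin/bash
"""

# What 'wbinfo -u' prints with 'winbind use default domain = yes':
# domain accounts appear without the DOMAIN+ prefix.
WBINFO_USERS = """\
administrator
simon
gizmo
"""


def nss_order(nsswitch_text, database="passwd"):
    """Sources listed for a database, in the order NSS consults them.
    'compat' reads /etc/passwd just as 'files' does, so it is reported as 'files'."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return ["files" if s == "compat" else s for s in sources.split()]
    return []


def local_users(passwd_text):
    """Login names defined in an /etc/passwd-style file (case-sensitive)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def winbind_users(wbinfo_text):
    """Login names reported by winbind; Windows names are case-insensitive."""
    return {line.strip().lower() for line in wbinfo_text.splitlines()
            if line.strip()}


def _knows(source, login, known):
    names = known.get(source, set())
    return login in names if source == "files" else login.lower() in names


def resolve(login, nsswitch_text, passwd_text, wbinfo_text):
    """Return (source that answers getpwnam(login), every source that knows it).
    NSS stops at the first source that returns an entry, so a name present both
    locally and in the domain is served by whichever source is listed first.
    Password checking is a separate matter decided by the PAM stack."""
    known = {"files": local_users(passwd_text),
             "winbind": winbind_users(wbinfo_text)}
    hits = [src for src in nss_order(nsswitch_text) if _knows(src, login, known)]
    return (hits[0] if hits else None, hits)


def collisions(passwd_text, wbinfo_text):
    """Login names that exist both in the local passwd file and in the domain."""
    return sorted(local_users(passwd_text) & winbind_users(wbinfo_text))
```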
tgilbert328
May 9th, 2007, 02:04 PM
Speaking of foolish...
I followed the directions right up to step 10. At Step 11, I type sudo nano /etc/sudoers to add my newly created AD group to the list. PRB. It asks me for my root password, which I enter. Doesn't work.
I am a wee bit concerned and I think it is looking for network authentication of root rather than local. Did I do something wrong in the config? How can I recover the password? Ideas?
Without root, I obviously can't do much. I made backups of all of the conf files I touched, but since I don't have su, I can't restore them. I am wondering if I have to boot from live cd, mount the hard drive and manually restore...
ideas?
Finally, I wonder if the documentation should be modified to move step 11 up in the list prior to the samba/winbind restart...
Tim
rickyjones
May 9th, 2007, 02:55 PM
Speaking of foolish...
I followed the directions right up to step 10. At Step 11, I type sudo nano /etc/sudoers to add my newly created AD group to the list. PRB. It asks me for my root password, which I enter. Doesn't work.
I am a wee bit concerned and I think it is looking for network authentication of root rather than local. Did I do something wrong in the config? How can I recover the password? Ideas?
Without root, I obviously can't do much. I made backups of all of the conf files I touched, but since I don't have su, I can't restore them. I am wondering if I have to boot from live cd, mount the hard drive and manually restore...
ideas?
Finally, I wonder if the documentation should be modified to move step 11 up in the list prior to the samba/winbind restart...
Tim
Try running "visudo" as root - this launches a specific instance of nano to edit the sudoers file.
-Richard
tgilbert328
May 9th, 2007, 04:07 PM
Thanks Richard, I will give it a try. It's not looking good for me though. I had made backups of all of the files which were modified. I attempted to restore those files by mounting it from Ubuntu LiveCD and using its root to make the changes.
After regressing, it's worse. Now I can't login at all from local or network accounts. It's strange, it prompts for a password twice...
Tim
ziggie216
May 14th, 2007, 07:39 PM
Does anyone know what kind of permission I would need? Domain Admin?
$ sudo net ads join -U username@DOMAIN.COM
username@DOMAIN.COM's password:
[2007/05/14 16:37:50, 0] libads/ldap.c:ads_add_machine_acct(1414)
ads_add_machine_acct: Host account for computername already exists - modifying old account
[2007/05/14 16:37:50, 0] libads/ldap.c:ads_join_realm(1772)
ads_join_realm: ads_add_machine_acct failed (dlee3): Insufficient access
ads_join_realm: Insufficient access
rickyjones
May 14th, 2007, 08:31 PM
Does anyone know what kind of permission I would need? Domain Admin?
$ sudo net ads join -U username@DOMAIN.COM
username@DOMAIN.COM's password:
[2007/05/14 16:37:50, 0] libads/ldap.c:ads_add_machine_acct(1414)
ads_add_machine_acct: Host account for computername already exists - modifying old account
[2007/05/14 16:37:50, 0] libads/ldap.c:ads_join_realm(1772)
ads_join_realm: ads_add_machine_acct failed (dlee3): Insufficient access
ads_join_realm: Insufficient access
You will need domain admin status to modify an existing computer account. A regular user can join a computer to the network but cannot modify the computer account.
-Richard
warlockvix
May 15th, 2007, 04:29 PM
Great guide! I just have one problem and I'm not sure how to fix it. I have set up my Ubuntu box just like the guide and I can sign onto it locally and with AD accounts. When I setup AD users with their home folders (via ssh user@ubuntupc) the home drives are created.
My problem is that users can map to their Ubuntu-based home folders as a network drive from a Windows XP machine but they can not add files or edit any existing files. When users try, they get a Windows pop-up stating Access Denied. But if they sign on locally to the Ubuntu box, they can add files and edit existing ones in their home folder. My goal is to redirect my users' "My Documents" to this Ubuntu box and eliminate the Windows 2K server that currently fulfills this role. To do this, they need to be able to write to the folder. So did I miss a step? Is what I want to do possible? Any ideas?
The home folders all reside in /home/DOMAIN/ which is listed in the smb.conf below
SMB.CONF
[global]
security = ads
netbios name = UBU
realm = DOMAIN.COM
password server = SERVER.DOMAIN.com
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
preferred master = no
local master = no
nt acl support = yes
[SHARE]
path = /home/DOMAIN/
read only = Yes
browseable = No
EDIT - NVM. I fixed it. I freed up my [SHARE] so it's not read only and locked down the home dirs. It worky now.
ziggie216
May 17th, 2007, 12:59 PM
Is there a way to login via gnome using an AD account? As for right now I have everything set up but am only able to log in via ssh
warlockvix
May 17th, 2007, 01:21 PM
Following the guide should allow you to sign on via gnome with AD accounts or local accounts. Any errors?
Can you post your smb.conf file and krb5.conf file?
ziggie216
May 17th, 2007, 04:12 PM
all the DOMAIN and domain were replaced with the actual name.
krb5.conf
[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
default_realm = DOMAIN.COM
ticket_lifetime = 24000
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOMAIN.COM = {
kdc = nascdca01.domain.com
admin_server = nascdca01.domain.com
default_domain = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
smb.conf
[global]
security = ads
netbios name = computer_name
realm = DOMAIN.COM
password server = nascdca01.domain.com
workgroup = DOMAINAD
idmap uid = 500-10000000
idmap gid = 500-10000000
#winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
I just checked the auth.log and notice this
May 16 08:01:02 COMPUTER_NAME pam_winbind[20446]: user 'USERNAME' granted access
May 16 08:01:02 COMPUTER_NAME gdm[20446]: (pam_unix) could not identify user (from getpwnam(USERNAME))
May 16 08:01:02 COMPUTER_NAME gdm[20446]: Couldn't set acct. mgmt for USERNAME
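The three auth.log lines above make a recognisable pair: pam_winbind accepts the password, then the same PAM session fails because getpwnam() cannot find the user, i.e. the name is not resolvable through NSS even though winbind authenticated it. As an added example (not code from this thread), the triage below pairs those two messages by host and PID over constructed log lines modelled on the ones quoted, with a healthy login for contrast.

```python
import re

# Constructed sample, modelled on the lines quoted above plus a successful login.
SAMPLE_AUTH_LOG = """\
May 16 08:01:02 box1 pam_winbind[20446]: user 'jsmith' granted access
May 16 08:01:02 box1 gdm[20446]: (pam_unix) could not identify user (from getpwnam(jsmith))
May 16 08:01:02 box1 gdm[20446]: Couldn't set acct. mgmt for jsmith
May 16 08:05:40 box1 pam_winbind[20511]: user 'rjones' granted access
May 16 08:05:40 box1 gdm[20511]: pam_unix(gdm:session): session opened for user rjones by (uid=0)
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) (\S+?)\[(\d+)\]: (.*)$")
GRANTED_RE = re.compile(r"user '([^']+)' granted access")
GETPWNAM_RE = re.compile(r"could not identify user \(from getpwnam\(([^)]+)\)\)")

VERDICT_HINT = {
    "OK": "winbind authenticated the user and the account stage completed",
    "NSS_LOOKUP_FAILED": ("password accepted by winbind but getpwnam() failed: "
                          "check that 'winbind' is on the passwd/group lines of "
                          "/etc/nsswitch.conf and that winbindd answers lookups"),
}


def parse(text):
    """Yield (host, program, pid, message) for each syslog-style line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host, prog, pid, msg = m.groups()
            events.append((host, prog, int(pid), msg))
    return events


def triage(text):
    """Return [(host, pid, user, verdict)] for every winbind 'granted access'.
    The PID ties the pam_winbind line to the gdm/sshd line that follows it."""
    granted, unresolved = {}, {}
    for host, _prog, pid, msg in parse(text):
        m = GRANTED_RE.search(msg)
        if m:
            granted[(host, pid)] = m.group(1)
        m = GETPWNAM_RE.search(msg)
        if m:
            unresolved[(host, pid)] = m.group(1)
    findings = []
    for key, user in sorted(granted.items()):
        verdict = "NSS_LOOKUP_FAILED" if unresolved.get(key) == user else "OK"
        findings.append((key[0], key[1], user, verdict))
    return findings


def report(text):
    """Human-readable lines, one per login attempt."""
    return [f"{host} pid {pid} user {user}: {verdict} ({VERDICT_HINT[verdict]})"
            for host, pid, user, verdict in triage(text)]
```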
warlockvix
May 17th, 2007, 05:05 PM
I haven't played too much with the winbind separator but I would allow it to be read, so I would remove the # in front of it. What happens when you type in kinit user@DOMAIN.COM? Does it come back with a response? What about wbinfo -g and wbinfo -u? Also, your nsswitch.conf and all your pam.d/common-* are similar to the guide, correct?
ziggie216
May 17th, 2007, 05:46 PM
I haven't played too much with the winbind separator but I would allow it to be read, so I would remove the # in front of it. What happens when you type in kinit user@DOMAIN.COM? Does it come back with a response? What about wbinfo -g and wbinfo -u? Also, your nsswitch.conf and all your pam.d/common-* are similar to the guide, correct?
kinit works fine, I was about to use klist as well
wbinfo -g and -u works fine
I had everything configured as it said in the guide, even tried to use
winbind separator = \
winbind separator = +
MockY
May 17th, 2007, 06:42 PM
I have tried to make this work for almost a year and I finally gave up. I installed 2XApplicationServer instead and I am once again happy with Ubuntu in a business environment.
warlockvix
May 18th, 2007, 08:20 AM
As much as I hate to do this, I'm going to post a link to another guide. Linky (http://www.infosecwriters.com/text_resources/pdf/AD_and_Linux_TMunn.pdf).
I used this guide to further my configuration on my Ubuntu server. It might be useful.
I was able to come up with a similar error in my auth.log as yours by messing with my /etc/pam.d/gdm file. I altered the path of the *.so files and it was not happy. In all my /etc/pam.d/common-* files and now in my gdm file, I have /lib/security/ in front of the *.so files. Like this -
common-auth -
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so broken_shadow
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_winbind.$
account required /lib/security/pam_permit.so
#account requisite /lib/security/pam_succeed_if.so user ingroup un$
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md$
password sufficient /lib/security/pam_krb5.so use_authtok
password sufficient /lib/security/pam_winbind.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0007
session optional /lib/security/pam_krb5.so
It might be worth a try to add the full path, at least with the gdm file.
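The stack above is the usual shape for an AD-joined box (pam_unix first, then pam_krb5 and pam_winbind reusing the same password, pam_deny as the explicit fail-closed guard), and a few small mistakes in it are easy to miss: a relative skel= path for pam_mkhomedir, nullok on pam_unix, or a later password module without use_first_pass, which is what produces a second password prompt. As an added example (not code from this thread or from any PAM project), the linter below checks a constructed common-auth for those points; the sample deliberately contains two of them.

```python
import re

# "type control module args"; the control may be a bracketed [key=value ...] list.
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Modules that ask for the user's password themselves unless told to reuse it.
PASSWORD_MODULES = {"pam_unix.so", "pam_krb5.so", "pam_winbind.so", "pam_ldap.so"}

# Constructed sample, modelled on the stack quoted above; it contains two defects.
SAMPLE_COMMON_AUTH = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_krb5.so use_first_pass
auth     sufficient /lib/security/pam_winbind.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  [default=bad success=ok user_unknown=ignore] /lib/security/pam_winbind.so
session  optional   /lib/security/pam_mkhomedir.so skel=etc/skel/ umask=0007
"""


def parse_pam(text):
    """Return [(type, control, module basename, [args])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype.lower(), control, module.rsplit("/", 1)[-1], args.split()))
    return rules


def lint_pam(text):
    """Return [(severity, module, message)]; an empty list means nothing found."""
    findings = []
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    if auth and auth[-1][2] != "pam_deny.so":
        findings.append(("WARN", auth[-1][2],
                         "auth stack does not end with pam_deny.so, the conventional "
                         "explicit fail-closed guard"))
    prompted = False  # has an earlier auth module already asked for the password?
    for _t, _c, module, args in auth:
        if module not in PASSWORD_MODULES:
            continue
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(("WARN", module, "nullok accepts accounts with an empty password"))
        if prompted and not ({"use_first_pass", "try_first_pass"} & set(args)):
            findings.append(("WARN", module,
                             "no use_first_pass/try_first_pass: the user is prompted "
                             "for the password a second time"))
        prompted = True
    for _t, _c, module, args in rules:
        if module == "pam_mkhomedir.so":
            for arg in args:
                if arg.startswith("skel=") and not arg[len("skel="):].startswith("/"):
                    findings.append(("ERROR", module,
                                     f"{arg}: skel path must be absolute (e.g. skel=/etc/skel/)"))
    return findings
```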
Also, my krb5.conf looks like this -
krb5.conf -
[logging]
default = FILE10000:/var/log/kr5lib.log
[libdefaults]
default_realm = DOMAIN.COM
ticket_lifetime = 24000
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.COM = {
kdc = myserver.domain.com
admin_server = myserver.domain.com
default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
Of course, DOMAIN replaces what is actually there and I removed a few things from the file that I wouldn't be needing.
ziggie216
May 22nd, 2007, 02:32 PM
I'm locked out from my system after a restart. Tried both the local and the domain name and it doesn't accept it. Any idea what happened?
warlockvix
May 22nd, 2007, 03:00 PM
depends on what you changed. But this happened to me and PAM was locking me out. Bootup with a system rescue CD Linky (http://www.sysresccd.org/Screenshots) and mount your partition. Change the common-* files back and you'll be able to sign back on, as long as it's PAM locking you out.
ziggie216
May 22nd, 2007, 04:25 PM
were you able to resolve the problem and not get locked out again?
NaughtyusMaximus
May 22nd, 2007, 05:25 PM
Thanks to everyone who has contributed to this thread. I've followed the instructions and have managed to set up a (mostly) working samba file share using my Windows 2003 Active Directory to authenticate users.
The only problem I still have is that when users create files on the share, the username that they are created under is always listed as 'root', instead of their actual username. This seems to be resulting in some files being not writable by the same user that created them.
All of the users who have access to the smb share are members of the same AD Group 'HCLOffice', and any file created by a member of that group should be readable and writable by other members of the group.
The relevant section of my smb.conf file is as follows:
[GIS]
path = /shared/GIS
comment = GIS Data
browseable = yes
writable = yes
; public = yes
valid users = @"HATCON/Domain Users"
admin users = @"HATCON/HCLOffice"
read list = @"HATCON/Domain Users"
write list = @"HATCON/Domain Users"
If anyone has any suggestions about how I should change this section, I would be eternally grateful!
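Two of the share definitions in this thread show how a single smb.conf parameter decides who can write and as whom: warlockvix's [SHARE] had read only = Yes and no write list, and the [GIS] share above lists a group under admin users, which Samba documents as performing all of those users' file operations as root (so files they create are owned by root). As an added example (not code from this thread or from Samba), the audit below parses a constructed smb.conf modelled on both shares and reports those settings, normalising parameter names the way Samba does (case and internal whitespace ignored, last occurrence wins).

```python
import re

# Constructed sample modelled on the two shares discussed in the thread.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   workgroup = DOMAIN
[SHARE]
   path = /home/DOMAIN/
   read only = Yes
   browseable = No
[GIS]
   path = /shared/GIS
   comment = GIS Data
   writable = yes
   ; public = yes
   valid users = @"DOMAIN/Domain Users"
   admin users = @"DOMAIN/Office"
   write list = @"DOMAIN/Domain Users"
"""


def parse_smb_conf(text):
    """Return {section: [(normalised key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((re.sub(r"\s+", "", key).lower(), value.strip()))
    return sections


def yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_share(params):
    """Return [(severity, message)] for one share section."""
    read_only = True   # Samba's default for 'read only'
    guest = False
    admin_users = write_list = valid_users = None
    for key, value in params:          # later parameters override earlier ones
        if key == "readonly":
            read_only = yes(value)
        elif key in ("writable", "writeable"):
            read_only = not yes(value)
        elif key in ("guestok", "public"):
            guest = yes(value)
        elif key == "adminusers":
            admin_users = value
        elif key == "writelist":
            write_list = value
        elif key == "validusers":
            valid_users = value
    findings = []
    if admin_users:
        findings.append(("HIGH", f"admin users = {admin_users}: these users do every "
                                 "file operation as root, so files they create are root-owned"))
    if guest:
        findings.append(("HIGH", "guest access is enabled on this share"))
    if valid_users is None and not guest:
        findings.append(("MEDIUM", "no 'valid users': any authenticated domain account may connect"))
    if read_only and not write_list:
        findings.append(("INFO", "share is read-only for everyone (no 'write list'); "
                                 "clients get Access Denied on writes"))
    return findings


def audit(text):
    """Audit every share except [global]; returns {share: findings}."""
    return {name: audit_share(params)
            for name, params in parse_smb_conf(text).items() if name != "global"}
```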
warlockvix
May 23rd, 2007, 07:56 AM
Yes. I was playing with the common-auth (commenting things out due to issues I thought were related to PAM) and suddenly after a reboot, I couldn't sign on. So I booted up with the system rescue cd and changed everything back. Voila! I was able to sign back on.
ziggie216
May 23rd, 2007, 09:44 PM
Yes. I was playing with the common-auth (commenting things out due to issues I thought were related to PAM) and suddenly after a reboot, I couldn't sign on. So I booted up with the system rescue cd and changed everything back. Voila! I was able to sign back on.
but were you able to log in using an AD account still though?
ziggie216
May 24th, 2007, 04:00 AM
got it fixed... does the order of lines make a difference?
eveljkov
June 13th, 2007, 08:09 PM
whew....I started as a total linux/ubuntu noob to connecting to AD :)
Everything went fine.
I can see my server in Network Places except I have domain and domain.org listed where domain contains all my Windows machines and domain.org which contains samba. It prompts for a login but nothing works
I've tried:
user
domain\user
host\user
user@domain.org
local\root
local\localuser
I changed the winbind from + to \ and tried all the above
can't get'er logged in
I can see my server in ADUC.
btw.....SBS2003 as my PDC
trying to connect Feisty on an ooooold compaq proliant so no gnome gui
do I even need to connect samba to AD in order to use this as a simple print server? I already have CUPS configured. I just want to be able to use the printer directory in XP to pick a printer.
trekuhl
June 19th, 2007, 03:24 PM
does anyone know if the domain functional level in 2003 server has to be left at default "2000 mixed" mode? i am running "2003 mode" as all my servers are 2003. anyone that has successfully joined their ubu svr, can you check your level in 2k3 server? (go to admin tools --> active directory domains and trusts --> right click domain name and click on "raise functional level"; it tells you the current mode and gives upgrade options)
i am getting an error when i try to add the ubu server in step 8 "Join the system to the; net ads join -U domainadminuser@DOMAIN.INTERNAL"
i get error:
" sudo net ads join -U admin@DOMAIN.INTERN
Password:
admin@IDOMAIN.INTERN's password:
Using short domain name -- DOMAIN
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'UBUSVR1' in realm 'DOMAIN.INTERN'
i look on the AD server and find the computer name for the ubu server and it is indeed DISABLED. i enable it, and then run the command again from the ubu svr to add it, and AD disables it again.
obviously it's something on the micro$haft side in AD disabling the account. off the top of my head i would think it is perhaps because i am running in 2003 mode instead of mixed mode for compatibility with 2k and NT servers...
any thoughts?
thanks!
trekuhl
June 20th, 2007, 06:06 PM
ok, figured out my problem.
DNS on the w2k3 machines didn't have any A or PTR for the ubu machine, even though DHCP on a w2k3 machine handed it out (and we have DNS set to update both secure and nonsecure, would figure it would have entered it in when DHCP gave out the address)
bensode
June 25th, 2007, 02:09 PM
EDIT: Didn't enable the correct repository. Disregard my post below ...
Hey this is going to sound goofy but I followed the guide for installing the Kerberos portion last week on a test box and now repeating the same process today to move into production, I'm not able to get the krb5-user package installed.
I have allowed the universe and multiverse in /etc/apt/sources.list but when I attempt the install with sudo apt-get install krb5-user I get this :
bensode@samba1:~$ sudo apt-get install krb5-user
Reading package lists... Done
Building dependency tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
krb5-user: Depends: libkrb53 (= 1.4.3-5) but 1.4.3-5ubuntu0.3 is to be installed
Depends: libkadm55 (= 1.4.3-5) but 1.4.3-5ubuntu0.3 is to be installed
E: Broken packages
EDIT: Didn't enable the correct repository. Disregard my post above ...
rickyjones
June 28th, 2007, 07:02 PM
I just wanted to post to let everyone know that I just finished a VMWare test of the AD/Ubuntu integration. I created a Windows 2003 Enterprise server install and updated it to Service Pack 2. I installed Active Directory and left it as-is. I then installed Ubuntu 7.04 Desktop (latest downloaded ISO) in another VMWare disk. Using the directions from page 1 I have this server authenticating perfectly against the active directory. I can log in at the GDM just fine.
Thanks,
-Richard
toobuntu
July 2nd, 2007, 05:51 PM
check out http://sadms.sourceforge.net/
It automates the process of configuring samba and PAM/kerberos with a GUI and works great!
SADMS = Samba as Active Directory Member Server
rickyjones
July 3rd, 2007, 12:57 PM
check out http://sadms.sourceforge.net/
It automates the process of configuring samba and PAM/kerberos with a GUI and works great!
SADMS = Samba as Active Directory Member Server
Have you had a chance to use this? I'd be interested in hearing some first hand experience - It'd save me the trouble of having to write my own script to do it. :).
toobuntu
July 6th, 2007, 03:01 PM
I have used sadms successfully on 2 ubuntu workstations and 1 server on which I put a GUI (Xorg). Let me know if you have any questions, and I'll try to be as helpful as I can.
rickyjones
July 6th, 2007, 04:12 PM
When I have the time I'll try to look at it as well :). Might just be a ton easier than writing scripts to do it...
Thanks for the heads up!
-Richard
sillyVM
July 12th, 2007, 04:54 PM
Tested working on ubuntu server 7.04 with active directory on win2000
except need to change /etc/hosts
IP_ADDRESS server_name.domain.internal domain
#example 192.168.1.1 dns.domain.com domain.com
Sergnsk
July 17th, 2007, 03:21 AM
I have the same problem as some had before
Using short domain name -- QQQ
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'SSS-DESKTOP' in realm 'QQQ.XX'
Any solutions?
Tried sadms - same problem
toobuntu
July 17th, 2007, 02:47 PM
In sadms, stage 1 is to install SADMS itself (Samba server) and stage 2 is to install the PAM modules (for authentication to Active Directory).
1. Sadms must be run as root (i.e. invoke with sudo).
2. For kerberos authentication to work, you will probably need to reset the password of the 'Domain Admin' account in 'Active Directory Users and Computers' (not to worry, because you can set it back again right away even before running Sadms). Do this for the Domain Admin account being used to add the Ubuntu machine to the Window$ domain.
3. See attached png of my working sadms configuration.
Hope this helps.
micro420
July 17th, 2007, 11:22 PM
### just ignore my entire post unless you're bored. I solved my own problems and am leaving it here in hopes it will help others.
#### edit: regarding 1) below, as with SAMBA in Linux, you specify user lists with @ in the smb.conf. For example, valid users = @users. However, to create ACL's from the Windows Server AD, you have to specify the domain name (workgroup or netbios??) and the group. For example, valid users = @"domainname\users". That seems to do the trick after using SADMS to join my samba server to the AD.
1) if I do everything manually by hand on the first page of this tutorial, I get it working fine. However, since I grab a kerberos ticket as an administrator, all my users are able to map any of the samba shares, regardless of permission on the Linux box. I believe this is because it is passing my administrator kerberos ticket. If I destroy the administrator kerberos ticket (kdestroy), then I am unable to access any shares from the Windows machine to the samba server unless I create another kerberos ticket as administrator (kinit administrator@DOMAIN.NAME)
### Edit: Regarding 2) below, it turns out that the information SADMS is asking for is the samba server, NOT the Windows Server AD. Once I set that up correctly, the Winbind service started up correctly.
2) if I use SADMS, I cannot get the winbind service to start. It always shows up red colored, even if I try to start it manually with /etc/init.d/winbind start. It starts for a second, and then just shuts itself down. I have tried rebooting but winbind still does not run. I think initially when I installed SADMS I had it going, but I accidentally clicked the STOP button on the Winbind and now I cannot get it restarted for whatever reason. I also get this error, which I believe is related to winbind not being able to start, saying that I need to reset my administrative password on the windows server for some kind of encryption. However, no matter how many times I have reset it, the same error keeps popping up. Again, I believe it is because Winbind is not running.
Sergnsk
July 17th, 2007, 11:26 PM
The problem with Failed to set servicePrincipalNames solved.
Just add a string to /etc/hosts
192.168.111.111 myhost.my.ru myhost
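trekuhl's missing A/PTR records, sillyVM's /etc/hosts line and Sergnsk's fix all come down to the same condition the "Failed to set servicePrincipalNames" message asks for: the machine's canonical host name must be a fully qualified name inside the AD DNS domain. As an added example (not code from this thread or from Samba), the check below validates a hosts file for that; the first name on a line is the canonical one, so a line that lists the short name before the FQDN fails the check, and a name mapped only to a loopback address is flagged too. The host names and addresses are constructed.

```python
# Constructed sample: FQDN first, short name as an alias, on a real address.
SAMPLE_HOSTS_OK = """\
127.0.0.1       localhost
127.0.1.1       ubusvr1
192.168.111.111 ubusvr1.domain.internal ubusvr1
"""


def parse_hosts(text):
    """Return [(ip, canonical name, [aliases])], names lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1].lower(),
                            [a.lower() for a in fields[2:]]))
    return entries


def check_host_naming(hosts_text, hostname, realm):
    """Return [(code, detail)]; an empty list means the host's canonical name
    is <hostname>.<realm lower-cased> on a non-loopback address."""
    host = hostname.lower()
    domain = realm.lower()
    fqdn = f"{host}.{domain}"
    relevant = [e for e in parse_hosts(hosts_text)
                if host in (e[1], *e[2]) or fqdn in (e[1], *e[2])]
    if not relevant:
        return [("NO_ENTRY", f"{hostname} does not appear in the hosts file")]
    problems = []
    for ip, canon, aliases in relevant:
        if ip.startswith("127."):
            continue            # Ubuntu's 127.0.1.1 line; other hosts never see it
        if canon == fqdn:
            return []           # canonical name is the FQDN in the AD domain
        if fqdn in aliases:
            problems.append(("FQDN_IS_ALIAS",
                             f"{ip}: {fqdn} is listed after {canon}; the first "
                             "name on the line is the canonical one"))
        elif "." in canon:
            problems.append(("DOMAIN_MISMATCH",
                             f"{ip}: canonical name {canon} is not in {domain}"))
        else:
            problems.append(("SHORT_NAME_ONLY",
                             f"{ip}: canonical name {canon} has no domain part"))
    if not problems:
        problems.append(("LOOPBACK_ONLY",
                         f"{hostname} is only mapped to a loopback address"))
    return problems
```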
fxtq
August 9th, 2007, 10:25 AM
I have the same question. Users can log in just fine, however for them to have permissions to cdrom and audio groups, I have to add their AD users directly to the /etc/group file.
Imagine if you will one hundred users, and you will see what a pain it is. There has to be a more eloquent way of doing this. Frankly, there is little security problem with changing permissions on sound /dev, that is pretty clunky too.
I have tried unsuccessfully to use pam_group.so, but I can't seem to get it to recognize AD users. Though that would seem to be the ideal way.
Anyone have a good way of doing this?
Hi, I'm using ubuntu 7.04 feisty on a Windows 2003 Server Domain. I added a linux-devices group to the AD. This group is always mapped to the same gid on linux. So I added a group linux-devices with the groupadd command to the linux-machine. I used the same gid samba uses when it maps the linux-devices group from the AD at login. groupadd complained about a duplicate group entry, so I forced groupadd with -f to ignore it. Afterwards I set the linux-devices group as owner group of the desired devices in udev. I think /etc/udev/rules.d/40-permissions and restarted udev. Now every Domain-user in the linux-devices group could access /dev/dsp,/dev/floppy ...
Afterwards I added the AD-admin users directly to the admin group in /etc/group. They now could do administrative tasks like sudo ...:guitar:
Greetings
ChrisWDP
August 20th, 2007, 04:11 PM
I've been trying to get this running, but I still cannot log on with an Active Directory Domain account.
By following the directions from this topic, plus other postings, I've been able to accomplish the following:
kinit user account: I'm able to get ticket from the Domain Controller
klist: I can view the ticket
net time set: Sync the time up with the network
net ads join -U Administrator: Join the AD Domain
The following commands work as well
getent passwd
wbinfo -u
wbinfo -g
testparm
However when I try the following, they give me the following errors:
SSH user@domain
Permission Denied
SSH user@Server IP Address
Connection Refused
When I try to log on with a domain account, I get bad user name or password and/or Authentication failed.
Can anyone help point me in the right direction of possible sources of the problem?
Thanks in advance.
rickyjones
August 20th, 2007, 04:14 PM
Try logging in as just the user. Example: instead of USER@DOMAIN try just USER. It should log you in. That is how mine works at least.
-Richard
ChrisWDP
August 20th, 2007, 04:40 PM
Thanks for the quick response. Unfortunately, I tried just the User name, in both capital letters and lower case, without any reference to the Domain and I received 'Authentication Failed'.
I ran klist to make sure the ticket was still there and it is.
rickyjones
August 20th, 2007, 04:42 PM
Thanks for the quick response. Unfortunately, I tried just the User name, in both capital letters and lower case, without any reference to the Domain and I received 'Authentication Failed'.
I ran klist to make sure the ticket was still there and it is.
With Windows it should be case-insensitive.
Have you tried logging onto a Windows client with the same un/pw? If it works then try resetting the password on the domain and trying again.
-Richard
ChrisWDP
August 20th, 2007, 04:51 PM
It does work on a windows client no problem.
Just to be clear, when you say try 'resetting the password on the domain', are you referring to the specific account I am trying?
For reference, a year ago I was able to get this to work, but that box got messed up and I've started again. Plus I lost my notes I had. At that time to get it to work I did reset the Administrator password in order to get a Kerberos ticket.
This time around I'm trying it on Feisty Fawn.
rickyjones
August 20th, 2007, 04:54 PM
Just to be clear, when you say try 'resetting the password on the domain', are you referring to the specific account I am trying?
Yes, reset the password for the account that you are trying. Also, check your domain controller's event logs, specifically the security log, for any events that might give us a clue to help solve this problem. :)
Thanks,
-Richard
ChrisWDP
August 20th, 2007, 05:11 PM
I reset the password and still received the 'Authentication Failed' message.
In reviewing the Domain Controller's event logs, the following was recorded:
Pre-authentication failed:
Event ID: 675
User Name: Administrator
User ID: DOMAIN\administrator
Service Name: krbtgt/domain
This was followed by the following:
Logon Failure
Event ID: 529
Reason: Unknown user name or bad password
User Name: administrator
Domain: domain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
rickyjones
August 20th, 2007, 05:15 PM
I reset the password and still received the 'Authentication Failed' message.
In reviewing the Domain Controller's event logs, the following was recorded:
Pre-authentication failed:
Event ID: 675
User Name: Administrator
User ID: DOMAIN\administrator
Service Name: krbtgt/domain
This was followed by the following:
Logon Failure
Event ID: 529
Reason: Unknown user name or bad password
User Name: administrator
Domain: domain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
I'm not positive on what the problem is at this point. Have you tried to rejoin the computer to the domain after deleting its computer object from AD? I'd have to look at my setup at home to see what you should normally see in the event logs.
Sorry, I wish I could be more help right now!
-Richard
ChrisWDP
August 20th, 2007, 05:56 PM
I've removed the computer from the AD domain and then