I've been at this for days, using dozens of guides. Unfortunately I'm at my wits' end. I just can't figure out the right combination of points to get all my ducks in a row and use my Domain structure on this Ubuntu box.

Back story
Building a Print Server using CUPS (based on a design my company made back in 2009 with Ubuntu 8.10, CUPS 1.3.9). We want an updated version with Ubuntu 12.04/CUPS 1.6.2, as there have been quite a few bug fixes and Kerberos support enhancements for things like the Negotiate authentication method that we had been patching into our 1.3.9 build.

The original server didn't really work well directly with Kerberos/Domain logins. We were using Basic and passing that through something to "pretend" to be Negotiate. It worked, but not very well. Also, at the time, winbind was still extremely slow with large ADs (this was developed between 2006 & 2009).

At some point in this configuration process, I was able to log in using an AD account, and it authenticated correctly to the CUPS :631/admin page as well as our Apache custom management pages (they interface with a MySQL db). Unfortunately, after a reboot, I couldn't even log in with a local account, much less a domain account. My coworker had to catch the boot sequence, go into bash and revert the PAM config so that I could log into a local account. I still can't log into a Domain account.

Guides I've used
Main Guide I followed: https://help.ubuntu.com/community/Ac...ryWinbindHowto
http://askubuntu.com/questions/12738...an-ldap-client
https://help.ubuntu.com/12.04/server...eros-ldap.html
https://help.ubuntu.com/community/Kerberos
https://help.ubuntu.com/community/GnuTLS

The files as they stand now
Assume that the variables $MY_VALUES[$INDEX_...] are my values as they would be in the file. I have these because I'm also writing a big-ass bash script that would write all these files for me on a fresh install if I needed it to.
E.g. - $MY_VALUES[$INDEX_FQDN] would be "this-server.company.com"

I realize this is a lot to go through, but if you see something that is out of place, please let me know.

file: /etc/hostname
Code:
$MY_VALUES[$INDEX_FQDN]

file: /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
mapping hotplug
    script grep
    map eth0
auto eth0
iface eth0 inet static
    address $MY_VALUES[$INDEX_SERVERSTATICIP]
    netmask $MY_VALUES[$INDEX_SERVERNETMASK]
    gateway $MY_VALUES[$INDEX_SERVERGATEWAY]

file: /etc/hosts
Code:
127.0.0.1    localhost.localdomain    localhost    $MY_VALUES[$INDEX_FQDN]
$MY_VALUES[$INDEX_KDCADDRESS]    $MY_VALUES[$INDEX_DOMAINADDRESS]    $MY_VALUES[$INDEX_DOMAINADDRESSSHORT]
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

file: /etc/resolv.conf
Code:
nameserver    $MY_VALUES[$INDEX_DNSSERVER]

file: /etc/custom/smb.conf (For joining to the domain)
Code:
[global]
    realm = $MY_VALUES[$INDEX_REALM]
    workgroup = $MY_VALUES[$INDEX_WORKGROUP]
    password server = $MY_VALUES[$INDEX_KDCADDRESS]
    server string = %h server (Samba, Ubuntu)
    security = ADS
    kerberos method = system keytab
    netbios name = $MY_VALUES[$INDEX_SERVERSHORTNAME]
    allow trusted domains = yes
    passdb backend = tdbsam
    obey pam restrictions = yes

file: /etc/krb5.conf
Code:
[libdefaults]
    default_realm = $MY_VALUES[$INDEX_REALM]
    default_keytab_file = /etc/krb5.keytab
    dns_lookup_realm = true
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true


[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    renewable = true


[realms]
    $MY_VALUES[$INDEX_REALM] = {
        kdc = $MY_VALUES[$INDEX_KDCADDRESS]
        admin_server =  $MY_VALUES[$INDEX_KDCADDRESS]
        default_domain = $MY_VALUES[$INDEX_DOMAINADDRESS]
    }


[logging]
    kdc = FILE:/var/log/krb/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON


[domain_realm]
    .$MY_VALUES[$INDEX_DOMAINADDRESS] = $MY_VALUES[$INDEX_REALM]
    $MY_VALUES[$INDEX_DOMAINADDRESS] = $MY_VALUES[$INDEX_REALM]


[login]
    krb4_convert = true
    krb4_get_tickets = false

file: /etc/samba/smb.conf
Code:
[global]
    workgroup = $MY_VALUES[$INDEX_WORKGROUP]
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 8192
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    ####### Authentication #######
    security = ads
    realm = $MY_VALUES[$INDEX_REALM]
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    restrict anonymous = 2
    ############ Misc ############
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    winbind refresh tickets = true
    winbind nested groups = yes
    winbind trusted domains only = yes
    usershare allow guests = no
#======================= Share Definitions =======================
[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700
# Windows clients look for this share name as a source of downloadable printer drivers
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = no
    read only = yes
    guest ok = no

file: /etc/nsswitch.conf
Code:
passwd:		files compat ldap winbind
group:		files compat ldap winbind
shadow:		files compat ldap winbind
hosts:		files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:		files
protocols:		db files
services:		db files
ethers:		db files
rpc:			db files
netgroup:		nis

The PAM config files are currently at a "sudo pam-auth-update --force" with all options (including Kerberos) selected.

If you need any additional information I will try to answer your questions as best I can.