Thread: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r2

  1. #1

    HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r2

    The information in this thread has been moved to https://help.ubuntu.com/community/Sa...egrationScript

    A thread for discussion of the wiki page only can be found here http://ubuntuforums.org/showthread.php?t=2012421

    Thread closed.

    Samba Complete Active Directory Domain Integration
    tested on Windows 2003r2/2008r2

    What this procedure will do
    If all runs well you will have a Linux machine completely integrated with your Active Directory server. The shared folders' permissions will be managed from your Samba server, and it will use groups and users taken directly from your AD Domain Controller. Just follow this guide and use the attached script!

    Preface
    This procedure was tested with a Linux machine running Ubuntu 10.04 and both Windows Server 2003 and Windows Server 2008 R2 as AD server.

    This procedure is taken from a lot of guides, but the best guide I could find is here: http://wiki.samba.org/index.php/Samb...tive_directory

    It is perfectly explained in all its sections and treats every part more deeply than this one. I really recommend consulting it for every doubt.

    Requirements

    To join your Linux machine to your Active Directory Domain you need:
    • access to a Windows Domain Controller with a Domain Administrator account
    • access to a Linux machine with an administrator account (sudoer or root account)
    • the archive provided with this guide extracted in a folder (do not move or edit the “templates” folder or its content)

    For testing, I really recommend using a Linux virtual machine the first time, if possible.

    It's important that the name of the machine you will add to the domain is shorter than 15 characters. If not, you must modify it in /etc/hostname and in the /etc/hosts file with your preferred text editor (vi, nano, gedit) and restart the machine:
    Code:
    sudo nano /etc/hostname
    user-laptop
    Code:
    sudo nano /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 user-laptop
    Kerberos is time-dependent, so you may have to make sure that the machine time is correct, using a protocol like NTP. So synchronize your Linux machine's time and date with the same NTP server as your domain with:
    Code:
    sudo ntpdate your.domain.ntp.server
    You can also make this command run regularly with crontab:
    Code:
    sudo crontab -e
    # m h dom mon dow command
    00 12 * * * ntpdate your.domain.ntp.server
    In this way the command will run at 12:00 every day with root privileges (visit http://www.crontabrocks.org/ for more information about crontab).
    It is also important that your DNS is properly configured to use your domain's DNS; you can do that using a network manager (like network-manager or wicd) or by modifying the /etc/resolv.conf file with the proper configuration. An example:
    Code:
    sudo nano /etc/resolv.conf
    domain yourdomain.local
    search yourdomain.local
    nameserver 10.0.0.5
    nameserver 10.0.0.1
    Note that if you are using a network manager program, your /etc/resolv.conf configuration will probably be ignored and replaced by an auto-generated one.
    Now test your configuration with the “nslookup” command using both the server name and its IP; the result might be something like this:
    Code:
    nslookup 10.0.0.5
    Name: WServer2k3
    Address: 10.0.0.5
    Code:
    nslookup WServer2k3
    Name: WServer2k3
    Address: 10.0.0.5
    If you changed the name, it's probably better to reboot the machine.

    Running
    The first thing to do is to edit AD_join.sh variables: open it with your favorite editor
    Code:
    nano AD_join.sh
    and modify only the variables in the first part of the script, editing only between “quotation_marks”:
    Code:
    SUPER_USER="myusername"
    DOMAIN="MYDOMAIN"
    FQDN_CAPITAL="MYDOMAIN.LOCAL"
    FQDN="mydomain.local"
    DOMAIN_CONTROLLER="mydomaincontroller.domain.local"
    Do not modify anything below the WARNING line unless you know what you're doing (in Italy we say “Cazzi tua!”).
    Be sure that AD_join.sh has the execution bit set. Open a terminal, change to the directory containing it, and run the script with root privileges:
    Code:
    cd /path/of/script/directory/AD_join
    sudo chmod +x AD_join.sh
    Now you can run the script:
    Code:
    sudo ./AD_join.sh
    The script will install samba, winbind and kerberos on your machine and will rename the original configuration files to *.bkp in order to preserve them (the entire /etc/pam.d/ directory will also be copied to /etc/pam.d.bkp). Then it puts the new files (smb.conf, krb5.conf, nsswitch.conf, system-auth) in the proper directories and restarts the necessary services.
    Remember that when the Kerberos configuration dialog appears you just have to select <OK>, leaving the text field blank.

    Testing and Joining
    It's time to test your configuration and try to join your Active Directory domain.
    First of all, test your Samba configuration file: open a terminal and type:
    Code:
    testparm
    If all runs well you will see your Samba configuration. If not, the program will tell you which line of the smb.conf file has a problem. In this case you can try to correct it, or you can comment it out with "#" or ";".
    Note that Samba will probably warn you about the "winbind separator = +" line, but that should be okay.
    Now try to join the domain with the command:
    Code:
    sudo net ads join -U your_domain_admin
    Replace "administrator" with the proper domain administrator name.
    If all runs well, the domain administrator's password is requested. If not, it's possible that your network's DNS server parameter is not properly configured; modify your network configuration or run:
    Code:
    sudo net ads join -S your_server_IP_or_name -U your_domain_admin
    If all is right you will see a "SUCCES" message in your terminal.
    Reboot your machine.
    Now you can test the joining with:
    Code:
    wbinfo -u
    This lists the domain's users.
    Code:
    wbinfo -g
    This lists the domain's groups.
    Code:
    sudo wbinfo -a your_domain_user
    This checks whether your_domain_user can connect to the domain using a password.
    You can also check the Winbind nsswitch module with getent:
    Code:
    getent passwd
    getent group
    Note that even if the procedure succeeds, it is not certain that the "getent" command gives the expected results.
    For testing your Kerberos configuration use this:
    Code:
    kinit your_domain_user@YOUR_DOMAIN.LOCAL
    Replace "your_domain_user" with an existing user name and replace "YOUR_DOMAIN.LOCAL" with your domain name. If all is set correctly, your_domain_user's password is requested. If not, a kinit error will be shown in the terminal; in this case you might check your Kerberos configuration. Remember that CASE SENSITIVITY is important.

    That's it!
    Your Linux machine is now joined to your Active Directory.

    Now you can:
    • manage permissions and access to your shared resource from your samba server
    • log on the Linux machine using your domain's credentials
    • browse shares on your Linux machine from your domain computers

    Try to log in through ssh
    Code:
    ssh your_domain_user@linux_machine
    at “password:” enter your domain user password
    Every time you log on to the Linux machine with domain credentials, a new home is created for that user in /home/YOUR_DOMAIN/your_domain_user.
    In order to secure those home folders, once they are created, you may run
    Code:
    sudo chgrp "domain admins" /home/MY_DOMAIN/*
    sudo chmod 700 /home/MY_DOMAIN/*
    This way your users' homes will be private but accessible to “Domain Admins” members. You may wish to automate this by scheduling these commands with cron or crontab, because when a new user logs in, the home directory just created has 755 permissions and “Domain Users” as its group, so all users can browse each other's homes (and that's not such a good deal; in Italian, “Bella merda!”).

    If you want, you can read the /etc/samba/smb.conf.bkp file (recommended) to understand what each field signifies. You can also uncomment the end of the /etc/samba/smb.conf file in order to share a “test” folder (be sure to modify the field with the correct path and info). Remember that every time you change the /etc/samba/smb.conf file you have to restart the service with:
    Code:
    sudo service smbd restart
    Manage access to folders by editing the "valid users" field with the proper users and/or groups.
    The syntax is as follows:
    Code:
    valid users =@YOUR_DOMAIN+your_group YOUR_DOMAIN+your_user
    Note: no spaces between = and @
    This allows all the users of the Active Directory group "your_group", and also the Active Directory user "your_user", to access the shared folder.
    If your group names have spaces, like "Group Name with Spaces", quotation marks are necessary:
    Code:
    valid users =@"YOUR_DOMAIN+Group Name with Spaces"
    Pay attention to the case sensitivity of the domain names.
    There are a lot of fields you can add or modify in your Samba configuration: you can find some examples in the preconfigured file (smb.conf), like the “admin user” field or the “[homes]” sharing option (with which you can share users' home folders with them as they log in).

    Feel free to do all the experiments you want and please, if you find something interesting, post it here!


    Troubleshooting

    idQp posted some troubleshooting (here is the post: http://ubuntuforums.org/showthread.p...erbiss&page=10) tested on Debian 6.0

    If you get this error msg:

    "Failed to join domain: failed to connect to AD: Strong(er) authentication required"

    you must add the following line to your smb.conf (GLOBAL settings):
    Code:
    client ldap sasl wrapping = sign

    This is because of a Microsoft update that enables the LDAP signing requirement on your AD.


    edit: this howto worked for me on debian 6.0 (squeeze) and windows server 2008 r2
    ccsaway posted this (http://ubuntuforums.org/showthread.php?t=1580505&page=11):

    just installed it on 11.10. works great! THANK YOU SOOOOOOOOOO MUCH

    Had to do just one extra thing though,

    apt-get install krb5-user to test if kinit was working


    Couple of things I did after:
    Code:
    net groupmap add ntgroup="Domain Users" unixgroup=users
    net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
    net groupmap add ntgroup="Domain Admins" unixgroup=root
    Enjoy
    Last edited by Elfy; June 29th, 2012 at 09:37 AM.

  2. #2

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    Subscribed. Thank you for posting this. I have been dreading figuring this out on my own.

  3. #3

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    Nice to have scripts and comprehensive guides to solve Samba - AD configuration issues

    Great work SerbisS, to start this

    I just have some general queries regarding it.

    1. smb.conf is missing the 'password server' parameter. Isn't that an important one for the configuration?

    2. When samba and winbind are installed, are they added to startup at the general runlevels by default, or do we need to add them separately so that the setup works fine after restarts?

    3. Maybe we can also add that, since Kerberos comes into the picture with AD and Samba, make sure that the time skew is not too great and within permissible limits. Else the join step may complain of 'time skew too great'. Right?
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth !!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mark it [SOLVED] if the issue has been resolved

  4. #4

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    Also wanted to add that on samba.org and almost all the other places, 'winbind' is not added against the 'shadow' entry in the /etc/nsswitch.conf file.

    Don't know why??

  5. #5

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    First of all, thanks for having read (and tested?) this guide.
    I'm not an expert but I will try to give you an answer anyway, despite my very bad English:
    1. smb.conf is missing the 'password server' parameter. Isn't that an important one for the configuration?
    The password server parameter is necessary to delegate authentication to another SMB server; in this case it is not necessary because the authentication is already made locally.
    2. When samba and winbind are installed, are they added to startup at the general runlevels by default, or do we need to add them separately so that the setup works fine after restarts?
    I never had problems with this; but I think you are referring to older Linux versions where it was necessary to stop winbind, stop and start samba and then start winbind.
    3. Maybe we can also add that, since Kerberos comes into the picture with AD and Samba, make sure that the time skew is not too great and within permissible limits. Else the join step may complain of 'time skew too great'. Right?
    I completely forgot to specify this in the guide: thank you!
    Of course it's right: Kerberos is time-dependent, it needs to be synchronized with the domain NTP. I've just added this to the post.
    'winbind' is not added against the 'shadow' entry in the /etc/nsswitch.conf file

    Don't know why??
    I'm not sure I have understood; if I have understood it, I can't answer it; but if you take a look at the original nsswitch.conf file you can see that the "shadow" entry exists against the "winbind" entry.
    I hope this is what you are looking for... greetings

  6. #6

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    I updated the script, adding variables and commands in order to run regularly the update from the NTP server and the change of the new home folders' permissions and group. Here is the modified "AD_join.sh" file.
    It creates the "/etc/SECUREHOME" folder and the "/etc/SECUREHOME/file" file, and it builds a crontab from the "file" information which:
    • syncs the Linux NTP with the domain NTP server once a day at 12:30
    • changes the group of the "homes" folders to the domain admins group every 60 minutes
    • changes the "homes" permissions to "700" every 60 minutes
    Last edited by SerbisS; November 4th, 2010 at 10:57 AM.
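    The home-folder hardening from the first post (chgrp to the admin group, chmod 700) and the hourly cron job described here, written as an added example script; it is not the AD_join.sh attached to the thread. It assumes the winbind-created homes live under a base directory such as /home/MYDOMAIN and that the admin group name (for example "domain admins") resolves on the machine; unlike the plain `chmod 700 /home/MY_DOMAIN/*`, it skips symlinks and non-directories and only touches homes that actually need changing.

```shell
#!/bin/sh
# secure_domain_homes.sh (added example; not the thread's AD_join.sh)
# New homes created at first domain login start as 755 with group
# "Domain Users", so every domain user can browse every other home.
# This makes each real home directory 700 and owned by an admin group.
# Intended for root's crontab, e.g. every 60 minutes as in post #6.

# Usage: secure_domain_homes /home/MYDOMAIN "domain admins"
# Prints the number of homes whose mode or group was fixed;
# returns 2 if the base directory does not exist.
secure_domain_homes() {
    base=$1
    admin_group=$2
    changed=0
    [ -d "$base" ] || return 2
    for home in "$base"/*; do
        # The glob also matches files and symlinks: touch only real
        # directories, and never follow a symlink (it could point
        # outside $base, and chmod/chgrp would act on its target).
        [ -d "$home" ] && [ ! -L "$home" ] || continue
        mode=$(stat -c %a "$home")
        group=$(stat -c %G "$home")
        need=0
        [ "$mode" = 700 ] || need=1
        [ "$group" = "$admin_group" ] || need=1
        [ "$need" -eq 1 ] || continue
        # chmod first: the home is private even if chgrp fails
        # (e.g. the group is misspelled or winbind is not running).
        chmod 700 "$home" || continue
        chgrp -- "$admin_group" "$home" || echo "warn: cannot chgrp $home" >&2
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Run directly as: sh secure_domain_homes.sh /home/MYDOMAIN "domain admins"
if [ "$#" -eq 2 ]; then
    secure_domain_homes "$1" "$2"
fi
```

    A cron line such as `0 * * * * /usr/local/sbin/secure_domain_homes.sh /home/MYDOMAIN "domain admins"` (path and group are placeholders) gives the hourly behaviour described above.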

  7. #7

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    I tested the procedure on several computers of the company where I work and everything went well.
    Once you know the procedure and the requirements, and once you have edited the script one time, it's only necessary to change the first value (sudoer user) and the entire procedure is done in 10 minutes max (in the same domain, of course).
    I hope it is the same for you. Please let me know if it is.
    Regards
    Last edited by SerbisS; July 15th, 2011 at 10:55 AM.

  8. #8

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    1. For my 1st query regarding the 'password server' parameter, I found in smb.conf that 'password server' defaults to *, which shall solve our purpose here. Although when I use it, I always set it to the list of servers I have.

    2. For the last query regarding winbind against the shadow entry, I actually meant this [taken from http://www.samba.org/samba/docs/man/...n/winbind.html]
    Code:
    passwd:     files winbind
    shadow:     files
    group:      files winbind
    winbind is not mentioned against shadow in nsswitch.conf, though I don't know what effect it may have.
    Maybe because the only thing we may expect from the AD server is username and group information, and of course authentication, which will in any case not involve 'shadow'.
    Last edited by luvshines; October 7th, 2010 at 09:15 PM. Reason: Fixed typo

  9. #9

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    There are a lot of programs and methods to perform NT authentication on a Linux machine. Every program depends on another one, and so on. I tried a lot of configurations before finding a well-running one.

    In the “samba-common” package you will find the winbind package, which is made of a utility and a daemon: wbinfo and winbindd. Wbinfo is necessary in order to hook PAM authentication and use it to authenticate NT users locally; the winbindd daemon takes info about NT users and groups for the nsswitch program. The NSS program (editable in the nsswitch.conf file) takes information (like users, groups and passwords) from a lot of different sources. Shadow is an encrypted password database; with the “shadow winbind” line we tell the shadow program to take information from winbind (as for the passwd and group lines). Knowing this, for me it was logical to edit the nsswitch line in that way. Of course it is possible that it is not necessary, or wrong (as I said, I'm not an expert).

    I read a lot of guides and made a lot of tests before publishing this script/method, and also what you say about the “password server” parameter is logical, but I have seen that the authentication is already made using winbind, which uses the nsswitch program and the PAM authentication method. Knowing this, for me it was also logical not to put the “password server” parameter in smb.conf, and as far as I could see it runs perfectly.

    Do you think that my argument and what I said is wrong? Have you tried to modify the configuration files in a different way? Does it work for you with this different way? Please, can you paste or attach your working configuration here?
    Thank you for your interest

  10. #10

    Re: HowTo : Samba Active Directory Integration: Script tested on win 2003r2 and 2008r

    Please, can you change this script to work in Ubuntu 10.10?

    Please, I need this a lot.

    Many thanks
