Page 1 of 5 (results 1 to 10 of 44)

Thread: Howto: Ubuntu server as an Active Directory member server

  1. #1
    Join Date
    Oct 2006
    Location
    Georgia
    Beans
    9
    Distro
    Ubuntu 6.06

    Howto: Ubuntu server as an Active Directory member server

    Overview:

    The key advantages of Active Directory membership are secure central user management, authentication, and single sign-on for the clients accessing the server. Once an Ubuntu Samba server is integrated with Active Directory, share-level and file-level permissions can be set using the AD users and groups without requiring local account mapping. Using Winbind, the Linux server sees the domain users and groups transparently. Accountants will love this; using a Samba server you avoid paying OS licensing fees on the server and client access license fees. My goal is to implement Samba-Active Directory integration on a single domain using Winbind with Kerberos on a Linux operating system that is free with free updates for at least 3 years. I selected the Ubuntu Dapper Drake 6.06 Server distribution because it is a Debian downstream distribution which has a reputation for being stable and promises to be Free “forever.” My objective is to make the process transparent (and chock-full of tricks) so that I may reproduce the integration anytime and to make it available to other Ubuntu users.

    Preliminaries:

    It is assumed that a functioning Active Directory domain is in place. The DNS house must also be in order, along with a solid Internet connection for updates and installs. The key pieces needed on the Linux server are NTP, Kerberos, Samba & Winbind. The current version of Samba 3.02 on Ubuntu supports Winbind with Kerberos. Winbind supplies the users, groups & passwords from the AD domain and Kerberos supplies the AD authentication mechanisms for Winbind. Because you will use the shell to do most of the configuration work on the Ubuntu server, make sure you know how to use vi or vim to modify files.


    Getting the Ubuntu Dapper Drake 6.06 Server ready:

    • Make sure your workstations' and servers' system clocks are in sync (to within the default 5 minutes). If they are not, trust me, the Kerberos authentication and ticket passing will not work and you will get some unexpected results. THIS IS VERY IMPORTANT. So do yourself a favor and make sure. I recommend that you set up an NTP server on your network and use it to synchronize your system clocks. This is easy: just go to http://www.ntp.org for instructions and a Windows client. This can and should be done on your Windows servers to make sure your system clocks are synchronized and stay synced. Be sure to use the NTP server pools, which will make the process very efficient. YOU HAVE BEEN WARNED.
    • Install the Ubuntu server using the CD or DVD base installs. Once the server is up and running and you have set the fixed IP, test the Internet connection and make sure you can Ping the IP Address of the key Windows Domain Controllers.
    • Just to make life easy, you might want to enable root account access so that you do not need to prefix every command with sudo. Once root account access is enabled the password will be the same as the password used for sudo. To enable root account access type the following:

    root@ubuntuserver:/#sudo passwd root

    • Next you will need to modify the repositories in /etc/apt/sources.list to include the universe and multiverse repositories. This is important because some of the key packages needed, such as krb5-user, are found there. Back up, and then modify, /etc/apt/sources.list to include at least the following lines:

    deb cdrom:[Ubuntu-Server 6.06.1 _Dapper Drake_ - Release i386 (20060807.1)]/ dapper main restricted

    deb http://us.archive.ubuntu.com/ubuntu/ dapper main restricted universe multiverse
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper main restricted universe multiverse

    deb http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-updates main restricted


    deb http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
    deb-src http://us.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse

    deb http://security.ubuntu.com/ubuntu dapper-security main restricted universe
    deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted universe

    • Run the following command to download the local repository lists:

    root@ubuntuserver:/#sudo apt-get update

    • Apply system updates:

    root@ubuntuserver:/#sudo apt-get upgrade

    • I recommend installing the packages below using the following command:

    root@ubuntuserver:/#sudo apt-get install samba smbfs smbclient smbldap-tools winbind krb5-user krb5-config krb5-doc libkrb53 libpam-krb5 ntp-server ntp sun-java5-jre swat apache2 inetutils-inetd ssh

    • As part of the installation of krb5-config you will be prompted to enter the default realm information. It will ask for your current AD realm.

    You will enter the Active Directory domain server such as DCSERVER.LOCALDOMAIN.NET. Kerberos is case sensitive so the realm is entered in upper case. Do not worry too much here because you will later modify the /etc/krb5.conf file to the correct settings.

    Configure and Test NTP:

    • Next, configure your NTP service. Review the design suggestions found on the ntp.org website. I present an example that works well for tier-two US-based servers. To duplicate my example, modify the /etc/ntp.conf file to use settings such as:

    root@ubuntuserver:/#sudo vim /etc/ntp.conf

    # /etc/ntp.conf, configuration for ntpd

    # ntpd will use syslog() if logfile is not defined
    logfile /var/log/ntpd

    driftfile /var/lib/ntp/ntp.drift
    statsdir /var/log/ntpstats/

    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable


    # You do need to talk to an NTP server or two (or three).
    #server ntp.your-provider.example


    # Use your local NTP server (the domain controller); you may want to set this first
    server dcserver.localdomain.net


    #For the U.S. Pools:
    server 0.us.pool.ntp.org
    server 1.us.pool.ntp.org
    server 2.us.pool.ntp.org


    # pool.ntp.org maps to more than 100 low-stratum NTP servers.
    # Your server will pick a different set every time it starts up.

    # ... and use the local system clock as a reference if all else fails
    # NOTE: in a local network, set the local stratum of *one* stable server
    # to 10; otherwise your clocks will drift apart if you lose connectivity.
    server 127.127.1.0
    fudge 127.127.1.0 stratum 13

    # By default, exchange time with everybody, but don't allow configuration.
    # See /usr/share/doc/ntp-doc/html/accopt.html for details.
    restrict default kod notrap nomodify nopeer noquery

    # Local users may interrogate the ntp server more closely.
    restrict 127.0.0.1 nomodify

    # Clients from this (example!) subnet have unlimited access,
    # but only if cryptographically authenticated
    #restrict 192.168.123.0 mask 255.255.255.0 notrust

    # If you want to provide time to your local subnet, change the next line to
    # your subnet's *broadcast* address, not its network address.
    # (Again, the address is an example only.)
    broadcast 192.168.1.255

    # If you want to listen to time broadcasts on your local subnet,
    # de-comment the next lines. Please do this only if you trust everybody
    # on the network!
    #disable auth
    #broadcastclient


    • Once ntp is configured restart it with the following command:

    root@ubuntuserver:/#sudo /etc/init.d/ntp-server restart


    Configure /etc/hosts

    Just to be safe, even if your DNS servers are working perfectly, it is wise to add the KDC server to your local /etc/hosts file. This will make everything work much faster (MAKE SURE YOU USE YOUR IP ADDRESS AND FQDN FOR YOUR DC):

    192.168.1.100 dcserver.localdomain.net dcserver

    Configure and Test Kerberos

    Given that the Active Directory domain server is dcserver.localdomain.net (USE YOUR REALM), the following is the /etc/krb5.conf used to configure the MIT Kerberos that we have installed:

    Configure Kerberos

    [logging]

    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log


    [libdefaults]
    default_realm = LOCALDOMAIN.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }


    Testing Kerberos

    root@ubuntuserver:/#sudo kinit Administrator@LOCALDOMAIN.NET
    Password for Administrator@LOCALDOMAIN.NET: ********
    Check if ticket request was valid using the klist command:

    root@ubuntuserver:/#sudo klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@LOCALDOMAIN.NET

    Valid starting Expires Service principal
    10/18/06 15:43:51 10/19/06 01:43:55 KRBTGT/LOCALDOMAIN.NET@LOCALDOMAIN.NET
    Renew until 10/19/06 15:43:51

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

    root@ubuntuserver:/#

    At this point, your base Kerberos installation and configuration is operating correctly. You can release the ticket by issuing the kdestroy command.


    Join the AD Domain

    Configure the Samba file /etc/samba/smb.conf -Below is an example of Global and share settings that will work for your testing purposes on a single domain. Just create the /home/data directory using the following command:

    root@ubuntuserver:/#sudo mkdir /home/data

    Then modify the smb.conf file:

    root@ubuntuserver:/#sudo vim /etc/samba/smb.conf

    #/etc/samba/smb.conf
    [global]

    workgroup = LOCALDOMAIN
    realm = LOCALDOMAIN.NET
    server string = %h server (Samba %v, Ubuntu)
    wins server = 192.168.1.100
    password server = DCSERVER
    enable privileges =Yes
    allow trusted domains = No
    dns proxy = no
    name resolve order = host wins bcast
    log file = /var/log/samba/log.%m
    max log size = 1000
    log level = 3
    security = ADS
    encrypt passwords = true
    socket options = TCP_NODELAY
    time server = Yes
    map to guest = nobody
    idmap uid = 16777217-33554431
    idmap gid = 16777217-33554431
    winbind enum users = yes
    winbind enum groups = yes
    printcap name = cups
    printing = cups
    cups options = raw
    template shell = /bin/bash



    #======================= Share Definitions =======================
    [data]
    comment = Share Data
    path = /home/data
    read only = No
    create mask = 0775
    directory mask = 0775
    browseable = Yes
    writeable = Yes
    force create mode = 0775
    force directory mode = 0775
    force security mode = 0775
    # "public" is a synonym for "guest ok"; set it only once so the share is
    # not declared guest-accessible on one line and overridden a few lines later
    guest ok = no
    inherit permissions = yes
    nt acl support = yes

    [printers]
    comment = All Printers
    browseable = no
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700


    Check the configuration using testparm:

    root@ubuntuserver:/#sudo testparm

    Be sure to stop and start the Winbind services and restart the samba service after modifying and testing the /etc/samba/smb.conf file by executing the following commands:

    root@ubuntuserver:/#sudo /etc/init.d/winbind stop
    root@ubuntuserver:/#sudo /etc/init.d/samba restart
    root@ubuntuserver:/#sudo /etc/init.d/winbind start


    The next step is to make sure the time is synchronized with the domain by typing:

    root@ubuntuserver:/#sudo net time set


    It is now the moment of truth. Type the following to add the linux server to the AD Domain:

    root@ubuntuserver:/#sudo net ads join -U Administrator
    Administrator's password:******

    Using short domain name -- LOCALDOMAIN
    Joined 'Ubuntuserver' to realm 'LOCALDOMAIN.NET'


    Success! The computer ‘Ubuntuserver’ will now appear as a machine account under “Computers” in your AD console.

    Now, stop Samba & Winbind for the next steps using the following:


    root@ubuntuserver:/#sudo /etc/init.d/winbind stop
    root@ubuntuserver:/#sudo /etc/init.d/samba stop


    Setup Winbind Authentication

    Setup Authentication by modifying the file: /etc/nsswitch.conf


    root@ubuntuserver:/#sudo vim /etc/nsswitch.conf


    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind

    hosts: files dns wins
    networks: files dns

    protocols: files
    services: files
    ethers: files
    rpc: files
    netgroup: files
    publickey: nisplus
    automount: files
    aliases: files nisplus



    Save your changes, and start samba and Winbind in the following order:


    root@ubuntuserver:/#sudo /etc/init.d/samba start
    root@ubuntuserver:/#sudo /etc/init.d/winbind start


    Verify that Winbind is working. Use the Winbind utility wbinfo to list users and groups from the AD Domain Controller.

    root@ubuntuserver:/#sudo wbinfo -u
    LOCALDOMAIN\Administrator
    LOCALDOMAIN\Guest
    LOCALDOMAIN\Mhinrichsen
    LOCALDOMAIN\User


    root@ubuntuserver:/#sudo wbinfo -g
    LOCALDOMAIN\Domain Computers
    LOCALDOMAIN\Admins
    LOCALDOMAIN\Guests
    LOCALDOMAIN\Domain Users


    Verify that logins and passwords are coming from the AD Domain Controller as well as the local files:

    root@ubuntuserver:/#sudo getent passwd


    If Winbind is working you will see entries with the LOCALDOMAIN\ prefix. If not, you will probably just see the local accounts on the Linux server.

    The final Winbind test is to run net ads info to display the AD server information.

    root@ubuntuserver:/#sudo net ads info

    LDAP server: 192.168.1.100
    LDAP server name: DCSERVER
    Realm: LOCALDOMAIN.NET
    Bind Path: dc=LOCALDOMAIN, dc=NET
    LDAP port: 389
    Server time: Wed, 18 Oct 2006 18:02:18 EDT
    KDC server: 192.168.1.100
    Server time offset: 0
    root@ubuntuserver:/#



    Configure PAM to use Winbind for workstations authentication


    PAM configuration for samba is accomplished by modifying files in the /etc/pam.d directory. The following files need to be modified:

    /etc/pam.d/samba
    /etc/pam.d/common-account
    /etc/pam.d/common-auth
    /etc/pam.d/common-password
    /etc/pam.d/common-session

    It is important to make a copy of these files prior to modification. Here is what each of these files should look like after modification:

    root@ubuntuserver:/#vim /etc/pam.d/samba

    @include common-auth
    @include common-account
    @include common-session
    @include common-password


    root@ubuntuserver:/#vim /etc/pam.d/common-account

    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system. The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    # Winbind first, so that AD accounts pass the account check; local accounts
    # such as root are unknown to winbind and fall through to pam_unix
    account sufficient pam_winbind.so
    account required pam_unix.so


    root@ubuntuserver:/#vim /etc/pam.d/common-auth

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth required pam_env.so
    # Try the AD domain first; local accounts fall through to pam_unix, which
    # reuses the password already typed so nobody is prompted twice
    auth sufficient pam_winbind.so
    auth required pam_unix.so try_first_pass


    root@ubuntuserver:/#vim /etc/pam.d/common-password

    #
    # /etc/pam.d/common-password - password-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define the services to be
    #used to change user passwords. The default is pam_unix

    # The "nullok" option allows users to change an empty password, else
    # empty passwords are treated as locked accounts.
    #
    # (Add `md5' after the module name to enable MD5 passwords)
    #
    # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
    # login.defs. Also the "min" and "max" options enforce the length of the
    # new password.
    password sufficient pam_winbind.so
    password required pam_unix.so nullok obscure min=4 max=8 md5

    # Alternate strength checking for password. Note that this
    # requires the libpam-cracklib package to be installed.
    # You will need to comment out the password line above and
    # uncomment the next two in order to use this.
    # (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
    #
    # password required pam_cracklib.so retry=3 minlen=6 difok=3
    # password required pam_unix.so use_authtok nullok md5


    root@ubuntuserver:/#vim /etc/pam.d/common-session

    #
    # /etc/pam.d/common-session - session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of *any* kind (both interactive and
    # non-interactive). The default is pam_unix.
    #
    session required pam_limits.so
    session required pam_unix.so


    At this point check to make sure you can log on to another terminal session such as tty2. Just press Alt-F2, make sure you can still log in as root, then go back by pressing Alt-F1. Once this is accomplished I recommend restarting the server at this point, just to make sure there are no errors during startup and to get a clean environment for testing.

    Applying ownership & permissions to the shared directory

    To set the ownership and group permissions on the shared directory /home/data use the chmod and chown commands. Note: use valid users and groups from the real domain.

    root@ubuntuserver:/#chown -R 'localdomain\administrator:localdomain\Domain Users' /home/data

    Final Test with a Windows XP/2000/NT workstation

    Test a connection to the Ubuntu server from the Windows XP workstation by clicking Start > Run, typing \\ubuntuserver in the Open box and clicking OK. A window should open showing the \\ubuntuserver\data share and the Printers and Faxes icon. If you open the share, the permissions at the directory level should match the user and group settings applied previously.

    Recap

    If everything works, your Samba server is a member of the Active Directory domain and the AD accounts can be used to apply permissions to objects on the Ubuntu Linux server. The central account database is available to the Samba server along with the local accounts such as root, etc. Also, this process will work for other Linux distributions, using tools other than apt for the install on non-Debian based distros, as long as you are using MIT Kerberos. Of course, you can still use a secure shell and many other tools to connect to the server and do admin work on the server using local accounts without being forced to use AD accounts. It’s called the best of both worlds!


    Michael Hinrichsen
    Solution Designers, Inc.
    mh@solutiondesignersinc.com
    Last edited by mhinrichsen; February 16th, 2007 at 06:35 PM. Reason: Correct Typo
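The HOWTO above finishes with a handful of manual checks (net ads info, wbinfo -u, getent passwd, testparm). The script below is an added example, not part of the HOWTO and not Samba's own tooling, that turns those checks into shell functions you can run before and after the join. Each function reads the command's output from standard input, so it runs unchanged on a live member server and, for testing, on the constructed samples embedded in it. The realm LOCALDOMAIN.NET, the host DCSERVER, the 412-second offset and the two smb.conf fragments are made up for the example; MAX_SKEW of 300 seconds is the MIT Kerberos default clock-skew tolerance (the "5 minutes" in the warning above).

```shell
#!/bin/sh
# Added verification helpers for an AD member server (example code, not from
# the original post). Live usage:
#     net ads info | check_skew              # before net ads join
#     check_smbconf < /etc/samba/smb.conf    # after editing shares
#     wbinfo -u | check_winbind_names LOCALDOMAIN   # after winbind is back up

MAX_SKEW=300   # Kerberos default clock-skew tolerance, seconds

# Print the value of the "Server time offset" line from `net ads info`, if any.
ads_offset() {
    awk -F': *' '/^Server time offset:/ { print $2; exit }'
}

# Succeed only when the offset is within MAX_SKEW; a larger offset is the usual
# reason kinit or net ads join fails with a clock-skew error.
check_skew() {
    off=$(ads_offset)
    case "$off" in
        ''|*[!0-9-]*) echo "check_skew: no numeric offset in input" >&2; return 2 ;;
    esac
    abs=${off#-}
    if [ "$abs" -gt "$MAX_SKEW" ]; then
        echo "check_skew: offset ${off}s exceeds ${MAX_SKEW}s; fix NTP before joining" >&2
        return 1
    fi
    return 0
}

# Lint an smb.conf on stdin for what domain membership depends on: security =
# ADS, an upper-case realm, a workgroup, and no share that sets both "public"
# and "guest ok" (they are the same parameter; the last one silently wins).
# Prints one line per problem and exits non-zero if any were found.
check_smbconf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function norm(v) {
            v = tolower(v)
            if (v == "true" || v == "1") return "yes"
            if (v == "false" || v == "0") return "no"
            return v
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = tolower(trim($0)); next }
        index($0, "=") {
            i = index($0, "=")
            key = tolower(trim(substr($0, 1, i - 1)))
            val = trim(substr($0, i + 1))
            if (sec == "[global]") {
                if (key == "security")  security = tolower(val)
                if (key == "realm")     realm = val
                if (key == "workgroup") workgroup = val
            } else if (key == "public" || key == "guest ok") {
                v = norm(val)
                if ((sec, "guest") in seen && seen[sec, "guest"] != v) {
                    problems++
                    print "conflict in " sec ": \"public\" and \"guest ok\" are one setting, found " seen[sec, "guest"] " and " v
                }
                seen[sec, "guest"] = v
            }
        }
        END {
            if (security != "ads") { problems++; print "[global]: security = ADS is required, found \"" security "\"" }
            if (realm == "" || realm != toupper(realm)) { problems++; print "[global]: realm must be the Kerberos realm in upper case, found \"" realm "\"" }
            if (workgroup == "") { problems++; print "[global]: workgroup (the short domain name) is missing" }
            exit (problems ? 1 : 0)
        }'
}

# Succeed when stdin (wbinfo -u, wbinfo -g or getent passwd output) holds at
# least one DOMAIN\name entry for the domain given as $1. "\" is the default
# winbind separator; change it here if "winbind separator" is set in smb.conf.
check_winbind_names() {
    dom=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v dom="$dom" '
        { split($0, f, ":"); up = toupper(f[1]) }   # getent lines are name:x:uid:...
        index(up, dom "\\") == 1 { n++ }
        END { exit (n > 0) ? 0 : 1 }'
}

# Constructed samples (not captured from a real domain) for offline testing.
sample_ads_info() {
cat <<'EOF'
Realm: LOCALDOMAIN.NET
KDC server: 192.168.1.100
Server time offset: 412
EOF
}
sample_good_smbconf() {
cat <<'EOF'
[global]
   workgroup = LOCALDOMAIN
   realm = LOCALDOMAIN.NET
   security = ADS
[data]
   path = /home/data
   guest ok = no
EOF
}
sample_bad_smbconf() {
cat <<'EOF'
[global]
   workgroup = LOCALDOMAIN
   realm = localdomain.net
   security = user
[data]
   path = /home/data
   public = Yes
   guest ok = no
EOF
}

sample_bad_smbconf | check_smbconf || echo "sample smb.conf: problems found"
```

None of these checks needs swat, apache2 or sun-java5-jre from the package list above; on a member server that only serves files they can be left out, and SWAT in particular should not be left listening on a network interface, since it passes the root password over plain HTTP.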

  2. #2
    Join Date
    Nov 2005
    Beans
    140
    Distro
    Ubuntu 6.06

    Re: Howto: Ubuntu server as an Active Directory member server

    Thanks for this tutorial, I am working my way through... Found a typo in this bit, 'libpa-krb5' should be 'libpam-krb5'
    Quote Originally Posted by mhinrichsen:
    • I recommend installing the packages below using the following command:
    root@ubuntuserver:/#sudo apt-get install samba smbfs smbclient smbldap-tools winbind krb5-user krb5-config krb5-doc libkrb53 libpa-krb5 ntp-server ntp sun-java5-jre swat apache2 inetutils-inetd ssh

  3. #3
    Join Date
    Feb 2005
    Location
    Doha, QA
    Beans
    39

    Re: Howto: Ubuntu server as an Active Directory member server

    Thanks, nice walk-thru ... Do you have an updated one for using Ubuntu 6.10 (i.e. Edgy) instead - I have some driver issues with my server on 6.06 which has been resolved in 6.10 - However I can't seem to find any of the krb5 packages for 6.10?

  4. #4
    Join Date
    Nov 2006
    Beans
    22

    Re: Howto: Ubuntu server as an Active Directory member server

    Very nice tutorial and works perfect on ubuntu edgy.
    I have one question:

    Is it normal that you can't set permissions using the windows explorer on a windows client.

  5. #5
    Join Date
    Jan 2007
    Beans
    1

    Re: Howto: Ubuntu server as an Active Directory member server

    Thanks mhinrichsen, works great on Debian Etch.

    rpr: yes, that's normal; ACLs are not turned on by default (they are needed for Windows permissions instead of the standard *nix user, group, world)

    For ext3:
    add acl to your mount options in /etc/fstab for the filesystem that contains the share, eg:
    Code:
    /dev/hda5            /home                   ext3    noatime,acl   0  2
    and then either reboot or remount the filesystem:
    Code:
    mount -v -o remount /home
    This should now work fine, you won't be able to remove the user,group,world permissions, but you can restrict them and add permissions.


    Hope this helps
    Jim
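As an added example (not part of Jim's reply or of any Samba tool), the function below checks whether the filesystem that actually holds a share path is mounted with the acl option. It parses fstab- or /proc/mounts-format lines from standard input and picks the longest mount point that covers the path, so a separate /home filesystem wins over / even when / has acl and /home does not. The sample fstab and the /home/data share path are made up for the example.

```shell
#!/bin/sh
# Added example: does the filesystem holding a share carry the "acl" option?
# usage: share_acl_enabled /home/data < /etc/fstab
#        share_acl_enabled /home/data < /proc/mounts
share_acl_enabled() {
    awk -v path="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            mp = $2
            # the mount point must be "/" or a whole-component prefix of path
            if (mp == "/" || mp == path || index(path, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END {
            if (best == "") { print "no mount point covers " path; exit 2 }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "acl") { print best ": " opts; exit 0 }
            print best ": " opts " (acl missing; add it and remount)"
            exit 1
        }'
}

# Constructed sample fstab (not from a real machine): / has acl, but the
# separate /home filesystem, which holds the share, does not.
sample_fstab() {
cat <<'EOF'
# <file system> <mount point> <type> <options>       <dump> <pass>
proc            /proc         proc   defaults        0      0
/dev/hda1       /             ext3   defaults,acl,errors=remount-ro 0 1
/dev/hda5       /home         ext3   noatime         0      2
/dev/hda6       none          swap   sw              0      0
EOF
}

# The same fstab after adding acl to /home, as the reply above recommends.
sample_fstab_fixed() {
    sample_fstab | awk '$2 == "/home" { $4 = $4 ",acl" } { print }'
}

sample_fstab | share_acl_enabled /home/data || echo "remount needed: mount -o remount,acl /home"
```

On current distributions mke2fs usually records acl among the filesystem's default mount options, so it will not show up in fstab or /proc/mounts even though ACLs work; `tune2fs -l /dev/hda5 | grep 'Default mount options'` shows that, and `setfacl -m 'g:LOCALDOMAIN\Domain Users:rwx' /home/data` followed by `getfacl /home/data` is the definitive test. Once ACLs are on, permissions set from the Windows Security tab are stored as POSIX ACLs on the share.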

  6. #6
    Join Date
    Jan 2007
    Beans
    33

    Re: Howto: Ubuntu server as an Active Directory member server

    Wow! Great tutorial!! I've been using Linux approximately 4 days and yet managed to add my new server to our AD Domain. Thanks for being so explicit, besides vi commands the only thing I had to look up was how to reboot the server. (Yep, I'm that new).

    Now I just need to read up on chmod and chown. Thanks again, this is really helping me "infect" my workplace with Linux fever

  7. #7
    Join Date
    Feb 2005
    Location
    Doha, QA
    Beans
    39

    Re: Howto: Ubuntu server as an Active Directory member server

    Quote Originally Posted by rverrips:
    Thanks, nice walk-thru ... Do you have an updated one for using Ubuntu 6.10 (i.e. Edgy) instead - I have some driver issues with my server on 6.06 which has been resolved in 6.10 - However I can't seem to find any of the krb5 packages for 6.10?
    Duh, it's called following step one and enabling multiverse and universe repo's ... works fine on Edgy Server, and even tested it on a Feisty Herd-1 box!

  8. #8
    Join Date
    Feb 2005
    Location
    Doha, QA
    Beans
    39

    Re: Howto: Ubuntu server as an Active Directory member server

    Ok, so this works beautifully for my server on domain1.something.foo

    However, howto set it up so that users from a trusted sister domain domain2.something.foo can also access it (The server is joined to domain1)

    Thanks

  9. #9
    Join Date
    Oct 2006
    Location
    Georgia
    Beans
    9
    Distro
    Ubuntu 6.06

    Re: Howto: Ubuntu server as an Active Directory member server

    You should try setting the following in the Global section of the smb.conf:

    allow trusted domains = yes

    Thanks

  10. #10
    Join Date
    Oct 2006
    Location
    Georgia
    Beans
    9
    Distro
    Ubuntu 6.06

    Re: Howto: Ubuntu server as an Active Directory member server

    Acknowledged and corrected in the HOWTO

    Thanks!
