Old November 18th, 2004   #1
vizvayu
First Cup of Ubuntu
 
Join Date: Oct 2004
Beans: 4
HOWTO: NT Domain Authentication

NT Domain Authentication in Ubuntu HOW-TO
by vizvayu@gmail.com

I'm making this tutorial because I had to set up Ubuntu to authenticate on my company's NT Domain, so now that it's working I thought I could share my experience.
Any comments, ideas, and even some questions are welcome. There are several tutorials regarding this, but this one is made specially for Ubuntu.

First of all, I'm assuming that you are comfortable editing text files and have a basic understanding of a Linux system, including booting in recovery mode and restoring file backups. Although this procedure is not "dangerous", it could render the authentication system unusable if you make any mistake. So please, be careful and make backups of all the files changed.


To authenticate on an NT Domain, you need the following extra packages:
  • samba
  • winbind

If I remember correctly, the samba package comes with Ubuntu, but you have to download winbind separately from the universal repository.


Ok, now this is a list of the files we are touching, please make backups:
Code:
/etc/login.defs
/etc/nsswitch.conf
/etc/samba/smb.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/sudo
Now, the first thing we are doing is setting up samba/winbind to work with the domain, so do a nano /etc/samba/smb.conf and insert the following lines:
Code:
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind separator = +
security = domain
password server = *
winbind use default domain = yes
Remember that this is just an example, you should/can change the values according to your needs.


After that we need to make the system use winbind. First edit /etc/nsswitch.conf and replace:

Code:
passwd:	compat
group:	compat
with
Code:
passwd: compat winbind
group:	compat winbind
Now go to /etc/pam.d and edit the following files:

common-account:
Code:
#Commented for winbind to work
#account	required	pam_unix.so
account	required	pam_winbind.so
common-auth:
Code:
auth	sufficient	pam_winbind.so
auth	required	pam_unix.so nullok_secure use_first_pass
common-session:
Code:
session	required	pam_unix.so
session	required	pam_mkhomedir.so umask=0022 skel=/etc/skel/
sudo:
Code:
auth	sufficient	pam_winbind.so
auth	required	pam_unix.so use_first_pass

And this is an extra, not really required, but as I think the default max password length of 8 chars sucks (I like to use passphrases), and as we are using md5, I changed it:

/etc/login.defs:
Code:
PASS_MAX_LEN	50
/etc/pam.d/common-password:
Code:
password	required	pam_unix.so nullok obscure min=4 max=50 md5

Finally, there are only a few things left to do:

Join the domain:
Code:
net rpc join -D MYDOMAIN -U administrator
Test it with:
Code:
wbinfo -u
wbinfo -g

Make the domain home dir (users home dirs will be inside this one, but can be configured in smb.conf):
Code:
mkdir /home/MYDOMAIN
Reboot, and that's it, you should now have domain authentication working in Ubuntu.

Just a few extra comments:
  • Remember that if you need one user to have administration permissions, you need to include him in the /etc/sudoers list. Use the visudo command to do this. And there's no need to prepend MYDOMAIN+ to the username since winbind is configured to use the configured domain by default.
  • If anything goes wrong and you cannot login to the system, you have to reboot in recovery mode (press ESC when grub is starting) and replace the changed files from /etc/pam.d with the backups.
  • I use NT4 domains, I don't think a W2k domain in native mode will work. You surely have to make some changes.
  • This tutorial is just an example of how things worked for me. It's obviously not the only (or better) way to do things.
vizvayu is offline   Reply With Quote
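
A pre-reboot sanity check for the edited /etc/pam.d/common-* files, added here as an example and not part of the original post. It flags lines that do not parse as type/control/module, stacks with no pam_unix.so entry, and a pam_unix.so auth line that may ask for the password again; the name lint_pam and the sample strings are constructed for illustration.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type, control (plain word or [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def lint_pam(text):
    """Return (line_number, message) findings for the text of one pam.d file."""
    findings, stacks = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "expected 'type control module'"))
            continue
        ptype, control, module, args = m.groups()
        ptype = ptype.lstrip("-")                # leading '-' is allowed on the type
        if ptype not in PAM_TYPES:
            findings.append((no, "unknown type %r" % ptype))
        elif control not in PAM_CONTROLS and not control.startswith("["):
            findings.append((no, "unknown control %r" % control))
        else:
            stacks.setdefault(ptype, []).append((no, module, args.split()))
    for ptype, entries in stacks.items():
        if all(module != "pam_unix.so" for _, module, _ in entries):
            findings.append((entries[0][0], "%s stack has no pam_unix.so entry" % ptype))
        if ptype != "auth":
            continue
        for no, module, args in entries[1:]:
            # pam_unix.so placed after another auth module asks for the password
            # itself unless told to reuse the one that was already entered
            if module == "pam_unix.so" and not {"use_first_pass", "try_first_pass"} & set(args):
                findings.append((no, "pam_unix.so may prompt for the password again"))
    return sorted(findings)

# Constructed samples (not taken from a live system)
GOOD_AUTH = "auth\tsufficient\tpam_winbind.so\nauth\trequired\tpam_unix.so nullok_secure use_first_pass\n"
TYPO_ACCOUNT = "#account\trequired\tpam_unix.so\naccount-required\tpam_winbind.so\n"
REPROMPT_AUTH = "auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_AUTH), ("typo", TYPO_ACCOUNT), ("reprompt", REPROMPT_AUTH)]:
        print(name, lint_pam(sample))
```

To check a real file, pass its contents, for example `lint_pam(open("/etc/pam.d/common-auth").read())`, and keep a root shell open until the findings list is empty.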
Old February 7th, 2005   #2
KenLin
5 Cups of Ubuntu
 
Join Date: Oct 2004
Beans: 29
Re: HOWTO: NT Domain Authentication

awesome! worked like a charm.
KenLin is offline   Reply With Quote
Old April 10th, 2005   #3
water
Just Give Me the Beans!
 
Join Date: Oct 2004
Location: oslo, norway
Beans: 46
Ubuntu 7.04 Feisty Fawn
Re: HOWTO: NT Domain Authentication

Has anybody tried this with Hoary?

:water
water is offline   Reply With Quote
Old April 12th, 2005   #4
kuleali
A Carafe of Ubuntu
 
Join Date: Mar 2005
Beans: 120
Re: HOWTO: NT Domain Authentication

thanks, it worked
kuleali is offline   Reply With Quote
Old April 18th, 2005   #5
slipp3dstr3am
5 Cups of Ubuntu
 
Join Date: Apr 2005
Location: USA
Beans: 22
Re: HOWTO: NT Domain Authentication

has anyone had any luck getting this to work on a win2k domain?
slipp3dstr3am is offline   Reply With Quote
Old April 19th, 2005   #6
DracosX
First Cup of Ubuntu
 
Join Date: Nov 2004
Beans: 5
Re: HOWTO: NT Domain Authentication

For a win2k domain, just be sure to set security = ads as well as realm = your_realm in smb.conf and use net ads join -U administrator for the join command.
DracosX is offline   Reply With Quote
Old April 20th, 2005   #7
tonybee
First Cup of Ubuntu
 
Join Date: Apr 2005
Location: Cairns AUSTRALIA
Beans: 3
Re: HOWTO: NT Domain Authentication

This method seems to require a domain server present and connected to allow login to the local machine. How can the scripts be modified to allow a local login if the network or domain is unavailable?
tonybee is offline   Reply With Quote
Old April 26th, 2005   #8
JackDog
A Carafe of Ubuntu
 
Join Date: Dec 2004
Location: St. Louis, Missoura
Beans: 71
Gutsy Gibbon Testing
Re: HOWTO: NT Domain Authentication

Quote:
Originally Posted by water
Has anybody tried this with Hoary?

:water
I tried this on Hoary but it did not work. System users have to enter their password twice and when they finally get logged in, they get immediately logged out. Domain users do not authenticate at all.

Never mind, the key was specifying a default shell and default domain in smb.conf.

Last edited by JackDog; April 26th, 2005 at 02:46 PM..
JackDog is offline   Reply With Quote
Old April 26th, 2005   #9
mmrobins
First Cup of Ubuntu
 
Join Date: Apr 2005
Beans: 3
Re: HOWTO: NT Domain Authentication

I did this with Hoary Hedgehog 5.04 and now I get the message "The system administrator has disabled access to the system temporarily." when I try to logon using a domain user. My local users can't log in now, simply saying authentication failed. I'm trying to login to a mixed mode windows 2000 domain, so used the net join rpc command and it worked. So I guess the good news is that it IS authenticating against the AD, but it won't let me onto the system. Any suggestions?
mmrobins is offline   Reply With Quote
Old May 9th, 2005   #10
xsdevnet
First Cup of Ubuntu
 
Join Date: May 2005
Location: Henderson, NV, USA
Beans: 5
Re: HOWTO: NT Domain Authentication

I did this and am able to login with one of the command line virtual terminals and ssh as an active directory user. I cannot log in with XWindows though. Any ideas what I should look at?
xsdevnet is offline   Reply With Quote
