Page 11 of 21 (results 101 to 110 of 209)

Thread: HOWTO: Active Directory Authentication

  1. #101
    Join Date
    May 2007
    Beans
    9

    Re: HOWTO: Active Directory Authentication

    Great guide! I just have one problem and I'm not sure how to fix it. I have set up my Ubuntu box just like the guide and I can sign onto it locally and with AD accounts. When I set up AD users with their home folders (via ssh user@ubuntupc) the home drives are created.

    My problem is that users can map to their Ubuntu-based home folders as a network drive from a Windows XP machine but they cannot add files or edit any existing files. When users try, they get a Windows pop-up stating Access Denied. But if they sign on locally to the Ubuntu box, they can add files and edit existing ones in their home folder. My goal is to redirect my users' "My Documents" to this Ubuntu box and eliminate the Windows 2K server that currently fulfills this role. To do this, they need to be able to write to the folder. So did I miss a step? Is what I want to do possible? Any ideas?

    The home folders all reside in /home/DOMAIN/ which is listed in the smb.conf below


    smb.conf
    Code:
    [global]
            security = ads
            netbios name = UBU
            realm = DOMAIN.COM
            password server = SERVER.DOMAIN.com
            workgroup = DOMAIN
            idmap uid = 500-10000000
            idmap gid = 500-10000000
            winbind separator = +
            winbind enum users = yes
            winbind enum groups = yes
            winbind use default domain = yes
            template homedir = /home/%D/%U
            template shell = /bin/bash
            client use spnego = yes
            domain master = no
            preferred master = no
            local master = no
            nt acl support = yes
    [SHARE]
            path = /home/DOMAIN/
            read only = Yes
            browseable = No


    EDIT - NVM. I fixed it. I freed up my [SHARE] so it's not read only and locked down the home dirs. It works now.
    Last edited by warlockvix; May 17th, 2007 at 06:17 PM.

  2. #102
    Join Date
    May 2007
    Beans
    14

    Re: HOWTO: Active Directory Authentication

    Is there a way to log in via GNOME using an AD account? Right now I have everything set up but am only able to log in via ssh.

  3. #103
    Join Date
    May 2007
    Beans
    9

    Re: HOWTO: Active Directory Authentication

    Following the guide should allow you to sign on via gnome with AD accounts or local accounts. Any errors?
    Can you post your smb.conf file and krb5.conf file?

  4. #104
    Join Date
    May 2007
    Beans
    14

    Re: HOWTO: Active Directory Authentication

    all the DOMAIN and domain were replaced with the actual name.

    krb5.conf
    Code:
    [logging]
        default = FILE10000:/var/log/krb5lib.log
    
    [libdefaults]
            default_realm = DOMAIN.COM
            ticket_lifetime = 24000
            default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
            default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    
    # The following krb5.conf variables are only for MIT Kerberos.
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
    
    # The following libdefaults parameters are only for Heimdal Kerberos.
            v4_instance_resolve = false
            v4_name_convert = {
                    host = {
                            rcmd = host
                            ftp = ftp
                    }
                    plain = {
                            something = something-else
                    }
            }
            fcc-mit-ticketflags = true
    
    [realms]
            DOMAIN.COM = {
                    kdc = nascdca01.domain.com
                    admin_server = nascdca01.domain.com
                    default_domain = DOMAIN.COM
            }
    
    [domain_realm]
            domain.com = DOMAIN.COM
            .domain.com = DOMAIN.COM
    
    [login]
            krb4_convert = true
            krb4_get_tickets = false

    smb.conf
    Code:
    [global]
            security = ads
            netbios name = computer_name
            realm = DOMAIN.COM
            password server = nascdca01.domain.com
            workgroup = DOMAINAD
            idmap uid = 500-10000000
            idmap gid = 500-10000000
            #winbind separator = +
            winbind enum users = yes
            winbind enum groups = yes
            winbind use default domain = yes
            encrypt passwords = yes
            template homedir = /home/%D/%U
            template shell = /bin/bash
            client use spnego = yes
            domain master = no
            log file = /var/log/samba/log.%m
            max log size = 1000
            syslog = 0

    I just checked the auth.log and noticed this
    Code:
    May 16 08:01:02 COMPUTER_NAME pam_winbind[20446]: user 'USERNAME' granted access
    May 16 08:01:02 COMPUTER_NAME gdm[20446]: (pam_unix) could not identify user (from getpwnam(USERNAME))
    May 16 08:01:02 COMPUTER_NAME gdm[20446]: Couldn't set acct. mgmt for USERNAME
    Last edited by ziggie216; May 17th, 2007 at 09:27 PM.

  5. #105
    Join Date
    May 2007
    Beans
    9

    Re: HOWTO: Active Directory Authentication

    I haven't played too much with the winbind separator but I would allow it to be read, so I would remove the # in front of it. What happens when you type in kinit user@DOMAIN.COM? Does it come back with a response? What about wbinfo -g and wbinfo -u? Also, your nsswitch.conf and all your pam.d/common-* are similar to the guide, correct?
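    The auth.log excerpt in the post above shows the split worth recognising: pam_winbind reports "granted access" (the password was accepted by the domain), and in the same second pam_unix reports "could not identify user (from getpwnam(...))" and gdm gives up in account management. Authentication succeeded; what failed is name-service resolution of the account, which on a winbind setup commonly means /etc/nsswitch.conf does not list winbind on the passwd and group lines (or winbindd is not running). wbinfo -u talks to winbindd directly and can succeed even then; getent passwd USER goes through NSS and is the check that must also succeed. The script below is an added example, not code from the thread or from the guide it discusses; it recognises that log pattern and checks an nsswitch.conf for the winbind source. The log lines and nsswitch files it feeds itself are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the guide it discusses.
# Recognises the "pam_winbind granted access / pam_unix could not identify
# user" pattern in auth.log and checks whether nsswitch.conf routes passwd
# and group lookups through winbind. All file names and contents are constructed.

# nsswitch_uses_winbind FILE DB
#   Returns 0 when the "DB:" line of FILE (comments stripped) lists winbind.
nsswitch_uses_winbind() {
    sed 's/#.*//' "$1" | grep -E "^[[:space:]]*$2:" | grep -qw winbind
}

# nsswitch_missing_winbind FILE
#   Prints the databases that lack a winbind source; returns 1 if any, else 0.
nsswitch_missing_winbind() {
    missing=""
    for db in passwd group; do
        nsswitch_uses_winbind "$1" "$db" || missing="$missing $db"
    done
    [ -z "$missing" ] && return 0
    echo "nsswitch.conf: no winbind source for:$missing"
    return 1
}

# diagnose_auth_log FILE
#   Returns 0 (and explains) when PAM authenticated via winbind but the
#   account step failed inside getpwnam(): an NSS problem, not a password one.
diagnose_auth_log() {
    if grep -q 'pam_winbind\[[0-9]*\]: user .* granted access' "$1" &&
       grep -q 'could not identify user (from getpwnam(' "$1"; then
        echo "winbind accepted the password, but getpwnam() cannot resolve the account."
        echo "'wbinfo -u' asks winbindd directly and may still succeed; 'getent passwd USER'"
        echo "goes through NSS and must succeed too. Check the passwd/group lines of nsswitch.conf."
        return 0
    fi
    echo "pattern not found in $1"
    return 1
}

# write_sample_log FILE: constructed lines modelled on the auth.log excerpt above
write_sample_log() {
    printf '%s\n' \
      "May 16 08:01:02 host pam_winbind[20446]: user 'USERNAME' granted access" \
      "May 16 08:01:02 host gdm[20446]: (pam_unix) could not identify user (from getpwnam(USERNAME))" \
      "May 16 08:01:02 host gdm[20446]: Couldn't set acct. mgmt for USERNAME" > "$1"
}

# write_sample_nsswitch FILE broken|fixed: constructed nsswitch.conf contents
write_sample_nsswitch() {
    if [ "$2" = fixed ]; then
        printf '%s\n' "passwd: compat winbind" "group: compat winbind" \
                      "shadow: compat" "hosts: files dns" > "$1"
    else
        printf '%s\n' "passwd: compat" "group: compat" \
                      "shadow: compat" "hosts: files dns  # winbind missing" > "$1"
    fi
}

# Demonstration on the constructed files; runs offline.
tmp=$(mktemp -d)
write_sample_log "$tmp/auth.log"
write_sample_nsswitch "$tmp/nsswitch.broken" broken
write_sample_nsswitch "$tmp/nsswitch.fixed" fixed
diagnose_auth_log "$tmp/auth.log"
nsswitch_missing_winbind "$tmp/nsswitch.broken" || true
nsswitch_missing_winbind "$tmp/nsswitch.fixed" && echo "nsswitch.conf: winbind present for passwd and group"
rm -rf "$tmp"
```

    On a live box, run nsswitch_missing_winbind /etc/nsswitch.conf and diagnose_auth_log /var/log/auth.log, then confirm with getent passwd USER; if that returns nothing while wbinfo -u lists the user, NSS is the gap.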

  6. #106
    Join Date
    May 2007
    Beans
    14

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by warlockvix View Post
    I haven't played too much with the winbind separator but I would allow it to be read, so I would remove the # in front of it. What happens when you type in kinit user@DOMAIN.COM? Does it come back with a response? What about wbinfo -g and wbinfo -u? Also, your nsswitch.conf and all your pam.d/common-* are similar to the guide, correct?
    kinit works fine, I was about to use klist as well
    wbinfo -g and -u work fine

    I had everything configured as it said in the guide, even tried to use
    winbind separator = \
    winbind separator = +

  7. #107
    Join Date
    Oct 2006
    Location
    Sacramento, California
    Beans
    529
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Active Directory Authentication

    I have tried to make this work for almost a year and I finally gave up. I installed 2XApplicationServer instead and I am once again happy with Ubuntu in a business environment.

  8. #108
    Join Date
    May 2007
    Beans
    9

    Re: HOWTO: Active Directory Authentication

    As much as I hate to do this, I'm going to post a link to another guide. Linky.
    I used this guide to further my configuration on my Ubuntu server. It might be useful.

    I was able to come up with a similar error in my auth.log as yours by messing with my /etc/pam.d/gdm file. I altered the path of the *.so files and it was not happy. In all my /etc/pam.d/common-* files and now in my gdm file, I have /lib/security/ in front of the *.so files. Like this -

    common-auth:
    Code:
    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth sufficient /lib/security/pam_krb5.so use_first_pass
    auth sufficient /lib/security/pam_winbind.so use_first_pass
    auth required /lib/security/pam_deny.so
    account required /lib/security/pam_unix.so broken_shadow
    account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
    account [default=bad success=ok user_unknown=ignore] /lib/security/pam_krb5.so
    account [default=bad success=ok user_unknown=ignore] /lib/security/pam_winbind.$
    account required /lib/security/pam_permit.so
    #account requisite /lib/security/pam_succeed_if.so user ingroup un$
    password requisite /lib/security/pam_cracklib.so retry=3
    password sufficient /lib/security/pam_unix.so nullok use_authtok md$
    password sufficient /lib/security/pam_krb5.so use_authtok
    password sufficient /lib/security/pam_winbind.so use_authtok
    password required /lib/security/pam_deny.so
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0007
    session optional /lib/security/pam_krb5.so

    It might be worth a try to add the full path, at least with the gdm file.

    Also, my krb5.conf looks like this -

    Code:
    [logging]
            default = FILE10000:/var/log/krb5lib.log
    [libdefaults]
            default_realm = DOMAIN.COM
            ticket_lifetime = 24000
            default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
            default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
            DOMAIN.COM = {
                    kdc = myserver.domain.com
                    admin_server = myserver.domain.com
                    default_domain = DOMAIN.COM
            }
    [domain_realm]
            .domain.com = DOMAIN.COM
            domain.com = DOMAIN.COM


    Of course, DOMAIN replaces what is actually there and I removed a few things from the file that I wouldn't be needing.
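    Both krb5.conf files in this thread pin default_tkt_enctypes and default_tgs_enctypes to the des3 and single-DES enctypes, which is the security-relevant thing to fix before copying them. Single DES is deprecated by RFC 6649, is disabled by default in MIT Kerberos since 1.8 (allow_weak_crypto = false), and has not been offered by Active Directory domain controllers by default since Windows Server 2008 R2; 3DES and RC4 are deprecated by RFC 8429. Active Directory supports AES (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96), and simply leaving the enctype lines out lets the library negotiate it. A hand-typed file can also misspell a name (for example des3-hmac-shal), which the library will not recognise at all. The script below is an added example, not from the thread or the guide; it lints the enctype lists in a krb5.conf for unknown and weak names. The sample files it writes are constructed and the realm name in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Lints the enctype lists in a krb5.conf:
# flags names MIT Kerberos does not know (typos) and enctypes that are
# deprecated (DES: RFC 6649; 3DES and RC4: RFC 8429). Sample files are constructed.

# is_known_enctype NAME: 0 if NAME is an enctype name MIT krb5 accepts (common subset)
is_known_enctype() {
    case "$1" in
        aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha1-96|aes256-cts|aes128-cts|\
        aes256-cts-hmac-sha384-192|aes128-cts-hmac-sha256-128|\
        camellia256-cts-cmac|camellia128-cts-cmac|\
        arcfour-hmac|arcfour-hmac-md5|rc4-hmac|\
        des3-cbc-sha1|des3-hmac-sha1|des3-cbc-sha1-kd|\
        des-cbc-crc|des-cbc-md5|des-cbc-md4) return 0 ;;
        *) return 1 ;;
    esac
}

# enctype_status NAME -> ok | deprecated | disabled | unknown
enctype_status() {
    if ! is_known_enctype "$1"; then echo unknown; return; fi
    case "$1" in
        des-*)                  echo disabled ;;    # single DES: off by default in MIT krb5 >= 1.8 and in AD since 2008 R2
        des3-*|arcfour-*|rc4-*) echo deprecated ;;  # RFC 8429
        *)                      echo ok ;;
    esac
}

# krb5_enctype_findings FILE: one line per problem in the
# default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes lists
krb5_enctype_findings() {
    sed 's/#.*//' "$1" |
    grep -E '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=' |
    while IFS= read -r line; do
        param=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        for et in ${line#*=}; do                    # word-split the space-separated list
            status=$(enctype_status "$et")
            [ "$status" = ok ] || echo "$param: $status enctype '$et'"
        done
    done
}

# lint_krb5_enctypes FILE: prints findings; returns 1 if there are any, else 0
lint_krb5_enctypes() {
    findings=$(krb5_enctype_findings "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "$1: enctype lists are clean (or absent, which lets the library negotiate AES)"
    return 0
}

# write_sample_krb5 FILE legacy|modern: constructed [libdefaults] fragments, placeholder realm
write_sample_krb5() {
    if [ "$2" = modern ]; then
        printf '%s\n' "[libdefaults]" "    default_realm = DOMAIN.COM" \
            "    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96" \
            "    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96" > "$1"
    else
        printf '%s\n' "[libdefaults]" "    default_realm = DOMAIN.COM" \
            "    default_tkt_enctypes = des3-hmac-shal des-cbc-crc" \
            "    default_tgs_enctypes = des3-hmac-shal des-cbc-crc" > "$1"
    fi
}

# Demonstration on the constructed files; runs offline.
tmp=$(mktemp -d)
write_sample_krb5 "$tmp/krb5.legacy" legacy
write_sample_krb5 "$tmp/krb5.modern" modern
lint_krb5_enctypes "$tmp/krb5.legacy" || true
lint_krb5_enctypes "$tmp/krb5.modern"
rm -rf "$tmp"
```

    Run lint_krb5_enctypes /etc/krb5.conf on the real file; after kinit, klist -e shows which enctypes the domain controller actually issued, which is the quickest way to confirm AES is in use.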

  9. #109
    Join Date
    May 2007
    Beans
    14

    Re: HOWTO: Active Directory Authentication

    I'm locked out of my system after a restart. Tried both the local and the domain name and it doesn't accept it. Any idea what happened?

  10. #110
    Join Date
    May 2007
    Beans
    9

    Re: HOWTO: Active Directory Authentication

    It depends on what you changed. But this happened to me and PAM was locking me out. Boot up with a system rescue CD (Linky) and mount your partition. Change the common-* files back and you'll be able to sign back on, as long as it's PAM locking you out.
