Page 3 of 21 (results 21 to 30 of 209)

Thread: HOWTO: Active Directory Authentication

  1. #21
    Join Date
    Jan 2006
    Location
    Scotland
    Beans
    2
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Active Directory Authentication

    Hi,

    I am interested in trying out SADMS but I cannot get it to install. I am fairly new to Ubuntu and Linux in general. I've been on the SADMS website and downloaded, what I think is, the correct package: sadms-install-ubu-2.0.1.tar.gz
I've unpacked it and I now have a folder called sadms-2.0.1. When I try double-clicking the start script, I run it in the terminal and I can see lots of errors flicking past. I have winbind and samba installed.

How do I install sadms? Have I been thick about something?

    I've been all over the sadms project pages and there's not much help.

    Any help would be much appreciated.

    Thanks

    PS - I don't think that there is anything wrong with SADMS - it's just my newbieness.

  2. #22
    Join Date
    Feb 2006
    Beans
    4

    Re: HOWTO: Active Directory Authentication

I'm having a problem. Everything worked fine, I was able to join the domain, but I cannot log in... using domain logins or local ones.

    I get this error message in my auth.log
Code:
Feb  1 16:29:43 testws sshd[4090]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb  1 16:29:45 testws pam_winbind[4090]: user 'MYUSERNAME' granted access
Feb  1 16:29:45 testws sshd[4085]: error: PAM: Authentication information cannot be recovered for MYUSERNAME from testws.mydomain.com
Feb  1 16:44:08 testws login[4096]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb  1 16:44:10 testws pam_winbind[4096]: user 'MYUSERNAME' granted access
Feb  1 16:44:14 testws login[4096]: FAILED LOGIN (1) on `tty1' FOR `MYUSERNAME', Authentication information cannot be recovered
    Any ideas??

    PS. I'm authenticating to a win2k3 dc
    Last edited by RxTech; February 1st, 2006 at 10:46 PM.
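The auth.log pattern in this post, worked through as an added example (not the poster's code): pam_winbind reports that the domain accepted the password, pam_unix reports it has no password for that account, and the attempt still ends with "Authentication information cannot be recovered". The script below walks the quoted lines per user and reports every attempt with that shape; when it fires, the place to look is the PAM stack in /etc/pam.d, since the domain side already said yes. The log excerpt is the post's own six lines re-used as constructed input, and parse_line and winbind_granted_but_login_failed are names chosen here.

```python
import re

# Constructed auth.log excerpt: the six lines quoted in the post above, verbatim
# (testws, MYUSERNAME and the PIDs are that poster's own placeholders).
AUTH_LOG = """\
Feb  1 16:29:43 testws sshd[4090]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb  1 16:29:45 testws pam_winbind[4090]: user 'MYUSERNAME' granted access
Feb  1 16:29:45 testws sshd[4085]: error: PAM: Authentication information cannot be recovered for MYUSERNAME from testws.mydomain.com
Feb  1 16:44:08 testws login[4096]: (pam_unix) auth could not identify password for [MYUSERNAME]
Feb  1 16:44:10 testws pam_winbind[4096]: user 'MYUSERNAME' granted access
Feb  1 16:44:14 testws login[4096]: FAILED LOGIN (1) on `tty1' FOR `MYUSERNAME', Authentication information cannot be recovered
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The user name appears in four different shapes across these messages.
USER_RE = re.compile(r"\[(\w+)\]|user '(\w+)'|for (\w+) from|FOR `(\w+)'")

def parse_line(line):
    """Return (prog, pid, user, msg) for a syslog-style auth.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = USER_RE.search(m["msg"])
    user = next((g for g in u.groups() if g), None) if u else None
    return m["prog"], m["pid"], user, m["msg"]

def winbind_granted_but_login_failed(log_text):
    """Per user, walk the log in order and report each attempt where pam_unix could not
    identify the password, pam_winbind then granted access, and the attempt still ended in
    'Authentication information cannot be recovered'. Each finding lists the PIDs involved
    (sshd logs the final error from its parent process, so the PIDs can differ)."""
    state, findings = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec[2]:
            continue
        prog, pid, user, msg = rec
        if "could not identify password" in msg:          # pam_unix: a new attempt starts
            state[user] = {"granted": False, "pids": [pid]}
        elif prog == "pam_winbind" and "granted access" in msg and user in state:
            state[user]["granted"] = True
            state[user]["pids"].append(pid)
        elif "cannot be recovered" in msg and user in state:  # stack result for the attempt
            st = state.pop(user)
            if st["granted"]:
                findings.append({"user": user, "service": prog, "pids": sorted(set(st["pids"] + [pid]))})
    return findings
```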

  3. #23
    Join Date
    Oct 2005
    Beans
    161
    Distro
    Ubuntu Budgie 18.04 Bionic Beaver

Re: HOWTO: Active Directory Authentication

I think this Active Directory login is too difficult for me. I have no clue as to what I'm doing, and what I do doesn't work. I'll just wait for an automix-like script, if ever...
Thanks anyway

  4. #24
    Join Date
    Jul 2005
    Location
    Remote Desert, USA
    Beans
    683

    Re: HOWTO: Active Directory Authentication

    tfiedler,

    Wow, got this working, but had to alter the steps slightly. This is way cool stuff here!!! It's sensational that you figured all this out, though. Perhaps things have changed in Ubuntu 5.10 or something. What's cool about this is that my PC is now a member of the AD domain and if I add a unix account with useradd and don't specify a password or use passwd, I can use the password from the AD domain instead of the password on the Unix account. Note that you do not need to use smbpasswd anymore! That's one less admin chore -- and you won't have to worry about password synchronization again with Samba because it passes on to the AD domain.

    Here's what I had to do that was so special.

    1. Had to put my FQDN in /etc/hosts on the 127.0.0.1 line before localhost. (For noobs -- do hostname to find your hostname. Then, tack on the domain on the end. In my case it was something like UBUNTU.MY_AD_DOMAIN.COM.)

    2. Had to turn on Ubuntu Universe option in /etc/apt/sources.list, then do this:

Code:
apt-get update
    apt-get install krb5-user

    ...Note that when you do this and it begins to install it, a blue screen will pop open and ask you for the IP address of your closest domain controller for the domain you want to authenticate against.

Code:
apt-get install winbind samba

    3. Had to use a variation on your /etc/krb5.conf file:

Code:
[logging]
# krb5 log destinations take the form FILE:/path (this line was garbled in the original)
default = FILE:/var/log/krb5lib.log
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = MY_AD_DOMAIN.COM
# Pins the ticket enctypes to DES/3DES; later Windows domain controllers disable single DES by default
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
    MY_AD_DOMAIN.COM = {
    # The "kdc" should be the IP addr of your closest domain controller.
    kdc = 192.168.0.2
    }

    [domain_realm]
    .my_ad_domain.com = MY_AD_DOMAIN.COM
    my_ad_domain.com = MY_AD_DOMAIN.COM
    # end

    Note that I did not use admin_server or default_domain because I was getting errors. I commented them out and to my surprise my kinit statement was working.

    4. In reference to all those files in /etc/pam.d that you had us edit, if you get one character wrong, you will blow your authentication! Warning! Therefore, I cut and paste from your post and was back in business again.

5. My smb.conf was almost exactly the same. I just want to comment that my password server line reflects the IP address of the closest domain controller. This should match what's in krb5.conf.

Code:
[global]
    unix charset = LOCALE
    workgroup = MY_AD_DOMAIN
    realm = MY_AD_DOMAIN.COM
    netbios name = UBUNTU
    server string = Samba
    security = ADS
    password server = 192.168.0.2
    winbind use default domain = yes
    client use spnego = yes
    domain master = no
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = CUPS
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group = "Domain Users"
    template shell = /bin/bash
    winbind separator = +
    printing = cups

    [public]
    path = /tmp/public
    available = yes
    browseable = yes
    public = yes
    writable = yes
    create mode = 0755
    directory mode = 0755
    read only = no

6. I think I had to back up and remove all my /var/lib/samba/*.tdb files and bounce winbind and samba like you mention in order for this to work properly, not caching stuff generated from my previous tests.

    7. I found I had to play with chmod on /tmp/public to let other users in. You could do it the world-read-writable way (your security experts will have a cow) with chmod a+x /tmp/public, but you're better off mapping the Linux user account to a folder with chown and setting perms with chmod u+x /tmp/public/my_user_folder

    Hope this helps everyone!
    Last edited by SuperMike; March 2nd, 2006 at 06:11 AM.
    SuperMike
    When in doubt, follow the penguins.
    Evil Kitty is watching you
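As an added example (not SuperMike's code), a Python checker for the cross-file agreement that step 5 calls out: it parses the two config fragments posted above, verifies that smb.conf's realm equals krb5.conf's default_realm and that password server is one of that realm's kdc entries, and flags the DES/3DES enctype pins from step 3. The sample configs are trimmed copies of the post's own, and parse_kv_file / check_ad_configs are names chosen here.

```python
import re
# Constructed samples, trimmed from the krb5.conf and smb.conf posted above; the realm name and 192.168.0.2 are that post's placeholders.
KRB5_CONF = """\
[libdefaults]
default_realm = MY_AD_DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
MY_AD_DOMAIN.COM = {
kdc = 192.168.0.2
}
"""
SMB_CONF = """\
[global]
realm = MY_AD_DOMAIN.COM
password server = 192.168.0.2
"""
# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES and RC4).
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_kv_file(text):
    """INI-like text -> {section: {key: value}}; a krb5.conf 'NAME = { ... }' realm block is keyed by NAME."""
    out, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop both comment styles
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif line.endswith("{"):
            block = line[:-1].rstrip().rstrip("=").strip()
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(block or section, {})[key.lower()] = value  # last value wins
    return out

def check_ad_configs(krb5_text, smb_text):
    """Cross-check the two files the way step 5 above says they must agree; returns a list of findings."""
    krb, smb = parse_kv_file(krb5_text), parse_kv_file(smb_text)
    lib, glob = krb.get("libdefaults", {}), smb.get("global", {})
    realm, pw_server = glob.get("realm", ""), glob.get("password server", "")
    findings = []
    if realm != lib.get("default_realm"):
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if pw_server and pw_server not in krb.get(realm, {}).get("kdc", "").split():
        findings.append("password server %s is not a kdc of realm %s" % (pw_server, realm))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        legacy = sorted(set(lib.get(key, "").split()) & LEGACY_ENCTYPES)
        if legacy:
            findings.append("%s pins legacy enctypes: %s" % (key, " ".join(legacy)))
    return findings
```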

  5. #25
    Join Date
    Jul 2005
    Location
    Remote Desert, USA
    Beans
    683

    Re: HOWTO: Active Directory Authentication

    Some oddities about Samba that I found are these. I don't know if it's just this version, or if it's Ubuntu, or what.

* The shares act funny in Windows 2000 and XP. If you do Start, Run, \\<server> and doubleclick the share, then create a new folder, it appears properly and you are given a chance to rename it. But if you close that window and repeat this step, you can create folders but not have a chance to rename them until you refresh your window with the F5 key. The same goes for renaming them, creating new files, etc. I can see people getting fairly aggravated by this. I don't know how to fix that.

    * Another way the shares act funny is that you cannot edit the NTFS perms from Windows. It will let you start it, but then it won't let you apply those changes. Instead, these must be applied with chown and chmod on the Linux server. This is to be accepted, of course. Just wanted to make you aware of this in case you were a noob and were assuming you can just edit the NTFS permissions from within Windows.

    * I had to turn off my firewall for now to get this going. I'm not really sure what all ports need to be opened up to make this work.

    * I tried editing the /etc/pam.d/common* files to see if I could trick my Linux so that it only authenticated to the company domain. I wanted to not have to use useradd for every new Samba account I wanted to add to the system. Unfortunately, this almost worked, but not completely. I noticed that it caused the passwords to lockout on the domain controller, but it still wouldn't let me have access to the session. I would imagine with some tweaking in these files I just might get it to work.
    SuperMike
    When in doubt, follow the penguins.
    Evil Kitty is watching you

  6. #26
    Join Date
    Aug 2005
    Beans
    5

    Re: HOWTO: Active Directory Authentication

    Great howto since it solved all my problems. However, I have one problem and can't seem to quite figure out the correct way to do it.

    The user logged on will be a 'domain user' and as such is NOT part of the cdrom, audio, video groups for instance.

    Assume I have a user 'foo' that logs in correctly. How do I 'attach' this domain user to the audio group?

  7. #27
    Join Date
    Jan 2005
    Location
    Flagstaff,AZ
    Beans
    36
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

Hi, I am trying the sadms app, and here is what I get:

Code:
could not acquire Kerberos ticket
    +WARNING
    Kerberos requires administrator's password
    to have been reset once since domain install
    in order to add DES encryption keys to user
    account which only has a RC4 key when
    initially created.
    [ERROR]
    returned error code 4
    command line was <./_install.sh 'FROOT.NAU.EDU' 'nau.froot.nau.edu' 'froot.nau.edu' 'FROOT' 'ucc123' 'Computers' 'fg32' '*****' 'Domain Users' '134.114.70.0/255.255.255.0' ''>

  8. #28
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by Draaku
Hi, I am trying the sadms app, and here is what I get:

Code:
could not acquire Kerberos ticket
    +WARNING
    Kerberos requires administrator's password
    to have been reset once since domain install
    in order to add DES encryption keys to user
    account which only has a RC4 key when
    initially created.
    [ERROR]
    returned error code 4
    command line was <./_install.sh 'FROOT.NAU.EDU' 'nau.froot.nau.edu' 'froot.nau.edu' 'FROOT' 'ucc123' 'Computers' 'fg32' '*****' 'Domain Users' '134.114.70.0/255.255.255.0' ''>
I have read on some sites that the admin password on the DC needs to be reset before it will work. I think this was tied to Win 2k, but I could be remembering incorrectly. Reset the admin account password, then reset it again to what it was previously (for convenience). Then try it again.
    Last edited by stevea1210; March 4th, 2006 at 04:46 AM.

  9. #29
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by StRobo
    Great howto since it solved all my problems. However, I have one problem and can't seem to quite figure out the correct way to do it.

    The user logged on will be a 'domain user' and as such is NOT part of the cdrom, audio, video groups for instance.

    Assume I have a user 'foo' that logs in correctly. How do I 'attach' this domain user to the audio group?
I had the same problem. I wrote a down-and-dirty script to add domain users to local groups on the Linux box. Here is the link:
    http://ubuntuforums.org/showpost.php...64&postcount=6

Give that a try, it should take care of it. You can add users to audio, as well as any other needed groups, using it.
    Last edited by stevea1210; March 4th, 2006 at 04:46 AM.

  10. #30
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by SuperMike
    Some oddities about Samba that I found are these. I don't know if it's just this version, or if it's Ubuntu, or what.

    * Another way the shares act funny is that you cannot edit the NTFS perms from Windows. It will let you start it, but then it won't let you apply those changes. Instead, these must be applied with chown and chmod on the Linux server. This is to be accepted, of course. Just wanted to make you aware of this in case you were a noob and were assuming you can just edit the NTFS permissions from within Windows.
    Make sure the partition on the samba server is mounted with acl. Below is a line from my /etc/fstab. Note the acl in it.

    Code:
    /dev/hdc1       /netshares     ext3    acl,defaults      0       1
After editing fstab, remount the drives
    Code:
    sudo mount -a
That should fix the inability to edit ACLs from Windows.
