Page 20 of 21 FirstFirst ... 1018192021 LastLast
Results 191 to 200 of 209

Thread: HOWTO: Active Directory Authentication

  1. #191
    Join Date
    Jul 2007
    Location
    South San Francisco, CA
    Beans
    400
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Active Directory Authentication

    I just got an Ubuntu 9.10 box to authenticate to AD.

    Here's what I did. (Before changing any of the files mentioned below, make sure to create a backup copy to save yourself future headache.)

    • Code:
      sudo aptitude install likewise-open-gui

    • Modify /etc/hosts: add an entry for the domain controller, using the FQDN (fully qualified domain name), i.e., server.domain.local

    • Verify that the hostname of the Ubuntu box doesn't contain special characters (check /etc/hostname); if it does, make sure the /etc/hosts file is corrected accordingly

    • Modify the connection manager to DHCP (addresses only) and add the domain controller in the DNS Server field

    • Modify the /etc/sudoers file to add AD domain admins to sudoers.
      Add to the bottom of the file:
      %your_fqdn_here\\Domain^Admins ALL=(ALL) ALL

    • Modify /etc/samba/lwiauthd.conf, adding to the bottom
      winbind use default domain = yes
      so that AD members use only their username and not "your_fqdn\username"

    • Modify /etc/nsswitch.conf, changing the line that refers to hosts to
      hosts: files dns

    • Using likewise-open, add the computer to the domain. Be sure to use the full domain name, i.e., domain.local.

    • Reboot, and your AD members should be able to authenticate to the DC using the Ubuntu box. In addition, your AD admins should be able to administer the Ubuntu box.



    A thank you goes out to Likewise-open and these folks for their help.
    http://anothersysadmin.wordpress.com...in-ubuntu-804/
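    The steps in the post above can be checked before any file is touched. The shell functions below are an added example (not the poster's or Likewise's code): each takes the file to inspect as an argument so it can be pointed at a backup copy, and the controller name dc1.domain.local used in the comments is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the join steps.
# Each function takes the file to inspect as an argument. The controller name
# dc1.domain.local mentioned in comments is an assumed placeholder.

# Hostname step: /etc/hostname must hold a plain label (letters, digits and
# hyphens, no leading or trailing hyphen, 1..63 characters).
valid_hostname() {
    name="$1"
    [ ${#name} -ge 1 ] && [ ${#name} -le 63 ] || return 1
    case "$name" in
        -*|*-)           return 1 ;;   # hyphen at either end
        *[!A-Za-z0-9-]*) return 1 ;;   # underscore, dot, space, etc.
    esac
    return 0
}

# Join step: the domain must be given as a full name, so require at least
# one dot and check every label with valid_hostname (no IFS/glob tricks).
valid_fqdn() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    rest="$1."
    while [ -n "$rest" ]; do
        valid_hostname "${rest%%.*}" || return 1
        rest="${rest#*.}"
    done
}

# /etc/hosts step: the controller's FQDN must appear as a whole word on a
# non-comment line, e.g. "192.0.2.10 dc1.domain.local dc1".
hosts_has_fqdn() {
    sed 's/#.*//' "$1" | grep -qiwF "$2"
}

# nsswitch step: the "hosts:" line must be exactly "files dns"; extra
# sources such as mdns4_minimal would be consulted before the DC's DNS.
nsswitch_hosts_ok() {
    line=$(sed -n 's/^hosts:[[:space:]]*//p' "$1" | sed 's/#.*//' | head -n 1)
    [ "$(printf '%s' "$line" | tr -s '[:space:]' ' ' | sed 's/ *$//')" = "files dns" ]
}
```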

  2. #192
    Join Date
    Nov 2009
    Beans
    8

    Re: HOWTO: Active Directory Authentication

    Hi,

    I've configured (kerberos, samba, pam) on my professional ubuntu box (Karmic Koala 64-bit) to be able to join my enterprise active directory.

    It works fine (ie when I start nautilus and I click on a windows share, no password is required) when I:

    1. start my session
    2. open a terminal, type kinit and give my domain password

    Without this second action, a password is asked for any share accessed. I think that it's not the normal process.

    When I look at the file /var/log/samba.log.winbindd, I can see:
    Kinit failed: Client not found in Kerberos database
    I also have the following message:
    Could not receive trustdoms
    How may I correct my configuration to access windows shares without any domain password during my session?

    Thanks,
    Michel

  3. #193
    Join Date
    Apr 2005
    Location
    Melbourne, Australia
    Beans
    13
    Distro
    Ubuntu Intrepid Ibex (testing)

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by cg88:
    Great tutorial! After following the initial tutorial and configuring NTP, my machine is able to authenticate against AD.

    I do have one issue still. Authentication works great for any user unless they are required to change their password. I've been testing using SSH, and get the following output:

    Code:
    WARNING: Your password has expired.
    You must change your password now and login again!
    passwd: Authentication token manipulation error
    passwd: password unchanged
    Connection to _computer-name_ closed.
    Any ideas? Once this is working, I'll be completely set. Thanks!

    Just bumped into this problem myself. The answer lies in /etc/pam.d/common-password - add the line:

    Code:
    password	[success=2 default=ignore]	pam_winbind.so
    to the top of the default common-password file.

    Note the warning here about changing domain passwords using this technique.
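    As an added example (not the poster's code), the shell function below inserts that line at the top of common-password after taking a backup, as the earlier post advises, and a second helper shows which module a successful pam_winbind jumps to. It assumes the stock Ubuntu stack of the time: pam_unix ([success=1 default=ignore]), pam_deny (requisite), pam_permit (required).

```shell
#!/bin/sh
# Added example, not from the thread. The control field
# [success=2 default=ignore] means: when pam_winbind succeeds, skip the next
# two modules (pam_unix, pam_deny) and land on pam_permit; any other result
# is ignored and the stack continues to pam_unix, so purely local accounts
# still change their local password. Assumes the stock Ubuntu layout
# pam_unix / pam_deny / pam_permit in that order.
WINBIND_LINE=$(printf 'password\t[success=2 default=ignore]\tpam_winbind.so')

enable_winbind_password_change() {
    file="$1"
    # idempotent: leave the file alone if a pam_winbind password line exists
    if grep -q '^password.*pam_winbind\.so' "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$file.tmp.$$"
    { printf '%s\n' "$WINBIND_LINE"; cat "$file"; } > "$tmp" || return 1
    mv "$tmp" "$file"
}

# Prints the module that a successful pam_winbind jumps to, counting
# password lines the way PAM does (comment lines are not modules). Use it
# to confirm the jump lands on pam_permit.so rather than on pam_deny.so.
winbind_jump_target() {
    awk '
        /^password/ {
            i++
            line[i] = $0
            if (match($0, /pam_[A-Za-z0-9_]+\.so/))
                mod[i] = substr($0, RSTART, RLENGTH)
        }
        END {
            for (k = 1; k <= i; k++)
                if (line[k] ~ /pam_winbind\.so/ && match(line[k], /success=[0-9]+/)) {
                    n = substr(line[k], RSTART + 8, RLENGTH - 8) + 0
                    print mod[k + n + 1]
                    exit
                }
        }' "$1"
}
```

    If your file has extra modules between pam_unix and pam_permit (pam_gnome_keyring, for instance), winbind_jump_target will show the line landing short of pam_permit and the jump count needs adjusting.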

  4. #194
    Join Date
    Jun 2008
    Location
    Centurion, South Africa
    Beans
    80
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: HOWTO: Active Directory Authentication

    Thanks Saghaulor, already had the likewise-open-gui installed.

    Also, the line
    Modify /etc/samba/lwiauthd.conf, add to the bottom
    did not count for me, as I did not have that file on my system, so I ignored it.

    Now I can authenticate on the AD domain, and access the relevant shares.

    B

  5. #195
    Join Date
    Feb 2010
    Beans
    2

    Re: HOWTO: Active Directory Authentication

    Please help me with something that can integrate my ADS with FTP

  6. #196
    Join Date
    Feb 2010
    Beans
    2

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by jeevanpk:
    Please help me with something that can integrate my ADS with FTP

  7. #197
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Dear Experts!

    First, excuse me for my English.
    There is a local Linux machine on which I have configured kerberos and ldap - kinit and ldapsearch are working.
    Ldapsearch works like this:
    ldapsearch -v -x -D CN=user,CN=Users,DC=domain -W -LLL "(cn=user)"
    ldap_initialize( <DEFAULT> )
    Enter LDAP Password:
    filter: (cn=user)
    requesting: All userApplication attributes
    dn: CN=user,CN=Users,DC=domain
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: user
    distinguishedName: CN=user,CN=Users,DC=domain
    instanceType: 4
    whenCreated: 20071003134645.0Z
    whenChanged: 20100212095526.0Z
    displayName:: 0J/QtdGA0LXQutGA0LXRgdGC0L7QsiDQkNC90LTRgNC10Lkg0J/QtdGC0YDQ vtCy
    0LjRhw==
    uSNCreated: 389673
    memberOf: CN=group,CN=Users,DC=domain
    uSNChanged: 44764302
    name: user
    objectGUID:: TTTD/aBhEE6PxsIlWWxZoA==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    homeDirectory: \\server\users\personal\user
    homeDrive: Z:
    badPasswordTime: 129104512781569552
    lastLogoff: 0
    lastLogon: 129110472236388768
    pwdLastSet: 128880768398237296
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAVnD5YpbP+W9E8DV3OXwAAA==
    accountExpires: 0
    logonCount: 733
    sAMAccountName: user
    sAMAccountType: 805306368
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain
    lastLogonTimestamp: 129104421266577456
    "
    And with "(cn=*)" I can view all AD users on Windows server (like any other AD user).

    But "$ ssh user@localhost" gives:
    "
    sshd[7005]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7005]: Invalid user user from 127.0.0.1
    sshd[7010]: pam_krb5[7010]: default/local realm 'DOMAIN'
    sshd[7010]: pam_krb5[7010]: configured realm 'DOMAIN'
    sshd[7010]: pam_krb5[7010]: flag: debug
    sshd[7010]: pam_krb5[7010]: flags: forwardable not proxiable
    sshd[7010]: pam_krb5[7010]: flag: no ignore_afs
    sshd[7010]: pam_krb5[7010]: flag: no null_afs
    sshd[7010]: pam_krb5[7010]: flag: user_check
    sshd[7010]: pam_krb5[7010]: flag: no krb4_convert
    sshd[7010]: pam_krb5[7010]: flag: krb4_convert_524
    sshd[7010]: pam_krb5[7010]: flag: krb4_use_as_req
    sshd[7010]: pam_krb5[7010]: will try previously set password first
    sshd[7010]: pam_krb5[7010]: will let libkrb5 ask questions
    sshd[7010]: pam_krb5[7010]: flag: use_shmem
    sshd[7010]: pam_krb5[7010]: flag: external
    sshd[7010]: pam_krb5[7010]: flag: warn
    sshd[7010]: pam_krb5[7010]: ticket lifetime: 43200s (0d,12h,0m,0s)
    sshd[7010]: pam_krb5[7010]: renewable lifetime: 86400s (1d,0h,0m,0s)
    sshd[7010]: pam_krb5[7010]: minimum uid: 1
    sshd[7010]: pam_krb5[7010]: banner: Kerberos 5
    sshd[7010]: pam_krb5[7010]: ccache dir: /tmp
    sshd[7010]: pam_krb5[7010]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
    sshd[7010]: pam_krb5[7010]: keytab: FILE:/etc/krb5.keytab
    sshd[7010]: pam_krb5[7010]: token strategy: v4,524,2b,rxk5
    sshd[7010]: pam_krb5[7010]: pam_authenticate called for 'user', realm 'DOMAIN'
    sshd[7010]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7010]: pam_krb5[7010]: error resolving user name 'user' to uid/gid pair
    sshd[7010]: pam_krb5[7010]: error getting information about 'user'
    sshd[7010]: nss_ldap: could not search LDAP server - Server is unavailable
    "
    And after password input:
    "
    sshd[7142]: error: PAM: Authentication failure for illegal user user from localhost
    sshd[7142]: Failed keyboard-interactive/pam for invalid user user from 127.0.0.1 port 45307 ssh2
    sshd[7148]: pam_krb5[7148]: default/local realm 'DOMAIN'
    sshd[7148]: pam_krb5[7148]: configured realm 'DOMAIN'
    sshd[7148]: pam_krb5[7148]: flag: debug
    sshd[7148]: pam_krb5[7148]: flags: forwardable not proxiable
    sshd[7148]: pam_krb5[7148]: flag: no ignore_afs
    sshd[7148]: pam_krb5[7148]: flag: no null_afs
    sshd[7148]: pam_krb5[7148]: flag: user_check
    sshd[7148]: pam_krb5[7148]: flag: no krb4_convert
    sshd[7148]: pam_krb5[7148]: flag: krb4_convert_524
    sshd[7148]: pam_krb5[7148]: flag: krb4_use_as_req
    sshd[7148]: pam_krb5[7148]: will try previously set password first
    sshd[7148]: pam_krb5[7148]: will let libkrb5 ask questions
    sshd[7148]: pam_krb5[7148]: flag: use_shmem
    sshd[7148]: pam_krb5[7148]: flag: external
    sshd[7148]: pam_krb5[7148]: flag: warn
    sshd[7148]: pam_krb5[7148]: ticket lifetime: 43200s (0d,12h,0m,0s)
    sshd[7148]: pam_krb5[7148]: renewable lifetime: 86400s (1d,0h,0m,0s)
    sshd[7148]: pam_krb5[7148]: minimum uid: 1
    sshd[7148]: pam_krb5[7148]: banner: Kerberos 5
    sshd[7148]: pam_krb5[7148]: ccache dir: /tmp
    sshd[7148]: pam_krb5[7148]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
    sshd[7148]: pam_krb5[7148]: keytab: FILE:/etc/krb5.keytab
    sshd[7148]: pam_krb5[7148]: token strategy: v4,524,2b,rxk5
    sshd[7148]: pam_krb5[7148]: pam_authenticate called for 'user', realm 'DOMAIN'
    sshd[7148]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7148]: pam_krb5[7148]: error resolving user name 'user' to uid/gid pair
    sshd[7148]: pam_krb5[7148]: error getting information about 'user'
    sshd[7148]: nss_ldap: could not search LDAP server - Server is unavailable
    "
    How is it possible to configure a local Linux machine with authorization on a Windows AD server, having only such an account on the server?

    Thanks in advance.
    Last edited by CAEman; April 9th, 2010 at 08:20 AM.

  8. #198
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Maybe somebody knows how it is possible to do this by script?

  9. #199
    Join Date
    Jun 2007
    Location
    Seattle, Washington USA
    Beans
    1
    Distro
    Ubuntu

    Re: HOWTO: Active Directory Authentication

    The following steps were tested on Ubuntu 9.10.

    The easiest way to do this is to install Likewise-Open and Likewise-Open-GUI from the repository:

    sudo apt-get install likewise-open likewise-open-gui

    After installation is complete, go to System>>Administration>>Active Directory membership to join the Ubuntu computer to the AD domain. You'll have to restart, then you can log on using your AD user account and credentials. The user account is in the form domain\username, for example, soundtraining\doncrawley.

    Here's a link to a YouTube video demonstrating how to do it, except that he downloads the packages from their site. You can just use apt-get or aptitude to install it directly from the Ubuntu repository.

  10. #200
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Thanks.
    But how is it possible "to join the Ubuntu computer to the AD domain" having only such an account on the server?
