Page 1 of 21 12311 ... LastLast
Results 1 to 10 of 209

Thread: HOWTO: Active Directory Authentication

  1. #1
    Join Date
    Nov 2005
    Beans
    1
    I searched high and low for a good cookie cutter recipe and couldn't find one, so I pieced together parts from various sources to come up with one that I have used for 4 Ubuntu linux servers, and which continues to work for me.

    These instructions assume your domain information is DOMAIN (old style domain name) and the DNS resolvable one is DOMAIN.INTERNAL. Our Active Directory environment is running on Windows 2000, but I have tested these instructions in a VMWare Team with Windows 2003 native mode and they worked there as well.

    ================================================== =======

    Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

    Steps

    Step 1: Install the Required Packages

    Note: Enter Y when asked if you want to install the additional packages


    apt-get install krb5-user
    apt-get install winbind samba


    Step 2: Edit the /etc/krb5.conf File

    Code:
    [logging]
        default = FILE10000:/var/log/krb5lib.log
    [libdefaults]
        ticket_lifetime = 24000
        default_realm = DOMAIN.INTERNAL
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
        DOMAIN.INTERNAL = {
            kdc = domainserver.domain.internal
            admin_server = domainserver.domain.internal
            default_domain = DOMAIN.INTERNAL
    }
    [domain_realm]
        .domain.internal = DOMAIN.INTERNAL
        domain.internal = DOMAIN.INTERNAL
    Step 3: Edit /etc/samba/smb/conf

    Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!

    1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.

    Code:
    [global]
            security = ads
            netbios name = CMHRG02
            realm = DOMAIN.INTERNAL
            password server = domainserver.domain.internal
            workgroup = DOMAIN
            idmap uid = 500-10000000
            idmap gid = 500-10000000
            winbind separator = +
            winbind enum users = no
            winbind enum groups = no
            winbind use default domain = yes
            template homedir = /home/%D/%U
            template shell = /bin/bash
            client use spnego = yes
            domain master = no
    2) Test the configuration with the testparm command

    Step 4: Edit /etc/nsswitch.conf to look like the example below

    Code:
    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat
    hosts:          files dns wins
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis
    Step 5: Modify the PAM settings

    1) /etc/pam.d/common-account should contain only the following lines

    Code:
    account sufficient	pam_winbind.so
    account required		pam_unix.so
    2) /etc/pam.d/common-auth should contain only the following lines

    Code:
    auth    sufficient      pam_winbind.so
    auth    required        pam_unix.so nullok_secure use_first_pass
    3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

    Code:
    password   required   pam_unix.so nullok obscure min=4 max=50 md5
    4) Make sure the /etc/pam.d/common-session file contains the following line

    Code:
    session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
    Step 6: Make a directory to hold domain user home directories

    Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

    Code:
    mkdir /home/DOMAIN
    Step 7: Initialize Kerberos

    1)
    Code:
    kinit domain_admin_account@DOMAIN.INTERNAL
    Next check to be sure you got a ticket from the domain controller

    2)
    Code:
    klist
    Step 8: Join the system to the

    Code:
    net ads join -U domainadminuser@DOMAIN.INTERNAL
    Step 9: Restart Samba-related Services (Or reboot the server)

    Note: The order is important

    Code:
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/samba start
    /etc/init.d/winbind start
    Step 10: Restart SSH and Test Connectivity

    Note: If you rebooted the server in the previous step, just try and login.

    Code:
    /etc/init.d/ssh restart
    
    ssh useraccount@server
    If you can login using your active directory username and password then everything is working!

    Step 11: Configure SUDO

    1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.

    2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo

    Code:
    %UnixAdmins ALL=(ALL) ALL


    HELPFUL COMMAND LINES

    1) List the derived UNIX GID values for Active Directory groups

    Code:
    for gid in $(wbinfo -r <username>); \
    do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
    2) See the Active Directory SID for a particular named user

    Code:
    wbinfo –n <username>

  2. #2
    Join Date
    Oct 2005
    Location
    Athens, GA
    Beans
    116

    Re: HOWTO: Active Directory Authentication

    will these intructions allow me to have access to my windows 2003 server shares??? i am thinking of making the ubuntu desktop a viable option at my workplace...
    "Better sleep with a sober cannibal than a drunken Christian." -Ishmael (Moby ****)

    IBM T60p 12.04ubuntu

  3. #3
    Join Date
    Jun 2005
    Beans
    33
    Distro
    Kubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by herot
    will these intructions allow me to have access to my windows 2003 server shares??? i am thinking of making the ubuntu desktop a viable option at my workplace...
    You should be able to access the shares with the default Samba config. I used to use my laptop with Hoary at work, and it was fine. Go to Places->Connect to Server and choose Windows Share and you'll need to save your user name and password and stuff.

    This howto is great, I tried this like a year ago unsuccessfully. I wasn't using Winbind, however, so maybe that will make the difference. I can't wait till I get a chance to test some new machines on the network. Thanks a lot.

  4. #4

    Re: HOWTO: Active Directory Authentication

    HI Sir!

    I apologize for being so ignorant but here is my situation. I was just promoted to System Admin from a Technical Support agent (due to the lack of IT personel left). And one of the task delegated to me is setup a centralized username/password authentication for all our workstations. our network is currently composed of around 20 Windows XP and 10 Ubuntu Linux (breezy).

    I imagine that i should use Microsoft's Active Directory for the windows xp workstations. However i am not too sure if i am to use your HOWTO so that my Ubuntu Linux workstations will authenticate using Active Directory. Can I use your Howto so that all of our windows xp and ubuntu linux workstations to authenticate with a single active directory server?

    Please help or atleast point to some reference I can use.

    Thanks.

  5. #5
    Join Date
    Nov 2004
    Location
    Las Vegas
    Beans
    329
    Distro
    Ubuntu 6.06

    Re: HOWTO: Active Directory Authentication

    I have already set up my Linux boxes manually to join the domain, but I was wondering if anyone has had any luck with this tool: http://sadms.sf.net ? It looks like the perfect tool to do all this with a gui instead of manually, and they have a Ubuntu package
    Computer science has as much to do with computers as astronomy has to do with telescopes.
    - Edsger Wybe Dijkstra


    Intangible's Desktop

  6. #6
    Join Date
    Nov 2005
    Beans
    6

    Re: HOWTO: Active Directory Authentication

    great tutorial! i have now joined my ubuntu server into my domain. i do have a question.

    how do i setup multiple groups in a folder in linux?

    i want groups that can read/write and groups that can only read.

    so far i have setup a group in active directory and made to be able to read and write to the samba share, but i do not know of anyway to make another one that can only read.

  7. #7
    Join Date
    Nov 2005
    Beans
    6

    Re: HOWTO: Active Directory Authentication

    Replying to my own question.

    ACL was the answer!

  8. #8
    Join Date
    Nov 2004
    Location
    Las Vegas
    Beans
    329
    Distro
    Ubuntu 6.06

    Re: HOWTO: Active Directory Authentication

    If you're using ACLs, check out this, love the intergration with nautilus: http://rofi.pinchito.com/eiciel/

    sudo apt-get install eiciel

    http://packages.ubuntu.com/breezy/gnome/eiciel
    Computer science has as much to do with computers as astronomy has to do with telescopes.
    - Edsger Wybe Dijkstra


    Intangible's Desktop

  9. #9
    Join Date
    Oct 2005
    Location
    Banja Luka
    Beans
    158
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: HOWTO: Active Directory Authentication

    Hi,
    I dont know what's my DOMAN or my DOMAIN.INTERNAL. Im on the uinimaas.nl Active direcory. Which should It try?
    thx

  10. #10
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    Greetings,

    I followed the howto step by step but I'm getting "kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials" when I run "kinit Administrator@home.brr". However, I can nslookup the computer I specified on "[realms] kdc" (it's both the AD PDC and DNS server). What can I be doing wrong?

    Thanks in advance


    Quote Originally Posted by Mujaheiden
    I dont know what's my DOMAN or my DOMAIN.INTERNAL. Im on the uinimaas.nl Active direcory. Which should It try?
    In your case DOMAIN is uinimaas and DOMAIN.INTERNAL is uinimaas.nl

Page 1 of 21 12311 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •