HOWTO: Active Directory Authentication

[tfiedler]

I searched high and low for a good cookie cutter recipe and couldn't find one, so I pieced together parts from various sources to come up with one that I have used for 4 Ubuntu linux servers, and which continues to work for me.

These instructions assume your domain information is DOMAIN (old style domain name) and the DNS resolvable one is DOMAIN.INTERNAL. Our Active Directory environment is running on Windows 2000, but I have tested these instructions in a VMWare Team with Windows 2003 native mode and they worked there as well.

================================================== =======

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

Steps

Step 1: Install the Required Packages

Note: Enter Y when asked if you want to install the additional packages


apt-get install krb5-user
apt-get install winbind samba

Step 2: Edit the /etc/krb5.conf File

Code:

[logging]
    default = FILE10000:/var/log/krb5lib.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.INTERNAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    DOMAIN.INTERNAL = {
        kdc = domainserver.domain.internal
        admin_server = domainserver.domain.internal
        default_domain = DOMAIN.INTERNAL
}
[domain_realm]
    .domain.internal = DOMAIN.INTERNAL
    domain.internal = DOMAIN.INTERNAL

Step 3: Edit /etc/samba/smb/conf

Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!

1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.

Code:

[global]
        security = ads
        netbios name = CMHRG02
        realm = DOMAIN.INTERNAL
        password server = domainserver.domain.internal
        workgroup = DOMAIN
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind separator = +
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no

2) Test the configuration with the testparm command

Step 4: Edit /etc/nsswitch.conf to look like the example below

Code:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Step 5: Modify the PAM settings

1) /etc/pam.d/common-account should contain only the following lines

Code:

account sufficient	pam_winbind.so
account required		pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines

Code:

auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass

3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

Code:

password   required   pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following line

Code:

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

Step 6: Make a directory to hold domain user home directories

Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

Code:

mkdir /home/DOMAIN

Step 7: Initialize Kerberos

1)

Code:

kinit domain_admin_account@DOMAIN.INTERNAL

Next check to be sure you got a ticket from the domain controller

2)

Code:

klist

Step 8: Join the system to the

Code:

net ads join -U domainadminuser@DOMAIN.INTERNAL

Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important

Code:

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

Step 10: Restart SSH and Test Connectivity

Note: If you rebooted the server in the previous step, just try and login.

Code:

/etc/init.d/ssh restart

ssh useraccount@server

If you can login using your active directory username and password then everything is working!

Step 11: Configure SUDO

1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.

2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo

Code:

%UnixAdmins ALL=(ALL) ALL

HELPFUL COMMAND LINES

1) List the derived UNIX GID values for Active Directory groups

Code:

for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done

2) See the Active Directory SID for a particular named user

Code:

wbinfo –n <username>

[herot]

will these intructions allow me to have access to my windows 2003 server shares??? i am thinking of making the ubuntu desktop a viable option at my workplace...

[evs]

will these intructions allow me to have access to my windows 2003 server shares??? i am thinking of making the ubuntu desktop a viable option at my workplace...

You should be able to access the shares with the default Samba config. I used to use my laptop with Hoary at work, and it was fine. Go to Places->Connect to Server and choose Windows Share and you'll need to save your user name and password and stuff.

This howto is great, I tried this like a year ago unsuccessfully. I wasn't using Winbind, however, so maybe that will make the difference. I can't wait till I get a chance to test some new machines on the network. Thanks a lot.

[darius_underhill]

HI Sir!

I apologize for being so ignorant but here is my situation. I was just promoted to System Admin from a Technical Support agent (due to the lack of IT personel left). And one of the task delegated to me is setup a centralized username/password authentication for all our workstations. our network is currently composed of around 20 Windows XP and 10 Ubuntu Linux (breezy).

I imagine that i should use Microsoft's Active Directory for the windows xp workstations. However i am not too sure if i am to use your HOWTO so that my Ubuntu Linux workstations will authenticate using Active Directory. Can I use your Howto so that all of our windows xp and ubuntu linux workstations to authenticate with a single active directory server?

Please help or atleast point to some reference I can use.

Thanks.

[intangible]

I have already set up my Linux boxes manually to join the domain, but I was wondering if anyone has had any luck with this tool: http://sadms.sf.net ? It looks like the perfect tool to do all this with a gui instead of manually, and they have a Ubuntu package

[slamp]

great tutorial! i have now joined my ubuntu server into my domain. i do have a question.

how do i setup multiple groups in a folder in linux?

i want groups that can read/write and groups that can only read.

so far i have setup a group in active directory and made to be able to read and write to the samba share, but i do not know of anyway to make another one that can only read.

[slamp]

Replying to my own question.

ACL was the answer!

[intangible]

If you're using ACLs, check out this, love the intergration with nautilus: http://rofi.pinchito.com/eiciel/

sudo apt-get install eiciel

http://packages.ubuntu.com/breezy/gnome/eiciel

[Mujaheiden]

Hi,
I dont know what's my DOMAN or my DOMAIN.INTERNAL. Im on the uinimaas.nl Active direcory. Which should It try?
thx

[moTaro]

great tutorial! i have now joined my ubuntu server into my domain. i do have a question.

how do i setup multiple groups in a folder in linux?

i want groups that can read/write and groups that can only read.

so far i have setup a group in active directory and made to be able to read and write to the samba share, but i do not know of anyway to make another one that can only read.

You can solve this in guru manner rather than groups, since your result should be one write and one read group.

Make 2 new user domains name them for example

domain user: readonly
domain user: readwrite

on shared resources add them to advanced secuirity and on readonly user deny write delete and create directory, and readwrite give full control.

Use this users only for mounting shares from windows resources on ubuntu box, and let them log in authenticate with their own user ex: bobby, pass bobby.