I've been at this for days, using dozens of guides. Unfortunately I'm at my wit's end. I just can't figure out the right combination of points to get all my ducks in a row and use my Domain structure on this Ubuntu box.
Back story
Building a Print Server using CUPS (based on a design my company made back in 2009 with Ubuntu 8.10, CUPS 1.3.9). We want an updated version with Ubuntu 12.04/CUPS 1.6.2, as there have been quite a few bug fixes and Kerberos support enhancements for things like the Negotiate authentication method that we had been patching into our 1.3.9 build.
The original server didn't really directly work well with Kerberos/Domain logins. We were using Basic and passing that through something to "pretend" to be Negotiate. It worked, but not very well. Also, at the time, winbind was still extremely slow with large ADs (this was developed between 2006 & 2009).
At some point in this configuration process, I was able to log in using an AD account, and it authenticated correctly to the CUPS :631/admin page as well as our Apache custom management pages (they interface with a MySQL db). Unfortunately, after a reboot, I couldn't even log in with a local account, much less a domain account. My coworker had to catch the boot sequence, go into bash and revert the PAM config so that I could log into a local account. I still can't log into a Domain account.
Guides I've used
Main Guide I followed: https://help.ubuntu.com/community/Ac...ryWinbindHowto
http://askubuntu.com/questions/12738...an-ldap-client
https://help.ubuntu.com/12.04/server...eros-ldap.html
https://help.ubuntu.com/community/Kerberos
https://help.ubuntu.com/community/GnuTLS
The files as they stand now
Assume that the variables $MY_VALUES[$INDEX_...] are my values as they would be in the file. I have these because I'm also writing a big-ass bash script that would write all these files for me on a fresh install if I needed them to.
E.g. - $MY_VALUES[$INDEX_FQDN] would be "this-server.company.com"
I realize this is a lot to go through, but if you see something that is out of place, please let me know.
file: /etc/hostname
Code:
$MY_VALUES[$INDEX_FQDN]
file: /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
mapping hotplug
script grep
map eth0
auto eth0
iface eth0 inet static
address $MY_VALUES[$INDEX_SERVERSTATICIP]
netmask $MY_VALUES[$INDEX_SERVERNETMASK]
gateway $MY_VALUES[$INDEX_SERVERGATEWAY]
file: /etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost $MY_VALUES[$INDEX_FQDN]
$MY_VALUES[$INDEX_KDCADDRESS] $MY_VALUES[$INDEX_DOMAINADDRESS] $MY_VALUES[$INDEX_DOMAINADDRESSSHORT]
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
file: /etc/resolv.conf
Code:
nameserver $MY_VALUES[$INDEX_DNSSERVER]
file: /etc/custom/smb.conf (For joining to the domain)
Code:
[global]
realm = $MY_VALUES[$INDEX_REALM]
workgroup = $MY_VALUES[$INDEX_WORKGROUP]
password server = $MY_VALUES[$INDEX_KDCADDRESS]
server string = %h server (Samba, Ubuntu)
security = ADS
kerberos method = system keytab
netbios name = $MY_VALUES[$INDEX_SERVERSHORTNAME]
allow trusted domains = yes
passdb backend = tdbsam
obey pam restrictions = yes
file: /etc/krb5.conf
Code:
[libdefaults]
default_realm = $MY_VALUES[$INDEX_REALM]
default_keytab_file = /etc/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[appdefaults]
autologin = true
forward = true
forwardable = true
renewable = true
[realms]
$MY_VALUES[$INDEX_REALM] = {
kdc = $MY_VALUES[$INDEX_KDCADDRESS]
admin_server = $MY_VALUES[$INDEX_KDCADDRESS]
default_domain = $MY_VALUES[$INDEX_DOMAINADDRESS]
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.$MY_VALUES[$INDEX_DOMAINADDRESS] = $MY_VALUES[$INDEX_REALM]
$MY_VALUES[$INDEX_DOMAINADDRESS] = $MY_VALUES[$INDEX_REALM]
[login]
krb4_convert = true
krb4_get_tickets = false
file: /etc/samba/smb.conf
Code:
[global]
workgroup = $MY_VALUES[$INDEX_WORKGROUP]
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 8192
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = ads
realm = $MY_VALUES[$INDEX_REALM]
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
restrict anonymous = 2
############ Misc ############
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind refresh tickets = true
winbind nested groups = yes
winbind trusted domains only = yes
usershare allow guests = no
#======================= Share Definitions =======================
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = no
read only = yes
guest ok = no
file: /etc/nsswitch.conf
Code:
passwd: files compat ldap winbind
group: files compat ldap winbind
shadow: files compat ldap winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The PAM config files are currently at a "sudo pam-auth-update --force" with all options (including Kerberos) selected.
If you need any additional information I will try to answer your questions as best I can.
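Since the post's failure mode is "everything worked until the reboot, then even local login was gone", the files above are worth linting before the next reboot rather than after. The script below is an added example, not part of the original post or any of the linked guides: it checks the three files that most often cause that symptom (the FQDN bound to loopback in /etc/hosts, a realm or domain_realm mismatch in krb5.conf, and a PAM auth stack where a network module is `required` ahead of pam_unix so local accounts cannot authenticate while the KDC or winbind is unavailable). All sample inputs are constructed (example.com, 10.0.0.25, dc1) and the krb5.conf parser is a minimal one written for this example; on a real host you would feed it /etc/hosts, /etc/krb5.conf and /etc/pam.d/common-auth.

```python
"""Pre-reboot sanity checks for an AD/Kerberos-joined Ubuntu host.

Added example (not from the original post). All sample values below are
constructed; real inputs would be /etc/hosts, /etc/krb5.conf and
/etc/pam.d/common-auth.
"""
import re

LOOPBACK = ("127.0.0.1", "127.0.1.1", "::1")
# Matches "auth <control> <module>", where control may be "[success=1 default=ignore]".
PAM_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
NETWORK_MODULES = ("pam_krb5", "pam_winbind", "pam_ldap")


def check_hosts(hosts_text, fqdn, static_ip):
    """The host/ service principal is derived from the FQDN's resolution, so the
    FQDN must map to the real address and be the canonical (first) name."""
    findings, mapped_to = [], None
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ip, names = fields[0], fields[1:]
        if fqdn in names:
            mapped_to = ip
            if ip in LOOPBACK:
                findings.append(f"{fqdn} is bound to loopback {ip}; bind it to {static_ip}")
            elif names[0] != fqdn:
                findings.append(f"{fqdn} should be the first name on the {ip} line")
    if mapped_to is None:
        findings.append(f"{fqdn} missing; add '{static_ip} {fqdn} {fqdn.split('.')[0]}'")
    return findings


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":  # start of a nested block such as a realm entry
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return conf


def check_krb5(conf, domain):
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm", "")
    if not realm:
        findings.append("libdefaults has no default_realm")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm!r} should be upper-case (realms are case-sensitive)")
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        findings.append(f"[realms] has no entry for {realm}")
    elif realm and "kdc" not in realms[realm]:
        findings.append(f"[realms] {realm} has no kdc entry")
    for key in (domain, "." + domain):
        if conf.get("domain_realm", {}).get(key) != realm:
            findings.append(f"[domain_realm] should map {key} to {realm}")
    return findings


def check_pam_auth(common_auth_text):
    """A krb5/winbind/ldap module marked required or requisite before pam_unix
    makes every login fail when the domain is unreachable, e.g. early in boot."""
    findings, seen_unix = [], False
    for raw in common_auth_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        control, module = m.group(1), m.group(2)
        if module.startswith("pam_unix"):
            seen_unix = True
        elif module.startswith(NETWORK_MODULES) and not seen_unix \
                and control in ("required", "requisite"):
            findings.append(f"{module} is {control} before pam_unix.so; local login breaks if the domain is down")
    if not seen_unix:
        findings.append("no pam_unix.so auth line: no local fallback login")
    return findings


# Constructed samples mirroring the layout of the files in the post.
FQDN, STATIC_IP, DOMAIN, REALM = "this-server.example.com", "10.0.0.25", "example.com", "EXAMPLE.COM"
SAMPLE_HOSTS_BAD = f"127.0.0.1 localhost.localdomain localhost {FQDN}\n10.0.0.1 dc1.example.com dc1\n"
SAMPLE_HOSTS_GOOD = f"127.0.0.1 localhost.localdomain localhost\n{STATIC_IP} {FQDN} this-server\n10.0.0.1 dc1.example.com dc1\n"
SAMPLE_KRB5 = f"""[libdefaults]
    default_realm = {REALM}
    dns_lookup_kdc = true
[realms]
    {REALM} = {{
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }}
[domain_realm]
    .{DOMAIN} = {REALM}
    {DOMAIN} = {REALM}
"""
SAMPLE_PAM_BAD = "auth required pam_krb5.so minimum_uid=1000\nauth required pam_unix.so nullok_secure try_first_pass\n"
SAMPLE_PAM_GOOD = ("auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000\n"
                   "auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n")


def lint_all(hosts, krb5, pam):
    return (check_hosts(hosts, FQDN, STATIC_IP)
            + check_krb5(parse_krb5_conf(krb5), DOMAIN)
            + check_pam_auth(pam))


if __name__ == "__main__":
    for label, hosts, pam in (("bad", SAMPLE_HOSTS_BAD, SAMPLE_PAM_BAD),
                              ("good", SAMPLE_HOSTS_GOOD, SAMPLE_PAM_GOOD)):
        print(label, lint_all(hosts, SAMPLE_KRB5, pam) or ["ok"])
```

The PAM check deliberately mirrors what `pam-auth-update` generates on 12.04: the `[success=N default=ignore]` jump controls let a domain module fail without blocking pam_unix, which is exactly the fallback that was missing when a coworker had to revert the PAM files by hand.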