
Thread: HOWTO: NT Domain Authentication


  1. #1

    HOWTO: NT Domain Authentication

    NT Domain Authentication in Ubuntu HOW-TO
    by vizvayu@gmail.com

    I'm making this tutorial because I had to set up Ubuntu to authenticate on my company's NT Domain, so now that it's working I thought I could share my experience.
    Any comments, ideas, and even some questions are welcome. There are several tutorials regarding this, but this one is made specially for Ubuntu.

    First of all, I'm assuming that you are comfortable editing text files and have a basic understanding of a Linux system, including booting in recovery mode and restoring file backups. Although this procedure is not "dangerous", it could render the authentication system unusable if you make any mistake. So please, be careful and make backups of all the files changed.


    To authenticate on an NT Domain, you need the following extra packages:
    • samba
    • winbind


    If I remember correctly, the samba package comes with Ubuntu, but you have to download winbind separately from the universal repository.


    Ok, now this is a list of the files we are touching, please make backups:
    Code:
    /etc/login.defs
    /etc/nsswitch.conf
    /etc/samba/smb.conf
    /etc/pam.d/common-account
    /etc/pam.d/common-auth
    /etc/pam.d/common-password
    /etc/pam.d/common-session
    /etc/pam.d/sudo
    Now, the first thing we are doing is setting up samba/winbind to work with the domain, so do a nano /etc/samba/smb.conf and insert the following lines:
    Code:
    workgroup = MYDOMAIN
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind separator = +
    security = domain
    password server = *
    winbind use default domain = yes
    Remember that this is just an example; you should/can change the values according to your needs.


    After that we need to make the system use winbind. First edit /etc/nsswitch.conf and replace:

    Code:
    passwd:	compat
    group:	compat
    with
    Code:
    passwd: compat winbind
    group:	compat winbind
    Now go to /etc/pam.d and edit the following files:

    common-account:
    Code:
    # Commented out for winbind to work
    #account	required	pam_unix.so
    account	required	pam_winbind.so
    common-auth:
    Code:
    auth	sufficient	pam_winbind.so
    auth	required	pam_unix.so nullok_secure use_first_pass
    common-session:
    Code:
    session	required	pam_unix.so
    session	required	pam_mkhomedir.so umask=0022 skel=/etc/skel/
    sudo:
    Code:
    auth	sufficient	pam_winbind.so
    auth	required	pam_unix.so use_first_pass

    And this is an extra, not really required, but as I think the default max password length of 8 chars sucks (I like to use passphrases), and as we are using md5, I changed it:

    /etc/login.defs:
    Code:
    PASS_MAX_LEN	50
    /etc/pam.d/common-password:
    Code:
    password	required	pam_unix.so nullok obscure min=4 max=50 md5

    Finally, there are only a few things left to do:

    Join the domain:
    Code:
    net rpc join -D MYDOMAIN -U administrator
    Test it with:
    Code:
    wbinfo -u
    wbinfo -g

    Make the domain home dir (users home dirs will be inside this one, but can be configured in smb.conf):
    Code:
    mkdir /home/MYDOMAIN
    Reboot, and that's it, you should now have domain authentication working in Ubuntu.

    Just a few extra comments:
    • Remember that if you need one user to have administration permissions, you need to include him in the /etc/sudoers list. Use the visudo command to do this. And there's no need to prepend MYDOMAIN+ to the username since winbind is configured to use the configured domain by default.
    • If anything goes wrong and you cannot login to the system, you have to reboot in recovery mode (press ESC when grub is starting) and replace the changed files from /etc/pam.d with the backups.
    • I use NT4 domains, I don't think a W2k domain in native mode will work. You surely have to make some changes.
    • This tutorial is just an example of how things worked for me. It's obviously not the only (or better) way to do things.
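    The procedure above, as an added example that is not part of the original post: a small POSIX shell script that makes the backups the HOWTO asks for (preserving the /etc path layout so a restore from recovery mode is a single cp) and then checks the two things that most often leave a machine unable to log in after this change: that nsswitch.conf really consults winbind for both passwd and group, and that common-auth lists "auth sufficient pam_winbind.so" before "auth required pam_unix.so ... use_first_pass". The HOWTO_FILES list, the backup directory argument, the function names and the sample config lines written to a temporary directory are assumptions or constructed data, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the forum post): back up the files the HOWTO touches
# and sanity-check nsswitch.conf and the PAM auth stack before rebooting.
# HOWTO_FILES, the backup directory and the sample configs are assumptions.

set -u

# Files the HOWTO lists; assumed to live under /etc on the target host.
HOWTO_FILES="/etc/login.defs /etc/nsswitch.conf /etc/samba/smb.conf \
/etc/pam.d/common-account /etc/pam.d/common-auth /etc/pam.d/common-password \
/etc/pam.d/common-session /etc/pam.d/sudo"

# backup_configs DIR: copy every existing file in HOWTO_FILES into DIR,
# keeping the /etc/... layout so a restore from recovery mode is a plain cp -p.
backup_configs() {
    dir="$1"
    for f in $HOWTO_FILES; do
        [ -f "$f" ] || continue
        mkdir -p "$dir$(dirname "$f")"
        cp -p "$f" "$dir$f"
    done
}

# check_nsswitch FILE: both passwd and group lookups must consult winbind.
# Otherwise pam_winbind can accept a password for a user that getpwnam()
# cannot resolve, and the session setup fails right after a good password.
check_nsswitch() {
    grep -qE '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -qE '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# check_pam_auth FILE: "auth sufficient pam_winbind.so" must appear before
# "auth required pam_unix.so ... use_first_pass". With that order a domain
# user is accepted by pam_winbind, a local user falls through to pam_unix,
# and use_first_pass reuses the typed password instead of prompting twice.
check_pam_auth() {
    wb=$(grep -nE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$1" | head -n1 | cut -d: -f1)
    ux=$(grep -nE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_unix\.so.*use_first_pass' "$1" | head -n1 | cut -d: -f1)
    [ -n "$wb" ] && [ -n "$ux" ] && [ "$wb" -lt "$ux" ]
}

# demo_check: exercise the checks on constructed files in a temp directory,
# so nothing under /etc is read or written.
demo_check() {
    tmp=$(mktemp -d)
    printf 'passwd: compat winbind\ngroup:\tcompat winbind\n' > "$tmp/nsswitch.conf"
    printf 'auth\tsufficient\tpam_winbind.so\nauth\trequired\tpam_unix.so nullok_secure use_first_pass\n' > "$tmp/common-auth"
    # Wrong order: pam_unix "required" first rejects a domain user with no
    # local passwd entry before pam_winbind is ever consulted.
    printf 'auth\trequired\tpam_unix.so use_first_pass\nauth\tsufficient\tpam_winbind.so\n' > "$tmp/common-auth.bad"
    check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: ok"
    check_pam_auth "$tmp/common-auth" && echo "common-auth: ok"
    check_pam_auth "$tmp/common-auth.bad" || echo "common-auth.bad: wrong module order"
    rm -rf "$tmp"
}

demo_check
```

    On a real host you would run backup_configs with a directory such as /root/pam-backup before editing anything, then run check_nsswitch /etc/nsswitch.conf and check_pam_auth /etc/pam.d/common-auth (and the same check on /etc/pam.d/sudo, which the HOWTO gives the same two-line stack) before rebooting, keeping a root shell open on another terminal until a domain login has been confirmed.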

  2. #2

    Re: HOWTO: NT Domain Authentication

    awesome! worked like a charm.

  3. #3

    Re: HOWTO: NT Domain Authentication

    Has anybody tried this with Hoary?

    :water

  4. #4

    Re: HOWTO: NT Domain Authentication

    thanks, it worked

  5. #5

    Re: HOWTO: NT Domain Authentication

    has anyone had any luck getting this to work on a win2k domain?

  6. #6

    Re: HOWTO: NT Domain Authentication

    For a win2k domain, just be sure to set security = ads as well as realm = your_realm in smb.conf and use net ads join -U administrator for the join command.

  7. #7

    Re: HOWTO: NT Domain Authentication

    Quote Originally Posted by water
    Has anybody tried this with Hoary?

    :water
    I tried this on Hoary but it did not work. System users have to enter their password twice and when they finally get logged in, they get immediately logged out. Domain users do not authenticate at all.

    Never mind, the key was specifying a default shell and default domain in smb.conf.
    Last edited by JackDog; April 26th, 2005 at 07:46 PM.

  8. #8

    Re: HOWTO: NT Domain Authentication

    I did this with Hoary Hedgehog 5.04 and now I get the message "The system administrator has disabled access to the system temporarily." when I try to logon using a domain user. My local users can't log in now, simply saying authentication failed. I'm trying to login to a mixed mode windows 2000 domain, so used the net join rpc command and it worked. So I guess the good news is that it IS authenticating against the AD, but it won't let me onto the system. Any suggestions?

  9. #9

    Re: HOWTO: NT Domain Authentication

    I did this and am able to login with one of the command line virtual terminals and ssh as an active directory user. I cannot log in with XWindows though. Any ideas what I should look at?

  10. #10

    Re: HOWTO: NT Domain Authentication

    Quote Originally Posted by mmrobins
    I did this with Hoary Hedgehog 5.04 and now I get the message "The system administrator has disabled access to the system temporarily." when I try to logon using a domain user. My local users can't log in now, simply saying authentication failed. I'm trying to login to a mixed mode windows 2000 domain, so used the net join rpc command and it worked. So I guess the good news is that it IS authenticating against the AD, but it won't let me onto the system. Any suggestions?
    Quote Originally Posted by xsdevnet
    I did this and am able to login with one of the command line virtual terminals and ssh as an active directory user. I cannot log in with XWindows though. Any ideas what I should look at?
    Hi guys - Think I might have a solution to this for you.

    I was having the same problem until I went into System>Administration>login screen setup (I think you can also run "gksudo gdmsetup" to get this). I then switched to the "security" tab and unchecked the box next to "Always disallow TCP connections to X server"

    While I was there I also switched the graphical greeter to "happy gnome with browser" so that I could see domain users on bootup - just to make sure everything was looking ok!

    I hope this helps. If it's wrong or if there's anything stupid contained within, then please accept my apologies - I've only been using Linux for a month or so as a curiosity project, so I don't claim to be any kind of expert, but most of that time has been spent configuring it to work with AD. Worked for me though.

    <Rant>
    And incidentally, why does this have to be so totally painful on every distro I've tried? So far, I've tried fedora, rhe, suse and ubuntu and all of them have made my life hell when simply trying to get hooked up to a windows domain.

    Ubuntu is the only distro where I've ever got this to work (so it scores BIG points from me there) and that took a couple of days spent googling and some total trial-and-error-config-file-madness!

    And what's really annoying is that all of the software is out there to make it work, you've just got to faff around for so long to get it to play. I've been that hacked off by this that I'm seriously thinking of doing some kind of "idiots guide to joining ubuntu to a domain". Granted, there are some good articles out there: the one on the wiki is quite handy (https://wiki.ubuntu.com/ActiveDirectoryWinbindHowto) but fell over for me at "apt-get install krb5-user" which just didn't work on my default hoary install!

    From my perspective, as a veteran windows user (but total linux newbie) this is the sort of thing that has to work out-of-the box, first-time and through a nice GUI. Instead, I've been downloading and unpacking tar files for hours and now my brain is bleeding.

    Something should be done.
    </Rant>

    Thanks for your time.
