ActiveDirectoryWinbindHowto
This Howto describes how to join an Ubuntu box to an Active Directory domain and authenticate users against AD.
Used software

Name | Version
MS Windows Server | 2003 standard sp1
Linux | Ubuntu Hoary 5.04
Winbind | 3.0.14a-Ubuntu
Samba | 3.0.14a-Ubuntu
krb5-user | 1.3.6-1
Used terms

term | definition
AD | Active Directory
DC | Domain Controller
lab.example.com | AD domain
win2k3.lab.example.com | DC FQDN
10.0.0.1 | DC IP
LAB.EXAMPLE.COM | Kerberos Realm
linuxwork | computer name of the Ubuntu workstation
linuxwork.lab.example.com | FQDN of the Ubuntu workstation
ntp.example.com | timeserver (NTP)
Time settings
Correct time is essential for Kerberos; the easiest way to ensure it is to use an NTP server. Every Active Directory Domain Controller is also an NTP server, so for best results use the FQDN of an AD DC in ntpdate.
file: /etc/default/ntpdate
# servers to check
NTPSERVERS="ntp.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"
root@linuxwork:~# /etc/init.d/ntpdate restart
FQDN
A valid FQDN is essential for Kerberos.
file: /etc/hosts
127.0.0.1 linuxwork.lab.example.com localhost linuxwork
Set up Kerberos
Required software
root@linuxwork:~# apt-get install krb5-user
Note: Configuring Kerberos in /etc/krb5.conf is not necessary if the DNS service records for Kerberos are configured correctly.
file: /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = LAB.EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
LAB.EXAMPLE.COM = {
kdc = win2k3.lab.example.com
admin_server = win2k3.lab.example.com
default_domain = LAB.EXAMPLE.COM
}
[domain_realm]
.lab.example.com = LAB.EXAMPLE.COM
lab.example.com = LAB.EXAMPLE.COM
Testing
Request a TGT (it doesn't have to be Administrator; any valid domain account can be used).
root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM
Password for Administrator@LAB.EXAMPLE.COM: ****
Check if ticket request was valid.
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM
Valid starting Expires Service principal
01/21/05 10:28:51 01/21/05 20:27:43 krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
renew until 01/21/05 20:28:51
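The klist check above is done by eye; an added shell example (not part of the original howto) shows the same check as a script, confirming that the ticket cache holds a TGT for exactly the realm configured as default_realm. The function names and the two embedded inputs (a krb5.conf fragment and a klist listing copied from the listings above) are constructed for this example; on a joined workstation pass "$(cat /etc/krb5.conf)" and "$(klist)" instead.

```shell
#!/bin/sh
# Added example, not from the original howto: verify that the TGT in the
# ticket cache belongs to the realm configured in krb5.conf.

# Constructed inputs, copied from the howto's listings.
KRB5_CONF='[libdefaults]
ticket_lifetime = 24000
default_realm = LAB.EXAMPLE.COM'

KLIST_OUT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
        renew until 01/21/05 20:28:51'

# krb5_default_realm "<krb5.conf text>" -> value of default_realm (hypothetical helper)
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F'=' '
        $1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# tgt_realm "<klist output>" -> realm named after the @ of the krbtgt ticket, or empty
tgt_realm() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^krbtgt\//) { sub(/^.*@/, "", $i); print $i; exit } }'
}

# have_tgt_for_default_realm "<krb5.conf text>" "<klist output>"
# returns 0 when a TGT exists and its realm equals default_realm, 1 otherwise
have_tgt_for_default_realm() {
    want=$(krb5_default_realm "$1")
    got=$(tgt_realm "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

if have_tgt_for_default_realm "$KRB5_CONF" "$KLIST_OUT"; then
    echo "TGT present for default realm $(krb5_default_realm "$KRB5_CONF")"
else
    echo "no TGT for the configured default realm; run kinit" >&2
fi
```

A mismatch here usually means kinit was run against a principal in another realm or the [domain_realm] mapping is wrong, which is exactly the case where the later net ads join prompts for a password instead of using the ticket.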
Join AD domain
Required software
Note: For Windows 2003 Server SP1, Winbind version 3.0.14a is necessary. Hoary only has version 3.0.10, but you can find 3.0.14a in Breezy.
root@linuxwork:~# apt-get install winbind samba smbfs
Note: The package smbfs is optional, but includes useful client utilities, including the smbmount command. Also useful is the smbclient package, which includes an FTP-like client for SMB shares.
Join
file: /etc/samba/smb.conf
[global]
security = ads
realm = LAB.EXAMPLE.COM
password server = 10.0.0.1
workgroup = LAB
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
encrypt passwords = yes
winbind use default domain = yes
Note: The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain.
Request a valid Kerberos TGT for an account that is allowed to join a workstation to the AD domain.
root@linuxwork:~# net ads join
Using short domain name -- LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
Note: If the Kerberos authentication was valid, you should not be asked for a password.
Testing
# wbinfo -u
You should get a list of the users of the domain.
# wbinfo -g
And a list of the groups.
Setup Authentication
nsswitch
file: /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
Testing
Check the Winbind nsswitch module with getent.
root@linuxwork:~# getent passwd
root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...
root@linuxwork:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...
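The getent output above should agree with three smb.conf settings from the Join section: winbind separator = +, idmap uid = 10000-20000 and template homedir = /home/%D/%U. The following shell script is an added example (not part of the original howto) that checks a passwd listing against those expectations, so that a misconfigured idmap range or template shows up before any domain user logs in. The function names are hypothetical and the sample listing is constructed from the howto's output plus one deliberately bad line; on a joined workstation pass "$(getent passwd)" instead.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check the accounts
# winbind exposes via nsswitch against the smb.conf settings in this howto.

SEP='+'            # winbind separator = +
UID_MIN=10000      # idmap uid = 10000-20000
UID_MAX=20000

# Constructed sample, modelled on the howto's getent output, plus one
# deliberately broken entry whose uid lies outside the idmap range.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
LAB+broken:x:25000:25000:Broken:/home/LAB/broken:/bin/bash'

# check_winbind_passwd "<getent passwd output>"
# Prints every DOMAIN+user entry whose uid is outside the idmap range or whose
# home directory does not follow /home/%D/%U; returns 1 if any was found.
# Local accounts (no separator in the name) are skipped.
check_winbind_passwd() {
    printf '%s\n' "$1" | awk -F: -v sep="$SEP" -v lo="$UID_MIN" -v hi="$UID_MAX" '
        index($1, sep) == 0 { next }                       # local account
        {
            i = index($1, sep)
            dom = substr($1, 1, i - 1); user = substr($1, i + 1)
            bad = ""
            if ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) bad = bad " uid-out-of-idmap-range"
            if ($6 != "/home/" dom "/" user)        bad = bad " homedir-mismatch"
            if (bad != "") { print $1 ":" bad; rc = 1 }
        }
        END { exit rc + 0 }'
}

# count_domain_accounts "<getent passwd output>" -> number of DOMAIN+user entries
count_domain_accounts() {
    printf '%s\n' "$1" | awk -F: -v sep="$SEP" 'index($1, sep) { n++ } END { print n + 0 }'
}

echo "domain accounts seen: $(count_domain_accounts "$SAMPLE_PASSWD")"
if check_winbind_passwd "$SAMPLE_PASSWD"; then
    echo "all winbind accounts match the smb.conf idmap and template settings"
else
    echo "check idmap uid/gid and template homedir in /etc/samba/smb.conf" >&2
fi
```

Uids outside the idmap range are worth catching early: the range is what keeps domain accounts from colliding with local uids, and the home directory check catches a template homedir that does not match the per-domain directory created under /home in the Final configuration step.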
PAM
With this configuration you can log in to the workstation with local accounts or with domain accounts. On the first login of a domain user, a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication against the Windows/Samba DC for each login and sudo use, which can litter the DC's event log. Likewise, if local accounts are checked first, /var/log/auth.log will be littered with failed logon attempts each time a domain account is used.
This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script.
file: /etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
file: /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
file: /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
file: /etc/pam.d/sudo
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
@include common-account
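The module order discussed above (pam_winbind.so before pam_unix.so for a domain-centric box, the reverse for a local-centric one) is easy to get wrong when editing several files under /etc/pam.d. As an added example that is not part of the original howto, the following shell script reports which module an auth stack consults first and whether the second module carries use_first_pass, so the user is only prompted once. The function names are hypothetical; the two stacks are embedded as constructed strings (the howto's common-auth and a local-first variant), so nothing under /etc/pam.d is read. On a real system pass "$(cat /etc/pam.d/common-auth)" instead.

```shell
#!/bin/sh
# Added example, not from the original howto: inspect the ordering of
# pam_winbind.so and pam_unix.so in a PAM auth stack.

# Constructed stacks: the howto's common-auth and the reversed variant
# suggested for systems used mostly with local accounts.
DOMAIN_FIRST='auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass'

LOCAL_FIRST='auth sufficient pam_unix.so nullok_secure
auth required pam_winbind.so use_first_pass'

# pam_auth_order "<stack text>" -> domain-first | local-first | incomplete
# Only "auth" lines count; the first occurrence of each module decides.
pam_auth_order() {
    printf '%s\n' "$1" | awk '
        $1 != "auth" { next }
        /pam_winbind\.so/ && !w { w = NR }
        /pam_unix\.so/    && !u { u = NR }
        END {
            if (!w || !u)   print "incomplete"
            else if (w < u) print "domain-first"
            else            print "local-first"
        }'
}

# pam_second_module_reuses_password "<stack text>"
# returns 0 when the second auth module has use_first_pass (one password
# prompt for the whole stack), 1 when it would prompt again or is missing.
pam_second_module_reuses_password() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" { n++; if (n == 2) ok = /use_first_pass/ }
        END { exit (ok ? 0 : 1) }'
}

for stack in "$DOMAIN_FIRST" "$LOCAL_FIRST"; do
    order=$(pam_auth_order "$stack")
    if pam_second_module_reuses_password "$stack"; then
        echo "$order: single password prompt"
    else
        echo "$order: second module will prompt again (missing use_first_pass)" >&2
    fi
done
```

Whichever order is chosen, the module tried first is the one that generates a failed-authentication record for every login of the other account type, which is the log-littering effect described above; the script makes the current choice explicit so it can be matched to how the box is actually used.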
Final configuration
Each domain needs a directory in /home/.
root@linuxwork:~# mkdir /home/LAB
Usage
Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your smb.conf, in which case you may log in using only USERNAME.
login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$
Troubleshooting
If the Winbind PAM module reports in /var/log/auth.log that the AD user does not exist, restart winbind. It is probably best to restart the whole workstation.
root@linuxwork:~# /etc/init.d/winbind restart
ActiveDirectoryWinbindHowto (last edited 2008-08-06 16:25:49 by localhost)