ActiveDirectoryWinbindHowto

Differences between revisions 3 and 25 (spanning 22 versions)
Revision 3 as of 2005-06-28 20:55:03
Size: 5745
Editor: S0106000000cc07fc
Comment: format
Revision 25 as of 2008-08-06 16:25:49
Size: 71
Editor: localhost
Comment: converted to 1.6 markup
This howto describes how to join an Ubuntu box to an Active Directory domain and authenticate its users against AD.

=== Used software ===
||<rowbgcolor="#E5E5E5">'''Name'''||'''Version'''||
||MS Windows Server|| 2003 standard sp1||
||Linux||Ubuntu Hoary 5.04||
||Winbind||3.0.14a-Ubuntu||
||Samba||3.0.14a-Ubuntu||
||krb5-user||1.3.6-1||

=== Used terms ===

||<rowbgcolor="#E5E5E5">'''term'''||'''definition'''||
||AD || Active Directory ||
||DC||Domain Controller||
||lab.example.com||AD domain||
||win2k3.lab.example.com|| DC FQDN||
||10.0.0.1||DC IP||
||LAB.EXAMPLE.COM||Kerberos Realm||
||linuxwork||computername of the Ubuntu workstation||
||linuxwork.lab.example.com||FQDN of the Ubuntu workstation||
||ntp.example.com||timeserver (NTP)||

== Time settings ==
Accurate time is essential for Kerberos: the KDC rejects requests when the clock skew between the workstation and the DC is too large. The easiest way to keep the clock right is to use an NTP server.

file: {{{/etc/default/ntpdate}}}
{{{
# servers to check
NTPSERVERS="ntp.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"
}}}

{{{
root@linuxwork:~# /etc/init.d/ntpdate restart
}}}

== FQDN ==
A valid FQDN is essential for Kerberos; put it as the first name after the address so it becomes the canonical host name.

file: {{{/etc/hosts}}}
{{{
127.0.0.1 linuxwork.lab.example.com localhost linuxwork
}}}

== Set up Kerberos ==

=== Required software ===
{{{
root@linuxwork:~# apt-get install krb5-user
}}}

'''Note:''' configuring Kerberos in /etc/krb5.conf is not necessary if the DNS SRV records for Kerberos are set up correctly.

file: {{{/etc/krb5.conf}}}
{{{
[logging]
    default = FILE:/var/log/krb5lib.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = LAB.EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc


[realms]
    LAB.EXAMPLE.COM = {
        kdc = win2k3.lab.example.com
        admin_server = win2k3.lab.example.com
        default_domain = LAB.EXAMPLE.COM
}

[domain_realm]
    .lab.example.com = LAB.EXAMPLE.COM
    lab.example.com = LAB.EXAMPLE.COM
}}}

=== Testing ===

Request a TGT.
{{{
root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM
Password for Administrator@LAB.EXAMPLE.COM: ****
}}}

Check that the ticket was issued:
{{{
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM

Valid starting Expires Service principal
01/21/05 10:28:51 01/21/05 20:27:43 krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
        renew until 01/21/05 20:28:51
}}}

== Join AD domain ==

=== Required software ===
'''Note:''' for Windows Server 2003 SP1, Winbind version 3.0.14a is required. Hoary ships only version 3.0.10, but 3.0.14a is available in Breezy.

{{{
root@linuxwork:~# apt-get install winbind samba
}}}

=== Join ===

file: {{{/etc/samba/smb.conf}}}
{{{
[global]
        security = ads
        realm = LAB.EXAMPLE.COM
        password server = 10.0.0.1
        workgroup = LAB
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes

}}}
Request a valid Kerberos TGT (with kinit, as in the Kerberos test above) for an account that is allowed to join workstations to the AD domain, then run the join:

{{{
root@linuxwork:~# net ads join
Using short domain name -- LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
}}}
'''Note:''' if the Kerberos authentication was valid, you are not asked for a password.
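The following shell script is an added example, not part of the original howto. It checks the settings from the FQDN and Join sections for consistency before `net ads join` is attempted: `realm` in smb.conf must be the upper-case Kerberos realm and match `default_realm` in krb5.conf, `security` must be `ads`, the `idmap uid`/`idmap gid` ranges must be well formed and start above local account ids (the 1000 cut-off is an assumption of this example), and the workstation FQDN must be the canonical (first) name on its /etc/hosts line. The file contents are constructed from the page's sample values and written to a temporary directory; nothing under /etc is read or changed. `ini_get`, `check_range`, `check_ad_config` and `check_hosts` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original howto. Inputs are constructed from the
# page's sample values and written to a temp dir; nothing under /etc is touched.

# ini_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION]
# (first match); works for krb5.conf and smb.conf, skips '#' and ';' comments.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[][ \t]/, "", s); insec = (s == sec); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_range LABEL VALUE: VALUE must be LOW-HIGH with LOW < HIGH and LOW at or
# above 1000 so mapped domain ids cannot collide with local accounts
# (1000 as the start of ordinary local users is an assumption of this example).
check_range() {
    case "$2" in *-*) ;; *) echo "smb.conf: $1 must be LOW-HIGH (got '$2')"; return 1 ;; esac
    low=${2%-*}; high=${2#*-}
    case "$low" in ''|*[!0-9]*) echo "smb.conf: $1 has a non-numeric low bound '$low'"; return 1 ;; esac
    case "$high" in ''|*[!0-9]*) echo "smb.conf: $1 has a non-numeric high bound '$high'"; return 1 ;; esac
    [ "$low" -lt "$high" ] || { echo "smb.conf: $1 low bound $low is not below high bound $high"; return 1; }
    [ "$low" -ge 1000 ] || { echo "smb.conf: $1 starts at $low, overlapping local account ids"; return 1; }
}

# check_ad_config KRB5CONF SMBCONF: report every inconsistency, return 1 if any.
check_ad_config() {
    n=0
    def_realm=$(ini_get "$1" libdefaults default_realm)
    smb_realm=$(ini_get "$2" global realm)
    security=$(ini_get "$2" global security)
    upper=$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')
    [ "$security" = ads ] || { echo "smb.conf: security must be 'ads' for an AD join (got '$security')"; n=$((n + 1)); }
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$upper" ] ||
        { echo "smb.conf: realm must be the upper-case Kerberos realm (got '$smb_realm')"; n=$((n + 1)); }
    [ "$smb_realm" = "$def_realm" ] ||
        { echo "realm mismatch: smb.conf '$smb_realm' vs krb5.conf default_realm '$def_realm'"; n=$((n + 1)); }
    check_range "idmap uid" "$(ini_get "$2" global "idmap uid")" || n=$((n + 1))
    check_range "idmap gid" "$(ini_get "$2" global "idmap gid")" || n=$((n + 1))
    [ "$n" -eq 0 ]
}

# check_hosts HOSTSFILE FQDN: the FQDN must be the first name after the address,
# otherwise `hostname -f` yields the short name and the host principal is wrong.
check_hosts() {
    awk -v fqdn="$2" '$2 == fqdn { ok = 1 } END { exit (ok ? 0 : 1) }' "$1" ||
        { echo "hosts: $2 is not the canonical (first) name on any line"; return 1; }
}

TMPD=$(mktemp -d)
GOOD_KRB5="$TMPD/krb5.conf"; GOOD_SMB="$TMPD/smb.conf"; BAD_SMB="$TMPD/smb-bad.conf"; HOSTS="$TMPD/hosts"
cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
    default_realm = LAB.EXAMPLE.COM

[realms]
    LAB.EXAMPLE.COM = {
        kdc = win2k3.lab.example.com
    }
EOF
cat > "$GOOD_SMB" <<'EOF'
[global]
        security = ads
        realm = LAB.EXAMPLE.COM
        workgroup = LAB
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
EOF
# Constructed broken variant: lower-case realm that differs from krb5.conf,
# security left at 'user', a uid range inside the local range, a malformed gid range.
cat > "$BAD_SMB" <<'EOF'
[global]
        security = user
        realm = lab.example.com
        idmap uid = 500-600
        idmap gid = 10000
EOF
printf '127.0.0.1 linuxwork.lab.example.com localhost linuxwork\n' > "$HOSTS"

for f in "$GOOD_SMB" "$BAD_SMB"; do
    if check_ad_config "$GOOD_KRB5" "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
check_hosts "$HOSTS" linuxwork.lab.example.com && echo "hosts: OK"
```

On a real workstation, point `check_ad_config` at /etc/krb5.conf and /etc/samba/smb.conf and `check_hosts` at /etc/hosts with the output of `hostname -f`; every line printed is a setting to fix before joining.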

=== Testing ===
{{{
# wbinfo -u
}}}
You should get a list of the users of the domain.

And a list of the groups.
{{{
# wbinfo -g
}}}

== Setup Authentication ==
=== nsswitch ===

file: {{{/etc/nsswitch.conf}}}
{{{
passwd: compat winbind
group: compat winbind
shadow: compat
}}}

=== Testing ===
Check the Winbind nsswitch module with '''getent'''.

{{{
root@linuxwork:~# getent passwd

root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...
}}}
{{{
root@linuxwork:~# getent group

root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...
}}}
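The `getent` output above is worth checking rather than only eyeballing: every domain account must land inside the `idmap uid`/`idmap gid` range from smb.conf, and no domain entry may share an id with a local entry, since that would give the domain user the local user's file permissions. The script below is an added example, not from the original howto; it works on both `getent passwd` and `getent group` dumps because field 3 holds the id in either format. The separator `+` and the range 10000-20000 are this page's smb.conf values; the input files are constructed here, and `check_idmap` is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original howto: check a getent-style dump for
# id-mapping problems. Separator '+' and range 10000-20000 are the smb.conf
# values used on this page; the input files below are constructed.

# check_idmap FILE SEP LOW HIGH: FILE holds passwd- or group-style lines
# (name:x:id:...). Entries whose name contains SEP are domain accounts.
# Reports domain ids outside LOW-HIGH and ids shared with a local entry;
# returns 1 if anything was reported.
check_idmap() {
    awk -F: -v sep="$2" -v low="$3" -v high="$4" '
        NF < 3 { next }                      # skip "..." and blank lines
        index($1, sep) {
            dom[$3] = $1
            if ($3 + 0 < low + 0 || $3 + 0 > high + 0) {
                printf "%s: id %s outside idmap range %s-%s\n", $1, $3, low, high
                bad++
            }
            next
        }
        { loc[$3] = $1 }
        END {
            for (id in dom)
                if (id in loc) {
                    printf "id %s used by both domain %s and local %s\n", id, dom[id], loc[id]
                    bad++
                }
            exit (bad ? 1 : 0)
        }' "$1"
}

TMPD=$(mktemp -d)
SAMPLE_PASSWD="$TMPD/passwd"; SAMPLE_GROUP="$TMPD/group"; SAMPLE_BAD="$TMPD/passwd-bad"
# The page's getent passwd output plus one constructed local user.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
EOF
# The page's getent group output.
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+linux-admins:x:10004:manuel
EOF
# Constructed failure case: a domain user mapped onto the local user's uid and
# another mapped outside the configured range.
cat > "$SAMPLE_BAD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
LAB+administrator:x:1000:1000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:25000:25000:Gast:/home/LAB/gast:/bin/bash
EOF

for f in "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_BAD"; do
    if check_idmap "$f" + 10000 20000; then echo "$f: OK"; else echo "$f: problems found"; fi
done
```

On the workstation itself, dump `getent passwd` and `getent group` to files and run `check_idmap` on each with the separator and range from your smb.conf; a clean run prints nothing and returns 0.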

=== PAM ===
With this configuration both local accounts and domain accounts can log in to the workstation. A home directory is created on a domain user's first login.

file: {{{/etc/pam.d/common-account}}}
{{{
account sufficient pam_winbind.so
account sufficient pam_unix.so
}}}

file: {{{/etc/pam.d/common-auth}}}
{{{
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
}}}

file: {{{/etc/pam.d/common-session}}}
{{{
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
}}}

file: {{{/etc/pam.d/sudo}}}
{{{
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
}}}

== Final configuration ==
Each domain needs its own directory under /home/, matching the template homedir = /home/%D/%U setting in smb.conf.

{{{
root@linuxwork:~# mkdir /home/LAB
}}}

== Usage ==
Log on as DOMAIN+USERNAME (the winbind separator configured in smb.conf):

{{{
login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$
}}}

== Troubleshooting ==
If the Winbind PAM module reports in {{{/var/log/auth.log}}} that the AD user does not exist, restart winbind; restarting the whole workstation is probably the safest option.

{{{
root@linuxwork:~# /etc/init.d/winbind restart
}}}
#REFRESH 0 http://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

ActiveDirectoryWinbindHowto (last edited 2008-08-06 16:25:49 by localhost)