ActiveDirectoryWinbindHowto
This Howto describes how to add an Ubuntu box to an Active Directory domain and authenticate its users against AD.
Used software
Name | Version
MS Windows Server | 2003 standard sp1
Linux | Ubuntu Hoary 5.04
Winbind | 3.0.14a-Ubuntu
Samba | 3.0.14a-Ubuntu
krb5-user | 1.3.6-1
Used terms
term | definition
AD | Active Directory
DC | Domain Controller
lab.example.com | AD domain
win2k3.lab.example.com | DC FQDN
10.0.0.1 | DC IP
LAB.EXAMPLE.COM | Kerberos Realm
linuxwork | computername of the Ubuntu workstation
linuxwork.lab.example.com | FQDN of the Ubuntu workstation
ntp.example.com | timeserver (NTP)
Time settings
A correct clock is essential for Kerberos; the easiest way to ensure this is to synchronise against an NTP server.
file: /etc/default/ntpdate
# servers to check
NTPSERVERS="ntp.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"
root@linuxwork:~# /etc/init.d/ntpdate restart
FQDN
A valid FQDN is essential for Kerberos.
file: /etc/hosts
127.0.0.1 linuxwork.lab.example.com localhost linuxwork
Set up Kerberos
Required software
root@linuxwork:~# apt-get install krb5-user
Note: The Kerberos configuration file (/etc/krb5.conf) is not necessary if the DNS service records for Kerberos are configured correctly.
file: /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = LAB.EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
LAB.EXAMPLE.COM = {
kdc = win2k3.lab.example.com
admin_server = win2k3.lab.example.com
default_domain = LAB.EXAMPLE.COM
}
[domain_realm]
.lab.example.com = LAB.EXAMPLE.COM
lab.example.com = LAB.EXAMPLE.COM
Testing
Request a TGT.
root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM
Password for Administrator@LAB.EXAMPLE.COM: ****
Check if ticket request was valid.
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM
Valid starting Expires Service principal
01/21/05 10:28:51 01/21/05 20:27:43 krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
renew until 01/21/05 20:28:51
Join AD domain
Required software
Note: For Windows 2003 Server SP1, Winbind version 3.0.14a is necessary. Hoary only ships version 3.0.10, but 3.0.14a can be found in Breezy.
root@linuxwork:~# apt-get install winbind samba
Join
file: /etc/samba/smb.conf
[global]
security = ads
realm = LAB.EXAMPLE.COM
password server = 10.0.0.1
workgroup = LAB
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
Request a valid Kerberos TGT for an account that is allowed to join a workstation to the AD domain, then join.
root@linuxwork:~# net ads join
Using short domain name -- LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
Note: If the Kerberos auth was valid, you should not get asked for a password.
Testing
# wbinfo -u
You should get a list of the users of the domain.
# wbinfo -g
And a list of the groups of the domain.
Setup Authentication
nsswitch
file: /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
Testing
Check the Winbind nsswitch module with getent.
root@linuxwork:~# getent passwd
root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...
root@linuxwork:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...
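The getent output above is worth checking mechanically rather than by eye: every winbind-mapped account should carry a UID from the idmap range, the home directory and shell from the templates in smb.conf, and no local account should sit inside the idmap range (a local UID that collides with an idmap UID would give a domain user that local account's files). The following script is an added example, not part of the original howto; the limits and templates are taken from the smb.conf above (winbind separator = +, idmap uid = 10000-20000, template homedir = /home/%D/%U, template shell = /bin/bash) and the sample passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify `getent passwd` output against the winbind settings
# used in this howto. Run as:  getent passwd | check_winbind_passwd
# Exit status 0 means every entry is consistent; 1 means at least one
# "BAD ..." line was printed.

# Values from the smb.conf [global] section of this howto (assumption: unchanged)
IDMAP_LOW=10000
IDMAP_HIGH=20000
WINBIND_SEPARATOR='+'
TEMPLATE_SHELL=/bin/bash

check_winbind_passwd() {
    awk -F: -v low="$IDMAP_LOW" -v high="$IDMAP_HIGH" \
        -v sep="$WINBIND_SEPARATOR" -v shell="$TEMPLATE_SHELL" '
    {
        name = $1; uid = $3 + 0; home = $6; sh = $7
        if (index(name, sep) > 0) {
            # DOMAIN<sep>user: must use an idmap UID and the template home and shell
            n = split(name, parts, sep)
            domain = parts[1]; user = parts[n]
            if (uid < low || uid > high) { print "BAD idmap uid out of range: " $0; bad++ }
            if (home != "/home/" domain "/" user) { print "BAD home not from template: " $0; bad++ }
            if (sh != shell) { print "BAD shell not from template: " $0; bad++ }
        } else if (uid >= low && uid <= high) {
            # A local account inside the idmap range can collide with a domain user
            print "BAD local account inside idmap range: " $0; bad++
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample of what getent passwd returns on the workstation
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
manuel:x:1000:1000:Manuel:/home/manuel:/bin/bash
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash'

printf '%s\n' "$SAMPLE_GETENT" | check_winbind_passwd && echo "idmap check passed"
```

On a real workstation pipe the live database in (`getent passwd | check_winbind_passwd`) after joining and after any change to the idmap ranges; a non-zero exit with a "BAD local account inside idmap range" line is the case to fix before domain users log in.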
PAM
With this configuration you can log in to the workstation with local accounts as well as with domain accounts. On the first login of a domain user a home directory is created.
file: /etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
file: /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
file: /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
file: /etc/pam.d/sudo
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
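The behaviour of these stacks depends entirely on the control flags: a `sufficient` module that succeeds ends the stack with success (unless a `required` module already failed), a `sufficient` module that fails is simply skipped, and a `required` failure is remembered until the end. The script below is an added example, not part of the original howto: a deliberately simplified model of Linux-PAM's stack evaluation, fed with constructed module outcomes, so you can see how the common-auth and sudo stacks above behave for a local user, for a domain user, and when winbind is down (the situation in the troubleshooting section). It models only the `required`, `requisite`, `sufficient` and `optional` flags, not the full `[value=action]` syntax.

```shell
#!/bin/sh
# Added example: simplified Linux-PAM stack evaluator.
# Input on stdin: one line per stack entry, "control module outcome",
# where outcome is "ok" or "fail" (constructed results, not real modules).
# Prints "ok" or "fail" for the whole stack.
pam_stack_result() {
    awk '
    {
        control = $1; outcome = $3
        # requisite failure ends the stack immediately with failure
        if (control == "requisite" && outcome == "fail") { result = "fail"; exit }
        # required failure is remembered; later modules still run
        if (control == "required" && outcome == "fail") { req_failed = 1 }
        # sufficient success ends the stack with success unless a required module failed
        if (control == "sufficient" && outcome == "ok" && !req_failed) { result = "ok"; exit }
        if (outcome == "ok") { any_ok = 1 }
    }
    END {
        if (result == "") result = (req_failed || !any_ok) ? "fail" : "ok"
        print result
    }'
}

# The /etc/pam.d/common-auth stack from this howto; $1 = pam_winbind outcome, $2 = pam_unix outcome
common_auth() {
    printf 'sufficient pam_winbind.so %s\nsufficient pam_unix.so %s\n' "$1" "$2" | pam_stack_result
}

# The /etc/pam.d/sudo stack from this howto; same arguments
sudo_auth() {
    printf 'sufficient pam_winbind.so %s\nrequired pam_unix.so %s\n' "$1" "$2" | pam_stack_result
}

echo "common-auth, domain user, winbind up:    $(common_auth ok fail)"
echo "common-auth, local user:                 $(common_auth fail ok)"
echo "common-auth, domain user, winbind down:  $(common_auth fail fail)"
echo "sudo, domain user, winbind up:           $(sudo_auth ok fail)"
echo "sudo, local user:                        $(sudo_auth fail ok)"
```

The last two lines of output show the practical difference between the stacks: in common-auth a failing pam_winbind.so simply falls through to pam_unix.so, which is why local accounts keep working when winbind is stopped, while in the sudo stack pam_unix.so is `required`, so a local user is still checked by it even though winbind failed first.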
Final configuration
Each domain needs a directory in /home/.
root@linuxwork:~# mkdir /home/LAB
Usage
Logon with DOMAIN+USERNAME
login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$
Troubleshooting
If the Winbind PAM module reports in /var/log/auth.log that the AD user does not exist, restart winbind. It is probably best to restart the whole workstation.
root@linuxwork:~# /etc/init.d/winbind restart
ActiveDirectoryWinbindHowto (last edited 2008-08-06 16:25:49 by localhost)