ActiveDirectoryWinbindHowto

Revision 14 as of 2005-11-30 16:45:21

Clear message

This Howto describes how to add a Ubuntu box in a Active Directory domain and to authenticate the users with AD.

Used software

Name

Version

MS Windows Server

2003 standard sp1

Linux

Ubuntu Breezy 5.10

Winbind

3.0.14a-Ubuntu

Samba

3.0.14a-Ubuntu

krb5-user

1.3.6-1

libpam-krb5

1.0-12

Used terms

term

definition

AD

Active Directory

DC

Domain Controller

lab.example.com

AD domain

win2k3.lab.example.com

DC FQDN

10.0.0.1

DC IP

LAB.EXAMPLE.COM

Kerberos Realm

linuxwork

computername of the Ubuntu workstation

linuxwork.lab.example.com

FQDN of the Ubuntu workstation

ntp.example.com

timeserver (NTP)

Time settings

Time is essential for Kerberos, the easiest way to ensure this, is to use a NTP-Server. Every Active Directory Domain Controller is also an NTP server, so for best results, use the FQDN of an AD DC in ntpdate.

file: /etc/default/ntpdate 

# servers to check
NTPSERVERS="ntp.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"

root@linuxwork:~# /etc/init.d/ntpdate restart

FQDN

A valid FQDN is essential for Kerberos

file: /etc/hosts 

127.0.0.1 linuxwork.lab.example.com localhost linuxwork

Set up Kerberos

Required software

root@linuxwork:~# apt-get install krb5-user libpam-krb5

attachment:IconsPage/IconNote.png The Kerberos config package (/etc/krb5.conf) is not necessary, if the DNS service records are correct configured for Kerberos. If you do not intend to acquire a Kerberos ticket at login, you need not install the libpam-krb5 package.

file: /etc/krb5.conf 

[logging]
    default = FILE10000:/var/log/krb5lib.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = LAB.EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc


[realms]
    LAB.EXAMPLE.COM = {
        kdc = win2k3.lab.example.com
        admin_server = win2k3.lab.example.com
        default_domain = LAB.EXAMPLE.COM
}

[domain_realm]
    .lab.example.com = LAB.EXAMPLE.COM
    lab.example.com = LAB.EXAMPLE.COM

Testing

Request a TGT (doesn't have to be Administrator, any valid domain account can be used). 

root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM
Password for Administrator@LAB.EXAMPLE.COM: ****

Check if ticket request was valid. 

root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43    krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
        renew until 01/21/05 20:28:51

Join AD domain

Required software

attachment:IconsPage/IconNote.png For Windows 2003 Server SP1 Winbind version 3.0.14a is necessary. In Hoary is only version 3.0.10, but you can find 3.0.14a in Breezy. 

root@linuxwork:~# apt-get install winbind samba smbfs

attachment:IconsPage/IconNote.png The package smbfs is optional, but includes useful client utilities, including the smbmount command. Also useful is the smbclient package, which includes an FTP-like client for SMB shares.

Join

file:  /etc/samba/smb.conf  

[global]
        security = ads
        realm = LAB.EXAMPLE.COM
        password server = 10.0.0.1
        workgroup = LAB
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        encrypt passwords = yes
        winbind use default domain = yes

attachment:IconsPage/IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain.

Request a valid Kerberos TGT for an account, which is allowed to join a workstation into the AD domain. 

root@linuxwork:~# net ads join
Using short domain name – LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'

attachment:IconsPage/IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as root@LAB.EXAMPLE.COM instead of a valid account name.

Testing

# wbinfo -u

You should get a list of the users of the domain.

And a list of the groups. 

# wbinfo -g

Setup Authentication

nsswitch

file: /etc/nsswitch.conf 

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Testing

Check Winbind nsswitch module with getent. 

root@linuxwork:~# getent passwd

root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...

root@linuxwork:~# getent group

root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...

PAM

With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.

This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script.

file: /etc/pam.d/common-account 

account sufficient       pam_winbind.so
account required         pam_unix.so

file: /etc/pam.d/common-auth 

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

file: /etc/pam.d/common-session 

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

file: /etc/pam.d/sudo 

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so

@include common-account

Final configuration

Each domain needs a directory in /home/. 

root@linuxwork:~# mkdir /home/LAB

Usage

Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your smb.conf, in which case you may log in using only USERNAME. 

login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$

Troubleshooting

If the Winbind PAM module in /var/log/auth.log says, that the AD-user is not existing, restart winbind. Probably it's best to restart the whole workstation. 

root@linuxwork:~# /etc/init.d/winbind start

CategoryDocumentation