*values not real (obviously). must use with correct values.
Installed necessary packages
> sudo apt-get install krb5-user
> sudo apt-get install libpam-krb5
> sudo apt-get install krb5-config
> sudo apt-get install libkadm55
> sudo apt-get install winbind
> sudo apt-get install samba
> sudo apt-get install smbfs
> sudo apt-get install smbclient
Made a backup copy of /etc/samba/smb.conf and added the following. Since I copy-pasted these values from the manual, I searched for duplicate lines with the same fields and commented them out.
[global]
security = ads
realm = DOMAIN.COM
password server = DC.DOMAIN.COM
# note that workgroup is the 'short' domain name
workgroup = LAB
# winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
DC.DOMAIN.COM* above is a domain controller in DOMAIN.COM*.
Restart winbind and samba.
> sudo /etc/init.d/winbind stop
> sudo /etc/init.d/samba restart
> sudo /etc/init.d/winbind start
Request a valid Kerberos TGT.
> sudo kinit administrator@DOMAIN.COM
This resulted in an error in my environment.
kinit(v5): KDC reply did not match expectations while getting initial credentials
(This message usually means the realm in the request did not match the realm the KDC answered for, most often a case mismatch such as a lower-case realm in /etc/krb5.conf; Kerberos realm names are case-sensitive and should be written in upper case, as in the smb.conf above.)
I continued anyway. Join the workstation to DOMAIN.COM*.
> sudo net ads join -U username
Since the previous command failed, this prompted me for the DOMAIN.COM* administrator* (not local root) password. I got the following reply.
Using short domain name – DOMAIN
Joined 'UBCLIENT' to realm 'DOMAIN.COM'
I checked the Active Directory snap-in on DC.DOMAIN.COM* for the new UBCLIENT* workstation that just joined the domain. It was present. This confirmed the success of the above operation.
I edited /etc/nsswitch.conf as follows.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
I tested the above operations with
> wbinfo -u
> wbinfo -g
These commands listed the Domain users and groups as expected. Next I edited the file /etc/pam.d/common-account as follows
account sufficient pam_winbind.so
account required pam_unix.so
I edited /etc/pam.d/common-auth as follows
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
I edited /etc/pam.d/common-session as follows
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
and finally /etc/pam.d/sudo as follows
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
@include common-account
For the final configuration, I created the domain home directory /home/DOMAIN and added a domain administrator to the sudoers group. I also added a Domain Administrator (domainadmin*) user to the 'admin' group in /etc/group.
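As an added example (not part of the original post), the following POSIX shell script lints the two kinds of file edited above: it reads the [global] section of an smb.conf and checks the AD-member settings used in this walkthrough (security = ads, an upper-case realm, NTLMv2, restrict anonymous, an idmap range that does not collide with local accounts), and it checks a PAM "auth" stack like common-auth for the ordering rules the post relies on (pam_winbind.so first, use_first_pass on the pam_unix.so that follows it, pam_deny.so last). The sample files are constructed inline so it runs offline; the function names, the 1000 UID floor and the sample contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: offline linter for an smb.conf
# [global] section and a PAM auth stack. Sample inputs are constructed below.

# Print the value of KEY from [global] in FILE. smb.conf keys are
# case-insensitive, whitespace around '=' is ignored, ';' and '#' comment.
smb_get() {  # smb_get FILE KEY
  awk -v want="$2" '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/   { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
    sec == "global" && index($0, "=") > 0 {
      key = $0; sub(/=.*/, "", key);    gsub(/^[ \t]+|[ \t]+$/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == tolower(want)) { print val; exit }
    }' "$1"
}

# Return 0 if FILE looks like a sane AD member config; otherwise print one
# line per problem and return 1.
smb_check() {  # smb_check FILE
  f=$1; rc=0
  [ "$(smb_get "$f" security)" = "ads" ] || { echo "security must be ads for an AD member"; rc=1; }
  realm=$(smb_get "$f" realm)
  # Kerberos realms are case-sensitive; a lower-case realm is the usual cause
  # of "KDC reply did not match expectations" from kinit.
  [ -n "$realm" ] && [ "$realm" = "$(printf %s "$realm" | tr a-z A-Z)" ] \
    || { echo "realm must be set and upper-case (got '$realm')"; rc=1; }
  [ "$(smb_get "$f" 'client ntlmv2 auth')" = "yes" ] || { echo "client ntlmv2 auth should be yes"; rc=1; }
  [ "$(smb_get "$f" 'encrypt passwords')" = "yes" ]  || { echo "encrypt passwords should be yes"; rc=1; }
  [ "$(smb_get "$f" 'restrict anonymous')" = "2" ]   || { echo "restrict anonymous should be 2"; rc=1; }
  # Mapped domain UIDs must not collide with local accounts (assumed to live
  # below 1000, the Ubuntu convention) and the range must be low-high.
  r=$(smb_get "$f" 'idmap uid')
  case "$r" in
    [0-9]*-[0-9]*)
      lo=${r%%-*}; hi=${r##*-}
      [ "$lo" -ge 1000 ] && [ "$lo" -lt "$hi" ] \
        || { echo "idmap uid range '$r' overlaps local accounts or is inverted"; rc=1; } ;;
    *) echo "idmap uid range missing or malformed"; rc=1 ;;
  esac
  return $rc
}

# Lint the "auth" lines of a PAM file: the stack must end in "required
# pam_deny.so" (so nothing falls through to allow), must contain
# pam_winbind.so, and a pam_unix.so placed after pam_winbind.so must carry
# use_first_pass so the user is not prompted twice. Returns 0 when clean.
pam_auth_check() {  # pam_auth_check FILE
  awk '
    /^[ \t]*(#|$)/ { next }
    $1 == "auth" { n++; line[n] = $0; ctl[n] = $2; mod[n] = $3 }
    END {
      rc = 0; winbind = 0
      if (n == 0 || mod[n] != "pam_deny.so" || ctl[n] != "required") {
        print "auth stack must end with: auth required pam_deny.so"; rc = 1 }
      for (i = 1; i <= n; i++) {
        if (mod[i] == "pam_winbind.so") winbind = 1
        if (mod[i] == "pam_unix.so" && winbind && line[i] !~ /use_first_pass/) {
          print "pam_unix.so after pam_winbind.so needs use_first_pass"; rc = 1 }
      }
      if (!winbind) { print "no pam_winbind.so: domain users cannot log in"; rc = 1 }
      exit rc
    }' "$1"
}

# Constructed samples (placeholder names, as in the post): a good smb.conf,
# a broken one, and a good and a broken common-auth.
write_good_smb() { cat > "$1" <<'EOF'
[global]
security = ads
realm = DOMAIN.COM
password server = DC.DOMAIN.COM
workgroup = LAB
idmap uid = 10000-20000
idmap gid = 10000-20000
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
EOF
}
write_bad_smb() { cat > "$1" <<'EOF'
[global]
security = user
realm = domain.com
idmap uid = 500-20000
EOF
}
write_good_pam() { cat > "$1" <<'EOF'
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
EOF
}
write_bad_pam() { cat > "$1" <<'EOF'
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure
EOF
}

tmp=$(mktemp)
for w in write_good_smb write_bad_smb; do "$w" "$tmp"; smb_check "$tmp" && echo "$w: OK" || echo "$w: FAIL"; done
for w in write_good_pam write_bad_pam; do "$w" "$tmp"; pam_auth_check "$tmp" && echo "$w: OK" || echo "$w: FAIL"; done
rm -f "$tmp"
```

Run it against the real files with `smb_check /etc/samba/smb.conf` and `pam_auth_check /etc/pam.d/common-auth` after sourcing the script; the realm case check is the one most worth keeping, because it catches the mismatch behind the kinit error above before winbind ever talks to the KDC.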
To test the final setup I logged in via ssh to ubclient.domain.com as user domainadmin. The pwd command showed that a home directory had been created as /home/DOMAIN/domainadmin. I checked that domainadmin has admin privileges on the local computer.
> sudo id
After prompting for the domainadmin's password, it responded with
uid=0(root) gid=0(root) groups=0(root)
That was completely painless to set up. No surprises or failures. I am now able to log in to my Ubuntu machine as part of my Active Directory. I wasn't sure about the 'Automatic Kerberos Ticket Refresh' part, but figured it couldn't hurt.
I edited
/etc/samba/smb.conf
as follows
# winbind separator = +
winbind refresh tickets = yes
idmap uid = 10000-20000
and modified
/etc/pam.d/common-auth
as follows
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so