<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener("load", function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <iframe src="http://www.blogger.com/navbar.g?targetBlogID=3780656211824216406&amp;blogName=DiaryScript+and+Tutorial&amp;publishMode=PUBLISH_MODE_BLOGSPOT&amp;navbarType=BLACK&amp;layoutType=CLASSIC&amp;searchRoot=http://nava-azura.blogspot.com/search&amp;blogLocale=in&amp;homepageUrl=http://nava-azura.blogspot.com/&amp;vt=-2589447209091911660" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" height="30px" width="100%" id="navbar-iframe" allowtransparency="true" title="Blogger Navigation and Search"></iframe> <div></div>
Your Ad Here

Authenticate to Active Directory using Winbind

11 Agustus 2009

Introduction

This Howto describes how to add an Ubuntu box in an Active Directory domain and to authenticate the users with AD.

Used terms

term

definition

AD

Active Directory

DC

Domain Controller

lab.example.com

AD domain

win2k3.lab.example.com

DC FQDN

10.0.0.1

DC IP

LAB.EXAMPLE.COM

Kerberos Realm

linuxwork

computername of the Ubuntu workstation

linuxwork.lab.example.com

FQDN of the Ubuntu workstation

ntp.example.com

timeserver (NTP)

Kerberos

The first step in joining an Active Directory domain is to install and configure Kerberos. See Samba/Kerberos for details.

Join AD domain

Required software

You need to install the winbind and samba packages. The packages smbfs and smbclient are useful for mounting network shares and copying files.

IconsPage/IconNote.png The package smbfs is optional, but includes useful client utilities, including the smbmount command. Also useful is the smbclient package, which includes an FTP-like client for SMB shares.

Join

The first step in joining the Active Directory domain is to edit /etc/samba/smb.conf:

file: /etc/samba/smb.conf 

[global]
     security = ads
     realm = LAB.EXAMPLE.COM
     password server = 10.0.0.1
# note that workgroup is the 'short' domain name
     workgroup = LAB
#       winbind separator = +
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     winbind enum users = yes
     winbind enum groups = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     winbind use default domain = yes
     restrict anonymous = 2

IconsPage/IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and causes winbind to treat any username that isn't qualified with a domain name as a username in the domain to which winbind is joined. Omit this parameter if you are concerned about confusion between local accounts on your systems and accounts in the default domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment.

Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file: 

sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Request a valid Kerberos TGT for an account using kinit, which is allowed to join a workstation into the AD domain. Now join to the domain, if the ticket was valid you should not need to supply a password - even if prompted you should be able to leave it blank.

IconsPage/IconNote.png This next step gave me the error: kinit(v5): Cannot resolve network address for KDC in realm LAB.EXAMPLE.COM while getting initial credentials even though nslookup win2k3 and host 10.0.0.1 would both return the correct entries. To correct this problem, I had to edit my /etc/hosts file and add the following to it: 10.0.0.1 win2k3.lab.example.com 

sudo kinit Administrator@EXAMPLE.COM
sudo net ads join
Using short domain name – LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'

IconsPage/IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as root@LAB.EXAMPLE.COM instead of a valid account name. You can also supply a password if you don't want to get prompted. Just use net ads join -U % for this. Maybe it's useful for unattended installations where you want to add machines to an AD automatically.

IconsPage/IconNote.png If your Active Directory server is not running DDNS as well (eg. if you're running a separate DNS server) you may get the error: 

sudo net ads join
Failed to join domain: failed to find DC for domain LAB.EXAMPLE.COM

To fix this, specify the AD server to the "net join" command: 

sudo net ads join -S WIN2K3 -U %

You'll get a warning about not being able to update DNS, but you will successfully join the AD!

Testing

Setup Authentication

nsswitch

file: /etc/nsswitch.conf 

passwd:         compat winbind
group:          compat winbind
shadow:         compat

IconsPage/IconNote.png I needed to add hosts: files dns to /etc/nsswitch.conf to avoid the settings in /etc/hosts to be ignored.

IconsPage/IconNote.png Don´t forget to restart winbind again after editing /etc/nsswitch.conf!!!

Testing

You can check that the Domain has successfully been joined by: 

wbinfo -u

You should get a list of the users of the domain.

IconsPage/IconNote.png I needed to make shadow: compat winbind in /etc/nsswitch.conf to make wbinfo -u work.

And a list of the groups. Be patient these queries can take time. 

wbinfo -g

Check Winbind nsswitch module with getent. 

sudo getent passwd

root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...

Note that the domain name (here, "LAB+") is displayed by getent only if you have not set winbind use default domain = yes in smb.conf. 

sudo getent group

root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...

PAM

With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.

This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script.

file: /etc/pam.d/common-account 

account sufficient       pam_winbind.so
account required         pam_unix.so

file: /etc/pam.d/common-auth 

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

IconsPage/IconNote.png On a Ubuntu 7.10 (Gutsy Gibbon) and 9.04 (Jaunty Jackalope) systems, these changes to pam.d/common-auth result in not being able to log in as a local user, for example by ssh. Your luck may be better, but test immediately just in case.

file: /etc/pam.d/common-session 

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

file: /etc/pam.d/sudo 

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so

@include common-account

Final configuration

Each domain needs a directory in /home/. 

sudo mkdir /home/LAB

One last thing

If you want to be able to use an active directory account, to manage your Ubuntu box, you need to add it to the sudoers file. For that, you will need to edit the file /etc/group an add your username to the admin group, and whatever other group you need(plugdev,audio,cdrom just to mention a few). it will be like: 

.......
admin:x:117:olduser,ActiveDirectoryUser
.......

Where olduser, is your current linux user, and ActiveDirectoryUser, is the new administrator. Another way to make a Domain Group, a sudoer in your ubuntu, is to edit the file /etc/sudoers (using the command 'visudo') and add the following line 

%adgroup        ALL=(ALL) ALL

Where adgroup is a group from your active directory. take in mind, that spaces in the group name are not allowed, you can use '%domain\ admins', without quotes.

Usage

Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your smb.conf, in which case you may log in using only USERNAME. 

login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$

Automatic Kerberos Ticket Refresh

To have pam_winbind automatically refresh the kerberos ticket

Add the winbind refresh tickets line to smb.conf :

file: /etc/samba/smb.conf 

#       winbind separator = +
     winbind refresh tickets = yes
     idmap uid = 10000-20000

And modify /etc/pam.d/common-auth:

file: /etc/pam.d/common-auth 

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

Troubleshooting

If the Winbind PAM module in /var/log/auth.log says that the AD-user is not existing restart winbind. It might be best to restart the whole workstation. 

sudo /etc/init.d/winbind restart

If when logging into the machine one gets a "no logon servers" error winbind\samba may not be starting properly. Try restarting them manually, and then logging in.

-If a manual restart works, then to fix this issue one needs to change scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d, rc5.d folders. The understanding is that this causes samba and winbind to startup later in the boot order for each runlevel. So that they start after S24avahi-daemon. If you then find that you must wait a bit before you can log in, you need to set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'.

name service cache daemon

The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it. 

sudo apt-get remove nscd

Some names or groups are not resolved with getent, but others are not

The range of your idmap parameter is not wide enough to encompass all the users or groups 

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

Adding more than one Linux machine to a Windows network

The above procedure allows you to add as many Linux machines as you like. However, the UID assigned to a given user may not be the same across all the machines. It created file ownership & rights issues when files/folders are shared between these machines. See Question #21806 on https://answers.launchpad.net/ubuntu/ for details. Therefore it is advisable to specify the UID mapping method 

idmap backend = rid:YOURDOMAIN=70000-1000000
idmap uid = 70000-1000000
idmap gid = 70000-1000000
winbind use default domain = yes
security = ADS

Copy From here

This entry was posted on 11 Agustus 2009 at 12:14. There are . If you want, you can leave your own response by clicking here. You may also send this post to a friend of yours via email, or bookmark it for yourself by using icons below:

Share/Save/Bookmark

0 Komentar:

Poskan Komentar

Berlangganan Poskan Komentar [Atom]

Link ke posting ini:

Buat sebuah Link

<< Beranda