Other than authenticating against the Windows domain I also want to ensure that all domain users get the same UID/GID so that sharing files between systems is easier.
The first steps are to ensure that the time is correct on the servers and that DNS is working correctly.
# apt-get install ntp
Edit /etc/ntp.conf and set the server lines to point to the systems you want to use for time updates, then restart ntp and check that the current time is correct:
# /etc/init.d/ntp restart
# date
Tue May 14 11:03:42 BST 2013
Check that the "hostname -f" command returns the correct fully qualified server host name. If not, edit both /etc/hostname and /etc/hosts and then reboot. Also check that another host on your network can ping the machine by hostname, and if not, fix your DNS server so it can.
Install samba and winbind:
# apt-get install samba smbclient samba-common winbind
Start the smb service and set it to start up on boot from now on:
# /etc/init.d/samba start
# update-rc.d samba enable
Install Kerberos, back up the original config file and then replace it with a minimal setup:
# apt-get install krb5-user
# cp -p /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
Replace the file with the contents below, changing DOMAIN.COM to your domain and DC.DOMAIN.COM to your primary domain controller - if you have more than one domain controller you can have multiple kdc= lines.
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
kdc = dc.domain.com
admin_server = dc.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
Clear anything cached and then try to get a Kerberos ticket. The first klist should report no credentials; the second klist should show expiry dates for the user's Kerberos ticket.
# kdestroy
# klist
# kinit [email protected]
# klist
Your machine can now get tickets from the AD domain successfully. Next we need to join the domain, then enable this for login, and then sort out the UIDs so they match across servers.
# apt-get install libpam-krb5
Now edit /etc/samba/smb.conf and make the following changes. If a variable is not in the config file then add it. ("domain logons = no" controls whether this machine can authenticate users for other machines, not whether domain users can log on here.) Then comment out the entire [homes], [printers] and [print$] sections at the bottom (unless you plan to use them).
# cp -p /etc/samba/smb.conf /etc/samba/smb.conf.orig
[global]
workgroup = DOMAIN
security = ads
realm = domain.com
password server = dc.domain.com
domain logons = no
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
domain master = no
local master = no
prefered master = no
os level = 0
idmap config *:backend = tdb
idmap config *:range = 11000-20000
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000000-19000000
Stop and restart the services:
# /etc/init.d/winbind stop
# /etc/init.d/samba restart
# /etc/init.d/winbind start
Then try to join the domain and test that it is all working (replace dc with the hostname of your domain controller):
# net join -S dc -U administrator
# net ads testjoin
# net ads info
# wbinfo -u
# wbinfo -g
Check that the wbinfo commands show users and groups from Active Directory. For some reason my winbind shuts down when I join a domain, so I get an error "Error looking up domain users" - starting winbind again seems to fix this and it has not died for me since. Hopefully you have now joined the domain, and if you look on your domain controller you should see the computer on the domain. Next we need to set up authentication so you can log in using domain credentials.
Edit /etc/nsswitch.conf to add winbind for looking up passwords and groups:
# vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
And check that domain users and groups are returned by the following commands:
# getent passwd
# getent group
Note that if you have a problem with these two getent commands not returning any domain level records, check your smb.conf file for the idmap syntax - for some reason the version of the config file I received with samba had a different structure for the idmap line that stopped getent working. Entering it as shown above makes these two commands work.
Finally set the system up to automatically create home folders for users when they first log on by adding the following two lines (if not already in the file):
# vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
You should now be able to log in to the system using a domain username/password combination, and a home folder will be automatically created for you on first logon. If the backend=rid part is working then the user ID on each system should be the same for all users, making it easier to share files between machines. You can check the UID with the "id" command, which will show the user id (UID), group id (GID) and all the groups that the current user is a member of.
My next steps are to add a domain administrators group to the visudo permissions file to allow jumping to root when required and then to block root access by ssh.
You can also now list Windows file shares with:
$ smbclient -L WindowsServer -k
and mount them with:
$ sudo mount -t cifs //WindowsServer/Share /mnt/WindowsServerShare -o username=AD_UserName
Although this will only give you read-only access unless you jump to root. Adding it to your fstab file will give you a more usable share.
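As an added check for the getent and "id" steps above (example script written for this page, not part of the original post): with "idmap config DOMAIN:backend = rid", winbind derives each UID as the configured range's low value plus the account's RID (the last component of its SID), so you can predict what UID a domain account should get on every server and classify what "getent passwd" returns against the ranges in the smb.conf above. The SID and passwd lines are constructed samples; the range values are the ones from the post.

```shell
#!/bin/sh
# Added example: check the idmap behaviour of the smb.conf shown in the post.
# Ranges copied from that smb.conf; the rid backend maps UID = DOMAIN_LOW + RID.
DOMAIN_LOW=10000000
DOMAIN_HIGH=19000000
TDB_LOW=11000
TDB_HIGH=20000

# rid_uid SID -> UID the rid backend allocates for that SID,
# or return 1 if the RID would fall outside the configured domain range.
rid_uid() {
    rid=${1##*-}                     # last dash-separated component of the SID
    uid=$((DOMAIN_LOW + rid))
    [ "$uid" -le "$DOMAIN_HIGH" ] || return 1
    echo "$uid"
}

# classify_uid UID -> which idmap range a passwd entry landed in.
classify_uid() {
    if [ "$1" -ge "$DOMAIN_LOW" ] && [ "$1" -le "$DOMAIN_HIGH" ]; then
        echo domain-rid              # stable across all servers with this range
    elif [ "$1" -ge "$TDB_LOW" ] && [ "$1" -le "$TDB_HIGH" ]; then
        echo default-tdb             # allocated locally: will differ per server
    else
        echo local
    fi
}

# count_domain_entries PASSWD_TEXT -> number of lines whose UID is in the
# domain range; zero means winbind/nsswitch/idmap is not returning domain users.
count_domain_entries() {
    printf '%s\n' "$1" | awk -F: -v lo="$DOMAIN_LOW" -v hi="$DOMAIN_HIGH" \
        '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

# Constructed sample in "getent passwd" format (not captured from a real system).
SAMPLE='root:x:0:0:root:/root:/bin/bash
jsmith:x:10001105:10000513:John Smith:/home/DOMAIN/jsmith:/bin/bash
guest:x:11001:11001::/home/DOMAIN/guest:/bin/bash'

main() {
    echo "SID ...-1105 -> UID $(rid_uid S-1-5-21-1111111111-2222222222-3333333333-1105)"
    printf '%s\n' "$SAMPLE" | while IFS=: read -r user _ uid _; do
        echo "$user ($uid): $(classify_uid "$uid")"
    done
    echo "domain entries: $(count_domain_entries "$SAMPLE")"
}
main "$@"
```

On a joined server, compare against live output with: getent passwd | cut -d: -f1,3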