Active directory authentication for Ubuntu Linux login and cifs mounting home directories...
- by Jamie
I've configured my Ubuntu 10.04 Server LTS Beta 2 residing on a windows network to authenticate logins using active directory, then mount a windows share to serve as there home directory.
Here is what I did starting from the initial installation of Ubuntu.
Download and install Ubuntu Server 10.04 LTS Beta 2
Get updates
# sudo apt-get update && sudo apt-get upgrade
Install an SSH server (sshd)
# sudo apt-get install openssh-server
Some would argue that you should "lock sshd down" by disabling root logins. I figure if your smart enough to hack an ssh session for a root password, you're probably not going to be thwarted by the addition of PermitRootLogin no in the /etc/ssh/sshd_config file. If your paranoid or not simply not convinced then edit the file or give the following a spin:
# (grep PermitRootLogin /etc/ssh/sshd_conifg && sudo sed -ri 's/PermitRootLogin ).+/\1no/' /etc/ssh/sshd_conifg) || echo "PermitRootLogin not found. Add it manually."
Install required packages
# sudo apt-get install winbind samba smbfs smbclient ntp krb5-user
Do some basic networking housecleaning in preparation for the specific package configurations to come.
Determine your windows domain name, DNS server name, and IP address for the active directory server (for samba). For conveniance I set environment variables for the windows domain and DNS server. For me it was (my AD IP address was 192.168.20.11):
# WINDOMAIN=mydomain.local && WINDNS=srv1.$WINDOMAIN
If you want to figure out what your domain and DNS server is (I was contractor and didn't know the network) check out this helpful reference.
The authentication and file sharing processes for the Windows and Linux boxes need to have their clocks agree. Do this with an NTP service, and on the server version of Ubuntu the NTP service comes installed and preconfigured. The network I was joining had the DNS server serving up the NTP service too.
# sudo sed -ri "s/^(server[ \t]).+/\1$WINDNS/" /etc/ntp.conf
Restart the NTP daemon
# sudo /etc/init.d/ntp restart
We need to christen the Linux box on the new network, this is done by editing the host file (replace the DNS of with the FQDN of the windows DNS):
# sudo sed -ri "s/^(127\.0\.0\.1[ \t]).*/\1$(hostname).$WINDOMAIN localhost $(hostname)/" /etc/hosts
Kerberos configuration. The instructions that follow here aren't to be taken literally: the values for MYDOMAIN.LOCAL and srv1.mydomain.local need to be replaced with what's appropriate for your network when you edit the files.
Edit the (previously installed above) /etc/krb5.conf file.
Find the [libdefaults] section and change (or add) the key value pair (and it is in UPPERCASE WHERE IT NEEDS TO BE):
[libdefaults]
default_realm = MYDOMAIN.LOCAL
Add the following to the [realms] section of the file:
MYDOMAIN.LOCAL = {
kdc = srv1.mydomain.local
admin_server = srv1.mydomain.local
default_domain = MYDOMAIN.LOCAL
}
Add the following to the [domain_realm] section of the file:
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
Conmfigure samba. When it's all said done, I don't know where SAMBA fits in ... I used cifs to mount the windows shares ... regardless, my system works and this is how I did it.
Replace /etc/samba/smb.conf (remember I was working from a clean distro of Ubuntu, so I wasn't worried about breaking anything):
[global]
security = ads
realm = MYDOMAIN.LOCAL
password server = 192.168.20.11
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
Setup the authentication.
Edit the /etc/nsswitch.conf. Here are the contents of mine:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
At this point I could login, home directories didn't exist, but I could login. Later I'll come back and add how I got the cifs automounting to work.
Numerous resources were considered so I could figure this out. Here is a short list (a number of these links point to mine own questions on the topic):
Samba Kerberos
Active Directory WinBind
Mounting Linux user home directories on CIFS server
Authenticating OpenBSD against Active Directory
How to use Active Directory to authenticate linux users
Mounting windows shares with Active Directory permissions
Using Active Directory authentication with Samba on Ubuntu 9.10 server 64bit
How practical is to authenticate a Linux server against AD?
Auto-mounting a windows share on Linux AD login
