The eternal fight between admins and computers

(and very often users, as well)

Active Directory authentication with Ubuntu

Posted by Vide on August 3, 2007

DISCLAIMER: This entry is almost an integral copy of this post on the Ubuntu Forums, so let’s give credit where it is due: a huge THANKS to tfiedler. Now, why am I doing this? The reason is simple: I’m using this blog as a scratchbook/memo/notepad, so if one day I need this howto again I will know for sure where to find it. Moreover, I will cover a couple of points in more depth, so… let’s go!

  1. Install the required packages with all their dependencies:
    apt-get install krb5-user
    apt-get install winbind samba

    Note: you have to enable the Universe repository in your Ubuntu configuration (edit your /etc/apt/sources.list) or you will not find krb5-user.
  2. Edit /etc/krb5.conf to look exactly like this, no more, no less. Only replace the $VARIABLES with your real names:
    [logging]
    default = FILE:/var/log/krb5lib.log
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = $FQDN_OF_YOUR_DOMAIN
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
    $FQDN_OF_YOUR_DOMAIN = {
        kdc = $FQDN_OF_YOUR_DC
        admin_server = $FQDN_OF_YOUR_DC
        default_domain = $FQDN_OF_YOUR_DOMAIN
    }
    [domain_realm]
    .domain.internal = $FQDN_OF_YOUR_DOMAIN
    domain.internal = $FQDN_OF_YOUR_DOMAIN

    Moreover, remember that $FQDN_OF_YOUR_DOMAIN must be written in capitals (Kerberos realm names are case-sensitive).
  3. Edit /etc/samba/smb.conf to look like this (you will need to add your shares after this):
    [global]
    security = ads
    netbios name = $NETBIOS_NAME_OF_YOUR_UBUNTU_BOX
    realm = $FQDN_OF_YOUR_DOMAIN
    password server = $FQDN_OF_YOUR_DC
    workgroup = $NETBIOS_NAME_OF_YOUR_DOMAIN
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
  4. Edit /etc/nsswitch.conf to look exactly like this, no more, no less:
    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files dns wins
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis
  5. Edit PAM settings:
    • /etc/pam.d/common-account should contain only the following lines:
      account sufficient pam_winbind.so
      account required pam_unix.so
    • /etc/pam.d/common-auth should contain only the following lines:
      auth sufficient pam_winbind.so
      auth required pam_unix.so nullok_secure use_first_pass
    • Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below:
      password required pam_unix.so nullok obscure min=4 max=50 md5
    • Make sure the /etc/pam.d/common-session file contains the following line:
      session required pam_mkhomedir.so umask=0022 skel=/etc/skel
  6. Now, let’s create the base home dir for the AD users:
    mkdir -p /home/$NETBIOS_NAME_OF_YOUR_DOMAIN
  7. Initialize Kerberos:
    kinit Administrator@$FQDN_OF_YOUR_DOMAIN

    Note: write $FQDN_OF_YOUR_DOMAIN in capitals as you did in your krb5.conf file. You can check that you’ve obtained your ticket with klist.
  8. Join the system to the AD:
    net ads join -U Administrator@$FQDN_OF_YOUR_DOMAIN
  9. Restart these services in order:
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/samba start
    /etc/init.d/winbind start
  10. Restart ssh:
    /etc/init.d/ssh restart

    and test it (it should work fine!):
    ssh $ad_user@$FQDN_OF_YOUR_UBUNTU_BOX

That’s all!
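As an added check that is not part of the original post: a small shell script that lints the files the steps above edit (krb5.conf, smb.conf, nsswitch.conf and PAM common-auth) for the settings the join depends on: realm in capitals, security = ads with the same realm as krb5.conf, winbind in the passwd/group lookups, and pam_winbind ahead of pam_unix. It runs against constructed sample files rather than the live /etc copies; the realm names and paths in it are made up.

```bash
#!/bin/sh
# Added example (not from the original post): lint the files the guide edits
# before running kinit / net ads join. Paths and realm names are constructed.
set -u
TMP=$(mktemp -d)

# Constructed krb5.conf with the lower-case realm the guide warns against,
# and a corrected copy with the realm in capitals.
printf '[libdefaults]\ndefault_realm = ad.example.internal\n' >"$TMP/krb5-bad.conf"
printf '[libdefaults]\ndefault_realm = AD.EXAMPLE.INTERNAL\n' >"$TMP/krb5.conf"
printf '[global]\nsecurity = ads\nrealm = AD.EXAMPLE.INTERNAL\n' >"$TMP/smb.conf"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' >"$TMP/nsswitch.conf"
printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure use_first_pass\n' >"$TMP/common-auth"

# conf_get FILE KEY: first "KEY = value" in FILE, whitespace around '=' tolerated.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Kerberos realm names are case-sensitive; AD uses the upper-cased DNS name.
check_krb5_realm() {
  r=$(conf_get "$1" default_realm)
  [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# check_smb SMB_CONF KRB5_CONF: security must be ads, realm must match krb5.conf.
check_smb() {
  [ "$(conf_get "$1" security)" = "ads" ] &&
    [ "$(conf_get "$1" realm)" = "$(conf_get "$2" default_realm)" ]
}

# passwd and group lookups must consult winbind, or AD users get no uid/gid.
check_nss() {
  grep -Eq '^passwd:[^#]*winbind' "$1" && grep -Eq '^group:[^#]*winbind' "$1"
}

# pam_winbind must precede pam_unix so use_first_pass reuses the AD password.
check_pam_auth() {
  awk '$1=="auth" {n++; if ($3=="pam_winbind.so") w=n; if ($3=="pam_unix.so") u=n}
       END {exit !(w && u && w<u)}' "$1"
}

report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fi; }
report check_krb5_realm "$TMP/krb5-bad.conf"   # FAIL: realm not in capitals
report check_krb5_realm "$TMP/krb5.conf"
report check_smb "$TMP/smb.conf" "$TMP/krb5.conf"
report check_nss "$TMP/nsswitch.conf"
report check_pam_auth "$TMP/common-auth"
```

Point the check_* functions at the real /etc paths to lint a box before joining it.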

7 Responses to “Active Directory authentication with Ubuntu”

  1. MaoP said

    wow, great articles! Thanks for sharing =).

    regards…

  2. Vide said

    Thanks to you for your feedback :)

  3. haven said

    Very nice, I have followed other tutorials that were much more complex, yet didn’t quite work, yours worked first pass.

  4. Desta said

    This is very perfect. It fully works for me.

  5. [...] authentication in Ubuntu 8.04 Posted on April 6, 2008 by Vide This is a second version of this other guide that applied to previous Ubuntu versions. With Ubuntu 8.04 it comes the Likewise Open package that [...]

  6. [...] This procedure would not have been possible without the sources below: http://wiki.ubuntubrasil.org/AutenticandoAD http://anothersysadmin.wordpress.com/2007/08/03/active-directoy-authentication-with-ubuntu/ [...]

  7. SysAdmin said

    Can anybody tell me if we can put two password servers in the smb.conf configuration as explained above? I need to add two DCs for fail-safe purposes.
