Active Directory authentication with Ubuntu

DISCLAIMER: This entry is almost an integral copy of this post on the Ubuntu Forums, so let’s give the credit where is due and I give a huge THANKS to tfiedler. Now, why am I doing this? The reason is simple: I’m using this blog as a scratchbook/memo/notepad so if one day I’m going to need again this howto, I will know for sure where to find it easily. Moreover I will cover more in depth a couple of points so… let’s go!

  1. Install the required packages with all their dependencies:
    apt-get install krb5-user
    apt-get install winbind samba

    Note: you have to enable the Universe repository in your Ubuntu configuration (edit your /etc/apt/sources.list) or you will not find krb5-user
  2. Edit /etc/krb5.conf to look exactly like this, no more, no less. Only change the $VARIABLES with your real names:
    [logging]
    default = FILE10000:/var/log/krb5lib.log
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = $FQDN_OF_YOUR_DOMAIN
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
    $FQDN_OF_YOUR_DOMAIN = {
    kdc = $FQDN_OF_YOUR_DC
    admin_server = $FQDN_OF_YOUR_DC
    default_domain = $FQDN_OF_YOUR_DOMAIN
    }
    [domain_realm]
    .domain.internal = $FQDN_OF_YOUR_DOMAIN
    domain.internal = $FQDN_OF_YOUR_DOMAIN

    moreover, remember that $FQDN_OF_YOUR_DOMAIN should be in capitals.
  3. Edit /etc/samba/smb.conf to look like this (you will need to add your shares after this):
    [global]
    security = ads
    netbios name = $NETBIOS_NAME_OF_YOUR_UBUNTU_BOX
    realm = $FQDN_OF_YOUR_DOMAIN
    password server = $FQDN_OF_YOUR_DC
    workgroup = $NETBIOS_NAME_OF_YOUR_DOMAIN
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
  4. Edit /etc/nsswitch.conf to look exactly like this, no more, no less:
    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files dns wins
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis
  5. Edit PAM settings:
    • /etc/pam.d/common-account should contain only the following lines:
      account sufficient pam_winbind.so
      account required pam_unix.so
    • /etc/pam.d/common-auth should contain only the following lines:
      auth sufficient pam_winbind.so
      auth required pam_unix.so nullok_secure use_first_pass
    • Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below:
      password required pam_unix.so nullok obscure min=4 max=50 md5
    • Make sure the /etc/pam.d/common-session file contains the following line:
      session required pam_mkhomedir.so umask=0022 skel=/etc/skel
  6. Now, let’s create the base home dir for the AD users:
    mkdir -p /home/$NETBIOS_NAME_OF_YOUR_DOMAIN
  7. Initiliaze Kerberos:kinit Administrator@$FQDN_OF_YOUR_DOMAIN
    Note: write $FQDN_OF_YOUR_DOMAIN in capitals as you did in your krb5.conf file.You can check you’ve obtained your ticket with klist
  8. Join the system to the AD:net ads join -U Adminstrator@$FQDN_OF_YOUR_DOMAIN
  9. Restart these services in order:
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/samba start
    /etc/init.d/winbind start
  10. Restart ssh/etc/init.d/ssh restartand test it (it should work fine!)ssh $ad_user@$FQDN_OF_YOUR_UBUNTU_BOX

That’s all!

Advertisements

9 thoughts on “Active Directory authentication with Ubuntu

  1. Very nice, I have followed other tutorials that were much more complex, yet didn’t quite work, yours worked first pass.

  2. Can any body tell me if we can put two password servers in smb.conf configuration as explained above. I need to add two DC for fail-safe purposes.

  3. I have issue with installing krb5-user in my ubuntu 1.6 version…….

    I really appreciate if you can help me out with that,, since i have been struggling with tht problem for a long time..

    email me your reply at
    : anisalimomin@hotmail.com

    thanks:
    Anis

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s