Integrate Linux into Active Directory
Contents
- Introduction
- Environment
- Setup required software
- Edit PAM to use LDAP
- Authentication via Kerberos, Authorization via LDAP
- Edit PAM to use Kerberos
- Make use of Winbind for integration
- Setup winbind
- Reference
Introduction
This is mostly based on Scott's weblog (see Reference), modified slightly for Ubuntu, with a winbind section added.
Environment
- Ubuntu Server 7.04
- VMware Server
- Windows 2003 PDC
On the PDC, install Microsoft's Services for Unix 3.5 (it adds the msSFU30* attributes that the LDAP mapping below relies on):
- Download and install Microsoft's Services for Unix 3.5
- Accept the standard installation
- Where prompted for "security settings", leave both boxes blank
- Where prompted for "username mapping", select "Local Username Mapping Server" and then "Network Information Services"
- Select the Windows domain name
- Reboot the server when complete
Setup required software
    #apt-get install ldap-utils nscd libnss-ldap libpam-ldap
(libpam-ldap provides pam_ldap.so and /etc/pam_ldap.conf, both used below.)
We need a user that can bind to Active Directory; create a new one or use an existing account. Here we use "proxyuser". To test that the user can bind to the directory (with the default Active Directory layout the user container is "cn=Users" under the domain DN, e.g. "cn=Users,dc=home,dc=local"), query its own entry; -H and -b name the same server and search base that are configured in libnss-ldap.conf below:
    #ldapsearch -x -H ldap://pdc -b "cn=Users,dc=mydomain" -W -D "cn=proxyuser,cn=Users,dc=mydomain" -LLL "(sAMAccountName=proxyuser)"
Edit /etc/libnss-ldap.conf and /etc/pam_ldap.conf. First, back up the originals.
    #cp /etc/libnss-ldap.conf /etc/libnss-ldap.conf.old
    #cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old
Modify libnss-ldap.conf as follows:
    base cn=Users,dc=mydomain
    uri ldap://pdc
    binddn cn=proxyuser,cn=Users,dc=mydomain
    bindpw password
    scope sub
    nss_base_passwd cn=Users,dc=mydomain?sub
    nss_base_shadow cn=Users,dc=mydomain?sub
    nss_base_group cn=Users,dc=mydomain?sub
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_objectclass posixGroup Group
    nss_map_attribute uid sAMAccountName
    nss_map_attribute uidNumber msSFU30UidNumber
    nss_map_attribute gidNumber msSFU30GidNumber
    nss_map_attribute loginShell msSFU30LoginShell
    nss_map_attribute gecos name
    nss_map_attribute userPassword msSFU30Password
    nss_map_attribute homeDirectory msSFU30HomeDirectory
    nss_map_attribute uniqueMember msSFU30PosixMember
    nss_map_attribute cn cn
    pam_login_attribute sAMAccountName
    pam_filter objectclass=user
    pam_password ad
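What the nss_map_attribute lines above actually do, as an added example that is not part of the original guide: the function below reads LDIF as printed by ldapsearch -LLL (a constructed sample with two users is embedded) and applies the same attribute mapping to produce passwd(5) lines, which is the view getent passwd gives once libnss-ldap is in place. Only accounts that carry msSFU30UidNumber are emitted; a plain AD user without the SFU attributes stays invisible to NSS, a common reason a user "does not exist" on the Linux side. Note also that bindpw sits in clear text in /etc/libnss-ldap.conf, which has to stay world-readable for NSS lookups to work, so proxyuser should be an unprivileged account with read-only access.

```shell
#!/bin/sh
# Added example (not from the original page). ad_to_passwd applies the
# nss_map_attribute mapping from libnss-ldap.conf to LDIF on stdin and prints
# passwd(5) lines, the same view getent passwd gives through libnss-ldap.

# Constructed sample LDIF: proxyuser has SFU 3.5 attributes, guest does not.
SAMPLE_LDIF='dn: CN=proxyuser,CN=Users,DC=mydomain
objectClass: user
cn: proxyuser
sAMAccountName: proxyuser
name: Proxy User
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /home/proxyuser
msSFU30LoginShell: /bin/bash

dn: CN=guest,CN=Users,DC=mydomain
objectClass: user
cn: guest
sAMAccountName: guest
name: Guest
'

# Reads LDIF from stdin; entries are separated by blank lines.
ad_to_passwd() {
    awk '
    function flush() {
        # uid <- sAMAccountName, uidNumber <- msSFU30UidNumber,
        # gidNumber <- msSFU30GidNumber, gecos <- name,
        # homeDirectory <- msSFU30HomeDirectory, loginShell <- msSFU30LoginShell;
        # the password field is shadowed ("x").
        # An entry without a uidNumber is not a posixAccount and is skipped.
        if (e["msSFU30UidNumber"] != "")
            printf "%s:x:%s:%s:%s:%s:%s\n", e["sAMAccountName"],
                e["msSFU30UidNumber"], e["msSFU30GidNumber"], e["name"],
                e["msSFU30HomeDirectory"], e["msSFU30LoginShell"]
        split("", e)
    }
    /^$/       { flush(); next }
    /^[^:]+: / { attr = $1; sub(/:$/, "", attr); e[attr] = substr($0, length($1) + 2) }
    END        { flush() }
    '
}

# Wrapper over the constructed sample; prints one line, for proxyuser only.
sample_passwd_entries() {
    printf '%s' "$SAMPLE_LDIF" | ad_to_passwd
}

sample_passwd_entries
```

Run it against a real dump with `ldapsearch ... -LLL "(objectclass=user)" | ad_to_passwd` to see which accounts NSS will and will not resolve before touching PAM.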
Link /etc/pam_ldap.conf to /etc/libnss-ldap.conf (the original copied above is still in place, so -f is needed to replace it):
    #ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
Edit /etc/nsswitch.conf, adding ldap to passwd and group:
    passwd: compat ldap
    group: compat ldap
Simple test. If it succeeds, the AD accounts appear in the output:
    #getent passwd
Edit PAM to use LDAP
/etc/pam.d/common-auth
    auth sufficient pam_ldap.so minimum_uid=10000
    auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
    password sufficient pam_ldap.so use_first_pass
    password required pam_unix.so nullok obscure min=4 max=8 md5

Authentication via Kerberos, Authorization via LDAP
Setup required software
    #apt-get install krb5-clients krb5-user krb5-config libpam-krb5
(libpam-krb5 provides the pam_krb5.so module used in the PAM configuration below.)
Edit /etc/krb5.conf to access your KDC:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = MYDOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    [realms]
    MYDOMAIN = {
    kdc = pdc.mydomain
    admin_server = pdc.mydomain
    }
    [domain_realm]
    .mydomain = MYDOMAIN
    mydomain = MYDOMAIN
To test whether the Kerberos configuration works, just try:
    #kinit <userid>@<realm>
If it succeeds, klist will show the ticket:
    #klist
Use samba to obtain a keytab. First set it up:
    #apt-get install samba-common smbclient
Edit /etc/samba/smb.conf:
    workgroup = MYDOMAIN
    security = ads
    realm = MYDOMAIN
    use kerberos keytab = true
    password server = pdc.mydomain
Get the Domain Administrator's Kerberos ticket:
    #kinit administrator@MYDOMAIN
Join the domain:
    #net ads join -U administrator
If it succeeds, a computer object is created in AD and the keytab is generated automatically.
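Before trusting kinit, it is worth linting the krb5.conf. The shell functions below are an added example, not from the original guide; they run over a constructed copy of the configuration above and report two things a practitioner cares about: the DES enctypes the page lists (des-cbc-crc, des-cbc-md5) are weak and rejected by current KDCs, and every [domain_realm] mapping should point at default_realm, otherwise kinit fails with "Cannot find KDC for requested realm". The function names and the sample text are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): lint a krb5.conf like the one
# above. weak_enctypes reports DES enctypes in default_*_enctypes;
# realm_mismatches reports [domain_realm] targets that differ from default_realm.

# Constructed sample, the same settings the guide uses.
SAMPLE_KRB5_CONF='[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MYDOMAIN = {
kdc = pdc.mydomain
admin_server = pdc.mydomain
}

[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
'

# Print each DES enctype named in default_tgs_enctypes/default_tkt_enctypes once.
weak_enctypes() {
    awk '
    /^[ \t]*default_(tgs|tkt)_enctypes[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, "")
        n = split($0, t, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (t[i] ~ /^des-/ && !seen[t[i]]++) print t[i]
    }'
}

# Print [domain_realm] targets that differ from default_realm; no output means consistent.
realm_mismatches() {
    awk '
    /^\[/ { section = $0; next }
    section == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); def = $0; next
    }
    section == "[domain_realm]" && /=/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); target[$0] = 1
    }
    END { for (r in target) if (r != def) print r }'
}

# audit_krb5_conf CONTENT: report problems; returns 0 only if none were found.
audit_krb5_conf() {
    weak=$(printf '%s' "$1" | weak_enctypes | tr '\n' ' ')
    bad=$(printf '%s' "$1" | realm_mismatches | tr '\n' ' ')
    [ -n "$weak" ] && echo "weak enctypes enabled: $weak"
    [ -n "$bad" ] && echo "domain_realm entries not mapped to default_realm: $bad"
    [ -z "$weak" ] && [ -z "$bad" ]
}

# On the sample this reports the two DES enctypes and exits non-zero.
audit_krb5_conf "$SAMPLE_KRB5_CONF" || echo "fix the items above before running kinit"
```

On a live host, replace the sample with `audit_krb5_conf "$(cat /etc/krb5.conf)"`. Dropping the DES names from both enctype lines leaves only rc4-hmac, which the Windows 2003 KDC in this setup supports.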
Edit PAM to use Kerberos
/etc/pam.d/common-auth
    auth sufficient pam_krb5.so minimum_uid=10000
    auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
    account sufficient pam_krb5.so
    account required pam_unix.so

Make use of Winbind for integration
Setup winbind
    #apt-get install winbind
Edit /etc/samba/smb.conf:
    workgroup = MYDOMAIN
    security = ads
    realm = MYDOMAIN
    use kerberos keytab = true
    password server = pdc.mydomain
    client ntlmv2 auth = yes
    client use spnego = yes
    domain master = no
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    restrict anonymous = 2
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum users = yes
    winbind enum groups = yes
Edit /etc/nsswitch.conf, adding winbind to passwd and group:
    passwd: compat winbind
    group: compat winbind
Edit PAM to use Winbind
/etc/pam.d/common-auth
    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
    account sufficient pam_winbind.so
    account required pam_unix.so
nscd should not be running while winbind is running; winbind does its own caching and nscd interferes with it.
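All three PAM variants in this guide (LDAP, Kerberos, winbind) follow the same pattern: a "sufficient" directory module followed by a "required" pam_unix.so. The shell lint below is an added example, not part of the original guide, and checks the two properties that pattern is meant to guarantee: pam_ldap.so and pam_krb5.so carry minimum_uid (so root and other low-UID local accounts are never looked up in the directory), and a required pam_unix.so follows every sufficient directory module (so local login keeps working when the PDC is unreachable). pam_winbind.so has no minimum_uid option; its UID range comes from the idmap settings in smb.conf, so only the fallback check applies to it. The sample files, directory and function name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): lint common-auth stanzas as used
# in this guide. Sample files are constructed in a temporary directory.

PAM_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DIR"' EXIT

# As on the page: LDAP auth with a UID floor and a local fallback.
cat > "$PAM_DIR/common-auth.ldap" <<'EOF'
auth sufficient pam_ldap.so minimum_uid=10000
auth required pam_unix.so nullok_secure use_first_pass
EOF

# As on the page: winbind auth with a local fallback (no minimum_uid option exists).
cat > "$PAM_DIR/common-auth.winbind" <<'EOF'
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
EOF

# Constructed bad variant: no minimum_uid and no pam_unix fallback.
cat > "$PAM_DIR/common-auth.bad" <<'EOF'
auth sufficient pam_krb5.so
EOF

# lint_pam_auth FILE: print one problem per line; return 0 if none.
lint_pam_auth() {
    awk '
    $1 == "auth" && $2 == "sufficient" && $3 ~ /^pam_(ldap|krb5|winbind)\.so$/ {
        pending = $3
        if (($3 == "pam_ldap.so" || $3 == "pam_krb5.so") && $0 !~ /minimum_uid=[0-9]+/) {
            print FILENAME ": " $3 " has no minimum_uid; low-UID local accounts would be sent to the directory"
            bad = 1
        }
        next
    }
    # A required pam_unix.so after the directory module restores local fallback.
    $1 == "auth" && $2 == "required" && $3 == "pam_unix.so" { pending = "" }
    END {
        if (pending != "") {
            print FILENAME ": no required pam_unix.so after " pending "; local login breaks when the directory is unreachable"
            bad = 1
        }
        exit bad
    }' "$1"
}

for f in "$PAM_DIR"/common-auth.*; do
    lint_pam_auth "$f" && echo "$f: ok"
done
```

On a real host run `lint_pam_auth /etc/pam.d/common-auth` after each of the PAM edits above; the bad sample above produces two findings, the two page-derived samples produce none.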
Reference
- AD bind errors: http://www.willeke.com:9080/wikildap/Wiki.jsp?page=CommonActiveDirectoryBindErrors
- Winbind: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
- Linux-AD Integration from Scott's weblog: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/