Integrate Linux into Active Directory

Introduction
This is mostly based on Scott's weblog, with some modifications for Ubuntu and an added winbind section.

Environment
  • Ubuntu Server 7.04
  • VMware Server
  • Windows 2003 PDC
Set up Microsoft's Services for Unix 3.5
  • Download and install Microsoft's Services for Unix 3.5
  • Accept the standard installation
  • Where prompted for "security settings", leave both boxes blank
  • Where prompted for "username mapping" select "Local Username Mapping Server" and subsequently "Network Information Services"
  • Select the Windows Domain Name
  • Reboot server when complete
Authentication and Authorization via LDAP
Set up the required software (libpam-ldap provides the pam_ldap.so module used further down)
#apt-get install ldap-utils nscd libnss-ldap libpam-ldap
We need an account to bind to Active Directory; create a new one or reuse an existing one. Here we use "proxyuser". It only has to read the directory, so give it no group memberships or rights beyond those of an ordinary domain user, and do not reuse its password anywhere else. In a default Active Directory installation user accounts live in the container "cn=Users,<domain DN>"; with the placeholder domain used throughout this page that makes the bind DN "cn=proxyuser,cn=Users,dc=mydomain" (for a real domain such as home.local it would be cn=proxyuser,cn=Users,dc=home,dc=local). Test that the account can bind and find itself (ldapsearch prompts for the password):
ldapsearch -x -H ldap://pdc -W -D "cn=proxyuser,cn=Users,dc=mydomain" -b "cn=Users,dc=mydomain" -LLL "(sAMAccountName=proxyuser)"
A simple bind over plain ldap:// sends the password in clear text on port 389. If the DC has a certificate, use ldaps:// instead, or enable STARTTLS in libnss-ldap.conf with "ssl start_tls" and a tls_cacertfile entry.
Edit /etc/libnss-ldap.conf and /etc/pam_ldap.conf. First, back up the originals.
#cp /etc/libnss-ldap.conf /etc/libnss-ldap.conf.old
#cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old
Edit /etc/libnss-ldap.conf so it reads as follows (adjust base, uri and binddn to your own domain; the nss_map_* lines translate the RFC 2307 attribute names to the msSFU30* attributes that Services for Unix populates):
base cn=Users,dc=mydomain
uri ldap://pdc

binddn cn=proxyuser,cn=Users,dc=mydomain
bindpw password
scope sub

nss_base_passwd cn=Users,dc=mydomain?sub
nss_base_shadow cn=Users,dc=mydomain?sub
nss_base_group cn=Users,dc=mydomain?sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
Link /etc/pam_ldap.conf to /etc/libnss-ldap.conf so NSS and PAM share one configuration (the -f overwrites the stock pam_ldap.conf that libpam-ldap installed):
#ln -sf /etc/libnss-ldap.conf /etc/pam_ldap.conf
Caveat: every process that resolves names reads libnss-ldap.conf, so the file has to stay world-readable and the bindpw in it is visible to every local user. That is why proxyuser must be a plain read-only domain account; treat its password as public to everyone with a shell on this host.
Edit /etc/nsswitch.conf and add ldap to the passwd and group lines:
passwd:    compat ldap
group:     compat ldap
Quick test: if NSS is working, getent lists the directory accounts after the local ones
#getent passwd
Edit PAM to use LDAP
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
minimum_uid is a pam_krb5 module option, not a pam_ldap one, and pam_ldap ignores it. To keep pam_ldap from ever authenticating low-numbered accounts such as root against the directory, set pam_min_uid 10000 in the shared pam_ldap.conf instead.
/etc/pam.d/common-password
password sufficient pam_ldap.so use_first_pass
password required pam_unix.so nullok obscure min=4 max=8 md5
Password changes with pam_password ad write the unicodePwd attribute, which Active Directory accepts only over an SSL/TLS-protected LDAP session. With the plain ldap://pdc URI in the shared configuration this stanza cannot change AD passwords; switch the uri to ldaps:// or enable STARTTLS first.
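The UID floor in the PAM stack (pam_min_uid here, minimum_uid for pam_krb5 below, and the 10000-20000 idmap range in the winbind section) all serve one purpose: an identity that comes from the directory must never be able to claim a UID or GID that belongs to a local account, root above all, because NSS trusts whatever msSFU30UidNumber (or winbind) hands it. The following shell script is an added example, not part of the original page or of Scott's weblog; it audits the merged passwd database the way a practitioner would right after the getent test. The local and directory entries in it are constructed samples, and the MIN_UID of 10000 matches the page's setting.

```shell
#!/bin/sh
# Audit the merged passwd database for directory entries that collide with
# local accounts or fall below the UID floor the PAM stack enforces.
# Added example; every sample entry below is constructed, not a real account.

MIN_UID=10000   # matches pam_min_uid / minimum_uid on this page

# What /etc/passwd holds on the host (constructed sample).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash'

# What "getent passwd" returns with "passwd: compat ldap": the local lines
# first, then the directory entries. alice is fine; svc reuses a local UID;
# admin duplicates a local account name; evil carries msSFU30UidNumber=0.
ALL_PASSWD="$LOCAL_PASSWD
alice:x:10001:10000:Alice:/home/alice:/bin/bash
svc:x:1000:10000:Service:/home/svc:/bin/bash
admin:x:10005:10000:Admin From AD:/home/admin:/bin/bash
evil:x:0:10000:Evil:/home/evil:/bin/bash"

WORK=$(mktemp -d)
printf '%s\n' "$LOCAL_PASSWD" > "$WORK/local"
printf '%s\n' "$ALL_PASSWD"   > "$WORK/all"

# audit_directory_entries LOCAL_FILE ALL_FILE MIN_UID
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
# Lines in ALL_FILE that are byte-identical to a local line are the local
# accounts themselves and are skipped; everything else came from the directory.
audit_directory_entries() {
    awk -F: -v min="$3" '
        FNR == NR { local_line[$0] = 1; local_uid[$3] = $1; local_name[$1] = 1; next }
        ($0 in local_line) { next }
        {
            name = $1; uid = $3 + 0
            if (name in local_name) {
                printf "%s: directory entry shadows the local account of the same name\n", name; bad++
            }
            if (uid == 0) {
                printf "%s: directory entry maps to uid 0\n", name; bad++
            } else if (uid < min) {
                printf "%s: uid %d is below the minimum %d\n", name, uid, min; bad++
            }
            if ($3 in local_uid) {
                printf "%s: uid %s collides with local account %s\n", name, $3, local_uid[$3]; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1" "$2"
}

# problem_count LOCAL_FILE ALL_FILE MIN_UID -> number of findings
problem_count() {
    audit_directory_entries "$1" "$2" "$3" | wc -l | tr -d ' '
}

if audit_directory_entries "$WORK/local" "$WORK/all" "$MIN_UID"; then
    echo "no directory entry conflicts with a local account"
else
    echo "fix the msSFU30UidNumber/GidNumber values listed above before enabling logins"
fi
```

On a real host run it as "getent passwd > /tmp/all; audit_directory_entries /etc/passwd /tmp/all 10000" after the NSS test, and repeat it whenever someone gets write access to the SFU attributes in AD: anyone who can set msSFU30UidNumber on a user object decides which local UID that user becomes.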
Authentication via Kerberos, Authorization via LDAP
Set up the required software (libpam-krb5 provides the pam_krb5.so module used further down)
#apt-get install krb5-clients krb5-user krb5-config libpam-krb5
Edit /etc/krb5.conf so the Kerberos libraries can find your KDC. The realm is the DNS domain name in upper case; the kdc and admin_server entries under [logging] only matter on a KDC and are harmless here:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = true
dns_lookup_kdc = true

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MYDOMAIN = {
kdc = pdc.mydomain
admin_server = pdc.mydomain
}

[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN
Caveat on the enctype lines: a Windows 2003 DC speaks RC4-HMAC, which is all this setup needs. The single-DES types are a leftover from older guides and are cryptographically broken, so leave only rc4-hmac on both lines (MIT Kerberos from 1.7 on refuses DES by default unless allow_weak_crypto = true is set). With a Windows 2008 or later DC the AES types are available and rc4-hmac can go as well.
To test the Kerberos configuration, obtain a ticket for a domain user:
#kinit <userid>@<realm>
If it works, klist shows the ticket-granting ticket:
#klist
Use Samba to join the domain and obtain a keytab. First, install it:
#apt-get install samba-common smbclient
Edit /etc/samba/smb.conf:
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN
use kerberos keytab = true
password server = pdc.mydomain
Get a Kerberos ticket for an account that may join machines to the domain. The Domain Administrator works, but an account that has only been delegated the right to create computer objects in the target OU is enough and exposes far less if the password is mistyped into the wrong host:
#kinit administrator@MYDOMAIN
Join the domain:
#net ads join -U administrator
If this succeeds, a computer object appears in AD and /etc/krb5.keytab is written automatically. Verify with "net ads testjoin" and "klist -k". The keytab holds the host's long-term key, so keep it readable by root only.

Edit PAM to use Kerberos. pam_krb5 checks the password against the KDC, and with the host keytab in place it also verifies the ticket it gets back against that key, which stops a spoofed KDC from authenticating arbitrary users:
/etc/pam.d/common-auth
auth sufficient pam_krb5.so minimum_uid=10000
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
account sufficient pam_krb5.so
account required pam_unix.so
Using Winbind for Integration
Set up winbind. Unlike the LDAP route, which reads uid/gid numbers stored in AD by Services for Unix, winbind allocates UIDs and GIDs locally from the idmap ranges below, so the same user can receive different IDs on different hosts; keep that in mind for shared storage and for anything that compares ownership across machines.
#apt-get install winbind
Edit /etc/samba/smb.conf (this replaces the minimal version used for the join):
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN
use kerberos keytab = true
password server = pdc.mydomain
client ntlmv2 auth = yes
client use spnego = yes
domain master = no
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
restrict anonymous = 2
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
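krb5.conf above and both smb.conf fragments (the minimal one for the join and the winbind one just shown) are plain key = value files, and the settings that matter for security fail quietly: a des-* enctype left in the list, or a domain-membership setting missing so that the join or winbind does not behave as expected. The following shell script is an added example, not part of the original page or of Scott's weblog; it reads such files with a small awk helper, flags the weak enctypes and prints the hardened list, and checks that smb.conf carries the settings this page relies on. The krb5.conf and smb.conf contents in it are constructed samples that mirror the page's values (the [global] header is where Samba expects these keys).

```shell
#!/bin/sh
# Added example: audit krb5.conf enctypes and smb.conf domain-membership
# settings. The sample files below are constructed from the values on this page.

KRB5_SAMPLE='[libdefaults]
default_realm = MYDOMAIN
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
MYDOMAIN = {
kdc = pdc.mydomain
admin_server = pdc.mydomain
}'

SMB_SAMPLE='[global]
workgroup = MYDOMAIN
security = ads
realm = MYDOMAIN
use kerberos keytab = true
password server = pdc.mydomain
restrict anonymous = 2'

WORK=$(mktemp -d)
printf '%s\n' "$KRB5_SAMPLE" > "$WORK/krb5.conf"
printf '%s\n' "$SMB_SAMPLE"  > "$WORK/smb.conf"

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], trimmed.
# Keys may contain spaces (Samba style); the first match wins.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); sect = s; next }
        sect == want && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# weak_enctypes KRB5CONF: list every single-DES or export-grade enctype found
# in the two default_*_enctypes lines, one "key: enctype" per line.
weak_enctypes() {
    for key in default_tgs_enctypes default_tkt_enctypes; do
        for enc in $(ini_get "$1" libdefaults "$key"); do
            case "$enc" in
                des-*|*-exp) printf '%s: %s\n' "$key" "$enc" ;;
            esac
        done
    done
}

# hardened_enctypes KRB5CONF KEY: the same list with the weak types removed.
hardened_enctypes() {
    out=""
    for enc in $(ini_get "$1" libdefaults "$2"); do
        case "$enc" in
            des-*|*-exp) ;;
            *) out="$out $enc" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# check_smb_ads SMBCONF: verify the settings the join and winbind depend on.
# Prints one line per problem; returns 1 if any was found.
check_smb_ads() {
    bad=0
    for pair in "security=ads" "use kerberos keytab=true"; do
        k=${pair%%=*}; expected=${pair#*=}
        got=$(ini_get "$1" global "$k")
        if [ "$got" != "$expected" ]; then
            printf '%s: expected "%s", found "%s"\n' "$k" "$expected" "${got:-<unset>}"; bad=1
        fi
    done
    for k in realm workgroup; do
        [ -n "$(ini_get "$1" global "$k")" ] || { printf '%s: not set\n' "$k"; bad=1; }
    done
    return "$bad"
}

weak_enctypes "$WORK/krb5.conf"
echo "hardened: default_tkt_enctypes = $(hardened_enctypes "$WORK/krb5.conf" default_tkt_enctypes)"
check_smb_ads "$WORK/smb.conf" && echo "smb.conf: domain membership settings present"
```

Point the functions at /etc/krb5.conf and /etc/samba/smb.conf to check a real host; the awk helper only understands the flat key = value lines used here and does not parse krb5.conf's nested braces beyond treating them as ordinary lines inside their section.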
Edit /etc/nsswitch.conf and add winbind to the passwd and group lines:
passwd:    compat winbind
group:     compat winbind
Edit PAM to use Winbind
/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
nscd must not be running alongside winbind: winbind keeps its own cache and the two will serve stale or conflicting answers, so stop nscd (installed in the LDAP section above) and remove it from the startup sequence. Note also that template homedir only tells NSS where a user's home directory is; nothing creates it, so add pam_mkhomedir.so to the session stack if users should get one on first login.

Reference
  • AD bind errors: http://www.willeke.com:9080/wikildap/Wiki.jsp?page=CommonActiveDirectoryBindErrors
  • Winbind: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
  • Linux-AD Integration from Scott's weblog: http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/