I have a plain Ubuntu 9.10 server. It is registered in a rather large Active Directory domain with both Windows 2003 and 2008 servers and thousands of users. Only a handful of them will be allowed to use this server. They will use the folders only through Windows shares, and only a limited group will have access to the Linux side of the system through SSH or on a terminal.
A Windows user can use directories on the Linux server with the same username / password she uses in AD. This can be called a single point of authentication: she logs in to her workstation, which authenticates her against the Active Directory.
Links
/www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
Kerberos
is an authentication mechanism used to verify user or host identity.
winbind
is a component of the Samba suite of programs that solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine.
What is needed
- Your server must be registered as a member of the Active Directory. You have to request this from the AD Administrator.
- You have to have the right to join your PC to the domain. There is no need to be an AD Administrator yourself; the AD Administrator can give you limited rights for this.
- Ask the Administrator of your AD for the names of the name server(s) (tangerine, dream) and the address of the WINS server (192.168....).
- Root access on your server.
Before you start:
- Build some dummy users, with names which are not registered in your AD, on your Linux system with the normal Linux adduser tool. Ask if the AD Administrator could build you a temporary identity, for example 'demome'. These identities will help when you are testing your system.
- Stop Samba so it does not do anything unexpected while you are editing:
/etc/init.d/samba stop
Notes:
- Make notes all the time!
- In this text I have not used the original addresses or names. Instead I have used those below. Use capital letters where I have used them in this text. (An example or explanation is given in parentheses.)
WORKGROUP (MYLAB)
WORKGROUP.EXT (MYLAB.COM)
MYSERVER (ENIAC)
tangerine (DC, Domain Controller; use only the NetBIOS name, not the address or the full name)
dream (DC, Domain Controller; use only the NetBIOS name, not the address or the full name)
myself (a registered user)
In Ubuntu you can install the packages needed with apt-get. Here is a list of those packages I found on my PC with the commands 'grep winbind installed', 'grep samba installed' and 'grep krb installed'. Before that I had used 'dpkg --get-selections > installed', which builds a list of all the installed packages in the system.
(From now on all the code will be between lines of '===' characters.)
=====Packages needed=============
samba
samba-common
samba-common-bin
samba-doc
winbind
krb5-config
krb5-user
libgssapi-krb5-2
libkrb5-3
libkrb5support0
==================
You will stop and start your Samba system many times while tuning it. I recommend you build a file /usr/bin/smb.sh and chmod it '700'.
=====/usr/bin/smb.sh======
#!/bin/sh
# Restart winbind first, then Samba, so smbd starts with a working winbind.
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/winbind start
/etc/init.d/samba start
==========================
The only file I needed to build from scratch was /etc/pam.d/system-auth. Let's start with it.
You can lock yourself out with wrong parameters in system-auth. I recommend that you log in to your system as root on at least three terminals. If something goes wrong, you can move to another terminal and fix it. Give it a try: go through all the setup files, restart Samba at the end, then log out from the terminal and log in again.
This problem arises because you can set the system to try to fetch the authentication from some wrong place.
=====/etc/pam.d/system-auth====================
#%PAM-1.0
auth required pam_mount.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
#
account required pam_unix.so
account sufficient pam_winbind.so
#
password required pam_mount.so use_authtok
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
#
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so use_authtok
================================================
=====/etc/krb5.conf=============================
[libdefaults]
default_realm = WORKGROUP.EXT
[realms]
WORKGROUP.EXT = {
kdc = tangerine.workgroup.ext
kdc = dream.workgroup.ext
}
[domain_realm]
.workgroup.ext = WORKGROUP.EXT
workgroup.ext = WORKGROUP.EXT
[logging]
default = FILE:/var/log/krb5.log
[appdefaults]
pam = {
ticket_lifetime = 365d
renew_lifetime = 365d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
}
================================================
A note about Kerberos.
When you have built your krb5.conf, you can get a ticket for your PC from AD with the command 'kinit' without any options or parameters. It asks for your password and, if everything is fine, it says nothing, not a single line!
At first it seems that you have to build an identity on your server for a user who has rights to join the server to the AD. Then I got this advice from 'one who should know':
kinit user.name@FULL.UPPERCASE.REALM
After that, you'll use "net ads join -U user.name"
The long and not so good way:
I first installed a server and, when the Ubuntu 9.10 server installation asked for a username / password, I gave it 'mole' (not registered in AD) as the username. When I then ran 'kinit', I got a bunch of error messages. I built an identity with my own username (registered in the AD) with rights to join. I also put myself in all the groups where this 'mole' was set. Then I logged in with my own credentials and made myself root with 'sudo su'. Now kinit worked as it should.
There has been discussion about Kerberos. Some claim that it is not needed, but I have not tested that. In any case it doesn't take so much space that it matters. Here is a question and a comment from a 'guru':
'is krb5 necessary for the authentication ?
pam_krb5 is not -- winbind handles it. But it needs krb5 client libs.'
You can check the situation with 'klist' after you have run 'kinit'. It should give you something like this:
===
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myself@WORKGROUP.EXT
Valid starting     Expires            Service principal
11/26/09 19:33:49  11/27/09 05:33:52  krbtgt/WORKGROUP.EXT@WORKGROUP.EXT
        renew until 11/27/09 19:33:49
===
=====/etc/nsswitch.conf=========================
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
================================================
=====/etc/samba/smb.conf========================
[global]
workgroup = WORKGROUP
realm = WORKGROUP.EXT
server string = %h
interfaces = eth0, lo
bind interfaces only = Yes
security = ADS
auth methods = winbind
client schannel = No
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
password server = tangerine dream
passwd program = /usr/bin/passwd %u
passwd chat = *new\s*\spassword:* %n\n *Retype:* %n\n *OK*
ntlm auth = No
client NTLMv2 auth = Yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
name resolve order = hosts wins bcast
client signing = Yes
os level = 1
local master = No
domain master = No
wins server = 192.168.116.6
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-2000000
idmap gid = 5000-2000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
idmap config WORKGROUP.EXT:range = 10000 - 2000000
idmap config WORKGROUP.EXT:schema_mode = rfc2307
idmap config WORKGROUP.EXT:default = yes
idmap config WORKGROUP.EXT:backend = ad
## create mask = 022
inherit permissions = Yes
hosts allow = 192.168., 127.0.0.1
hosts deny = ALL
username map = /etc/samba/map.dat
# Added here 151209:
encrypt passwords = true

[homes]
comment = Own home directories
path = /home/%S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
browsable = No
valid users = %U
================================================
Run testparm when you have edited smb.conf.
idmap uid = 10000-2000000
idmap gid = 5000-2000000
idmap config WORKGROUP.EXT:range = 10000 - 300000000
It seems that the users get their local UID / GID as 10000 / 5000 or above, as set in 'idmap uid' and 'idmap gid'.
If you want to avoid trouble, keep the values coherent. In a single domain, if you don't need a consistent mapping of the users across different clients (for example to have multiple clients access an NFS server), you can keep the range quite limited. If you need consistent mapping, you can use the RID backend, but you'll have to use a wide range to avoid collisions.
How to set this:
idmap config WORKGROUP.EXT:range
- The same as idmap uid. Or just remove that line.
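The "keep the values coherent" advice above is easy to get wrong by hand, as the two different upper bounds quoted on this page show (2000000 in smb.conf, 300000000 in the excerpt). The following is an added example, not code from the original howto: a small POSIX sh checker that reads the 'idmap uid' and 'idmap config DOMAIN:range' lines out of an smb.conf and reports whether they match. It assumes the pre-Samba-3.5 key names used on this page; the smb.conf fragments it checks are constructed inline from the values above.

```shell
#!/bin/sh
# Added example, not part of the original howto: check that the idmap ranges in an
# smb.conf are coherent, as the text advises. It assumes the pre-Samba-3.5 style
# keys used on this page ('idmap uid', 'idmap gid', 'idmap config DOMAIN:range').

# Print "low high" for a range key such as 'idmap uid' ($2) found in file $1.
# Both "10000-2000000" and "10000 - 2000000" spellings are accepted.
get_range() {
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # make '.' in DOMAIN.EXT literal
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Return 0 when the domain's 'idmap config DOMAIN:range' equals 'idmap uid'
# (the howto's rule), 1 when they differ, 2 when a key is missing.
check_idmap_ranges() {
    conf=$1
    domain=$2
    uid=$(get_range "$conf" "idmap uid")
    dom=$(get_range "$conf" "idmap config $domain:range")
    if [ -z "$uid" ] || [ -z "$dom" ]; then
        echo "missing 'idmap uid' or 'idmap config $domain:range' in $conf"
        return 2
    fi
    set -- $uid; uid_lo=$1; uid_hi=$2
    set -- $dom; dom_lo=$1; dom_hi=$2
    if [ "$dom_lo" -ne "$uid_lo" ] || [ "$dom_hi" -ne "$uid_hi" ]; then
        echo "incoherent: idmap uid = $uid_lo-$uid_hi but $domain:range = $dom_lo-$dom_hi"
        return 1
    fi
    echo "ok: $domain:range matches idmap uid ($uid_lo-$uid_hi)"
    return 0
}

# Write a constructed smb.conf fragment to $1, using $2 as the domain range's upper bound.
write_sample() {
    cat > "$1" <<EOF
[global]
   workgroup = WORKGROUP
   realm = WORKGROUP.EXT
   idmap uid = 10000-2000000
   idmap gid = 5000-2000000
   idmap config WORKGROUP.EXT:range = 10000 - $2
   idmap config WORKGROUP.EXT:backend = ad
EOF
}

# Build a sample with the given upper bound, check it, clean up, return the verdict.
demo() {
    f=$(mktemp)
    write_sample "$f" "$1"
    check_idmap_ranges "$f" WORKGROUP.EXT
    rc=$?
    rm -f "$f"
    return $rc
}

demo 2000000            # the values from the smb.conf above: ok
demo 300000000 || true  # the mismatched upper bound quoted in the text: incoherent
```

To check a real file, call `check_idmap_ranges /etc/samba/smb.conf WORKGROUP.EXT` after `testparm` has accepted the syntax; a return code of 1 means the two ranges disagree and winbind may hand out IDs outside the range you expected.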
=====/etc/samba/map.dat=========================
myself_in_Linux = myself_in_AD
users = @domain users
================================================
When all this is edited, you can use your /usr/bin/smb.sh.
Now you can join your system to the AD. Use this (NOTE: it must be 'net ads join' and not 'net join ads'):
net ads join -w WORKGROUP.EXT -U myself
You should get something like this:
Enter myself's password:
Using short domain name -- WORKGROUP
Joined 'MYSERVER' to realm 'workgroup.ext'
DNS update failed!
- Do not care about the last line! It works and that's it.
If it doesn't work, check and recheck all and everything.
It is not a bad idea to reboot Linux. Sometimes you just forget to set something. During boot you will at least get some error messages, which might help you to fix things.
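The kinit/klist check earlier and the 'net ads join' output just above are the two points where the howto tells you to read output by eye and decide whether to go on. The following is an added example, not code from the original howto: two POSIX sh helpers that make those decisions from captured output (treating "DNS update failed!" as a warning, not a failure, as the text says), plus a live post-join check built from the standard commands `net ads testjoin`, `wbinfo -t`, `wbinfo -u` and `getent`. The sample outputs embedded in it are constructed from what this page shows; the realm and username are the placeholder names used throughout.

```shell
#!/bin/sh
# Added example, not part of the original howto: judge the output of 'net ads join'
# and 'klist' as the text describes them, plus a live post-join check built from
# standard Samba/Kerberos commands. Sample outputs are constructed from this page.

# Return 0 when 'net ads join' output ($1) reports a successful join. The howto says
# to ignore "DNS update failed!", so it is reported but does not fail the check.
join_succeeded() {
    if ! printf '%s\n' "$1" | grep -q "^Joined '"; then
        echo "join failed: no 'Joined ...' line in output"
        return 1
    fi
    if printf '%s\n' "$1" | grep -q "^DNS update failed"; then
        echo "joined; dynamic DNS update failed (harmless here; add the A record by hand if you need it)"
    fi
    return 0
}

# Return 0 when 'klist' output ($1) contains a ticket-granting ticket for realm $2.
has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Live checks to run as root on the server after joining; $1 = realm, $2 = an AD user.
# With 'winbind use default domain = Yes' users are listed without a DOMAIN\ prefix,
# so the user is matched only at the end of the line.
verify_join() {
    realm=$1
    user=$2
    has_tgt "$(klist 2>/dev/null)" "$realm" || echo "no TGT in the cache: run kinit $user@$realm"
    net ads testjoin || return 1          # machine account still valid in AD
    wbinfo -t || return 1                 # winbind can use the machine trust secret
    wbinfo -u | grep -qi "$user\$" || { echo "winbind does not list $user"; return 1; }
    getent passwd "$user" >/dev/null || { echo "NSS cannot resolve $user (check nsswitch.conf)"; return 1; }
    echo "join, winbind and NSS lookups OK"
}

# Constructed sample outputs, copied from what this page shows.
SAMPLE_JOIN="Using short domain name -- WORKGROUP
Joined 'MYSERVER' to realm 'workgroup.ext'
DNS update failed!"

SAMPLE_KLIST="Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myself@WORKGROUP.EXT
Valid starting     Expires            Service principal
11/26/09 19:33:49  11/27/09 05:33:52  krbtgt/WORKGROUP.EXT@WORKGROUP.EXT
        renew until 11/27/09 19:33:49"

join_succeeded "$SAMPLE_JOIN"
has_tgt "$SAMPLE_KLIST" WORKGROUP.EXT && echo "sample klist shows a TGT for WORKGROUP.EXT"
```

On the server itself, `verify_join WORKGROUP.EXT myself` (as root, after your smb.sh) runs the live part; if `wbinfo -t` fails but `net ads testjoin` passes, winbind is usually not running or is reading a different smb.conf than the one you edited.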
Open Windows and 'My Computer' there. Write '\\myserver' on the address line.
You might see an icon for printers. It will not work before you configure something for it in smb.conf.
If you have a home directory on your Linux server, you should see it here as a folder. Test if you can open that folder and create a file and a folder there. If not, there is something wrong with the permissions of the home directory on the Linux side.
For some reason you have to set the permissions of your home directory to '707' or '770'. Here you must do some testing with your identities. I have not yet tested this thoroughly.
When you want to give a home folder to somebody who is registered in the AD, you just build a directory for her in /home and set the ownership and permissions. There is no need, and no possibility, to build a new account for her in Linux: adduser and useradd will give error messages.
You can make symbolic links on the Linux side and they work fine in Windows. You can either make a link to the www directories of the users or build a share in smb.conf for that.
From here on: use your own head.
| Variable | Definition |
|---|---|
| Client variables | |
| %a | Client's architecture (e.g., Samba, WfWg, WinNT, Win95, or UNKNOWN) |
| %I | Client's IP address (e.g., 192.168.220.100) |
| %m | Client's NetBIOS name |
| %M | Client's DNS name |
| User variables | |
| %g | Primary group of %u |
| %G | Primary group of %U |
| %H | Home directory of %u |
| %u | Current Unix username |
| %U | Requested client username (not always used by Samba) |
| Share variables | |
| %p | Automounter's path to the share's root directory, if different from %P |
| %P | Current share's root directory |
| %S | Current share's name |
| Server variables | |
| %d | Current server process ID |
| %h | Samba server's DNS hostname |
| %L | Samba server's NetBIOS name |
| %N | Home directory server, from the automount map |
| %v | Samba version |
| Miscellaneous | |
| %R | The SMB protocol level that was negotiated |
| %T | The current date and time |