Differences between revisions 1 and 15 (spanning 14 versions)
Revision 1 as of 2007-05-17 01:49:43 (Size: 921, Editor: JohnJacob)
Revision 15 as of 2007-05-17 03:24:31 (Size: 7808, Editor: JohnJacob)
= Authenticating Debian Server, Kubuntu, and Windows XP With Active Directory =

 We were tasked with creating an Active Directory domain with Windows Server 2003 and then having a mixed environment all authenticating into the same user domain. The mix of operating systems used in this project was Debian, Kubuntu 7.04 (Feisty Fawn), Samba running on Debian Server, and Windows XP. The project consisted of setting up a Windows 2003 Server with Active Directory and Samba so that the Linux clients could authenticate into the same domain. We also had one Windows XP client that authenticated into the shared domain as well.

 We ran Samba on Debian Server and had shared directories set up that all clients could view. We used PAM for the Linux clients to allow them to connect and authenticate with a mixed domain. The following wiki page will detail what was used and done to make this project a reality.
## page was renamed from JohnJacob
Authenticating Debian & Samba to Active Directory (!)

   This walkthrough gives instructions for configuring Linux servers and clients to authenticate to Active Directory. The purpose is to join a Linux Samba server and a Linux client to an existing AD structure, so that the Samba share works seamlessly for Windows and Linux users alike. The walkthrough is broken into two sections, available via the links below.

'''''Linux Samba Configuration''''':


'''Debian Samba server connecting to Active directory'''

1. Installing software

The first thing that you need to do is to install the required packages.

 #aptitude update

 #aptitude upgrade

 #aptitude install samba smbclient winbind krb5-doc krb5-user krb5-config

'''Windows server information'''

In this configuration I used the following Windows information.

Domain name: is414

Fully qualified domain name: is414.com

Windows domain controller: rkb-server

'''Kerberos setup'''

Open /etc/krb5.conf

Add the following lines to /etc/krb5.conf. The realm name must match the [realms] stanza exactly (IS414.COM, not IS414), and [domain_realm] maps the DNS domain is414.com onto that realm:

 [libdefaults]
  default_realm = IS414.COM

 [realms]
  IS414.COM = {
   kdc = rkb-server.is414.com
   admin_server = rkb-server.is414.com
  }

 [domain_realm]
  .is414.com = IS414.COM
  is414.com = IS414.COM

After that has been completed do the following:

 #kinit administrator@IS414.COM

Verify that it worked by using the following command:
 
 #klist

'''Samba Setup'''

Open the samba configuration file /etc/samba/smb.conf and add the following:

 [global]
  security = ADS
  password server = rkb-server
  encrypt passwords = yes
  workgroup = IS414
  realm = IS414.COM
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind separator = +
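
A consistency check between the two files above, added here as an example and not part of the original walkthrough: the realm in smb.conf must equal default_realm in krb5.conf, and that realm needs its own [realms] stanza (a truncated realm such as IS414 against a stanza for IS414.COM is exactly the kind of slip this catches). The sample files are constructed from this page's values; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the walkthrough): cross-check krb5.conf and smb.conf
# before running "net ads join". Sample files are built from this page's values.

# Print the value of KEY inside [SECTION] of an INI-style file.
# Usage: ini_get FILE SECTION KEY   (prints nothing if the key is absent)
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ ("^[[:space:]]*\\[" sec "\\]")); next }
        in_sec {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (line ~ /^[#;]/) next              # comment line
            n = index(line, "=")
            if (n == 0) next                      # e.g. a closing "}"
            k = substr(line, 1, n - 1); sub(/[[:space:]]+$/, "", k)
            if (k != key) next
            v = substr(line, n + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# Return 0 when smb.conf "realm" equals krb5.conf "default_realm", that
# realm has a [realms] stanza, and the name is upper case (realm names
# are case-sensitive; an AD realm is the upper-cased DNS domain).
check_realm_consistency() {   # $1 = krb5.conf  $2 = smb.conf
    krb_realm=$(ini_get "$1" libdefaults default_realm)
    smb_realm=$(ini_get "$2" global realm)
    rc=0
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$smb_realm" ] ||
        { echo "realm mismatch: krb5.conf='$krb_realm' smb.conf='$smb_realm'"; rc=1; }
    [ "$(ini_get "$1" realms "$krb_realm")" = "{" ] ||
        { echo "no [realms] stanza for '$krb_realm' in $1"; rc=1; }
    [ "$krb_realm" = "$(printf %s "$krb_realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "realm '$krb_realm' is not upper case"; rc=1; }
    return $rc
}

# Write a constructed krb5.conf/smb.conf pair into DIR with default_realm REALM.
make_sample() {   # $1 = DIR  $2 = REALM
    mkdir -p "$1"
    printf '[libdefaults]\n  default_realm = %s\n\n[realms]\n  IS414.COM = {\n    kdc = rkb-server.is414.com\n  }\n' "$2" > "$1/krb5.conf"
    printf '[global]\n  security = ADS\n  workgroup = IS414\n  realm = IS414.COM\n' > "$1/smb.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp/bad"  IS414        # realm missing ".COM": mismatch and no stanza
make_sample "$tmp/good" IS414.COM
check_realm_consistency "$tmp/bad/krb5.conf"  "$tmp/bad/smb.conf"  || echo "bad pair rejected (expected)"
check_realm_consistency "$tmp/good/krb5.conf" "$tmp/good/smb.conf" && echo "good pair accepted"
rm -rf "$tmp"
```

On a real host run `check_realm_consistency /etc/krb5.conf /etc/samba/smb.conf` before joining; a non-zero exit lists what disagrees.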

Creating a share in /etc/samba/smb.conf. Replace WindowsShare with any name you want.
First create the folder:
 #mkdir /home/WindowsShare
 #chmod 777 /home/WindowsShare

Add the following in the /etc/samba/smb.conf

 [WindowsShare]
  comment = Windows Share
  path = /home/WindowsShare
  read only = no
  create mask = 0775
  directory mask = 0775
  browsable = yes
  writeable = yes
  force create mode = 0775
  force directory mode = 0775
  force security mode = 0775
  ; "public" is a synonym for "guest ok", so only guest ok = no is set here
  guest ok = no
  inherit permissions = yes
  nt acl support = yes

Test your configuration with the following command:

 #testparm -v

Now stop the Samba daemon; it is started again together with winbind once winbind is configured.

 # /etc/init.d/samba stop

'''Winbind configuration'''

Stop the winbind daemon.

 #/etc/init.d/winbind stop

Edit the following two lines in /etc/nsswitch.conf so that winbind is consulted after the local files:

 passwd: compat winbind
 group: compat winbind

'''Joining the Domain'''

Start the Samba and winbind daemons:

 #/etc/init.d/samba start
 #/etc/init.d/winbind start

Join the domain with the following command:

 #net ads join -U administrator

Test winbind with the following commands:

 #wbinfo -u

wbinfo -u should list the AD users.

 #wbinfo -g

wbinfo -g should list the AD groups.

All that is left is to test the connection from the server to verify that the share is working.



'''''Linux Client Configuration''''':

'''Joining a Debian Client to Active Directory'''

Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences.

'''Required Software/Packages'''

||'''Name'''||'''Version'''||
||MS Server 2003 w/AD and DNS||2003 Standard||
||Linux||Ubuntu 6.10||
||Winbind||3.0.22-lubuntu4.1||
||Samba||3.0.22-lubuntu4.1||
||Krb5-user||1.4.3-9ubuntu1.2||
||Libpam-krb5||2.4-1||


'''Time settings'''

Kerberos requires that the client clock be within a few minutes of the server's. Use an NTP server to keep the time synchronized.

Location: /etc/default/ntpdate

 #servers to check
 NTPSERVERS="example.test.server.com"
 #additional options for ntpdate
 NTPOPTIONS="-u"

 root@linux:~# /etc/init.d/ntpdate restart
 *Synchronizing clock to example.test.server.com... [ok]


'''FQDN'''

A valid FQDN is necessary for Kerberos and AD. Edit the local hosts file so that the machine's name is resolvable.

Location: /etc/hosts
 127.0.0.1 linux.test.server.com localhost linux


'''Configure Kerberos'''

Use apt-get install to install the following packages:
 krb5-user (Universe repository)
 libpam-krb5
 krb5-config
 libkrb53
 libkadm55

krb5 template. Kerberos realm names are case-sensitive, and an AD realm is the DNS domain name in upper case, so use the same spelling and case here, in smb.conf and on the kinit command line.
Location: /etc/krb5.conf

 [logging]
  default = FILE:/var/log/krb5.log

 [libdefaults]
  ticket_lifetime = 24000
  clockskew = 300
  default_realm = test.server.com
 # dns_lookup_realm = false
 # dns_lookup_kdc = true

 [realms]
  test.server.com = {
   kdc = example.test.server.com:88
   admin_server = example.test.server.com:464
   default_domain = test.server.com
  }

 [domain_realm]
  .server.com = test.server.com
  server.com = test.server.com


Test your configuration by requesting a ticket:
 root@linux:~# kinit Administrator@test.server.com
 Password for Administrator@test.server.com: ****

Use klist to verify that the request worked:
 root@linux:~# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: Administrator@test.server.com

 Valid starting     Expires            Service principal
 05/16/07 10:30:42  05/16/07 20:30:01  krbtgt/test.server.com@test.server.com
         renew until 05/16/07 10:30:42


'''Join the Domain'''

Use apt-get install to install the following packages:
 winbind
 samba

Join
Location: /etc/samba/smb.conf

 [global]
  security = ads
  realm = test.server.com
  password server = 10.0.0.1
  workgroup = test
 # winbind separator = +
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%D/%U
  template shell = /bin/bash
  client use spnego = yes
  client ntlmv2 auth = yes
  encrypt passwords = yes
  winbind use default domain = yes
  restrict anonymous = 2
  domain master = no
  local master = no
  preferred master = no
  os level = 0


Restart the services:
 root@linux:~# /etc/init.d/winbind stop
 root@linux:~# /etc/init.d/samba restart
 root@linux:~# /etc/init.d/winbind start

Join the domain:
 root@linux:~# net ads join

 Using short domain name -- test
 Joined 'Linux' to realm 'test.server.com'

Test:
 # wbinfo -u


'''Setup Authentication'''

nsswitch
Location: /etc/nsswitch.conf

 passwd: compat winbind
 group: compat winbind
 shadow: compat

Test:
 root@linux:~# getent passwd
 root:x:0:0:root:/root:/bin/bash
 . . .
 test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b…
 test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
 . . .

 root@linux:~# getent group
 root:x:0:
 daemon:x:1:
 bin:x:2:
 . . .
 test+organizations-admins:x:10005:administrator
 test+domain-admins:x:10006:user,administrator
 . . .
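
The getent output above is where the smb.conf choices become visible: every domain account should carry the `+` separator, a uid inside the idmap range 10000-20000 and a home directory following template homedir = /home/%D/%U. The following check, added here as an example and not part of the original walkthrough, reads saved getent output and reports entries that break any of those three rules; the sample data is constructed from this page's own output plus one made-up out-of-range account, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the walkthrough): check the accounts winbind hands
# to NSS against the smb.conf settings used on this page (idmap uid
# 10000-20000, winbind separator "+", template homedir = /home/%D/%U).
# The passwd data below is constructed from the page's own getent output.

# Usage: check_winbind_passwd FILE LOW HIGH SEP
# Domain accounts are the entries whose name contains SEP; local accounts are
# skipped. Prints one line per problem and returns the number of problems.
check_winbind_passwd() {
    awk -F: -v low="$2" -v high="$3" -v sep="$4" '
        index($1, sep) == 0 { next }                          # local account
        {
            split($1, p, sep); want = "/home/" p[1] "/" p[2]
            if ($3 + 0 < low + 0 || $3 + 0 > high + 0) {
                printf "%s: uid %s outside idmap range %s-%s\n", $1, $3, low, high; bad++
            }
            if ($6 != want) {
                printf "%s: home %s does not match template (%s)\n", $1, $6, want; bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the page's getent lines plus one account with a uid
# outside the idmap range.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/bash
test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
test+user:x:25000:10002:User:/home/test/user:/bin/bash
EOF
}

f=$(mktemp)
sample_passwd > "$f"
check_winbind_passwd "$f" 10000 20000 +
echo "problems found: $?"
rm -f "$f"
```

On a joined client, `getent passwd > /tmp/passwd.out; check_winbind_passwd /tmp/passwd.out 10000 20000 +` gives the same report for the live NSS view.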


'''PAM'''

Location: /etc/pam.d/common-account

 account sufficient pam_winbind.so
 account required pam_unix.so

Location: /etc/pam.d/common-auth

 auth sufficient pam_winbind.so
 auth sufficient pam_unix.so nullok_secure use_first_pass
 auth required pam_deny.so

Location: /etc/pam.d/common-session

 session required pam_unix.so
 session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Location: /etc/pam.d/sudo

 auth sufficient pam_winbind.so
 auth sufficient pam_unix.so use_first_pass
 auth required pam_deny.so

 @include common-account


'''Final Config'''

Each domain needs a directory under /home, because the homedir template is /home/%D/%U:
 root@linux:~# mkdir /home/test

Login:
 login: test+user
 password: ****
 . . .
 test+user@linux:~$
