Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [TUTORIAL] AD integration with Ubuntu 14.04 and winbind
- So it seems the internet is not short of winbind/smb documentation, but I have yet to find a cohesive start to finish guide for the setup process. So here goes nothing! This guide is for people looking to set up a Linux machine that will authenticate in a 1 forest, 1 domain Active Directory environment.
- A bit of advice: be patient. This was one of the most frustrating things I have ever set up, mostly due to old/fragmented help around the internet. I strongly recommend against using Ubuntu's official guide, it's outdated and borderline useless. Hopefully I can save someone from a concussion with this.
- 1. Install winbind and other helper packages.
- Here are the versions I used while writing this:
- winbindd: 4.1.6-Ubuntu
- samba: 4.1.6-Ubuntu
- smbd: 4.1.6-Ubuntu
- nmdb: 4.1.6-Ubuntu
- The command to install all required packages:
- Code:
- # apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
- Of course, you'll need to install the dependencies as well. Just say yes to whatever apt-get comes up with.
- 2. Setup Kerberos authentication.
- AD uses standard (for once) Kerberos for authentication, which easily fits in with Linux.
- The environment I'm working in is as follows:
- Domain controller: ad.bfs.com (10.0.0.20)
- DNS server: 10.0.0.20
- NetBIOS domain name: BFS
- Kerberos configuration is located at:
- Code:
- /etc/krb5.conf
- The following is my working krb5.conf:
- Code:
- [libdefaults]
- ticket_lifetime = 24000
- default_realm = AD.BFS.COM
- default_tgs_entypes = rc4-hmac des-cbc-md5
- default_tkt__enctypes = rc4-hmac des-cbc-md5
- permitted_enctypes = rc4-hmac des-cbc-md5
- dns_lookup_realm = true
- dns_lookup_kdc = true
- dns_fallback = yes
- [realms]
- AD.BFS.COM = {
- kdc = ad.bfs.com:88
- default_domain = ad.bfs.com
- }
- [domain_realm]
- .ad.bfs.com = AD.BFS.COM
- ad.bfs.com = AD.BFS.COM
- [appdefaults]
- pam = {
- debug = false
- ticket_lifetime = 36000
- renew_lifetime = 36000
- forwardable = true
- krb4_convert = false
- }
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
- Capitalization matters! The realm name is just your domain controller's address in all caps.
- 3. Kerbs authentication
- Once saved, test the setup with the following command. In this test, I'm looking for myself (brian) in the Kerbs realm of AD.BFS.COM controlled by the server at ad.bfs.com.
- Code:
- # kinit brian@AD.BFS.COM
- This should return a password prompt for your test user, NOT the root user. If you get an error message of any kind, be sure your DC is online and reachable at the specified address + port and the username exists in the directory.
- Once you successfully authenticate with the DC, we now need to authenticate an account with binding privileges. In my case, it's my ad-brian account.
- Code:
- # kinit ad-brian@AD.BFS.COM
- This should go down like the test user, and you should receive a password prompt for the specified user, and receive nothing back upon completion.
- 4. winbind setup (the real fun begins now)
- The default configuration given to you be Ubuntu is lengthy and a bit difficult to read. A much simpler one is given below, you will need to tune my configuration to suit your needs.
- The file is located at:
- Code:
- /etc/samba/smb.conf
- Code:
- [global]
- netbios name = BFS-SCANNER
- workgroup = BFS
- security = ADS
- realm = AD.BFS.COM
- encrypt passwords = yes
- idmap config *:backend = rid
- idmap config *:range = 5000-100000
- winbind allow trusted domains = no
- winbind trusted domains only = no
- winbind use default domain = yes
- winbind enum users = yes
- winbind enum groups = yes
- winbind refresh tickets = yes
- template shell = /bin/bash
- If you must modify this file, I strongly recommend against messing with the idmap section unless you know exactly what you're doing. This by itself is the mother of all bitches to get working if you don't know what you're doing. The rid backend I'm using will work just fine for most workstations. As long as you keep the range consistent between Linux machines, the resulting uid/gid's will stay uniform between machines.
- 5. Configure nss to make domain accounts locally available.
- The nss configuration is located at:
- Code:
- /etc/nsswitch.conf
- All you need to do is append winbind to the end of the passwd and group lines. Like this:
- Code:
- passwd: compat winbind
- group: compat winbind
- shadow: compat
- hosts: files dns
- networks: files
- protocols: db files
- services: db files
- ethers: db files
- rpc: db files
- netgroup: nis
- 6. Joining the domain.
- Easiest part of the whole tutorial:
- Code:
- # net ads join -k
- You may get a DNS error, but the important bit is the successful domain joining message. As long as it informs you of this, you are fine.
- Once joined, start or restart the following three services with this command:
- Code:
- # service winbind restart; service nmbd restart; service smbd restart
- Note: it helps to define this chain as a function for easy refreshed in the future.
- winbind will crap out on you if you aren't joined to a domain, so no shortcuts.
- 7. Testing winbind setup.
- Hopefully you've made it this far, this is about when you'll start hitting enormous brick walls. Chin up!
- The rid backend will enumerate all domain accounts and groups and add them to a local database (not /etc/passwd). You need to first verify rid has correctly mapped out UID's and other info.
- Code:
- # wbinfo -u
- # wbinfo -g
- # wbinfo -i brian
- # getent passwd
- # getend group
- All 5 commands must return correct information before you can proceed. If this were some Ubuntu guide, I'd just leave it at that. Thankfully, it's not.
- wbinfo -u: all domain users
- wbinfo -g: all domain groups
- wbinfo -i brian: user information for brian
- Code:
- brian:*:6106:5513:Brian:/home/BFS/brian:/bin/bash
- getent passwd: all locally available accounts. Domain accounts will be at the bottom.
- getent group: all locally available groups. Domain groups will be at the bottom.
- If wbinfo -u and -g are successful, but you get this for wbinfo -i brian:
- Code:
- failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
- Could not get info for user brian
- that likely indicates something wrong in the idmap section and is very bad. The above configuration posted is confirmed to work fine with Ubuntu 14.04 and the versions listed above. It could also mean the user you asked for does not exist.
- If wbinfo -i brian returns this:
- Code:
- brian:*:4294967295:4294967295:Brian:/home/BFS/brian:/bin/bash
- This is also very bad. winbind is not properly enumerating UID/GID's from the domain. If you nss configuration is alright, then this is almost certainly caused by bad idmap options. Again, the smb.conf file posted above is confirmed to work.
- The same goes for getent passwd and groups. If the id's on the users or groups are 4294967295 and not within the range specified, this is wrong and will not function correctly. Take another look at your idmap section.
- Just in case you did, it should be noted the idmap backend = ad does not do what you think it does. This will attempt to pull all user information from the directory, including UID, login shell, etc. If you did not set these for each user in the domain on the DC, this won't work since there will be nothing to pull down! The UNIX attributes tab for each user is where you will need to go if you insist on going this route. I will stick with the rid method in this tutorial. The Samba page gives the options needed to use each backend correctly.
- After each configuration file edit, be it smb.conf, nsswitch.conf, etc. you need to restart all Samba services:
- Code:
- # redo() { service winbind restart; service nmbd restart; service smbd restart; }
- # redo
- winbind stop/waiting
- winbind start/running, process 30540
- nmbd stop/waiting
- nmbd start/running, process 30556
- smbd stop/waiting
- smbd start/running, process 30568
- #
- 8. PAM integration.
- If you made it this far congratulations! The worst is now over! PAM configuration is nice and easy, just run:
- Code:
- pam-auth-update
- and ensure the Winbind NT/Active Directory authentication box is checked. PAM by default does not create new home directories, so run this to append to your PAM configuration:
- Code:
- echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-account
- To test your new domain authentication setup, simply try logging in:
- Code:
- # login
- BFS-SCANNER login: brian
- Password:
- [stuff]
- brian@BFS-SCANNER:~$ pwd
- /home/BFS/brian
- brian@BFS-SCANNER:~$
- Yay! I have a home directory and login using my domain credentials!!
- One tiny downside to this setup is that passwd for domain accounts does not appear to work. I get an error every time, but that's minor anyways. Also, I strongly recommend version locking your winbind, samba, libnss-winbind, and libpam-winbind packages. It is a well-known fact the Samba team loves to drop random syntax changes between versions, and this will almost certainly break your setup. If it works, then leave it at that and don't touch it, you never know what might break from an update.
- Good luck everyone! If I missed anything, tell me and I'll add it.
- --------------------------------------------------------------------------------------------------
- [libdefaults]
- default_realm = GENERALITAT.GVA.ES
- default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
- dns_lookup_kdc = true
- pkinit_kdc_hostname = <DNS>
- pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
- pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
- pkinit_eku_checking = kpServerAuth
- pkinit_win2k_require_binding = false
- pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
- [domain_realm]
- .generalitat.gva.es = GENERALITAT.GVA.ES
- .centrales.agp.gva.es = CENTRALES.AGP.GVA.ES
- .centros.tra.gva.es = CENTROS.TRA.GVA.ES
- .cic.ad = CIC.AD
- .indi.gva.es = INDI.GVA.ES
- .cap.just.gva.es = CAP.JUST.GVA.ES
- .territorio.vivienda = TERRITORIO.VIVIENDA
- .nt.tra.gva.es = NT.TRA.GVA.ES
- .ivaj.gva.es = IVAJ.GVA.ES
- .presidencia.ad = PRESIDENCIA.AD
- .gov.gva.es = GOV.GVA.ES
- .invassat.local = INVASSAT.LOCAL
- .ocupacio.gva.es = OCUPACIO.GVA.ES
- .cencal = CENCAL
- .barbate.ha.gva.es = BARBATE.HA.GVA.ES
- .dwnt46.ha.gva.es = DWNT46.HA.GVA.ES
- .alicante.local = ALICANTE.LOCAL
- .coput.gva.es = COPUT.GVA.ES
- .avapsa.nt.tra.gva.es = AVAPSA.NT.TRA.GVA.ES
- .dtadona.nt.tra.gva.es = DTADONA.NT.TRA.GVA.ES
- .dta01.nt.tra.gva.es = DTA01.NT.TRA.GVA.ES
- .dtdv01.nt.tra.gva.es = DTDV01.NT.TRA.GVA.ES
- .cbasev.nt.tra.gva.es = CBASEV.NT.TRA.GVA.ES
- .dta00.nt.tra.gva.es = DTA00.NT.TRA.GVA.ES
- .dta02.nt.tra.gva.es = DTA02.NT.TRA.GVA.ES
- .dtc01.nt.tra.gva.es = DTC01.NT.TRA.GVA.ES
- .dgss.nt.tra.gva.es = DGSS.NT.TRA.GVA.ES
- .dtv1.nt.tra.gva.es = DTV1.NT.TRA.GVA.ES
- [realms]
- GENERALITAT.GVA.ES = {
- auth_to_local = RULE:[1:$0\$1](^GENERALITAT\.GVA\.ES\\.*)s/^GENERALITAT\.GVA\.ES\\//
- auth_to_local = RULE:[1:$0\$1](^CENTRALES\.AGP\.GVA\.ES\\.*)s/^CENTRALES\.AGP\.GVA\.ES/CENTRALES/
- auth_to_local = RULE:[1:$0\$1](^CENTROS\.TRA\.GVA\.ES\\.*)s/^CENTROS\.TRA\.GVA\.ES/CENTROS/
- auth_to_local = RULE:[1:$0\$1](^CIC\.AD\\.*)s/^CIC\.AD/CIC/
- auth_to_local = RULE:[1:$0\$1](^INDI\.GVA\.ES\\.*)s/^INDI\.GVA\.ES/INDI/
- auth_to_local = RULE:[1:$0\$1](^CAP\.JUST\.GVA\.ES\\.*)s/^CAP\.JUST\.GVA\.ES/CAP/
- auth_to_local = RULE:[1:$0\$1](^TERRITORIO\.VIVIENDA\\.*)s/^TERRITORIO\.VIVIENDA/AMBIENTE/
- auth_to_local = RULE:[1:$0\$1](^NT\.TRA\.GVA\.ES\\.*)s/^NT\.TRA\.GVA\.ES/SCV01/
- auth_to_local = RULE:[1:$0\$1](^IVAJ\.GVA\.ES\\.*)s/^IVAJ\.GVA\.ES/IVAJ/
- auth_to_local = RULE:[1:$0\$1](^PRESIDENCIA\.AD\\.*)s/^PRESIDENCIA\.AD/PRESIDENCIA/
- auth_to_local = RULE:[1:$0\$1](^GOV\.GVA\.ES\\.*)s/^GOV\.GVA\.ES/GOV/
- auth_to_local = RULE:[1:$0\$1](^INVASSAT\.LOCAL\\.*)s/^INVASSAT\.LOCAL/INVASSAT/
- auth_to_local = RULE:[1:$0\$1](^OCUPACIO\.GVA\.ES\\.*)s/^OCUPACIO\.GVA\.ES/SERVEF/
- auth_to_local = RULE:[1:$0\$1](^CENCAL\\.*)s/^CENCAL/CENCAL/
- auth_to_local = RULE:[1:$0\$1](^BARBATE\.HA\.GVA\.ES\\.*)s/^BARBATE\.HA\.GVA\.ES/BARBATE/
- auth_to_local = RULE:[1:$0\$1](^DWNT46\.HA\.GVA\.ES\\.*)s/^DWNT46\.HA\.GVA\.ES/DWNT46/
- auth_to_local = RULE:[1:$0\$1](^ALICANTE\.LOCAL\\.*)s/^ALICANTE\.LOCAL/ALICANTE/
- auth_to_local = RULE:[1:$0\$1](^COPUT\.GVA\.ES\\.*)s/^COPUT\.GVA\.ES/COP_VAL/
- auth_to_local = RULE:[1:$0\$1](^AVAPSA\.NT\.TRA\.GVA\.ES\\.*)s/^AVAPSA\.NT\.TRA\.GVA\.ES/AVAPSA/
- auth_to_local = RULE:[1:$0\$1](^DTADONA\.NT\.TRA\.GVA\.ES\\.*)s/^DTADONA\.NT\.TRA\.GVA\.ES/DTADONA/
- auth_to_local = RULE:[1:$0\$1](^DTA01\.NT\.TRA\.GVA\.ES\\.*)s/^DTA01\.NT\.TRA\.GVA\.ES/DTA01/
- auth_to_local = RULE:[1:$0\$1](^DTDV01\.NT\.TRA\.GVA\.ES\\.*)s/^DTDV01\.NT\.TRA\.GVA\.ES/DTVD01/
- auth_to_local = RULE:[1:$0\$1](^CBASEV\.NT\.TRA\.GVA\.ES\\.*)s/^CBASEV\.NT\.TRA\.GVA\.ES/CBASEV/
- auth_to_local = RULE:[1:$0\$1](^DTA00\.NT\.TRA\.GVA\.ES\\.*)s/^DTA00\.NT\.TRA\.GVA\.ES/DTTYASA1/
- auth_to_local = RULE:[1:$0\$1](^DTA02\.NT\.TRA\.GVA\.ES\\.*)s/^DTA02\.NT\.TRA\.GVA\.ES/DTA02/
- auth_to_local = RULE:[1:$0\$1](^DTC01\.NT\.TRA\.GVA\.ES\\.*)s/^DTC01\.NT\.TRA\.GVA\.ES/DTC01/
- auth_to_local = RULE:[1:$0\$1](^DGSS\.NT\.TRA\.GVA\.ES\\.*)s/^DGSS\.NT\.TRA\.GVA\.ES/DGSS/
- auth_to_local = RULE:[1:$0\$1](^DTV1\.NT\.TRA\.GVA\.ES\\.*)s/^DTV1\.NT\.TRA\.GVA\.ES/DTV1/
- auth_to_local = DEFAULT
- }
- [appdefaults]
- pam = {
- mappings = GENERALITAT\\(.*) $1@GENERALITAT.GVA.ES
- forwardable = true
- validate = true
- }
- httpd = {
- mappings = GENERALITAT\\(.*) $1@GENERALITAT.GVA.ES
- reverse_mappings = (.*)@GENERALITAT\.GVA\.ES GENERALITAT\$1
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement