Untitled

[TUTORIAL] AD integration with Ubuntu 14.04 and winbind
So it seems the internet is not short of winbind/smb documentation, but I have yet to find a cohesive start to finish guide for the setup process. So here goes nothing! This guide is for people looking to set up a Linux machine that will authenticate in a 1 forest, 1 domain Active Directory environment.

A bit of advice: be patient. This was one of the most frustrating things I have ever set up, mostly due to old/fragmented help around the internet. I strongly recommend against using Ubuntu's official guide, it's outdated and borderline useless. Hopefully I can save someone from a concussion with this.

1. Install winbind and other helper packages.

Here are the versions I used while writing this:

winbindd: 4.1.6-Ubuntu
samba: 4.1.6-Ubuntu
smbd: 4.1.6-Ubuntu
nmdb: 4.1.6-Ubuntu

The command to install all required packages:
Code:

# apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Of course, you'll need to install the dependencies as well. Just say yes to whatever apt-get comes up with.

2. Setup Kerberos authentication.
AD uses standard (for once) Kerberos for authentication, which easily fits in with Linux.

The environment I'm working in is as follows:
Domain controller: ad.bfs.com (10.0.0.20)
DNS server: 10.0.0.20
NetBIOS domain name: BFS

Kerberos configuration is located at:
Code:

/etc/krb5.conf


The following is my working krb5.conf:
Code:

[libdefaults]
 ticket_lifetime = 24000
 default_realm = AD.BFS.COM
 default_tgs_entypes = rc4-hmac des-cbc-md5
 default_tkt__enctypes = rc4-hmac des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 dns_fallback = yes

[realms]
 AD.BFS.COM = {
  kdc = ad.bfs.com:88
  default_domain = ad.bfs.com
 }

[domain_realm]
 .ad.bfs.com = AD.BFS.COM
 ad.bfs.com = AD.BFS.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

Capitalization matters! The realm name is just your domain controller's address in all caps.

3. Kerbs authentication

Once saved, test the setup with the following command. In this test, I'm looking for myself (brian) in the Kerbs realm of AD.BFS.COM controlled by the server at ad.bfs.com.

Code:

# kinit brian@AD.BFS.COM

This should return a password prompt for your test user, NOT the root user. If you get an error message of any kind, be sure your DC is online and reachable at the specified address + port and the username exists in the directory.

Once you successfully authenticate with the DC, we now need to authenticate an account with binding privileges. In my case, it's my ad-brian account.

Code:

# kinit ad-brian@AD.BFS.COM

This should go down like the test user, and you should receive a password prompt for the specified user, and receive nothing back upon completion.

4. winbind setup (the real fun begins now)
The default configuration given to you be Ubuntu is lengthy and a bit difficult to read. A much simpler one is given below, you will need to tune my configuration to suit your needs.

The file is located at:
Code:

/etc/samba/smb.conf

Code:

[global]

   netbios name = BFS-SCANNER
   workgroup = BFS
   security = ADS
   realm = AD.BFS.COM
   encrypt passwords = yes

   idmap config *:backend = rid
   idmap config *:range = 5000-100000

   winbind allow trusted domains = no
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = yes

   template shell = /bin/bash

If you must modify this file, I strongly recommend against messing with the idmap section unless you know exactly what you're doing. This by itself is the mother of all bitches to get working if you don't know what you're doing. The rid backend I'm using will work just fine for most workstations. As long as you keep the range consistent between Linux machines, the resulting uid/gid's will stay uniform between machines.

5. Configure nss to make domain accounts locally available.
The nss configuration is located at:
Code:

/etc/nsswitch.conf

All you need to do is append winbind to the end of the passwd and group lines. Like this:

Code:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

6. Joining the domain.
Easiest part of the whole tutorial:
Code:

# net ads join -k

You may get a DNS error, but the important bit is the successful domain joining message. As long as it informs you of this, you are fine.


Once joined, start or restart the following three services with this command:
Code:

# service winbind restart; service nmbd restart; service smbd restart

Note: it helps to define this chain as a function for easy refreshed in the future.

winbind will crap out on you if you aren't joined to a domain, so no shortcuts.

7. Testing winbind setup.
Hopefully you've made it this far, this is about when you'll start hitting enormous brick walls. Chin up!

The rid backend will enumerate all domain accounts and groups and add them to a local database (not /etc/passwd). You need to first verify rid has correctly mapped out UID's and other info.

Code:

# wbinfo -u
# wbinfo -g
# wbinfo -i brian
# getent passwd
# getend group

All 5 commands must return correct information before you can proceed. If this were some Ubuntu guide, I'd just leave it at that. Thankfully, it's not.

wbinfo -u: all domain users
wbinfo -g: all domain groups
wbinfo -i brian: user information for brian
Code:

brian:*:6106:5513:Brian:/home/BFS/brian:/bin/bash

getent passwd: all locally available accounts. Domain accounts will be at the bottom.
getent group: all locally available groups. Domain groups will be at the bottom.

If wbinfo -u and -g are successful, but you get this for wbinfo -i brian:
Code:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user brian

that likely indicates something wrong in the idmap section and is very bad. The above configuration posted is confirmed to work fine with Ubuntu 14.04 and the versions listed above. It could also mean the user you asked for does not exist.

If wbinfo -i brian returns this:
Code:

brian:*:4294967295:4294967295:Brian:/home/BFS/brian:/bin/bash

This is also very bad. winbind is not properly enumerating UID/GID's from the domain. If you nss configuration is alright, then this is almost certainly caused by bad idmap options. Again, the smb.conf file posted above is confirmed to work.

The same goes for getent passwd and groups. If the id's on the users or groups are 4294967295 and not within the range specified, this is wrong and will not function correctly. Take another look at your idmap section.

Just in case you did, it should be noted the idmap backend = ad does not do what you think it does. This will attempt to pull all user information from the directory, including UID, login shell, etc. If you did not set these for each user in the domain on the DC, this won't work since there will be nothing to pull down! The UNIX attributes tab for each user is where you will need to go if you insist on going this route. I will stick with the rid method in this tutorial. The Samba page gives the options needed to use each backend correctly.

After each configuration file edit, be it smb.conf, nsswitch.conf, etc. you need to restart all Samba services:

Code:

# redo() { service winbind restart; service nmbd restart; service smbd restart; }
# redo
winbind stop/waiting
winbind start/running, process 30540
nmbd stop/waiting
nmbd start/running, process 30556
smbd stop/waiting
smbd start/running, process 30568
#

8. PAM integration.
If you made it this far congratulations! The worst is now over! PAM configuration is nice and easy, just run:
Code:

pam-auth-update

and ensure the Winbind NT/Active Directory authentication box is checked. PAM by default does not create new home directories, so run this to append to your PAM configuration:
Code:

echo 'session    required    pam_mkhomedir.so skel=/etc/skel   umask=0022' >> /etc/pam.d/common-account

To test your new domain authentication setup, simply try logging in:
Code:

# login
BFS-SCANNER login: brian
Password:

[stuff]

brian@BFS-SCANNER:~$ pwd
/home/BFS/brian
brian@BFS-SCANNER:~$

Yay! I have a home directory and login using my domain credentials!!

One tiny downside to this setup is that passwd for domain accounts does not appear to work. I get an error every time, but that's minor anyways. Also, I strongly recommend version locking your winbind, samba, libnss-winbind, and libpam-winbind packages. It is a well-known fact the Samba team loves to drop random syntax changes between versions, and this will almost certainly break your setup. If it works, then leave it at that and don't touch it, you never know what might break from an update.

Good luck everyone! If I missed anything, tell me and I'll add it.


--------------------------------------------------------------------------------------------------

[libdefaults]
  default_realm = GENERALITAT.GVA.ES
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  dns_lookup_kdc = true
  pkinit_kdc_hostname = <DNS>
  pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
  pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
  pkinit_eku_checking = kpServerAuth
  pkinit_win2k_require_binding = false
  pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
[domain_realm]
  .generalitat.gva.es = GENERALITAT.GVA.ES
  .centrales.agp.gva.es = CENTRALES.AGP.GVA.ES
  .centros.tra.gva.es = CENTROS.TRA.GVA.ES
  .cic.ad = CIC.AD
  .indi.gva.es = INDI.GVA.ES
  .cap.just.gva.es = CAP.JUST.GVA.ES
  .territorio.vivienda = TERRITORIO.VIVIENDA
  .nt.tra.gva.es = NT.TRA.GVA.ES
  .ivaj.gva.es = IVAJ.GVA.ES
  .presidencia.ad = PRESIDENCIA.AD
  .gov.gva.es = GOV.GVA.ES
  .invassat.local = INVASSAT.LOCAL
  .ocupacio.gva.es = OCUPACIO.GVA.ES
  .cencal = CENCAL
  .barbate.ha.gva.es = BARBATE.HA.GVA.ES
  .dwnt46.ha.gva.es = DWNT46.HA.GVA.ES
  .alicante.local = ALICANTE.LOCAL
  .coput.gva.es = COPUT.GVA.ES
  .avapsa.nt.tra.gva.es = AVAPSA.NT.TRA.GVA.ES
  .dtadona.nt.tra.gva.es = DTADONA.NT.TRA.GVA.ES
  .dta01.nt.tra.gva.es = DTA01.NT.TRA.GVA.ES
  .dtdv01.nt.tra.gva.es = DTDV01.NT.TRA.GVA.ES
  .cbasev.nt.tra.gva.es = CBASEV.NT.TRA.GVA.ES
  .dta00.nt.tra.gva.es = DTA00.NT.TRA.GVA.ES
  .dta02.nt.tra.gva.es = DTA02.NT.TRA.GVA.ES
  .dtc01.nt.tra.gva.es = DTC01.NT.TRA.GVA.ES
  .dgss.nt.tra.gva.es = DGSS.NT.TRA.GVA.ES
  .dtv1.nt.tra.gva.es = DTV1.NT.TRA.GVA.ES
[realms]
  GENERALITAT.GVA.ES = {
   auth_to_local = RULE:[1:$0\$1](^GENERALITAT\.GVA\.ES\\.*)s/^GENERALITAT\.GVA\.ES\\//
   auth_to_local = RULE:[1:$0\$1](^CENTRALES\.AGP\.GVA\.ES\\.*)s/^CENTRALES\.AGP\.GVA\.ES/CENTRALES/
   auth_to_local = RULE:[1:$0\$1](^CENTROS\.TRA\.GVA\.ES\\.*)s/^CENTROS\.TRA\.GVA\.ES/CENTROS/
   auth_to_local = RULE:[1:$0\$1](^CIC\.AD\\.*)s/^CIC\.AD/CIC/
   auth_to_local = RULE:[1:$0\$1](^INDI\.GVA\.ES\\.*)s/^INDI\.GVA\.ES/INDI/
   auth_to_local = RULE:[1:$0\$1](^CAP\.JUST\.GVA\.ES\\.*)s/^CAP\.JUST\.GVA\.ES/CAP/
   auth_to_local = RULE:[1:$0\$1](^TERRITORIO\.VIVIENDA\\.*)s/^TERRITORIO\.VIVIENDA/AMBIENTE/
   auth_to_local = RULE:[1:$0\$1](^NT\.TRA\.GVA\.ES\\.*)s/^NT\.TRA\.GVA\.ES/SCV01/
   auth_to_local = RULE:[1:$0\$1](^IVAJ\.GVA\.ES\\.*)s/^IVAJ\.GVA\.ES/IVAJ/
   auth_to_local = RULE:[1:$0\$1](^PRESIDENCIA\.AD\\.*)s/^PRESIDENCIA\.AD/PRESIDENCIA/
   auth_to_local = RULE:[1:$0\$1](^GOV\.GVA\.ES\\.*)s/^GOV\.GVA\.ES/GOV/
   auth_to_local = RULE:[1:$0\$1](^INVASSAT\.LOCAL\\.*)s/^INVASSAT\.LOCAL/INVASSAT/
   auth_to_local = RULE:[1:$0\$1](^OCUPACIO\.GVA\.ES\\.*)s/^OCUPACIO\.GVA\.ES/SERVEF/
   auth_to_local = RULE:[1:$0\$1](^CENCAL\\.*)s/^CENCAL/CENCAL/
   auth_to_local = RULE:[1:$0\$1](^BARBATE\.HA\.GVA\.ES\\.*)s/^BARBATE\.HA\.GVA\.ES/BARBATE/
   auth_to_local = RULE:[1:$0\$1](^DWNT46\.HA\.GVA\.ES\\.*)s/^DWNT46\.HA\.GVA\.ES/DWNT46/
   auth_to_local = RULE:[1:$0\$1](^ALICANTE\.LOCAL\\.*)s/^ALICANTE\.LOCAL/ALICANTE/
   auth_to_local = RULE:[1:$0\$1](^COPUT\.GVA\.ES\\.*)s/^COPUT\.GVA\.ES/COP_VAL/
   auth_to_local = RULE:[1:$0\$1](^AVAPSA\.NT\.TRA\.GVA\.ES\\.*)s/^AVAPSA\.NT\.TRA\.GVA\.ES/AVAPSA/
   auth_to_local = RULE:[1:$0\$1](^DTADONA\.NT\.TRA\.GVA\.ES\\.*)s/^DTADONA\.NT\.TRA\.GVA\.ES/DTADONA/
   auth_to_local = RULE:[1:$0\$1](^DTA01\.NT\.TRA\.GVA\.ES\\.*)s/^DTA01\.NT\.TRA\.GVA\.ES/DTA01/
   auth_to_local = RULE:[1:$0\$1](^DTDV01\.NT\.TRA\.GVA\.ES\\.*)s/^DTDV01\.NT\.TRA\.GVA\.ES/DTVD01/
   auth_to_local = RULE:[1:$0\$1](^CBASEV\.NT\.TRA\.GVA\.ES\\.*)s/^CBASEV\.NT\.TRA\.GVA\.ES/CBASEV/
   auth_to_local = RULE:[1:$0\$1](^DTA00\.NT\.TRA\.GVA\.ES\\.*)s/^DTA00\.NT\.TRA\.GVA\.ES/DTTYASA1/
   auth_to_local = RULE:[1:$0\$1](^DTA02\.NT\.TRA\.GVA\.ES\\.*)s/^DTA02\.NT\.TRA\.GVA\.ES/DTA02/
   auth_to_local = RULE:[1:$0\$1](^DTC01\.NT\.TRA\.GVA\.ES\\.*)s/^DTC01\.NT\.TRA\.GVA\.ES/DTC01/
   auth_to_local = RULE:[1:$0\$1](^DGSS\.NT\.TRA\.GVA\.ES\\.*)s/^DGSS\.NT\.TRA\.GVA\.ES/DGSS/
   auth_to_local = RULE:[1:$0\$1](^DTV1\.NT\.TRA\.GVA\.ES\\.*)s/^DTV1\.NT\.TRA\.GVA\.ES/DTV1/
   auth_to_local = DEFAULT
  }
[appdefaults]
  pam = {
   mappings = GENERALITAT\\(.*) $1@GENERALITAT.GVA.ES
   forwardable = true
   validate = true
  }
  httpd = {
   mappings = GENERALITAT\\(.*) $1@GENERALITAT.GVA.ES
   reverse_mappings = (.*)@GENERALITAT\.GVA\.ES GENERALITAT\$1
  }