sudo aptitude install krb5-user
sudo aptitude install samba smbfs smbclient winbind
Configure samba
The likewise-open and samba packages use separate secrets.tdb files (the Samba password file), so we need to create a symlink in /var/lib/samba
Take a backup of the existing file
sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
Create a link to /var/lib/samba
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba
Configuring samba and kerberos
Edit /etc/samba/smb.conf file
sudo vi /etc/samba/smb.conf
Note: replace the ug01 NetBIOS name with your own
Change the following parameters
[global]
security = ads
netbios name = ug01
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Save and exit the file
Test the configuration with the testparm command
Kerberos Configuration
Edit the /etc/krb5.conf File
sudo vi /etc/krb5.conf
Change the following lines
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Save and exit the file
Configuring nsswitch file
Edit /etc/nsswitch.conf to look like the example below
sudo vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Save and exit the file
Modify the PAM settings
* /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
* /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
* Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
* Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
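An added check, not part of the original post: the script below audits the Kerberos enctype lines and the pam_unix options this guide configures, flagging the DES-family enctypes (deprecated by RFC 6649 and RFC 8429) and the nullok, md5 and min=4 settings. The function names and the MIN_LEN threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the krb5.conf and PAM lines configured in this guide.
# Each function prints one finding per line and returns 1 if it printed any.

# Flag DES-family enctypes (single DES and 3DES) on any *enctypes line.
audit_krb5() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*[a-z_]*enctypes[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            n = split(val, e, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^des/) { print key ": weak enctype " e[i]; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Flag pam_unix.so options that weaken password handling.
MIN_LEN=8   # assumption: this example's own threshold, not a value from the guide
audit_pam() {
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ || !/pam_unix\.so/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^nullok/) { print $1 ": " $i " allows empty passwords"; bad = 1 }
                if ($i == "md5")    { print $1 ": md5 password hashing"; bad = 1 }
                if ($i ~ /^min=/ && substr($i, 5) + 0 < min) { print $1 ": " $i " is below " min; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: the enctype and password lines shown in this guide.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[libdefaults]' \
        'default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc' > "$d/krb5.conf"
    printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=50 md5' \
        > "$d/common-password"
    rc=0
    audit_krb5 "$d/krb5.conf" || rc=1
    audit_pam "$d/common-password" || rc=1
    rm -rf "$d"
    return "$rc"
}
demo || echo "weak settings found"
```

On a configured host, point the functions at /etc/krb5.conf and the /etc/pam.d/common-* files; a non-zero return makes them usable as a gate in a provisioning script.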
Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
sudo mkdir -p /home/DOMAIN
Initialize Kerberos
sudo kinit domain_admin_account@DOMAIN.INTERNAL
Note: write $FQDN_OF_YOUR_DOMAIN in capitals, as you did in your krb5.conf file. You can check that you have obtained your ticket with klist.
Next check to be sure you got a ticket from the domain controller
sudo klist
If you have not yet added your Ubuntu server to Windows AD, use the following command
sudo net ads join -U Administrator@$FQDN_OF_YOUR_DOMAIN
Restart Samba-related Services (Or reboot the server)
Note: If you are stopping and starting services the order is important
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba start
sudo /etc/init.d/winbind start
Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try to log in.
sudo /etc/init.d/ssh restart
ssh useraccount@server
If you can log in using your Active Directory username and password, then everything is working fine.
Configure SUDO
First you need to create a group in Active Directory called UbuntuAdmins and add the names of people whom you want to be able to use sudo to admin the server.
Next, add the UbuntuAdmins group to /etc/sudoers so these users can use sudo
%UbuntuAdmins ALL=(ALL) ALL
Useful Commands
List the derived UNIX GID values for Active Directory groups
# Replace username with the Active Directory account to query
for gid in $(wbinfo -r username); do SID=$(wbinfo -G "$gid"); GROUP=$(wbinfo -s "$SID"); echo "$gid is $GROUP"; done
See the Active Directory SID for a particular named user
wbinfo -n username
Friday, March 13, 2009
Install samba and kerberos in Ubuntu
Posted by Harry Wisnu on Friday, March 13, 2009