Archive for August, 2009

A note about this theme

August 30th, 2009 admin Comments off

The theme I am using is a hacked version of “The Dark_Black Theme.” I want to make sure the creators of the theme get credit, but if there is anything you do not like about the theme, blame it on me. I decided I did not like the gray entries on black background because in my opinion it was too hard to read, so I changed it and removed their credits from the footer because of the changes. Just making sure to give credit where credit is due.

Categories: Code Tags:

Ubuntu Join Active Directory

August 28th, 2009 jud Comments off

I wrote similar documentation for work and decided to make it generic enough for others to do this. For all I know there is now some GUI tool that does this, however, I believe it’s best to know what’s going on in the background in order to troubleshoot when something goes wrong.

NTP
First set up NTP, because AD (really Kerberos) depends on accurate time and on DNS.

# apt-get install ntp

Change this line in /etc/ntp.conf

# You do need to talk to an NTP server or two.
server ntp.circus.com

Restart ntp.

# /etc/init.d/ntp restart

Kerberos
Install the Kerberos packages; these will bring some dependencies with them.

# apt-get install krb5-config krb5-user libpam-krb5 libkadm55

Now for a bit of DNS trivia that is useful to know: Kerberos clients locate the KDCs for a realm through SRV records. Just for fun, run this command:

$ dig -t SRV _kerberos._tcp.circus.com

;; ANSWER SECTION:
_kerberos._tcp.circus.com. 600  IN      SRV     0 100 88 a2.CIRCUS.COM.
_kerberos._tcp.circus.com. 600  IN      SRV     0 100 88 a1.CIRCUS.COM.
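
As an added example (not from the original post), here is a small shell script that turns that dig answer into something usable: it lists the KDCs in the order a client would try them (lowest priority first, then highest weight) and prints the explicit [realms] stanza that krb5.conf below uses. The answer section it parses is constructed to look like the one above, with one extra lower-priority record so the ordering is visible; the hostnames are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): parse `dig -t SRV` output
# into an ordered KDC list and a krb5.conf [realms] stanza.

# Constructed answer section in the format dig prints above. The third
# record is a lower-priority fallback added so the ordering shows; the
# hostnames are placeholders.
SRV_SAMPLE=';; ANSWER SECTION:
_kerberos._tcp.circus.com. 600  IN      SRV     0 100 88 a1.CIRCUS.COM.
_kerberos._tcp.circus.com. 600  IN      SRV     0 50 88 a2.CIRCUS.COM.
_kerberos._tcp.circus.com. 600  IN      SRV     10 100 88 backup.CIRCUS.COM.'

# srv_kdcs: read dig output on stdin, print "host port" per record in the
# order a client tries them: lowest priority first, then highest weight.
# SRV fields are: priority weight port target.
srv_kdcs() {
    awk '$4 == "SRV" { print $5, $6, $7, $8 }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ host = tolower($4); sub(/\.$/, "", host); print host, $3 }'
}

# krb5_realms_stanza REALM: turn the "host port" list on stdin into the
# explicit kdc lines of a [realms] block, as in the krb5.conf below.
krb5_realms_stanza() {
    printf '[realms]\n    %s = {\n' "$1"
    while read -r host port; do
        printf '        kdc = %s:%s\n' "$host" "$port"
    done
    printf '    }\n'
}

# Demo on the constructed sample:
printf '%s\n' "$SRV_SAMPLE" | srv_kdcs
printf '%s\n' "$SRV_SAMPLE" | srv_kdcs | krb5_realms_stanza CIRCUS.COM
```

Against a live domain you would feed it the real query instead of the sample, i.e. `dig -t SRV _kerberos._tcp.circus.com | srv_kdcs`. If the list comes back empty, DNS is the problem, not Kerberos, and kinit will fail no matter what krb5.conf says.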

Now edit the /etc/krb5.conf file:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = CIRCUS.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    AD = {
        kdc = ad1.circus.com:88
        admin_server = ad1.circus.com:749
        default_domain = circus.com
    }

    CIRCUS.COM = {
        kdc = ad2.circus.com
        kdc = ad1.circus.com
    }

[domain_realm]
    circus.com = CIRCUS.COM
    .circus.com = CIRCUS.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

Now test the Kerberos install. Notice that CIRCUS.COM is in ALL CAPS; realm names are case-sensitive:

# kinit judson.bishop@CIRCUS.COM
Password for judson.bishop@CIRCUS.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: judson.bishop@CIRCUS.COM

Valid starting     Expires            Service principal
03/04/09 10:29:55  03/04/09 20:30:00  krbtgt/CIRCUS.COM@CIRCUS.COM
renew until 03/05/09 10:29:55

So kerberos works.

Samba
And the samba configuration file:

# cat /etc/samba/smb.conf | grep -v -e "\#" -e "\;" | sed /^$/d
[global]
   workgroup = AD
   password server = ad1.circus.com
   realm = AD.CIRCUS.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   obey pam restrictions = yes
   allow trusted domains = no
   server string = Hostname %v
   log file = /var/log/samba/%m.log
   realm = AD.CIRCUS.COM
   local master = no
   load printers = yes
   cups options = raw
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

Join AD
Notice the ALL CAPS domain: it has to match your Kerberos realm.

# net ads join -U judson.bishop@CIRCUS.COM

You may have to set up your /etc/samba/smb.conf file first. Also, if you have trouble here, you may have to go into Active Directory, delete this computer, and then join it to the domain again. The delete and re-add may require a new kinit as well. Sorry I can’t be of more help, but this tip may save you a considerable amount of time.

Winbind
Install winbind.

# apt-get install winbind
# /etc/init.d/winbind start

Pam
You need to change all of the “common” files in the /etc/pam.d directory. Go to that directory and make a backup first, just in case:

# for I in common*; do cp "$I" "$I.sav"; done

These are the files as they are on my test server; the grep just leaves out the comments, because some can be verbose.

/etc/pam.d # cat common-auth | grep -v \#
auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u debug
auth    sufficient      pam_winbind.so use_first_pass
auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate missingok
/etc/pam.d # cat common-password | grep -v \#
password   requisite   pam_unix.so nullok obscure md5
password   optional   pam_smbpass.so nullok use_authtok use_first_pass missingok
/etc/pam.d # cat common-session | grep -v \#
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
NSSwitch

Edit your nsswitch configuration file, /etc/nsswitch.conf.
The following are just the lines you need to change, not the whole file.

/etc/pam.d# cat /etc/nsswitch.conf | grep -v \#
passwd:     files winbind
shadow:     files winbind
group:      files winbind
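
The mistakes this post keeps warning about (a lower-case realm, winbind missing from nsswitch.conf, no pam_mkhomedir in common-session) are easy to audit before you try the join. The following is an added example, not part of the original post: a few POSIX shell checks that take file paths, run here against constructed copies of krb5.conf, nsswitch.conf and common-session in a temporary directory. Point them at the real files under /etc to audit a server.

```sh
#!/bin/sh
# Added example (not from the original post): audit the files this procedure
# edits. Each check takes a path, so it can be run against the real files in
# /etc; here it runs against constructed copies in a temporary directory.

# strip_comments FILE: drop comments and blank lines, as `grep -v \#` does above
strip_comments() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# check_realm_case KRB5CONF: default_realm must be upper case. A lower-case
# realm is the mistake the post warns about twice; kinit and net ads join
# then fail with misleading "cannot find KDC" errors.
check_realm_case() {
    realm=$(strip_comments "$1" \
        | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        | head -n1 | tr -d '[:space:]')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

# check_nss_winbind NSSWITCH: passwd, group and shadow must all list winbind,
# or getent and id never see domain accounts even after a successful join.
check_nss_winbind() {
    for db in passwd group shadow; do
        strip_comments "$1" | grep -E -q "^${db}:.*[[:space:]]winbind([[:space:]]|$)" || return 1
    done
}

# check_pam_mkhomedir COMMON_SESSION: without pam_mkhomedir the first ssh
# login of a domain user has no home directory to land in.
check_pam_mkhomedir() {
    strip_comments "$1" | grep -q '^session[[:space:]].*pam_mkhomedir\.so'
}

# audit KRB5CONF NSSWITCH COMMON_SESSION: report each check, fail if any fails
audit() {
    rc=0
    for check in "check_realm_case $1" "check_nss_winbind $2" "check_pam_mkhomedir $3"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    return $rc
}

# Constructed sample files (contents modelled on the configs shown above).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CIRCUS.COM
    dns_lookup_kdc = true
EOF
cat > "$tmp/krb5-lowercase.conf" <<'EOF'
[libdefaults]
    default_realm = circus.com   # wrong: realm names are case-sensitive
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF
cat > "$tmp/nsswitch-nogroup.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files
EOF
cat > "$tmp/common-session" <<'EOF'
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

audit "$tmp/krb5.conf" "$tmp/nsswitch.conf" "$tmp/common-session"
audit "$tmp/krb5-lowercase.conf" "$tmp/nsswitch-nogroup.conf" "$tmp/common-session" \
    || echo "audit failed as expected for the bad copies"
```

On a real box the call is simply `audit /etc/krb5.conf /etc/nsswitch.conf /etc/pam.d/common-session`; a FAIL line tells you which of the three edits above did not take.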
Testing

# getent passwd judson.bishop
# getent group
# wbinfo -t
# wbinfo -u
# wbinfo -g
# net ads info

From another server, log into Ubuntu using ssh.

ssh -l judson.bishop server.circus.com

More troubleshooting, if you are having trouble with a user:

# id CIRCUS+judson.bishop
uid=16778342(judson.bishop)
gid=16777729(domain users)
...output removed...
# ls -ldn /home/AD/judson.bishop/
drwxr-xr-x 3 16778342 16777729 4096 Nov 25 15:56 /home/CIRCUS/judson.bishop/
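
The uid and gid that id prints should land inside the idmap ranges set in smb.conf (16777216-33554431 above); a value outside that range means winbind is mapping through a different backend than you configured, and a range that overlaps the local account range would let a domain account collide with a local user's files. Here is an added example (not from the original post) that checks both; the smb.conf lines and the id output are constructed from the values shown above, and 1000-60000 is only the Debian/Ubuntu default local range from login.defs.

```sh
#!/bin/sh
# Added example (not from the original post): check that a domain user's
# uid and gid fall inside the `idmap uid` / `idmap gid` ranges from smb.conf
# and that those ranges stay clear of the local account range.

# Constructed sample: the relevant lines of the smb.conf shown above, and
# an id(1) line for the same user as in the troubleshooting output.
SMB_CONF_SAMPLE='[global]
   workgroup = AD
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431'
ID_SAMPLE='uid=16778342(judson.bishop) gid=16777729(domain users) groups=16777729(domain users)'

# idmap_range SMBCONF uid|gid: print "low high" for that idmap parameter
idmap_range() {
    awk -F= -v key="idmap $2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }
    ' "$1"
}

# id_field ID_OUTPUT uid|gid: the numeric uid or gid from the output of id(1)
# (works whether id printed one line or, as shown above, several)
id_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=\([0-9][0-9]*\)(.*/\1/p" | head -n1
}

# check_idmap SMBCONF ID_OUTPUT: 0 if uid and gid are both inside their
# ranges, 1 if either is outside, 2 if a value could not be parsed
check_idmap() {
    for kind in uid gid; do
        range=$(idmap_range "$1" "$kind")
        n=$(id_field "$2" "$kind")
        [ -n "$range" ] && [ -n "$n" ] || return 2
        low=${range% *}; high=${range#* }
        [ "$n" -ge "$low" ] && [ "$n" -le "$high" ] || return 1
    done
    return 0
}

# check_no_local_overlap SMBCONF LOCAL_MIN LOCAL_MAX: the idmap uid range must
# not intersect the range login.defs hands to local users (pass the host's
# real UID_MIN/UID_MAX; 1000-60000 is the Debian/Ubuntu default)
check_no_local_overlap() {
    range=$(idmap_range "$1" uid)
    low=${range% *}; high=${range#* }
    [ "$high" -lt "$2" ] || [ "$low" -gt "$3" ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$SMB_CONF_SAMPLE" > "$tmp/smb.conf"

check_idmap "$tmp/smb.conf" "$ID_SAMPLE" && echo "uid/gid inside idmap range"
check_no_local_overlap "$tmp/smb.conf" 1000 60000 && echo "idmap range clear of local accounts"
```

On a joined server replace the sample with `check_idmap /etc/samba/smb.conf "$(id CIRCUS+judson.bishop)"`; a return of 1 is the case worth chasing, since it means the account resolved but not through the range you configured.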

Playing around with acls:

 cd /home/AD/e09049/
 mkdir Test
 getfacl -R Test >getfacl-Test.txt
 chmod u+rwx Test/
 chmod g+rwx Test/
 chmod o-rwx Test/
 ls -al
 chmod g+s Test/
 setfacl -d -m mask:007 Test
 chown root:AD+854 Test

And finally to play around with group access:

# chown -R judson.bishop:smbgroup /opt/mr/
# chmod -R ug+rwx,o-rwx /opt/mr/

Categories: Linux Tags:

A note about dates.

August 3rd, 2009 admin Comments off

Many of you will notice that dates in the entry and dates in the scripts do not match. I have toyed with starting a blog for a few years and wrote entries when I had time. As a result I had a backlog of entries written that had never been published. So new posts will be interspersed with old posts as I continue to run across topics I feel are interesting enough to write about.

Categories: Musings Tags: