Authenticating Ubuntu Client to Windows Active Directory

I got the chance to configure one of my friend's old systems running Windows 2000 and Ubuntu 7 (yes, it's not a typo), and he wants to authenticate some of his old Ubuntu PCs to Windows AD. Here's the tutorial for adding an Ubuntu box to an Active Directory domain and authenticating its users against AD.

Needed software:
Windows 2000 Advanced Server (functioning as Domain Controller, AD)
Linux (Ubuntu 6, 7)
Winbind
Samba
krb5-user
libpam-krb5

Used terms:
AD.freelinuxtutorials.com -> AD domain
10.201.0.251 -> DC IP address
AD.freelinuxtutorials.com -> Kerberos realm
10.201.0.193 -> NTP server

Step 1: Confirm connectivity
Confirm network connectivity and name resolution for the Active Directory domain controller. Ping the fully qualified domain name (FQDN) of the AD DC on your network:

root@ubuntuclient# ping AD.freelinuxtutorials.com

If this is not successful it is probably a DNS issue: point the client at the right DNS server, or add the DC's entry to /etc/hosts.

Step 2: Set the time
Time is important for Kerberos, which is used for authentication in Active Directory networks. Synchronize the clock against the NTP server:

/usr/sbin/ntpdate 10.201.0.193

Step 3: Set up Kerberos

Install the appropriate client software. This process assumes that you have enabled the Breezy main and security sources as well as the Universe repository in /etc/apt/sources.list.
Install the necessary Kerberos packages with the following apt-get command:

$ sudo apt-get install krb5-user libpam-krb5

Modify /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.freelinuxtutorials.com
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms]
AD.freelinuxtutorials.com = {
kdc = AD.freelinuxtutorials.com:88
admin_server = AD.freelinuxtutorials.com:749
default_domain = freelinuxtutorials.com
}

[domain_realm]
.freelinuxtutorials.com = AD.freelinuxtutorials.com
freelinuxtutorials.com = AD.freelinuxtutorials.com

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
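Two things in this file are worth checking mechanically before moving on to kinit: every [domain_realm] entry must map to the realm named in default_realm, and a DES-only enctype list like the one above (what this Windows 2000 setup uses) is refused by MIT krb5 1.8 and later unless allow_weak_crypto = true is set under [libdefaults]. The shell check below is an added example, not part of the original tutorial; the sample krb5.conf it writes is constructed from the settings above with a deliberate domain_realm mismatch so both checks fire.

```shell
# Added check, not part of the original tutorial: lint a krb5.conf of the shape
# shown above before running kinit. It reports [domain_realm] entries that do
# not map to default_realm, and DES-only enctype lists, which MIT krb5 1.8 and
# later refuse unless allow_weak_crypto = true is set. The sample is constructed.

# Print "section key value" lines; entries inside "{ }" blocks keep their section.
krb5_triples() {  # $1 = krb5.conf path
    awk '/^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }
         sec != "" && index($0, "=") { n = index($0, "="); k = substr($0, 1, n - 1)
             v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
             if (v != "{") print sec, k, v }' "$1"
}

# Return 1 when a domain_realm mapping names a realm other than default_realm.
check_domain_realm() {  # $1 = krb5.conf path
    realm=$(krb5_triples "$1" | awk '$1 == "libdefaults" && $2 == "default_realm" { print $3 }')
    bad=$(krb5_triples "$1" | awk -v r="$realm" '$1 == "domain_realm" && $3 != r { print $2 " -> " $3 }')
    [ -z "$bad" ] && return 0
    printf 'domain_realm does not map to default_realm %s:\n%s\n' "$realm" "$bad"; return 1
}

# Return 1 when every configured enctype is DES and allow_weak_crypto is not true.
check_enctypes() {  # $1 = krb5.conf path
    t=$(krb5_triples "$1")
    desonly=$(echo "$t" | awk '$1 == "libdefaults" && $2 ~ /types/ { seen = 1
        for (i = 3; i <= NF; i++) if ($i !~ /^des-/) strong = 1 }
        END { r = (seen && !strong) ? "yes" : "no"; print r }')
    allow=$(echo "$t" | awk '$1 == "libdefaults" && $2 == "allow_weak_crypto" { print $3 }')
    [ "$desonly" = yes ] && [ "$allow" != true ] || return 0
    echo "DES-only enctypes: add allow_weak_crypto = true to [libdefaults] or kinit fails"; return 1
}

# Constructed sample: the tutorial's DES enctypes plus a deliberately mismatched
# domain_realm mapping, so both checks fire. Prints the file's path.
write_sample() {
    f=$(mktemp); cat > "$f" <<'EOF'
[libdefaults]
default_realm = AD.freelinuxtutorials.com
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
AD.freelinuxtutorials.com = {
kdc = AD.freelinuxtutorials.com:88
}
[domain_realm]
.freelinuxtutorials.com = freelinuxtutorials.com
EOF
    echo "$f"
}

f=$(write_sample); check_domain_realm "$f" && check_enctypes "$f" && echo "krb5.conf looks consistent"
```

Point the two check functions at /etc/krb5.conf on the client instead of the sample to lint the real file.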

Step 4: Testing

Request a Ticket-Granting Ticket (TGT) with the kinit command and check that the ticket request succeeded with the klist command.

Sample output:

root@ubuntu:~# kinit Administrator@AD.freelinuxtutorials.com
Password for Administrator@AD.freelinuxtutorials.com:
root@ubuntu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD.freelinuxtutorials.com

Valid starting Expires Service principal
06/21/19 14:52:09 06/22/19 00:56:06 krbtgt/AD.freelinuxtutorials.com@AD.freelinuxtutorials.com
renew until 06/22/19 14:52:09

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

At this point your Kerberos installation and configuration is operating correctly.

Step 5: Join the AD domain
Install winbind and samba:

apt-get install winbind samba

Modify /etc/samba/smb.conf:

[global]
workgroup = AD
hosts allow = 10.201.0. 10.200.0. 127.
password server = AD.freelinuxtutorials.com
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = yes
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
realm = AD.freelinuxtutorials.com

Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file:

root@ubuntu:~# /etc/init.d/winbind stop
root@ubuntu:~# /etc/init.d/samba restart
root@ubuntu:~# /etc/init.d/winbind start

Join the domain:
net ads join -U Administrator@AD.freelinuxtutorials.com
password:XXXXXXXXXXXX
Using short domain name -- AD
Joined 'ubuntu' to realm 'AD.freelinuxtutorials.com'

Step 6: Testing the AD join

wbinfo -u

You should get a list of the users of the domain. Likewise for the groups:

wbinfo -g

Step 7: Set up the authentication

Modify /etc/nsswitch.conf:

passwd: files winbind
group: files winbind
shadow: files compat winbind
hosts: files dns wins winbind
networks: files
protocols: db files winbind
services: db files winbind
ethers: db files
rpc: db files
netgroup: nis files winbind

Step 8: Testing winbind nsswitch

Check the Winbind nsswitch module with getent:
getent passwd
getent group
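Once getent lists domain and local accounts side by side, make sure the UID ranges in smb.conf cannot collide with local accounts: a shared UID makes a domain user and a local user indistinguishable to the kernel, and the smb.conf above sets both idmap uid and its older spelling winbind uid with different ranges. The check below is an added example, not part of the original tutorial; both input files it writes are constructed stand-ins for /etc/samba/smb.conf and /etc/passwd.

```shell
# Added check, not part of the original tutorial: read the UID ranges out of
# smb.conf and confirm that no local account in /etc/passwd falls inside them,
# since a shared UID makes a domain user and a local user indistinguishable to
# the kernel. Both input files below are constructed stand-ins for the real ones.

# Print "low high" for a range key such as "idmap uid" or "winbind uid".
idmap_range() {  # $1 = smb.conf path, $2 = key name in lower case
    awk -F= -v key="$2" '{ k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); n = split(v, r, "-")
                   if (n == 2) print r[1], r[2]; exit }' "$1"
}

# Print local user names whose UID lies inside [low, high].
uid_collisions() {  # $1 = passwd path, $2 = low, $3 = high
    awk -F: -v lo="$2" -v hi="$3" '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$1"
}

# Return 1 if the two spellings of the UID range disagree ("winbind uid" is the
# older name for "idmap uid") or if any range overlaps a local account.
check_idmap_ranges() {  # $1 = smb.conf path, $2 = passwd path
    rc=0; a=$(idmap_range "$1" "idmap uid"); b=$(idmap_range "$1" "winbind uid")
    if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
        echo "idmap uid ($a) and winbind uid ($b) name one parameter but differ"; rc=1
    fi
    for key in "idmap uid" "winbind uid"; do
        range=$(idmap_range "$1" "$key"); [ -n "$range" ] || continue
        low=${range% *}; high=${range#* }
        hits=$(uid_collisions "$2" "$low" "$high")
        [ -z "$hits" ] || { echo "$key $low-$high overlaps local users:" $hits; rc=1; }
    done
    return $rc
}

# Constructed samples reproducing the tutorial's ranges; prints the directory.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
[global]
workgroup = AD
idmap uid = 16777216-33554431
winbind uid = 10000-20000
EOF
    cat > "$d/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
svcbackup:x:15000:15000::/var/backups:/bin/sh
EOF
    echo "$d"
}

dir=$(write_samples)
check_idmap_ranges "$dir/smb.conf" "$dir/passwd" || echo "fix the ranges before joining the domain"
```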

Step 9: Modify PAM
Edit the following files under /etc/pam.d.

/etc/pam.d/common-account

account sufficient pam_winbind.so
account sufficient pam_krb5.so minimum_uid=1000
account required pam_unix.so nullok_secure
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so

/etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
auth required pam_unix.so
auth sufficient pam_group.so use_first_pass

/etc/pam.d/common-session

session required pam_unix.so
session optional pam_foreground.so
session optional pam_krb5.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

/etc/pam.d/sudo

#%PAM-1.0
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
@include common-account

/etc/pam.d/samba

@include common-auth
@include common-account
@include common-session
@include common-password

/etc/pam.d/common-password

password required pam_unix.so nullok obscure min=4 max=8 md5
password required pam_unix.so nullok obscure min=4 max=50 md5

Step 10: Create the domain directory in /home

# mkdir /home/AD

Easy steps for the configuration files

All config files can be fetched with wget from http://10.201.0.193/script.
nsswitch.conf, krb5.conf and smb.conf are in the script folder.
The pam.d config files are in script/pam.
e.g.
# cd /etc/
# wget http://10.201.0.193/script/krb5.conf

# cd /etc/samba
# wget http://10.201.0.193/script/smb.conf

You can add a boot-up script and call it from /etc/rc.local:
vi /root/script.sh

/usr/sbin/ntpdate 10.201.0.193
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Save and exit.

Make the script executable:

# chmod +x /root/script.sh

In /etc/rc.local, append the script so it runs during start-up:

/root/script.sh
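The wget step above pulls the client's PAM, NSS and Kerberos policy over plain HTTP and drops it straight into /etc, so the authentication policy is whatever the network delivered. As an added example, not part of the original tutorial, the script below records a published file's SHA-256 out of band and installs only copies whose digest matches; the published file, its altered copy and the digest are all constructed inside the script.

```shell
# Added example, not from the original tutorial: files pulled with wget over
# plain HTTP arrive with no integrity guarantee, and these ones become the
# client's PAM and NSS policy. Record each file's SHA-256 out of band when it is
# published and refuse to install a copy whose digest differs. The reference
# and altered files below are constructed for the demonstration.

sha256_of() {  # $1 = file; GNU coreutils sha256sum, or shasum where absent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Copy $1 to $2 only when its digest equals $3; keeps a .bak of any prior file.
install_verified() {  # $1 = downloaded file, $2 = destination, $3 = expected digest
    actual=$(sha256_of "$1")
    if [ "$actual" != "$3" ]; then
        echo "refusing to install $2: digest $actual != expected $3" >&2; return 1
    fi
    if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
    cp "$1" "$2" && chmod 0644 "$2"
}

# Constructed demo: a published krb5.conf, its recorded digest, and a copy
# altered in transit to point kdc at a made-up TEST-NET address. Prints the dir.
write_demo() {
    d=$(mktemp -d)
    printf '[libdefaults]\ndefault_realm = AD.freelinuxtutorials.com\n[realms]\nAD.freelinuxtutorials.com = {\nkdc = AD.freelinuxtutorials.com:88\n}\n' > "$d/krb5.conf.published"
    sha256_of "$d/krb5.conf.published" > "$d/krb5.conf.sha256"   # the out-of-band record
    sed 's/^kdc = .*/kdc = 192.0.2.10:88/' "$d/krb5.conf.published" > "$d/krb5.conf.altered"
    echo "$d"
}

d=$(write_demo)
install_verified "$d/krb5.conf.published" "$d/etc-krb5.conf" "$(cat "$d/krb5.conf.sha256")" && echo "installed"
install_verified "$d/krb5.conf.altered" "$d/etc-krb5.conf" "$(cat "$d/krb5.conf.sha256")" || echo "altered copy rejected"
```

On a real client the digest comes from the administrator who published the files, not from the same HTTP server that serves them.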

About the author

Free Linux