I got the chance to configure one of my friend's old systems running Windows 2000 and Ubuntu 7 (yes, that is not a typo), and he wanted to authenticate some of his old Ubuntu PCs against Windows AD. Here is the tutorial for adding an Ubuntu box to an Active Directory domain and authenticating its users with AD.
Software needed:
Windows 2000 Advanced Server (acting as Domain Controller / AD)
Linux (Ubuntu 6 or 7)
Winbind
Samba
krb5-user
libpam-krb5
Terms used:
AD.freelinuxtutorials.com -> AD domain
10.201.0.251 -> DC IP address
AD.freelinuxtutorials.com -> Kerberos realm
10.201.0.193 -> NTP server
Step 1: Confirm connectivity
Confirm network connectivity and name resolution for the Active Directory domain controller by pinging the fully-qualified domain name (FQDN) of the AD DC on your network:
root@ubuntuclient#ping AD.freelinuxtutorials.com
If this fails, it is most likely a DNS issue: point the box at the correct DNS server, or add the entry to /etc/hosts.
Step 2: Set the time
Time is important for Kerberos, which is used for authentication in Active Directory networks: by default the KDC rejects requests from a client whose clock is more than 5 minutes off its own, so sync against the NTP server first.
/usr/sbin/ntpdate 10.201.0.193
Step 3: Set up Kerberos
Install the appropriate client software. This process assumes that you have enabled the Breezy main and security sources, as well as the Universe repository, in /etc/apt/sources.list.
Install the necessary Kerberos packages with the following apt-get command:
$ sudo apt-get install krb5-user libpam-krb5
Modify /etc/krb5.conf:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = AD.freelinuxtutorials.com
    # Windows 2000 only offers DES (and RC4). MIT krb5 1.8 and later refuse DES
    # unless "allow_weak_crypto = true" is also added to this section.
    default_etypes = des-cbc-crc des-cbc-md5
    default_etypes_des = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h

[realms]
    AD.freelinuxtutorials.com = {
        kdc = AD.freelinuxtutorials.com:88
        admin_server = AD.freelinuxtutorials.com:749
        default_domain = freelinuxtutorials.com
    }

[domain_realm]
    # Map the DNS domain to the realm defined in [realms] above.
    .freelinuxtutorials.com = AD.freelinuxtutorials.com
    freelinuxtutorials.com = AD.freelinuxtutorials.com

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
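As an added check that is not part of the tutorial, the following Python script parses a krb5.conf in the format above and flags two things worth catching before running kinit: a [domain_realm] entry that names a realm not defined in [realms], and DES enctypes, which MIT krb5 1.8 and later reject unless allow_weak_crypto = true is set. The sample configuration inside it is a constructed cut-down copy of the file above that maps the DNS domain to freelinuxtutorials.com instead of the realm AD.freelinuxtutorials.com, so the lint has something to report.

```python
"""Added example, not from the tutorial: a minimal krb5.conf reader plus a lint
pass for two pitfalls in the file above: a [domain_realm] entry pointing at a
realm never defined in [realms], and DES enctypes, which MIT krb5 1.8+
rejects unless allow_weak_crypto = true is also set."""

def parse_krb5_conf(text):
    """{section: {key: value}}; 'name = { ... }' blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indent
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                     # e.g. 'AD.example.com = {'
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def lint_krb5_conf(text):
    """Return a list of problems found; an empty list means clean."""
    conf, problems = parse_krb5_conf(text), []
    defined = set(conf.get("realms", {}))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in defined:
            problems.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    lib, weak = conf.get("libdefaults", {}), {"des-cbc-crc", "des-cbc-md5"}
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        if set(lib.get(key, "").split()) & weak and lib.get("allow_weak_crypto") != "true":
            problems.append(f"{key} lists DES; krb5 1.8+ also needs allow_weak_crypto = true")
    return problems

# Constructed cut-down copy of the tutorial's krb5.conf; the [domain_realm]
# entry points at the DNS domain, not the realm, so the lint reports it.
SAMPLE = """[libdefaults]
    default_realm = AD.freelinuxtutorials.com
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
    AD.freelinuxtutorials.com = {
        kdc = AD.freelinuxtutorials.com:88
    }
[domain_realm]
    .freelinuxtutorials.com = freelinuxtutorials.com
"""
```

Run it as `python3 -c 'import lint; print(lint.lint_krb5_conf(open("/etc/krb5.conf").read()))'` after saving it as lint.py to check the real file.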
Step 4: Testing
Request a Ticket-Granting Ticket (TGT) with the kinit command, then check that the ticket was issued with the klist command.
Sample output:
root@ubuntu:~# kinit Administrator@AD.freelinuxtutorials.com
Password for Administrator@AD.freelinuxtutorials.com:
root@ubuntu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD.freelinuxtutorials.com

Valid starting     Expires            Service principal
06/21/19 14:52:09  06/22/19 00:56:06  krbtgt/AD.freelinuxtutorials.com@AD.freelinuxtutorials.com
        renew until 06/22/19 14:52:09

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
At this point your Kerberos installation and configuration are operating correctly; the krbtgt entry in the krb5 cache is what matters, and the empty Kerberos 4 cache reported at the end is harmless.
Step 5: Join the AD domain
Install winbind and samba:
apt-get install winbind samba
Edit /etc/samba/smb.conf:
[global]
    workgroup = AD
    realm = AD.freelinuxtutorials.com
    # Required for "net ads join": Samba authenticates to the domain with Kerberos.
    security = ads
    hosts allow = 10.201.0. 10.200.0. 127.
    password server = AD.freelinuxtutorials.com
    # One uid/gid range is enough; "winbind uid/gid" are the older names for
    # "idmap uid/gid", and the later setting in the file overrides the earlier one.
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = yes
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file:
root@ubuntu:~# /etc/init.d/winbind stop
root@ubuntu:~# /etc/init.d/samba restart
root@ubuntu:~# /etc/init.d/winbind start
Join the domain:
net ads join -U Administrator@AD.freelinuxtutorials.com
password:XXXXXXXXXXXX
Using short domain name - AD
Joined 'ubuntu' to realm 'AD.freelinuxtutorials.com'
Step 6: Test the AD join
wbinfo -u
You should get a list of the domain's users.
wbinfo -g
And a list of its groups.
Step 7: Set up authentication
Modify /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files compat winbind
hosts: files dns wins winbind
networks: files
protocols: db files winbind
services: db files winbind
ethers: db files
rpc: db files
netgroup: nis files winbind
Step 8: Test the winbind nsswitch module
Check the winbind nsswitch module with getent; domain users and groups should now be listed after the local ones:
getent passwd
getent group
Step 9: Modify PAM
The PAM configuration lives in /etc/pam.d. Edit the following files:

/etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_krb5.so minimum_uid=1000
account required pam_unix.so nullok_secure
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_krb5.so

/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
auth required pam_unix.so
auth sufficient pam_group.so use_first_pass

/etc/pam.d/common-session
session required pam_unix.so
session optional pam_foreground.so
session optional pam_krb5.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
@include common-account

/etc/pam.d/samba
@include common-auth
@include common-account
@include common-session
@include common-password

/etc/pam.d/common-password
# Ubuntu default line, replaced by the line below (max raised from 8 to 50):
#password required pam_unix.so nullok obscure min=4 max=8 md5
password required pam_unix.so nullok obscure min=4 max=50 md5
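As an added illustration that is not from the tutorial, this Python model of the Linux-PAM control flags walks the common-auth stack above and shows why a domain user and a local user are both accepted while a wrong password is refused, and why a success from pam_group.so cannot rescue a login that pam_unix.so (required) has already rejected. The model is simplified: each module simply succeeds or fails, and PAM_IGNORE and the long [value=action] syntax are not covered.

```python
"""Added example, not from the tutorial: a small model of the Linux-PAM control
flags, run over the common-auth stack configured above, to show why a domain
user and a local user are both accepted while a bad password is refused.
Simplified: a module either succeeds or fails; PAM_IGNORE and the long
[value=action] syntax are not modelled."""

# The common-auth stack from this tutorial as (control flag, module).
COMMON_AUTH = [
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_unix.so"),
    ("sufficient", "pam_group.so"),
]

def run_stack(stack, results):
    """Walk the stack; results maps module -> True (success) or False (fail).
    Returns (outcome, modules consulted). Rules modelled: a failed 'required'
    keeps walking (so the caller cannot tell which module refused) but fixes
    the final answer as failure; a successful 'sufficient' ends the walk at
    once unless a 'required' has already failed; 'requisite' fails at once."""
    impression = None      # None = undecided, True = positive, False = negative
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "sufficient":
            if ok and impression is not False:
                return "success", consulted
        elif control == "requisite":
            if not ok:
                return "failure", consulted
            impression = True if impression is None else impression
        elif control == "required":
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "optional" and ok and impression is None:
            impression = True
    return ("success" if impression else "failure"), consulted

# Constructed scenarios: the set of modules that would accept the supplied password.
DOMAIN_USER = {"pam_winbind.so": True}                      # AD account, good password
LOCAL_USER = {"pam_unix.so": True, "pam_group.so": True}    # /etc/passwd account
BAD_PASSWORD = {}                                           # nobody accepts it

def outcome(results):
    """Final PAM verdict for one scenario against the tutorial's common-auth."""
    return run_stack(COMMON_AUTH, results)[0]
```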
Step 10: Create the domain directory in /home
#mkdir /home/AD
Shortcut for the configuration files
All of the configuration files can be fetched with wget from http://10.201.0.193/script:
nsswitch.conf, krb5.conf and smb.conf are in the script folder;
the pam.d configuration files are in script/pam.
e.g.
#cd /etc/
#wget http://10.201.0.193/script/krb5.conf
#cd /etc/samba
#wget http://10.201.0.193/script/smb.conf
You can also add a boot-up script and call it from /etc/rc.local:
vi /root/script.sh
#!/bin/sh
/usr/sbin/ntpdate 10.201.0.193
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
Save and exit.
Make the script executable:
#chmod +x /root/script.sh
Append the script to /etc/rc.local so it runs during start-up:
/root/script.sh