Ubuntu Linux and Active Directory

Overview

This guide is designed to help you get an Ubuntu Server or Ubuntu Workstation set up as a member of Active Directory. Ubuntu Linux can use Samba to act as a workstation, file server, or print server.

This guide covers setting up Samba as a file server or as a workstation. The print server functionality is not covered in this guide, but the basic file server setup should be enough to get you going.

Pre-Configuration

You must have a computer account created in Active Directory, ready to be used by this Samba host, before you begin. Please follow the UMNAD naming scheme when creating the computer account. See the following URL for details on naming standards: https://www1.umn.edu/umnad/oua/index.html

If this is a server, you should have already registered this machine in service gateway. http://go4service.umn.edu/

This guide will use the server name dept-MYHOST.ad.umn.edu throughout.

OS Installation

  • Warning: There is a bug in the Samba version used in Ubuntu 9.10 and older that prevents you from joining an Active Directory hosted on Windows 2008 servers. As UMNAD is a Windows Server 2008 directory, you must use a version of Samba that is 3.4.2 or newer. The version of Samba used in Ubuntu 10.4 is 3.4.7 or greater.
  • For File server setup: download the Ubuntu Server ISO image from here: http://local-mirror.cs.umn.edu/ubuntu-releases/10.04/
  • Install Ubuntu 10.4 according to your preferences.
    • For File server setup: it is a good idea to put the shares on their own partition
  • When prompted for a username, choose a username that is NOT in ad.umn.edu. This will be your fall-back username for logging into the system if Active Directory is inaccessible.

  • For File server setup: when you get to the Software selection screen, choose Samba Server.

  • After the system is installed, make sure to install all updates. You can optionally point your apt sources at the local U of MN mirror by issuing the following commands:
    sudo sed -i -e 's/us.archive.ubuntu.com/local-mirror.cs.umn.edu/g' /etc/apt/sources.list
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo reboot
    
  • If this will be a workstation, install the client-side packages:
    sudo apt-get install smbfs libpam-mount
    
  • If you did not choose Samba server as an option during system setup, you can install the required packages later from the command line by issuing the following command:
    sudo apt-get install samba winbind smbclient
  • Install Kerberos (when asked, set Default Kerberos 5 realm (or domain) to AD.UMN.EDU)
    sudo apt-get install krb5-user
    
    • Default Kerberos 5 realm (or domain): AD.UMN.EDU
  • If this is NOT a hosted machine (running on iron, not running virtually), then install ntpd.
  • Warning: Only install this on the underlying virtualization host, or on a stand-alone server.
    • If you install this on a virtual guest, it will fight with the hypervisor every time it tries to adjust the clock.
      sudo apt-get install ntp
      

Configuration

  • Network
    • For File server setup: ensure your network interface is statically assigned. Here is an example /etc/network/interfaces file:
      auto eth0
      iface eth0 inet static
              address 160.94.999.1
              netmask 255.255.255.0
              network 160.94.999.0
              broadcast 160.94.999.255
              gateway 160.94.999.126
              # dns-* options are implemented by the resolvconf package, if installed
              dns-nameservers 128.101.101.101 134.84.84.84
              dns-search ad.umn.edu
      
  • hosts file
    • Edit /etc/hosts so that the host has the proper FQDN in ad.umn.edu. Remember to use sudo vim /etc/hosts so you are able to save your edits afterwards.
      160.94.999.x   dept-MYHOST.ad.umn.edu dept-MYHOST
      
      Tip: replace 160.94.999.x with your host's actual IP address, and make sure it doesn't start with 127.0....
  • Hostname
    • Ensure the FQDN is in /etc/hostname
      dept-MYHOST
      
  • Configure the domain and search parameters
  • For File server setup: configure the /etc/resolv.conf file
    • Tip: if you manually configured your network settings, ensure that the search and domain parameters are set to ad.umn.edu
      domain ad.umn.edu
      search ad.umn.edu
      
  • If NTP was installed, configure ntpd
    • Add the following two server lines to your /etc/ntp.conf file:
      server ns.nts.umn.edu
      server nss.nts.umn.edu
      

Configure Kerberos

  • Change the following settings in your /etc/krb5.conf file:
    [libdefaults]
            default_realm = AD.UMN.EDU
            dns_fallback = yes
            ticket_lifetime = 36000
    
    [domain_realm]
            .umn.edu = AD.UMN.EDU
            .ad.umn.edu = AD.UMN.EDU
    

Configure Samba

  • Tip: You'll have to customize the following two options in the file below
    • server string
    • netbios name
  • Set the following options in your /etc/samba/smb.conf file:
    #======================= Global Settings =======================
    
    [global]
    
    # Change this to the workgroup/NT-domain name your Samba server will be part of
       workgroup = AD
    
    # server string is the equivalent of the NT Description field
       server string = My Departmental Samba Server
       netbios name = dept-MYHOST
    # This prevents nmbd from searching for NetBIOS names through DNS.
       dns proxy = no
       realm = AD.UMN.EDU
       local master = no
    
    #### Debugging/Accounting ####
    
    # This tells Samba to use a separate log file for each machine
    # that connects
       log file = /var/log/samba/log.%m
    
    # Cap the size of the individual log files (in KiB).
       max log size = 1000
    
    # We want Samba to log a minimum amount of information to syslog. Everything
    # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
    # through syslog you should set the following parameter to something higher.
       syslog = 0
    
    # Do something sensible when Samba crashes: mail the admin a backtrace
       panic action = /usr/share/samba/panic-action %d
    
    # Logins go to `last`
       wtmp directory = /var/log
       utmp = yes
       utmp directory = /var/run
    
    ####### Authentication #######
    
       # AD Membership pointers
       security = ADS
    
       # NTLMv2 Security options
       client ntlmv2 auth = yes
       ntlm auth = no
    
       # CVE-2000-1200
       # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1200
       guest account = nobody
       restrict anonymous = 2
    
       # Active Directory user mapping options
       # Commented out options can be enabled if AD turns on Unix Extensions for AD
       idmap backend = tdb
       idmap uid = 16777216-33554431
       idmap gid = 16777216-33554431
       idmap config AD:backend = rid
       idmap config AD:range = 100000-999999
    ;   idmap config AD:schema_mode = rfc2307
    
       template shell = /bin/bash
       template homedir = /home/%D/%U
       winbind separator = +
       winbind use default domain = yes
       winbind offline logon = true
       winbind enum users = no
       winbind enum groups = no
       winbind refresh tickets = true
    
    ########## Network  ###########
    
       # Only use the new AD port
       smb ports = 445
    
       # Increased throughput
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    
    ########## Printing ##########
    
    # Disable Printer Sharing
       load printers = no
    
    ######### Begin Shares #########
    # ...
    

Joining Active Directory

Now it's time to join UMNAD.
  • Reboot first
    sudo reboot
    
    • Yes, you can restart the samba services, but a reboot only takes 10 seconds.
  • Make sure that you add the computer, dept-MYHOST, to the AD group in the "Active Directory Users and Computers" utility in Windows.
  • In order to run the following commands, you will need a U of MN Active Directory OU Admin account (or know someone who has one). In this example, we'll assume the OU admin uses the login deptouadmin:
    sudo kinit deptouadmin@AD.UMN.EDU
    sudo net ads join -U deptouadmin
    
  • Restart the Samba winbind service
    sudo service winbind restart
    

Post Configuration

The following needs to be done after joining the domain.
  • Change the following lines in /etc/nsswitch.conf:
    passwd:         compat winbind
    group:          compat winbind

Local logins

For the most part, Ubuntu 10.4 sets up PAM for AD logins out of the "box". This can be a bad thing, or a good thing... depending on your use case.

Warning: If you DO NOT want everyone in AD to be able to log into your machine locally, or via SSH if it is installed, do the following.

  • Decide which group you want to have access to login to your machine. For this example I'm going to use dept-users.
  • Add the parameter require_membership_of=AD+Dept-Group-Name to the pam_winbind.so setting in /etc/pam.d/common-auth
    • for example:
      auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
      
      becomes
      auth    [success=1 default=ignore]      pam_winbind.so require_membership_of=AD+Dept-Group-Name krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
      
    • Tip: this is CASE SENSITIVE, so check to make sure you match the case of the group name exactly.

  • You'll need to create the home directory folder
    sudo mkdir /home/AD
    
  • It's also nice to automatically create home directories at login if they don't exist. You can do this by adding the following line to /etc/pam.d/common-session right after the pam_winbind.so line:
    # Make home directories
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel
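
The Samba and PAM settings above are easy to leave half-applied. The following script is an added example, not part of this wiki page: it audits an smb.conf and a common-auth file against the values this guide sets (ADS security, NTLMv2 only, anonymous access restricted, require_membership_of on pam_winbind.so). The sample files it creates are constructed for the demonstration.

```shell
# Added example: audits an smb.conf and a PAM common-auth file against the
# settings this guide recommends. File paths and contents below are constructed.
# smb_conf_check FILE: returns 0 if every recommended "key = value" pair is
# present and uncommented in FILE, otherwise prints each missing pair and returns 1.
smb_conf_check() {
    file=$1
    missing=0
    for pair in 'security|ADS' 'client ntlmv2 auth|yes' 'ntlm auth|no' \
                'guest account|nobody' 'restrict anonymous|2' \
                'smb ports|445' 'load printers|no'; do
        key=${pair%%|*}
        val=${pair#*|}
        # match "key = value" with any spacing; a line commented with ';' or '#' does not match
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$file"; then
            echo "missing or changed: $key = $val"
            missing=1
        fi
    done
    return $missing
}
# pam_membership_check FILE: returns 0 only if the pam_winbind.so auth line
# carries require_membership_of=, i.e. logins are limited to one AD group.
pam_membership_check() {
    grep -Eq '^[[:space:]]*auth.*pam_winbind\.so.*require_membership_of=[^[:space:]]+' "$1"
}
# Constructed samples: smb.conf as the guide sets it, one left at weaker values,
# and common-auth lines with and without the group restriction.
good=$(mktemp) bad=$(mktemp) pam_restricted=$(mktemp) pam_open=$(mktemp)
cat > "$good" <<'EOF'
[global]
   security = ADS
   client ntlmv2 auth = yes
   ntlm auth = no
   guest account = nobody
   restrict anonymous = 2
   smb ports = 445
   load printers = no
EOF
cat > "$bad" <<'EOF'
[global]
   security = user
   ntlm auth = yes
   restrict anonymous = 0
EOF
echo 'auth [success=1 default=ignore] pam_winbind.so require_membership_of=AD+Dept-Group-Name krb5_auth' > "$pam_restricted"
echo 'auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login' > "$pam_open"
smb_conf_check "$bad" || echo "smb.conf: review the lines above"
pam_membership_check "$pam_open" || echo "common-auth: any AD user can log in"
```

Run it against the real files with `smb_conf_check /etc/samba/smb.conf` and `pam_membership_check /etc/pam.d/common-auth` after editing them.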
    

Ubuntu 11.10 and 12.04

Ubuntu 11.10 and 12.04 don't give you the option to log in as another user at the login screen by default.

  • Hide the user list so the greeter prompts for a username:
    echo "greeter-hide-users=true" | sudo tee -a /etc/lightdm/lightdm.conf
    
  • Disable guest login:
    echo "allow-guest=false" | sudo tee -a /etc/lightdm/lightdm.conf
    

Sudo access

You might want to add your OU admins to the /etc/sudoers list.
  • You can do this by adding the following line to your /etc/sudoers file:
    %dept-ouadmins ALL=(ALL) ALL
    

TODO

  • Adding Shares
  • Sharing CUPS Printers
  • Mapping AD Shared Folders on a Client

-- AaronZirbes - 31 Mar 2010

Topic revision: r15 - 23 May 2012 - 11:13:18 - GregSilverman