Authenticating Linux clients against MS Active Directory
Latest revision as of 07:42, 9 July 2013
This page describes the steps needed to let Ubuntu 12.04 clients authenticate users against AIT's Active Directory (AD) server. Groups and settings from DTU-Basen can then be used on the clients, as well as the users' home directories on dtu-storage.
The setup is heavily inspired by the following manual for RHEL systems: Linux-AD
Install Samba and Kerberos:
$ sudo apt-get install samba krb5-user winbind smbfs
Setup Kerberos (/etc/krb5.conf):
[libdefaults]
    default_realm = WIN.DTU.DK
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    WIN.DTU.DK = {
        default_domain = win.dtu.dk
    }

[domain_realm]
    .win.dtu.dk = WIN.DTU.DK
    win.dtu.dk = WIN.DTU.DK
Setup Samba (/etc/samba/smb.conf):
#======================= Global Settings =======================
[global]
    workgroup = WIN
    server string =
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    realm = WIN.DTU.DK
    netbios name = elek-aut-01 # <--- Insert a suitable name here
    idmap config * : backend = rid
    idmap config * : range = 5000-100000000
    idmap config * : base_rid = 0
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    allow trusted domains = No
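The idmap settings above decide which Unix uid and gid every AD user and group gets on the client. The following script is an added example, not part of the original page: it applies the idmap_rid mapping rule to the range and base_rid shown above (the function names and the sample SIDs are made up), and flags a range that overlaps the local account range from /etc/login.defs.

```shell
#!/bin/sh
# Added example, not from the original page: work out which Unix id the
# idmap "rid" backend gives an AD SID under the smb.conf settings above.
# idmap_rid(8) maps ID = RID - base_rid + low_range, deterministically and
# without a database, so every client joined with the same settings maps
# the same AD user to the same uid; that is what keeps uid=%(USERUID) on
# the cifs home mount consistent across machines.
IDMAP_LOW=5000          # "idmap config * : range = 5000-100000000"
IDMAP_HIGH=100000000
IDMAP_BASE_RID=0        # "idmap config * : base_rid = 0"

# rid_to_id SID -> prints the mapped uid/gid; returns 1 for a SID that is
# not a domain SID or that maps outside the configured range (winbind
# cannot map such a SID, so that user or group gets no Unix id).
rid_to_id() {
    case "$1" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain SID: $1" >&2; return 1 ;;
    esac
    rid=${1##*-}
    id=$((rid - IDMAP_BASE_RID + IDMAP_LOW))
    if [ "$id" -lt "$IDMAP_LOW" ] || [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "RID $rid maps to $id, outside $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    fi
    echo "$id"
}

# idmap_overlaps_local UID_MIN UID_MAX -> 0 if the idmap range overlaps the
# local account range from /etc/login.defs (1000-60000 on Ubuntu by default).
# An overlap means a local user could end up with the same uid as a domain
# user, so no local accounts must be created inside the idmap range.
idmap_overlaps_local() {
    [ "$IDMAP_LOW" -le "$2" ] && [ "$IDMAP_HIGH" -ge "$1" ]
}

# Constructed sample SIDs (the domain part is made up):
DOM=S-1-5-21-1111111111-2222222222-3333333333
rid_to_id "$DOM-1105"              # a regular user, RID 1105 -> 6105
rid_to_id "$DOM-513"               # "Domain Users" group, RID 513 -> 5513
rid_to_id S-1-5-32-544 || true     # BUILTIN\Administrators: not a domain SID
idmap_overlaps_local 1000 60000 && echo "warning: idmap range overlaps local uids"
```

With Ubuntu's default UID_MIN/UID_MAX the range 5000-100000000 does overlap local uids, so local accounts on these clients must stay below 5000.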
Add the machine to the AD
Get a Kerberos ticket by issuing:
$ sudo kinit <campusnet-login>@WIN.DTU.DK
Add the PC to the AD domain by issuing:
$ sudo net ads join -U <campusnet-login>
The PC name needs to start with "elek-" (when dealing with DTU-Elektro machines). The name must be the same as the "netbios name" in the Samba configuration file. Dual-boot Windows machines that already have an "elek-" name must be given a different name to avoid conflicting computer accounts in AD (even WinXP and Win7 cannot share the same AD computer account).
Add Winbind to the nsswitch configuration (/etc/nsswitch.conf):
passwd:         nis compat winbind
group:          nis compat winbind
shadow:         nis compat winbind
hosts:          files dns wins mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
Check that
$ wbinfo -u
gives a list of all AD users (this might take a while).
Automatic mounting of home directory
By installing "pam_mount" it is possible to mount AD users' home directories automatically upon login. The package is installed by:
$ sudo apt-get install libpam-mount
A skeleton homedrive (mount point) can be created using pam_mkhomedir. This is done by adding session required pam_mkhomedir.so skel=/etc/skel umask=0077 to /etc/pam.d/common-session just before pam_mount. Listing of /etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_mount.so
session optional pam_ck_connector.so nox11
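The order of the two lines matters: pam_mkhomedir must run before pam_mount so the mount point exists, and umask=0077 keeps the freshly created directory private to its owner. The following check is an added example, not part of the original page (the function name is made up); it scans a common-session file for both conditions and is run here against the stack shown above and a deliberately wrong one.

```shell
#!/bin/sh
# Added example, not from the original page: check that common-session stacks
# pam_mkhomedir.so before pam_mount.so and gives pam_mkhomedir umask=0077.
# check_session_stack FILE -> 0 when ok, 1 otherwise (reasons on stderr)
check_session_stack() {
    awk '
        # ignore comments, blank lines and non-session entries
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || $1 != "session" { next }
        {
            n++    # position of this entry in the session stack
            for (i = 1; i <= NF; i++) {
                if ($i == "pam_mkhomedir.so") { mk = n; mkline = $0 }
                if ($i == "pam_mount.so")     { mnt = n }
            }
        }
        END {
            ok = 1
            if (!mk)  { print "pam_mkhomedir.so missing" > "/dev/stderr"; ok = 0 }
            if (!mnt) { print "pam_mount.so missing" > "/dev/stderr"; ok = 0 }
            if (mk && mnt && mk > mnt) { print "pam_mkhomedir.so must precede pam_mount.so" > "/dev/stderr"; ok = 0 }
            if (mk && mkline !~ /umask=0077/) { print "pam_mkhomedir.so lacks umask=0077" > "/dev/stderr"; ok = 0 }
            if (!ok) exit 1
        }' "$1"
}
# Constructed samples: the stack shown on this page, and a wrong one where
# pam_mount runs before pam_mkhomedir and the umask is missing.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_mount.so
session optional pam_ck_connector.so nox11
EOF
cat > "$BAD" <<'EOF'
session required pam_unix.so
session optional pam_mount.so
session required pam_mkhomedir.so skel=/etc/skel
EOF
check_session_stack "$GOOD" && echo "page stack: ok"
check_session_stack "$BAD" || echo "bad stack: rejected"
```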
A somewhat working pam_mount configuration is (/etc/security/pam_mount.conf.xml):
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <debug enable="0" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />
    <logout wait="100000" hup="yes" term="yes" kill="no" />
    <volume pgrp="domain users" server="dtu-storage.win.dtu.dk" path="" mountpoint="home/WIN" fstype="cifs" />
    <cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700%(before=\",\" OPTIONS)"</cifsmount>
    <umount>umount %(MNTPT)/%(USER)</umount>
    <mkmountpoint enable="1" remove="false" />
</pam_mount>
There are problems with multiple mounts and mounts that hang upon logout.
In the best of worlds you should now be able to log in to the machine using your campusnet login and password, and your home directory should be automatically mounted upon login.