Authenticating Linux clients against MS Active Directory
The page describes the necessary steps to enable Ubuntu 12.04 clients to authenticate users against AIT's Active Directory (AD) server. Groups and settings in DTU-Basen can be used on the clients, as well as user home directories from dtu-storage.
The setup is heavily inspired by the following manual for RHEL systems: Linux-AD
Install Samba and Kerberos:
$ sudo apt-get install samba krb5-user winbind smbfs
Setup Kerberos (/etc/krb5.conf):
[libdefaults]
    default_realm = WIN.DTU.DK
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    WIN.DTU.DK = {
        default_domain = win.dtu.dk
    }

[domain_realm]
    .win.dtu.dk = WIN.DTU.DK
    win.dtu.dk = WIN.DTU.DK
Setup Samba (/etc/samba/smb.conf):
#======================= Global Settings =======================
[global]
   workgroup = WIN
   server string = kapok
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ADS
   realm = WIN.DTU.DK
   netbios name = elek-aut-01

   idmap config * : backend = rid
   idmap config * : range = 5000-100000000
   idmap config * : base_rid = 0
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = No
   winbind enum groups = No
   winbind nested groups = Yes
   allow trusted domains = No
Add the machine to the AD
Get a Kerberos ticket by issuing:
$ sudo kinit <campusnet-login>@WIN.DTU.DK
Add the PC to the AD domain by issuing:
$ sudo net ads join -U <campusnet-login>
The PC name needs to start with "elek-" (when dealing with DTU-Elektro machines). The name must be the same as the "netbios name" in the Samba configuration file. Dual-boot Windows machines that already have an "elek-" name must be given a different name for the Linux side to avoid conflicting AD instances. (Even WinXP and Win7 can't share the same AD instance.)
Add Winbind to the nsswitch configuration. (/etc/nsswitch.conf):
passwd:         nis compat winbind
group:          nis compat winbind
shadow:         nis compat winbind

hosts:          files dns wins mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Check that
$ wbinfo -u
gives a list of all AD users. (This might take a while).
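Before running "net ads join" it is worth checking that the smb.conf and krb5.conf above agree with each other and with the naming rule. The following is an added example (not from this wiki page or from Samba): it parses constructed fragments mirroring the two files, verifies that the realm matches the Kerberos default_realm and that the netbios name starts with "elek-", and shows how the "rid" idmap backend turns an account RID into a Unix UID under the configured range (the SID S-1-5-21-1-2-3-1105 used in the test is a placeholder).

```python
# Added example (not from the wiki page): offline consistency checks for the
# smb.conf / krb5.conf pair above and the idmap "rid" UID mapping rule.
SMB_CONF = """\
[global]
   security = ADS
   realm = WIN.DTU.DK
   netbios name = elek-aut-01
   idmap config * : backend = rid
   idmap config * : range = 5000-100000000
   idmap config * : base_rid = 0
"""  # constructed fragment mirroring the page's smb.conf
KRB5_CONF = "[libdefaults]\n   default_realm = WIN.DTU.DK\n"  # constructed


def parse(text):
    """Minimal INI parser for Samba/Kerberos files -> {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def check(smb, krb5):
    """Return the problems a domain join would hit; [] means consistent."""
    g, problems = smb["global"], []
    if g.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for a domain member")
    if g.get("realm") != krb5["libdefaults"].get("default_realm"):
        problems.append("smb.conf realm differs from krb5.conf default_realm")
    if not g.get("netbios name", "").startswith("elek-"):
        problems.append("netbios name must start with elek- (DTU-Elektro rule)")
    return problems


def rid_to_uid(sid, g):
    """idmap_rid rule: UID = RID - base_rid + low end of the configured range."""
    low, high = (int(x) for x in g["idmap config * : range"].split("-"))
    rid = int(sid.rsplit("-", 1)[1])  # last SID component is the RID
    uid = rid - int(g.get("idmap config * : base_rid", "0")) + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid
```

With the page's range, RID 1105 becomes UID 6105; a RID beyond the range raises instead of silently producing an unusable ID.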
Automatic mounting of home directory
By installing "pam_mount" it is possible to automatically mount AD users' home directories upon login. The package is installed by:
$ sudo apt-get install libpam-mount
A somewhat working pam_mount configuration is (/etc/security/pam_mount.conf.xml):
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="1" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="100000" hup="yes" term="yes" kill="no" />
  <volume pgrp="domain users" server="dtu-storage.win.dtu.dk" path="" mountpoint="home/WIN" fstype="cifs" />
  <cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700%(before=\",\" OPTIONS)"</cifsmount>
  <umount>umount %(MNTPT)/%(USER)</umount>
  <mkmountpoint enable="1" remove="false" />
</pam_mount>
There are problems with multiple mounts and mounts that hang upon logout.