Authenticating Linux clients against MS Active Directory

From Rsewiki
Revision as of 21:31, 8 July 2013


This page describes the steps needed to let Ubuntu 12.04 clients authenticate users against AIT's Active Directory (AD) server. Groups and settings from DTU-Basen can then be used on the clients, as can user home directories from dtu-storage.

The setup is heavily inspired by the following manual for RHEL systems: Linux-AD

Install Samba and Kerberos:

$ sudo apt-get install samba krb5-user winbind smbfs

Set up Kerberos (/etc/krb5.conf):

[libdefaults]
	default_realm = WIN.DTU.DK
	dns_lookup_realm = true
	dns_lookup_kdc = true
	ticket_lifetime = 24h
	renew_lifetime = 7d
	forwardable = true

[realms]
	WIN.DTU.DK = {
		default_domain = win.dtu.dk
	}

[domain_realm]
	.win.dtu.dk = WIN.DTU.DK
	win.dtu.dk = WIN.DTU.DK

Set up Samba (/etc/samba/smb.conf):

#======================= Global Settings =======================
[global]
   workgroup = WIN
   server string = kapok
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   realm = WIN.DTU.DK
   netbios name = elek-aut-01
   idmap config * : backend = rid
   idmap config * : range = 5000-100000000
   idmap config * : base_rid = 0
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = No
   winbind enum groups = No
   winbind nested groups = Yes
   allow trusted domains = No

Add the machine to the AD

Get a Kerberos ticket by issuing:

$ sudo kinit <campusnet-login>@WIN.DTU.DK

Add the PC to the AD domain by issuing:

$ sudo net ads join -U <campusnet-login>

The PC name needs to start with "elek-" (when dealing with DTU-Elektro machines), and it must be the same as the "netbios name" in the Samba configuration file. Dual-boot Windows machines that already have an "elek-" name must be given a different name for Linux to avoid conflicting AD instances (even WinXP and Win7 cannot share the same AD instance).

Add Winbind to the nsswitch configuration (/etc/nsswitch.conf):

passwd:         nis compat winbind
group:          nis compat winbind
shadow:         nis compat winbind 

hosts:          files dns wins mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Check that

$ wbinfo -u

gives a list of all AD users. (This might take a while).
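The Kerberos realm, Samba realm, workgroup and netbios name above all have to agree before the join is attempted. The following checker is an added example (not part of the original page or of Samba) that reads constructed excerpts of the two configuration files and reports the mismatches a practitioner would want to catch before running "net ads join"; the host prefix and the idmap lower bound of 1000 are assumptions chosen for this page's setup.

```python
import re

# Constructed excerpts of the page's /etc/krb5.conf and /etc/samba/smb.conf (not read from disk).
KRB5_CONF = """[libdefaults]
    default_realm = WIN.DTU.DK
[realms]
WIN.DTU.DK = {
    default_domain = win.dtu.dk
}
"""
SMB_CONF = """[global]
   workgroup = WIN
   security = ADS
   realm = WIN.DTU.DK
   netbios name = elek-aut-01
   idmap config * : range = 5000-100000000
"""

def parse_ini(text):
    """Minimal [section] / key = value reader that tolerates krb5.conf's { } sub-blocks."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().rstrip("{").strip()
    return sections

def check_join_prereqs(krb5_text, smb_text, host_prefix="elek-"):
    """Return the inconsistencies to fix before 'net ads join' (empty list means consistent)."""
    krb, smb = parse_ini(krb5_text), parse_ini(smb_text).get("global", {})
    realm, problems = smb.get("realm", ""), []
    if smb.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for a domain member")
    if realm != realm.upper():
        problems.append("realm should be upper case, matching the Kerberos realm")
    if realm != krb.get("libdefaults", {}).get("default_realm") or realm not in krb.get("realms", {}):
        problems.append("smb.conf realm is not the krb5.conf default_realm / [realms] entry")
    if smb.get("workgroup", "").upper() != realm.split(".")[0]:
        problems.append("workgroup should be the first label of the realm")
    if not smb.get("netbios name", "").startswith(host_prefix):
        problems.append("netbios name must start with " + host_prefix)
    m = re.fullmatch(r"(\d+)-(\d+)", smb.get("idmap config * : range", ""))
    if not m or not 1000 <= int(m.group(1)) < int(m.group(2)):
        problems.append("idmap range must be lo-hi with lo >= 1000, clear of local account UIDs")
    return problems
```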

Automatic mounting of home directory

By installing "pam_mount" it is possible to mount AD users' home directories automatically upon login. The package is installed by:

$ sudo apt-get install libpam-mount

A skeleton home directory (the mount point) can be created with pam_mkhomedir by adding the line "session required pam_mkhomedir.so skel=/etc/skel umask=0077" to /etc/pam.d/common-session just before the pam_mount line. Listing of /etc/pam.d/common-session:

session	[default=1]			pam_permit.so
session	requisite			pam_deny.so

session	required			pam_permit.so

session	optional			pam_umask.so

session	required	pam_unix.so 
session	optional			pam_winbind.so 
session	required	pam_mkhomedir.so skel=/etc/skel umask=0077
session	optional	pam_mount.so 
session	optional			pam_ck_connector.so nox11

A somewhat working pam_mount configuration is (/etc/security/pam_mount.conf.xml):

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

<debug enable="0" />

<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="100000" hup="yes" term="yes" kill="no" />

<volume pgrp="domain users" server="dtu-storage.win.dtu.dk" path="" mountpoint="home/WIN" fstype="cifs" />

<cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700%(before=\",\" OPTIONS)"
</cifsmount>

<umount>umount %(MNTPT)/%(USER)</umount>

<mkmountpoint enable="1" remove="false" />

</pam_mount>

There are problems with multiple mounts and mounts that hang upon logout.
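To see what the <cifsmount> template above actually turns into for a given user, and to confirm that the required nosuid,nodev options reach the mount command, here is an added example (not code from the page or from pam_mount) that parses a constructed copy of the configuration and renders the command. It assumes pam_mount merges the <mntoptions require> list into OPTIONS alongside the volume's own options; the user name, uid and gid are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the page's pam_mount.conf.xml, trimmed to the active elements (not read from disk).
PAM_MOUNT_CONF = """<pam_mount>
<debug enable="0" />
<mntoptions require="nosuid,nodev" />
<volume pgrp="domain users" server="dtu-storage.win.dtu.dk" path="" mountpoint="home/WIN" fstype="cifs" />
<cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700%(before=\\",\\" OPTIONS)"</cifsmount>
<umount>umount %(MNTPT)/%(USER)</umount>
</pam_mount>
"""

def expand(template, variables):
    """Expand pam_mount's %(VAR) and %(before="sep" VAR) placeholders; sep is emitted only if VAR is non-empty."""
    def before(m):
        value = variables.get(m.group(2), "")
        return m.group(1) + value if value else ""
    out = re.sub(r'%\(before=\\?"([^"\\]*)\\?" (\w+)\)', before, template)
    return re.sub(r"%\((\w+)\)", lambda m: variables.get(m.group(1), ""), out)

def build_mount_command(conf_xml, user, uid, gid):
    """Render the mount command pam_mount would run for this user on the first <volume>."""
    root = ET.fromstring(conf_xml)
    vol = root.find("volume")
    # Assumption: every <mntoptions require> option is merged into OPTIONS next to the volume's own options.
    opts = [o for o in vol.get("options", "").split(",") if o]
    for m in root.findall("mntoptions"):
        opts += [o for o in m.get("require", "").split(",") if o and o not in opts]
    variables = {"SERVER": vol.get("server"), "MNTPT": vol.get("mountpoint"), "USER": user,
                 "USERUID": str(uid), "USERGID": str(gid), "OPTIONS": ",".join(opts)}
    return expand(root.findtext("cifsmount").strip(), variables)

def mount_is_hardened(cmd):
    """True when the -o string carries nosuid and nodev and nothing re-enables suid/dev."""
    m = re.search(r'-o "([^"]*)"', cmd)
    opts = set(m.group(1).split(",")) if m else set()
    return {"nosuid", "nodev"} <= opts and not ({"suid", "dev"} & opts)
```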
