特殊:Badtitle/NS100:ActiveDirectoryWinbindHowto:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Wikibot留言 | 贡献
无编辑摘要
Wikibot留言 | 贡献
无编辑摘要
 
(未显示同一用户的18个中间版本)
第1行: 第1行:
{{From|https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto}}
{{From|https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto}}
{{Languages|UbuntuHelp:ActiveDirectoryWinbindHowto}}
{{Languages|UbuntuHelp:ActiveDirectoryWinbindHowto}}
This Howto describes how to add a Ubuntu box in a Active Directory domain and to authenticate the users with AD.  
== Introduction ==
 
This Howto describes how to add an Ubuntu box in an Active Directory domain and to authenticate the users with AD.
==== Used software ====
=== Used terms ===
{|border="1" cellspacing="0"
|'''Name'''||'''Version'''
|-
|MS Windows Server|| 2003 standard sp1
|-
|Linux||Ubuntu Breezy 5.10
|-
|Winbind||3.0.14a-Ubuntu
|-
|Samba||3.0.14a-Ubuntu
|-
|krb5-user||1.3.6-1
|-
|libpam-krb5||1.0-12
|}
 
==== Used terms ====
 
{|border="1" cellspacing="0"
{|border="1" cellspacing="0"
|'''term'''||'''definition'''
|'''term'''||'''definition'''
第43行: 第25行:
|ntp.example.com||timeserver (NTP)
|ntp.example.com||timeserver (NTP)
|}
|}
 
== Kerberos ==
=== Confirm Connectivity ===
The first step in joining an Active Directory domain is to install and configure Kerberos.  See [[UbuntuHelp:Samba/Kerberos|Samba/Kerberos]] for details.
The first step to configuring an Ubuntu client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.
== Join AD domain ==
 
=== Required software ===
<pre><nowiki>
You need to install the '''winbind''' and  '''samba''' packages. The packages '''smbfs''' and '''smbclient''' are useful for mounting network shares and copying files.
root@linuxwork:~# ping win2k3.lab.example.com
 
PING win2k3.lab.example.com (10.0.0.1) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms
</nowiki></pre>
 
The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Ubuntu workstation and the AD DC.
 
=== Time settings ===
Time is essential for Kerberos, which is used for authentication in Active Directory networks. The easiest way to ensure correct time syncronization is to use a NTP-Server. Every Active Directory Domain Controller is also an NTP server, so for best results, use the FQDN of an AD DC in Ubuntu's default ''ntpdate'' application, which syncs time at startup or on demand.
 
For Kubuntu 7.10 (and likely other versions as well) ntpdate does not pull the servername from any config files, instead it expects the NTP server as an argument on the commandlineTherefore it is simplest to work with the options of adjust date and time of the GUI clock. Choose set date and time automatically, and then enter your AD DC as the NTP server. If it is reading from the config files then set things up in /etc/default/ntpdate as below.
 
 
file: <code><nowiki>/etc/default/ntpdate</nowiki></code>
<pre><nowiki>
# servers to check
NTPSERVERS="win2k3.lab.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"
</nowiki></pre>
 
<pre><nowiki>
root@linuxwork:~# /etc/init.d/ntpdate restart
 
* Synchronizing clock to win2k3.lab.example.com...    [ ok ]
</nowiki></pre>
 
=== FQDN ===
A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Ubuntu workstation to make sure that your FQDN is resolvable.
 
file: <code><nowiki>/etc/hosts</nowiki></code>
<pre><nowiki>
127.0.0.1 linuxwork.lab.example.com localhost linuxwork
</nowiki></pre>
 
You can test your configurating by PINGING your own FQDN. The output should be similar to the PING output above, from the Network Connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1).
 
=== Set up Kerberos ===
The first step in setting up Kerberos is to install the appropriate client software.
 
==== Required software ====
To properly install the necessary Kerberos packages, you need to install the '''krb5-user''' and '''libpam-krb5''' packages from the '''Universe Repository.'''
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If you do not intend to acquire a Kerberos ticket at login, you need not install the ''libpam-krb5'' package.
 
This command will also fetch the additional packages ''krb5-config'', ''libkrb53'', and ''libkadm55''.
 
The ''krb5-config'' installation will present a prompt:
 
<pre><nowiki>
What are the Kerberos servers for your realm?
win2k3.lab.example.com
 
What is the administrative server for your Kerberos realm?
win2k3.lab.example.com
</nowiki></pre>
 
These prompts should be answered according to the Active Directory Domain Controller in charge of your domain. The ''krb5-config'' process customize the <code><nowiki>/etc/krb5.conf</nowiki></code> file for your installation. In most cases, this config file will work successfully, but if you want a more streamlined config file (e.g., without all the Kerberos 4 cruft), you can use the following as a template:
 
file: <code><nowiki>/etc/krb5.conf</nowiki></code>
<pre><nowiki>
[logging]
default = FILE:/var/log/krb5.log
 
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = LAB.EXAMPLE.COM
#  dns_lookup_realm = false
#  dns_lookup_kdc = true
 
[realms]
LAB.EXAMPLE.COM = {
kdc = win2k3.lab.example.com:88
admin_server = win2k3.lab.example.com:464
default_domain = LAB.EXAMPLE.COM
}
 
[domain_realm]
.lab.example.com = LAB.EXAMPLE.COM
lab.example.com = LAB.EXAMPLE.COM
</nowiki></pre>
 
Notice the two "DNS" directive are commented out. You can elect to use DNS to find Kerberos realm servers, or you can elect to use the <code><nowiki>krb5.conf</nowiki></code> file to define Kerberos realm servers. If you elect to use DNS, uncomment the two lines above and instead comment or remove the entire directive for your realm under the <code><nowiki>[realms]</nowiki></code> heading.
 
''' Testing '''
 
Request a Ticket-Granting Ticket (TGT) by issuing the <code><nowiki>kinit</nowiki></code> command, as shown (you can use any valid domain account; it doesn't have to be Administrator. You can also omit the domain name from the command if the "default_realm" directive is properly applied in the <code><nowiki>/etc/krb5.conf</nowiki></code> file.
 
<pre><nowiki>
root@linuxwork:~# kinit [email protected]
Password for [email protected]: ****
</nowiki></pre>
 
Check if ticket request was valid using the <code><nowiki>klist</nowiki></code> command.
<pre><nowiki>
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected].COM
 
Valid starting    Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43 krbtgt/[email protected]
renew until 01/21/05 20:28:51
</nowiki></pre>
 
At this point, your Kerberos installation and configuration is operating correctly. You can release your test ticket by issuing the <code><nowiki>kdestroy</nowiki></code> command.
 
=== Join AD domain ===
 
==== Required software ====
You need to install the '''winbind''' and  '''samba''' packages. You can also install the '''smbfs''' and '''smbclient''' packages too.
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png For Windows 2003 Server SP1 Winbind version 3.0.14a is necessary. In Hoary is only version 3.0.10, but you can find 3.0.14a in Breezy.
 
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The package ''smbfs'' is optional, but includes useful client utilities, including the '''smbmount''' command. Also useful is the ''smbclient'' package, which includes an FTP-like client for SMB shares.
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The package ''smbfs'' is optional, but includes useful client utilities, including the '''smbmount''' command. Also useful is the ''smbclient'' package, which includes an FTP-like client for SMB shares.
 
=== Join ===
==== Join ====
The first step in joining the Active Directory domain is to edit <code><nowiki>/etc/samba/smb.conf</nowiki></code>:
 
file: <code><nowiki> /etc/samba/smb.conf </nowiki></code>
file: <code><nowiki> /etc/samba/smb.conf </nowiki></code>
<pre><nowiki>
<pre><nowiki>
[global]
[global]
security = ads
        security = ads
realm = LAB.EXAMPLE.COM
        realm = LAB.EXAMPLE.COM
password server = 10.0.0.1
        password server = 10.0.0.1
# note that workgroup is the 'short' domain name
# note that workgroup is the 'short' domain name
workgroup = LAB
        workgroup = LAB
#      winbind separator = +
#      winbind separator = +
idmap uid = 10000-20000
        idmap uid = 10000-20000
idmap gid = 10000-20000
        idmap gid = 10000-20000
winbind enum users = yes
        winbind enum users = yes
winbind enum groups = yes
        winbind enum groups = yes
template homedir = /home/%D/%U
        template homedir = /home/%D/%U
template shell = /bin/bash
        template shell = /bin/bash
client use spnego = yes
        client use spnego = yes
client ntlmv2 auth = yes
        client ntlmv2 auth = yes
encrypt passwords = yes
        encrypt passwords = yes
winbind use default domain = yes
        winbind use default domain = yes
restrict anonymous = 2
        restrict anonymous = 2
# to avoid the workstation from
# trying to become a master browser
# on your windows network add the
# following lines
domain master = no
local master = no
preferred master = no
os level = 0
 
</nowiki></pre>
</nowiki></pre>
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Adding valid users = @"Domain Users" to the [global] section will allow all Domain Users to see all of the shares avaliable without a password. This is the equivlient to allowing "Everyone" to read all shares. If you want to restrict reading a share then you will have to specify valid users for that share. 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment.
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and causes winbind to treat any username that isn't qualified with a domain name as a username in the domain to which winbind is joined. Omit this parameter if you are concerned about confusion between local accounts on your systems and accounts in the default domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment.
 
Be sure to restart the Samba and Winbind services after changing the <code><nowiki>/etc/samba/smb.conf</nowiki></code> file:
Be sure to restart the Samba and Winbind services after changing the <code><nowiki>/etc/samba/smb.conf</nowiki></code> file:
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind stop
sudo /etc/init.d/winbind stop
root@linuxwork:~# /etc/init.d/samba restart
sudo /etc/init.d/samba restart
root@linuxwork:~# /etc/init.d/winbind start
sudo /etc/init.d/winbind start
</nowiki></pre>
</nowiki></pre>
 
Request a valid Kerberos TGT for an account using '''kinit''', which is allowed to join a workstation into the AD domain.
Request a valid Kerberos TGT for an account using kinit, which is allowed to join a workstation into the AD domain.
Now join to the domain, if the ticket was valid you should not need to supply a password - even if prompted you should be able to leave it blank.
Now join to the domain, if the ticket was valid you should not need to supply a password - even if prompted you should be able to leave it blank.
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png This next step gave me the error: <code><nowiki> kinit(v5): Cannot resolve network address for KDC in realm LAB.EXAMPLE.COM while getting initial credentials</nowiki></code> even though <code><nowiki>nslookup win2k3</nowiki></code> and <code><nowiki>host 10.0.0.1</nowiki></code> would both return the correct entries. To correct this problem, I had to edit my <code><nowiki>/etc/hosts</nowiki></code> file and add the following to it: <code><nowiki>10.0.0.1  win2k3.lab.example.com</nowiki></code>
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# net ads join
sudo kinit Administrator@EXAMPLE.COM
sudo net ads join
Using short domain name – LAB
Using short domain name – LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
</nowiki></pre>
</nowiki></pre>
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command <code><nowiki>sudo net ads join -U username</nowiki></code> and supply your password when prompted. Otherwise, you will be asked to authenticate as [email protected] instead of a valid account name.
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command <code><nowiki>sudo net ads join -U username</nowiki></code> and supply your password when prompted. Otherwise, you will be asked to authenticate as [email protected] instead of a valid account name.
 
You can also supply a password if you don't want to get prompted. Just use <code><nowiki>net ads join -U <username>%<password></nowiki></code> for this. Maybe it's useful for unattended installations where you want to add machines to an AD automatically.
==== Testing ====
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png If your Active Directory server is not running DDNS as well (eg. if you're running a separate DNS server) you may get the error:
<pre><nowiki>
<pre><nowiki>
# wbinfo -u
sudo net ads join
Failed to join domain: failed to find DC for domain LAB.EXAMPLE.COM
</nowiki></pre>
</nowiki></pre>
You should get a list of the users of the domain.
To fix this, specify the AD server to the "net join" command:
 
And a list of the groups. Be patient these queries can take time.
<pre><nowiki>
<pre><nowiki>
# wbinfo -g
sudo net ads join -S WIN2K3 -U <username>%<password>
</nowiki></pre>
</nowiki></pre>
 
You'll get a warning about not being able to update DNS, but you will successfully join the AD!
=== Setup Authentication ===
=== Testing ===
==== nsswitch ====
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Using a clean install of 10.04, I did not have to modify any PAM files to get authentication working. I had to edit common-session to get the home directories created, but that is it.
 
== Setup Authentication ==
=== nsswitch ===
file: <code><nowiki>/etc/nsswitch.conf</nowiki></code>
file: <code><nowiki>/etc/nsswitch.conf</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第239行: 第93行:
shadow:        compat
shadow:        compat
</nowiki></pre>
</nowiki></pre>
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png I needed to add <code><nowiki>hosts:  files dns</nowiki></code> to <code><nowiki>/etc/nsswitch.conf</nowiki></code> to avoid the settings in <code><nowiki>/etc/hosts</nowiki></code> to be ignored.
==== Testing ====
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Don´t forget to restart winbind again after editing /etc/nsswitch.conf!!!
=== Testing ===
You can check that the Domain has successfully been joined by:
<pre><nowiki>
wbinfo -u
</nowiki></pre>
You should get a list of the users of the domain.
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png I needed to make '''<code><nowiki>shadow:  compat winbind</nowiki></code>''' in <code><nowiki>/etc/nsswitch.conf</nowiki></code> to make wbinfo -u work.
And a list of the groups. Be patient these queries can take time.
<pre><nowiki>
wbinfo -g
</nowiki></pre>
Check Winbind nsswitch module with '''getent'''.
Check Winbind nsswitch module with '''getent'''.
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png This step may or may not work. If you only see local users, try connecting with a Windows machine anyways. (Tested under Ubuntu 9.10 x64)
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# getent passwd
sudo getent passwd


root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
第252行: 第117行:
...
...
</nowiki></pre>
</nowiki></pre>
Note that the domain name (here, "LAB+") is displayed by getent '''only''' if you have '''not''' set
''winbind use default domain = yes'' in smb.conf.
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# getent group
sudo getent group


root:x:0:
root:x:0:
第266行: 第133行:
...
...
</nowiki></pre>
</nowiki></pre>
 
=== PAM ===
==== PAM ====
With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of ''pam_winbind.so'' and ''pam_unix.so'' should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.
With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of ''pam_winbind.so'' and ''pam_unix.so'' should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.
 
'''Note:''' You can use pam-auth-update to add the necessary entries for winbind authentication.
<pre><nowiki>
sudo pam-auth-update
</nowiki></pre>
This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use ''kinit'' after logging in, and consider using ''kdestroy'' in a logout script.
This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use ''kinit'' after logging in, and consider using ''kdestroy'' in a logout script.
file: <code><nowiki>/etc/pam.d/common-account</nowiki></code>
file: <code><nowiki>/etc/pam.d/common-account</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第277行: 第145行:
account required        pam_unix.so
account required        pam_unix.so
</nowiki></pre>
</nowiki></pre>
file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第284行: 第151行:
auth required  pam_deny.so
auth required  pam_deny.so
</nowiki></pre>
</nowiki></pre>
 
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png On a Ubuntu 7.10 (Gutsy Gibbon) and 9.04 (Jaunty Jackalope) systems, these changes to pam.d/common-auth result in not being able to log in as a local user, for example by ssh. Your luck may be better, but test immediately just in case.
This one allows login for AD users '''and''' local users (tested with Ubuntu 9.10)
file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
<pre><nowiki>
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_winbind.so require_membership_of=domänen-admins use_first_pass
auth requisite  pam_deny.so
auth required  pam_permit.so
auth optional  pam_ecryptfs.so unwrap
</nowiki></pre>
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png ecryptfs does not work with AD users. Login is successful with local users and AD users which are members of AD group ''domänen-admins''
file: <code><nowiki>/etc/pam.d/common-session</nowiki></code>
file: <code><nowiki>/etc/pam.d/common-session</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第290行: 第167行:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
</nowiki></pre>
</nowiki></pre>
file: <code><nowiki>/etc/pam.d/sudo</nowiki></code>
file: <code><nowiki>/etc/pam.d/sudo</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第299行: 第175行:
@include common-account
@include common-account
</nowiki></pre>
</nowiki></pre>
 
== Final configuration ==
=== Final configuration ===
Each domain needs a directory in /home/.
Each domain needs a directory in /home/.
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# mkdir /home/LAB
sudo mkdir /home/LAB
</nowiki></pre>
</nowiki></pre>
=== One last thing ===
=== One last thing ===
If you want to be able to use an active directory account, to manage your ubuntu box, you need to add it to the sudoers file. For that, you will need to edit the file /etc/group an add your username to the admin group, and whatever other group you need(plugdev,audio,cdrom just to mention a few). it will be like:
If you want to be able to use an active directory account to manage your Ubuntu box, you need to add it to the sudoers file. For that, you will need to edit the file /etc/group an add your username to the admin group and whatever other group you need(plugdev,audio,cdrom just to mention a few). it will be like:
<pre><nowiki>
<pre><nowiki>
.......
.......
第313行: 第187行:
.......
.......
</nowiki></pre>
</nowiki></pre>
Where olduser, is your current linux user, and ActiveDirectoryUser, is the new administrator.  
Where, olduser, is your current linux user and, ActiveDirectoryUser, is the new administrator.
Another way to make a Domain Group, a sudoer in your ubuntu, is to edit the file /etc/sudoers (using the command 'visudo') and add the following line
Another way to make a Domain Group a sudoer in your ubuntu is to edit the file /etc/sudoers (using the command 'visudo') and add the following line
<pre><nowiki>
<pre><nowiki>
%adgroup ALL=(ALL) ALL
%adgroup ALL=(ALL) ALL
</nowiki></pre>
</nowiki></pre>
Where adgroup, it's a group from your active directory. take in mind, that spaces in the group name are not allowed, maybe you can use '%Domain\ admins' but i haven't tested.
Where, adgroup, is a group from your active directory. Keep in mind that spaces in the group name are not allowed.  You can use '%domain\ admins', without quotes.
 
=== Usage ===
=== Usage ===
Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your ''smb.conf'', in which case you may log in using only USERNAME.
Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your ''smb.conf'', in which case you may log in using only USERNAME.
<pre><nowiki>
<pre><nowiki>
login: LAB+manuel
login: LAB+manuel
第329行: 第201行:
LAB+manuel@linuxwork:~$
LAB+manuel@linuxwork:~$
</nowiki></pre>
</nowiki></pre>
=== Automatic Kerberos Ticket Refresh ===
=== Automatic Kerberos Ticket Refresh ===
To have pam_winbind automatically refresh the kerberos ticket
To have pam_winbind automatically refresh the kerberos ticket
Add the <code><nowiki> winbind refresh tickets </nowiki></code> line to <code><nowiki> smb.conf </nowiki></code>:
Add the <code><nowiki> winbind refresh tickets </nowiki></code> line to <code><nowiki> smb.conf </nowiki></code>:
file: <code><nowiki> /etc/samba/smb.conf </nowiki></code>
file: <code><nowiki> /etc/samba/smb.conf </nowiki></code>
<pre><nowiki>
<pre><nowiki>
#      winbind separator = +
#      winbind separator = +
winbind refresh tickets = yes
        winbind refresh tickets = yes
idmap uid = 10000-20000
        idmap uid = 10000-20000
</nowiki></pre>
</nowiki></pre>
And modify <code><nowiki>/etc/pam.d/common-auth</nowiki></code>:
And modify <code><nowiki>/etc/pam.d/common-auth</nowiki></code>:
file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
<pre><nowiki>
<pre><nowiki>
第350行: 第217行:
auth required  pam_deny.so
auth required  pam_deny.so
</nowiki></pre>
</nowiki></pre>
 
== Troubleshooting ==
 
If the Winbind PAM module in <code><nowiki>/var/log/auth.log</nowiki></code> says that the AD-user is not existing restart winbind. It might be best to restart the whole workstation.
=== Troubleshooting ===
If the Winbind PAM module in <code><nowiki>/var/log/auth.log</nowiki></code> says, that the AD-user is not existing, restart winbind. Probably it's best to restart the whole workstation.
 
<pre><nowiki>
<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind start
sudo /etc/init.d/winbind restart
</nowiki></pre>
</nowiki></pre>
If when logging into the machine one gets a "no logon servers" error winbind\samba may not be starting properly.  Try restarting them manually, and then logging in.
If when logging into the machine one gets a "no logon servers" error winbind\samba may not be starting properly.  Try restarting them manually, and then logging in.
-If a manual restart works, then to fix this issue one needs to change scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d, rc5.d folders.  The understanding is that this causes samba and winbind to startup later in the boot order for each runlevel.  So that they start after S24avahi-daemon. If you then find that you must wait a bit before you can log in, you need to set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'.
-If a manual restart works, then to fix this issue one needs to change scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d, rc5.d folders.  The understanding is that this causes samba and winbind to startup later in the boot order for each runlevel.  So that they start after S24avahi-daemon. If you then find that you must wait a bit before you can log in, you need to set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'.
'''name service cache daemon'''
'''name service cache daemon'''
The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it.
The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it.
<pre><nowiki>
<pre><nowiki>
sudo apt-get remove nscd
sudo apt-get remove nscd
</nowiki></pre>
</nowiki></pre>
 
'''Some names or groups are resolved with getent, but others are not'''
'''Some names or groups are not resolved with getent, but others are'''
The range of your idmap parameter is not wide enough to encompass all the users or groups
The range of your idmap parameter is not wide enough to encompass all the users or groups
<pre><nowiki>
<pre><nowiki>
idmap uid = 16777216-33554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap gid = 16777216-33554431
</nowiki></pre>
</nowiki></pre>
 
'''Adding more than one Linux machine to a Windows network'''
==== External Docs ====
The above procedure allows you to add as many Linux machines as you like. However, the UID assigned to a given user may not be the same across all the machines. It created file ownership & rights issues when files/folders are shared between these machines. See [https://answers.launchpad.net/ubuntu/+question/21806 Question #21806] on https://answers.launchpad.net/ubuntu/ for details. Therefore it is advisable to specify the UID mapping method
 
<pre><nowiki>
Also see  
idmap backend = rid:YOURDOMAIN=70000-1000000
[http://wiki.randompage.org/index.php/Using_Samba_on_Debian_Linux_to_authenticate_against_Active_Directory  Using Samba on Debian Linux to authenticate against Active Directory] on randompage.org. It largely mirrors this page but has a little more detail.
idmap uid = 70000-1000000
 
idmap gid = 70000-1000000
==== Automated Methods ====
winbind use default domain = yes
 
security = ADS
The [https://help.ubuntu.com/community/ActiveDirectoryWinbind-SADMS SADMS] package allows for automated joining to Active Directory through a GUI interface.
</nowiki></pre>
The newer syntax is (with old style you can get NT_STATUS_OBJECT_NAME_COLLISION in /var/log/samba/log.winbindd)
<pre><nowiki>
idmap domains = YOURDOMAIN
idmap config YOURDOMAIN:backend = rid
idmap config YOURDOMAIN:range = 70000-1000000
winbind use default domain = yes
security = ADS
</nowiki></pre>
== Resources ==
Also see
* [http://wiki.randompage.org/index.php/DistOS:Linux:Debian:Samba Using Samba on Debian Linux to authenticate against Active Directory] on randompage.org. It largely mirrors this page but has a little more detail.
* The [http://wiki.samba.org/index.php/Samba_&_Active_Directory Samba and Active Directory Wiki] contains very detailed instructions.
=== Automated Methods ===
The [[UbuntuHelp:ActiveDirectoryWinbind-SADMS|SADMS]] package allows for automated joining to Active Directory through a GUI interface.
[http://sadms.sourceforge.net/]
[http://sadms.sourceforge.net/]
----
----
'''Note:''' this guide has been tested on Ubuntu 8.04 (Hardy Heron).
'''Note:''' For a working tutorial tested and fully functional on Ubuntu 9.04 Jaunty Jackalope visit [http://ubuntuforums.org/showthread.php?p=7863547#post7863547].
----
----
[[category:CategorySecurity]]
[[category:CategorySecurity]]


[[category:UbuntuHelp]]
[[category:UbuntuHelp]]

2010年5月19日 (三) 17:15的最新版本

{{#ifexist: :ActiveDirectoryWinbindHowto/zh | | {{#ifexist: ActiveDirectoryWinbindHowto/zh | | {{#ifeq: {{#titleparts:ActiveDirectoryWinbindHowto|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:ActiveDirectoryWinbindHowto|1|-1|}} | zh | | }}

Introduction

This Howto describes how to add an Ubuntu box in an Active Directory domain and to authenticate the users with AD.

Used terms

term definition
AD Active Directory
DC Domain Controller
lab.example.com AD domain
win2k3.lab.example.com DC FQDN
10.0.0.1 DC IP
LAB.EXAMPLE.COM Kerberos Realm
linuxwork computername of the Ubuntu workstation
linuxwork.lab.example.com FQDN of the Ubuntu workstation
ntp.example.com timeserver (NTP)

Kerberos

The first step in joining an Active Directory domain is to install and configure Kerberos. See Samba/Kerberos for details.

Join AD domain

Required software

You need to install the winbind and samba packages. The packages smbfs and smbclient are useful for mounting network shares and copying files. IconsPage?action=AttachFile&do=get&target=IconNote.png The package smbfs is optional, but includes useful client utilities, including the smbmount command. Also useful is the smbclient package, which includes an FTP-like client for SMB shares.

Join

The first step in joining the Active Directory domain is to edit /etc/samba/smb.conf: file: /etc/samba/smb.conf

[global]
        security = ads
        realm = LAB.EXAMPLE.COM
        password server = 10.0.0.1
# note that workgroup is the 'short' domain name
        workgroup = LAB
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

IconsPage?action=AttachFile&do=get&target=IconNote.png Adding valid users = @"Domain Users" to the [global] section will allow all Domain Users to see all of the shares avaliable without a password. This is the equivlient to allowing "Everyone" to read all shares. If you want to restrict reading a share then you will have to specify valid users for that share. IconsPage?action=AttachFile&do=get&target=IconNote.png The "winbind use default domain" parameter is useful in single-domain enterprises and causes winbind to treat any username that isn't qualified with a domain name as a username in the domain to which winbind is joined. Omit this parameter if you are concerned about confusion between local accounts on your systems and accounts in the default domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment. Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file:

sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Request a valid Kerberos TGT for an account using kinit, which is allowed to join a workstation into the AD domain. Now join to the domain, if the ticket was valid you should not need to supply a password - even if prompted you should be able to leave it blank. IconsPage?action=AttachFile&do=get&target=IconNote.png This next step gave me the error: kinit(v5): Cannot resolve network address for KDC in realm LAB.EXAMPLE.COM while getting initial credentials even though nslookup win2k3 and host 10.0.0.1 would both return the correct entries. To correct this problem, I had to edit my /etc/hosts file and add the following to it: 10.0.0.1 win2k3.lab.example.com

sudo kinit [email protected]
sudo net ads join
Using short domain name – LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'

IconsPage?action=AttachFile&do=get&target=IconNote.png If the Kerberos auth was valid, you should not get asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as [email protected] instead of a valid account name. You can also supply a password if you don't want to get prompted. Just use net ads join -U <username>%<password> for this. Maybe it's useful for unattended installations where you want to add machines to an AD automatically. IconsPage?action=AttachFile&do=get&target=IconNote.png If your Active Directory server is not running DDNS as well (eg. if you're running a separate DNS server) you may get the error:

sudo net ads join
Failed to join domain: failed to find DC for domain LAB.EXAMPLE.COM

To fix this, specify the AD server to the "net join" command:

sudo net ads join -S WIN2K3 -U <username>%<password>

You'll get a warning about not being able to update DNS, but you will successfully join the AD!

Testing

IconsPage?action=AttachFile&do=get&target=IconNote.png Using a clean install of 10.04, I did not have to modify any PAM files to get authentication working. I had to edit common-session to get the home directories created, but that is it.

Setup Authentication

nsswitch

file: /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

IconsPage?action=AttachFile&do=get&target=IconNote.png I needed to add hosts: files dns to /etc/nsswitch.conf to avoid the settings in /etc/hosts to be ignored. IconsPage?action=AttachFile&do=get&target=IconNote.png Don´t forget to restart winbind again after editing /etc/nsswitch.conf!!!

Testing

You can check that the Domain has successfully been joined by:

wbinfo -u

You should get a list of the users of the domain. IconsPage?action=AttachFile&do=get&target=IconNote.png I needed to make shadow: compat winbind in /etc/nsswitch.conf to make wbinfo -u work. And a list of the groups. Be patient these queries can take time.

wbinfo -g

Check Winbind nsswitch module with getent. IconsPage?action=AttachFile&do=get&target=IconNote.png This step may or may not work. If you only see local users, try connecting with a Windows machine anyways. (Tested under Ubuntu 9.10 x64)

sudo getent passwd

root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...

Note that the domain name (here, "LAB+") is displayed by getent only if you have not set winbind use default domain = yes in smb.conf.

sudo getent group

root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...

PAM

With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed. Note: You can use pam-auth-update to add the necessary entries for winbind authentication.

sudo pam-auth-update

This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script. file: /etc/pam.d/common-account

account sufficient       pam_winbind.so
account required         pam_unix.so

file: /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

IconsPage?action=AttachFile&do=get&target=IconNote.png On a Ubuntu 7.10 (Gutsy Gibbon) and 9.04 (Jaunty Jackalope) systems, these changes to pam.d/common-auth result in not being able to log in as a local user, for example by ssh. Your luck may be better, but test immediately just in case. This one allows login for AD users and local users (tested with Ubuntu 9.10) file: /etc/pam.d/common-auth

auth sufficient	pam_unix.so nullok_secure
auth sufficient pam_winbind.so require_membership_of=domänen-admins use_first_pass
auth requisite  pam_deny.so
auth required   pam_permit.so
auth optional   pam_ecryptfs.so unwrap

IconsPage?action=AttachFile&do=get&target=IconNote.png ecryptfs does not work with AD users. Login is successful with local users and AD users which are members of AD group domänen-admins file: /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

file: /etc/pam.d/sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so

@include common-account

Final configuration

Each domain needs a directory in /home/.

sudo mkdir /home/LAB

One last thing

If you want to be able to use an active directory account to manage your Ubuntu box, you need to add it to the sudoers file. For that, you will need to edit the file /etc/group an add your username to the admin group and whatever other group you need(plugdev,audio,cdrom just to mention a few). it will be like:

.......
admin:x:117:olduser,ActiveDirectoryUser
.......

Where, olduser, is your current linux user and, ActiveDirectoryUser, is the new administrator. Another way to make a Domain Group a sudoer in your ubuntu is to edit the file /etc/sudoers (using the command 'visudo') and add the following line

%adgroup	ALL=(ALL) ALL

Where, adgroup, is a group from your active directory. Keep in mind that spaces in the group name are not allowed. You can use '%domain\ admins', without quotes.

Usage

Logon with DOMAIN+USERNAME, unless you included "winbind use default domain" in your smb.conf, in which case you may log in using only USERNAME.

login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$

Automatic Kerberos Ticket Refresh

To have pam_winbind automatically refresh the kerberos ticket Add the winbind refresh tickets line to smb.conf : file: /etc/samba/smb.conf

#       winbind separator = +
        winbind refresh tickets = yes
        idmap uid = 10000-20000

And modify /etc/pam.d/common-auth: file: /etc/pam.d/common-auth

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

Troubleshooting

If the Winbind PAM module in /var/log/auth.log says that the AD-user is not existing restart winbind. It might be best to restart the whole workstation.

sudo /etc/init.d/winbind restart

If when logging into the machine one gets a "no logon servers" error winbind\samba may not be starting properly. Try restarting them manually, and then logging in. -If a manual restart works, then to fix this issue one needs to change scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d, rc5.d folders. The understanding is that this causes samba and winbind to startup later in the boot order for each runlevel. So that they start after S24avahi-daemon. If you then find that you must wait a bit before you can log in, you need to set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'. name service cache daemon The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it.

sudo apt-get remove nscd

Some names or groups are resolved with getent, but others are not The range of your idmap parameter is not wide enough to encompass all the users or groups

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

Adding more than one Linux machine to a Windows network The above procedure allows you to add as many Linux machines as you like. However, the UID assigned to a given user may not be the same across all the machines. It created file ownership & rights issues when files/folders are shared between these machines. See Question #21806 on https://answers.launchpad.net/ubuntu/ for details. Therefore it is advisable to specify the UID mapping method

idmap backend = rid:YOURDOMAIN=70000-1000000
idmap uid = 70000-1000000
idmap gid = 70000-1000000
winbind use default domain = yes
security = ADS

The newer syntax is (with old style you can get NT_STATUS_OBJECT_NAME_COLLISION in /var/log/samba/log.winbindd)

idmap domains = YOURDOMAIN
idmap config YOURDOMAIN:backend = rid
idmap config YOURDOMAIN:range = 70000-1000000
winbind use default domain = yes
security = ADS

Resources

Also see

Automated Methods

The SADMS package allows for automated joining to Active Directory through a GUI interface. [1]


Note: this guide has been tested on Ubuntu 8.04 (Hardy Heron). Note: For a working tutorial tested and fully functional on Ubuntu 9.04 Jaunty Jackalope visit [2].