UbuntuHelp:ActiveDirectoryWinbindHowto
Revision as of 30 November 2007, 15:12 (Ubuntu Chinese wiki)

This howto describes how to add an Ubuntu box to an Active Directory domain and authenticate its users against AD.

==== Used software ====
{|border="1" cellspacing="0"
|'''Name'''||'''Version'''
|-
|MS Windows Server||2003 standard sp1
|-
|Linux||Ubuntu Breezy 5.10
|-
|Winbind||3.0.14a-Ubuntu
|-
|Samba||3.0.14a-Ubuntu
|-
|krb5-user||1.3.6-1
|-
|libpam-krb5||1.0-12
|}

==== Used terms ====
{|border="1" cellspacing="0"
|'''term'''||'''definition'''
|-
|AD||Active Directory
|-
|DC||Domain Controller
|-
|lab.example.com||AD domain
|-
|win2k3.lab.example.com||DC FQDN
|-
|10.0.0.1||DC IP
|-
|LAB.EXAMPLE.COM||Kerberos Realm
|-
|linuxwork||computer name of the Ubuntu workstation
|-
|linuxwork.lab.example.com||FQDN of the Ubuntu workstation
|-
|ntp.example.com||timeserver (NTP)
|}

=== Confirm Connectivity ===
The first step in configuring an Ubuntu client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.

<pre><nowiki>
root@linuxwork:~# ping win2k3.lab.example.com

PING win2k3.lab.example.com (10.0.0.1) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (10.0.0.1): icmp_seq=1 ttl=128 time=0.176 ms
</nowiki></pre>

The ping output shows successful resolution of the FQDN to an IP address and confirms connectivity between your Ubuntu workstation and the AD DC. Note that a reply only proves ICMP reachability and name resolution; it says nothing about the Kerberos (88) and LDAP (389) ports, which the kinit and net ads join steps below are the first to exercise.

=== Time settings ===
Correct time is essential for Kerberos, which is used for authentication in Active Directory networks: the KDC rejects requests whose timestamp is outside the permitted clock skew (five minutes by default). The easiest way to ensure correct synchronization is to use an NTP server. Every Active Directory Domain Controller is also an NTP server, so for best results use the FQDN of an AD DC in Ubuntu's default ''ntpdate'' application, which syncs time at startup or on demand.

On Kubuntu 7.10 (and likely other versions as well) ntpdate does not read the server name from any config file; it expects the NTP server as a command-line argument. In that case the simplest route is the "adjust date and time" dialog of the GUI clock: choose "set date and time automatically" and enter your AD DC as the NTP server. If ntpdate does read its config file, set things up in /etc/default/ntpdate as below.

file: <code><nowiki>/etc/default/ntpdate</nowiki></code>
<pre><nowiki>
# servers to check
NTPSERVERS="win2k3.lab.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"
</nowiki></pre>

<pre><nowiki>
root@linuxwork:~# /etc/init.d/ntpdate restart

 * Synchronizing clock to win2k3.lab.example.com... [ ok ]
</nowiki></pre>

=== FQDN ===
A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server. Here we edit the local hosts file on the Ubuntu workstation to make sure that its own FQDN is resolvable.

file: <code><nowiki>/etc/hosts</nowiki></code>
<pre><nowiki>
127.0.0.1 linuxwork.lab.example.com localhost linuxwork
</nowiki></pre>

You can test your configuration by pinging your own FQDN. The output should be similar to the ping output above from the connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1). Keep the FQDN as the first name on the line: <code><nowiki>hostname -f</nowiki></code> returns the first name listed for the address, and the join step later builds the machine's Kerberos principal from it.

=== Set up Kerberos ===
The first step in setting up Kerberos is to install the appropriate client software.

==== Required software ====
Install the '''krb5-user''' and '''libpam-krb5''' packages from the '''Universe''' repository.

'''Note:''' If you do not intend to acquire a Kerberos ticket at login, you need not install the ''libpam-krb5'' package.

Installing these will also fetch the additional packages ''krb5-config'', ''libkrb53'' and ''libkadm55''.

The ''krb5-config'' installation will present a prompt:

<pre><nowiki>
What are the Kerberos servers for your realm?
win2k3.lab.example.com

What is the administrative server for your Kerberos realm?
win2k3.lab.example.com
</nowiki></pre>

Answer these prompts with the Active Directory Domain Controller in charge of your domain. The ''krb5-config'' process customizes the <code><nowiki>/etc/krb5.conf</nowiki></code> file for your installation. In most cases this config file will work, but if you want a more streamlined one (e.g., without all the Kerberos 4 cruft), you can use the following as a template:

file: <code><nowiki>/etc/krb5.conf</nowiki></code>
<pre><nowiki>
[logging]
 default = FILE:/var/log/krb5.log

[libdefaults]
 ticket_lifetime = 24000
 clock_skew = 300
 default_realm = LAB.EXAMPLE.COM
# dns_lookup_realm = false
# dns_lookup_kdc = true

[realms]
 LAB.EXAMPLE.COM = {
  kdc = win2k3.lab.example.com:88
  admin_server = win2k3.lab.example.com:464
  default_domain = LAB.EXAMPLE.COM
 }

[domain_realm]
 .lab.example.com = LAB.EXAMPLE.COM
 lab.example.com = LAB.EXAMPLE.COM
</nowiki></pre>

Notice that the two "dns" directives are commented out. You can either use DNS to find the Kerberos realm servers or define them statically in <code><nowiki>krb5.conf</nowiki></code>. If you elect to use DNS, uncomment the two lines above and comment out or remove the entire entry for your realm under the <code><nowiki>[realms]</nowiki></code> heading; the client will then locate KDCs through the _kerberos._tcp and _kerberos._udp SRV records that AD publishes in its DNS. Write the realm name in upper case: Kerberos compares realm names case-sensitively, and an AD realm is the upper-cased DNS domain name.

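To make the static-versus-DNS choice and the realm/domain mapping checkable rather than eyeballed, here is a small parser for the krb5.conf subset used above together with the consistency checks a client needs to pass before kinit is worth trying. This is an added example written for this howto; it is not code from the original page or from MIT Kerberos, and the embedded SAMPLE_KRB5_CONF is constructed from the template above.

```python
"""Minimal parser and sanity checker for the krb5.conf layout used above.

This is an added example for this howto, not code from the original page or
from MIT Kerberos. It handles the subset of the krb5.conf format the page
uses: [section] headers, key = value lines, '#' comments and one level of
nested REALM = { ... } blocks. SAMPLE_KRB5_CONF is constructed from the
page's own template.
"""
import re

SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5.log

[libdefaults]
 ticket_lifetime = 24000
 clock_skew = 300
 default_realm = LAB.EXAMPLE.COM
# dns_lookup_realm = false
# dns_lookup_kdc = true

[realms]
 LAB.EXAMPLE.COM = {
  kdc = win2k3.lab.example.com:88
  admin_server = win2k3.lab.example.com:464
  default_domain = LAB.EXAMPLE.COM
 }

[domain_realm]
 .lab.example.com = LAB.EXAMPLE.COM
 lab.example.com = LAB.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} where a nested block is itself a dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def check_krb5_conf(conf):
    """Return a list of findings for a single-realm AD client; empty means OK."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    # AD realm names are the DNS domain in upper case; Kerberos compares them case-sensitively.
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper-case")
    # The client needs one way to find a KDC: a static entry or DNS SRV lookups (not neither).
    static = conf.get("realms", {}).get(realm, {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1")
    if "kdc" not in static and not dns_kdc:
        findings.append(f"no kdc for {realm} and dns_lookup_kdc is off")
    # Every host in the domain must map to this realm, or service principals resolve wrongly.
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped != realm:
            findings.append(f"domain_realm maps {domain} to {mapped}, not {realm}")
    # A skew larger than the DC's tolerance (5 minutes by default) only hides clock problems.
    if int(libdefaults.get("clock_skew", "300")) > 300:
        findings.append("clock_skew exceeds the 300 s the DC enforces by default")
    return findings


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(check_krb5_conf(parsed) or "krb5.conf looks consistent")
```

Run it against a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; the checker assumes the single-realm layout of this page, so in a multi-realm forest the domain_realm check will flag the other realms' mappings and should be relaxed.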
''' Testing '''

Request a Ticket-Granting Ticket (TGT) with the <code><nowiki>kinit</nowiki></code> command, as shown. You can use any valid domain account; it doesn't have to be Administrator. You can also omit the realm from the command if the "default_realm" directive is set correctly in <code><nowiki>/etc/krb5.conf</nowiki></code>.

<pre><nowiki>
root@linuxwork:~# kinit Administrator@LAB.EXAMPLE.COM
Password for Administrator@LAB.EXAMPLE.COM: ****
</nowiki></pre>

Check that the ticket request succeeded with the <code><nowiki>klist</nowiki></code> command.
<pre><nowiki>
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LAB.EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
        renew until 01/21/05 20:28:51
</nowiki></pre>

At this point your Kerberos installation and configuration are working. Release the test ticket with the <code><nowiki>kdestroy</nowiki></code> command, which removes the cache file; do not leave an Administrator TGT sitting in /tmp on a workstation longer than the test needs.

=== Join AD domain ===

==== Required software ====
You need to install the '''winbind''' and '''samba''' packages. You can also install the '''smbfs''' and '''smbclient''' packages.

'''Note:''' For Windows 2003 Server SP1, Winbind version 3.0.14a is necessary. Hoary only has version 3.0.10, but you can find 3.0.14a in Breezy.

'''Note:''' The ''smbfs'' package is optional but includes useful client utilities, including the '''smbmount''' command. Also useful is the ''smbclient'' package, which includes an FTP-like client for SMB shares.

==== Join ====

file: <code><nowiki>/etc/samba/smb.conf</nowiki></code>
<pre><nowiki>
preferred master = no
os level = 0
</nowiki></pre>

'''Note:''' The "winbind use default domain" parameter is useful in single-domain enterprises; it makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain. The "winbind separator" directive is optional; the default value is the usual backslash "\" domain/user separator. Use "+" if you know of a specific reason "\" will not work in your environment (the backslash has to be escaped in most shells, which is why the logins shown on this page use "+").

Be sure to restart the Samba and Winbind services after changing the <code><nowiki>/etc/samba/smb.conf</nowiki></code> file:

<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind stop
root@linuxwork:~# /etc/init.d/samba stop
root@linuxwork:~# /etc/init.d/samba start
root@linuxwork:~# /etc/init.d/winbind start
</nowiki></pre>

Request a valid Kerberos TGT with kinit for an account that is allowed to join a workstation to the AD domain.
Now join the domain. If the ticket is valid you should not need to supply a password; even if prompted, you should be able to leave it blank.

<pre><nowiki>
root@linuxwork:~# net ads join
</nowiki></pre>
'''Note:''' If the Kerberos auth was valid, you should not be asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command <code><nowiki>sudo net ads join -U username</nowiki></code> and supply your password when prompted. Otherwise you will be asked to authenticate as root@LAB.EXAMPLE.COM instead of a valid account name: sudo runs net as root, whose credential cache is /tmp/krb5cc_0, so the ticket you obtained as your normal user is not visible to it. The join creates a computer account for linuxwork in AD and stores its machine password in Samba's secrets.tdb, which must therefore stay readable by root only.

==== Testing ====
<pre><nowiki>
# wbinfo -u
</nowiki></pre>
You should get a list of the users of the domain.

And a list of the groups. Be patient; these queries can take time.
<pre><nowiki>
# wbinfo -g
</nowiki></pre>
If both lists come back empty, check the machine trust account created by the join with <code><nowiki>wbinfo -t</nowiki></code> before looking anywhere else.

=== Setup Authentication ===
==== nsswitch ====

file: <code><nowiki>/etc/nsswitch.conf</nowiki></code>
<pre><nowiki>
passwd: compat winbind
group: compat winbind
shadow: compat
</nowiki></pre>
The shadow line stays as it is: winbind does not serve shadow entries, and domain passwords are verified by pam_winbind against the DC rather than read from a local file.

==== Testing ====
Check the Winbind nsswitch module with '''getent'''.

<pre><nowiki>
root@linuxwork:~# getent passwd

root:x:0:0:root:/root:/bin/bash
...
</nowiki></pre>
<pre><nowiki>
root@linuxwork:~# getent group

root:x:0:
daemon:x:1:
...
</nowiki></pre>
After the local entries, the domain users and groups should follow, prefixed with the domain and the winbind separator (e.g. LAB+manuel) and carrying uids and gids from the idmap range in smb.conf. Full enumeration only works while "winbind enum users" and "winbind enum groups" are enabled; if you turn them off (see Troubleshooting), query a single account instead with <code><nowiki>getent passwd LAB+manuel</nowiki></code>.

==== PAM ====
With this config you can log in to the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory is created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of ''pam_winbind.so'' and ''pam_unix.so'' should be reversed. When used with local accounts, the configuration shown here results in a failed authentication against the Windows/Samba DC for each login and sudo use, which litters the DC's event log. Likewise, if local accounts are checked first, /var/log/auth.log is littered with failed logon attempts each time a domain account is used.

This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use ''kinit'' after logging in, and consider calling ''kdestroy'' from a logout script.

file: <code><nowiki>/etc/pam.d/common-account</nowiki></code>
<pre><nowiki>
account sufficient pam_winbind.so
account required pam_unix.so
</nowiki></pre>

file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
<pre><nowiki>
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
</nowiki></pre>

file: <code><nowiki>/etc/pam.d/common-session</nowiki></code>
<pre><nowiki>
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
</nowiki></pre>

file: <code><nowiki>/etc/pam.d/sudo</nowiki></code>
<pre><nowiki>
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so

@include common-account
</nowiki></pre>

The trailing pam_deny.so line matters: with only "sufficient" entries the stack would fall through to PAM's default result if both backends fail, and the explicit deny makes that failure unambiguous. Note also that umask=0022 creates home directories that every other user on the machine can read; use umask=0077 if domain users should not be able to browse each other's files.

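The ordering argument above is easy to get wrong because "sufficient" and "required" do not simply mean "try this next". The following model, added for this howto and not part of the original page or of Linux-PAM, replays the common-auth stack with the pam.d(5) control-flag rules and records where each failed attempt would be logged, so you can see the event-log noise for a local user under the domain-first order and the auth.log noise for a domain user under the reversed order. The accounts and log lines are constructed; use_first_pass is modelled by handing the same password to every module.

```python
"""Model of how the PAM 'auth' stacks on this page are evaluated.

Added example for this howto; it is neither the page's own code nor PAM
itself. It implements just the two control flags the stacks above use, with
the semantics from pam.d(5): a 'sufficient' module that succeeds ends the
stack with success unless an earlier 'required' module failed; a 'required'
module that fails is remembered but later modules still run. The accounts
and log lines are constructed; use_first_pass is modelled by handing the
same password to every module.
"""

# Constructed accounts: local users live in /etc/shadow, domain users in AD.
LOCAL_USERS = {"root": "r00tpw", "alice": "alicepw"}
DOMAIN_USERS = {"LAB+manuel": "manuelpw"}


def pam_unix(user, password, log):
    """Local password check; a miss is logged to the workstation's auth.log."""
    ok = LOCAL_USERS.get(user) == password
    if not ok:
        log.append(f"auth.log: pam_unix(login:auth): authentication failure; user={user}")
    return ok


def pam_winbind(user, password, log):
    """Domain password check; a miss is a failed logon in the DC's event log."""
    ok = DOMAIN_USERS.get(user) == password
    if not ok:
        log.append(f"DC event log: failed logon for {user} from linuxwork")
    return ok


def pam_deny(user, password, log):
    """Always fails; closes the stack so an unmatched user is never let in."""
    return False


def run_stack(stack, user, password):
    """Evaluate [(control, module), ...] in order; return (success, log lines)."""
    log, required_failed = [], False
    for control, module in stack:
        ok = module(user, password, log)
        if control == "sufficient":
            if ok and not required_failed:
                return True, log
        elif control == "required":
            if not ok:
                required_failed = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    # Reaching the end means no sufficient module succeeded (or a required one failed).
    return False, log


# common-auth as shown above: domain accounts first, then local, then deny.
DOMAIN_FIRST = [("sufficient", pam_winbind), ("sufficient", pam_unix), ("required", pam_deny)]
# The reversed order the text recommends for machines used mostly by local accounts.
LOCAL_FIRST = [("sufficient", pam_unix), ("sufficient", pam_winbind), ("required", pam_deny)]


if __name__ == "__main__":
    for name, stack in (("domain first", DOMAIN_FIRST), ("local first", LOCAL_FIRST)):
        for user, pw in (("alice", "alicepw"), ("LAB+manuel", "manuelpw"), ("LAB+manuel", "wrong")):
            ok, log = run_stack(stack, user, pw)
            print(f"{name:12} {user:12} ok={ok} noise={log}")
```

The model shows that both orders authenticate both kinds of account; the only difference is which log absorbs a failed attempt on every login, which is exactly the trade-off the text describes. It also shows why a required module placed before the sufficient ones (pam_deny first, say) locks everyone out.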
=== Final configuration ===
Each domain needs a directory in /home/.

<pre><nowiki>
root@linuxwork:~# mkdir /home/LAB
</nowiki></pre>
Where adgroup is a group from your Active Directory. Keep in mind that spaces in the group name are not allowed; maybe you can use '%Domain\ admins', but I haven't tested it.

=== Usage ===
Log on with DOMAIN+USERNAME, unless you included "winbind use default domain" in your ''smb.conf'', in which case you may log in using only USERNAME.

<pre><nowiki>
login: LAB+manuel
Password:
LAB+manuel@linuxwork:~$
</nowiki></pre>

=== Automatic Kerberos Ticket Refresh ===
To have pam_winbind obtain a Kerberos ticket at login and refresh it automatically, add the <code><nowiki>winbind refresh tickets</nowiki></code> line to <code><nowiki>smb.conf</nowiki></code>:

file: <code><nowiki>/etc/samba/smb.conf</nowiki></code>
<pre><nowiki>
winbind refresh tickets = yes
idmap uid = 10000-20000
</nowiki></pre>

And modify <code><nowiki>/etc/pam.d/common-auth</nowiki></code> so that pam_winbind authenticates through Kerberos and stores the resulting ticket in a file cache (winbindd then renews it while the session lasts):

file: <code><nowiki>/etc/pam.d/common-auth</nowiki></code>
<pre><nowiki>
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
</nowiki></pre>

=== Troubleshooting ===
If the Winbind PAM module reports in <code><nowiki>/var/log/auth.log</nowiki></code> that the AD user does not exist, restart winbind. It may be simplest to restart the whole workstation.

<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind restart
</nowiki></pre>

If you get a "no logon servers" error when logging in to the machine, winbind or samba may not be starting properly. Try restarting them manually, and then logging in.

If a manual restart works, rename the scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d and rc5.d directories. This makes samba and winbind start later in the boot order for each runlevel, after S24avahi-daemon. If you then find that you must wait a while before you can log in, set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'.

'''name service cache daemon'''

The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it.

<pre><nowiki>
sudo apt-get remove nscd
</nowiki></pre>

'''Some names or groups are not resolved with getent, but others are'''
The range of your idmap parameter is not wide enough to hold all the users and groups. With the default tdb idmap backend every user and group winbind has seen consumes one id from the range, so widen it, for example:

<pre><nowiki>
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
</nowiki></pre>
Do not shrink or move a range that is already in use: the mappings stored in the idmap tdb keep their old ids, and file ownership on the workstation is tied to them.

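The getent test in the nsswitch section and the idmap entry just above are the same check from two sides: everything winbind enumerates must resolve through NSS with an id inside the configured range, and the range must have room for it. The script below, added for this howto and not part of the original page or of Samba, automates that comparison. WBINFO_USERS and GETENT_PASSWD are constructed stand-ins for the output of `wbinfo -u` and `getent passwd`; the '+' separator and the 10000-20000 range are taken from the page.

```python
"""Cross-check winbind enumeration against NSS resolution and the idmap range.

Added example for this howto (not the page's own code and not part of Samba).
It automates the check behind the nsswitch "Testing" section and the
"Some names or groups are not resolved" entry above: every account wbinfo -u
lists should come back from getent passwd with a uid inside 'idmap uid', and
the range must have room for all of them (with the tdb backend each user
consumes one id). WBINFO_USERS and GETENT_PASSWD are constructed output; on
a real host paste the output of 'wbinfo -u' and 'getent passwd'. The '+'
separator and the 10000-20000 range come from the page.
"""

WBINFO_USERS = ["LAB+administrator", "LAB+manuel", "LAB+guest"]

GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+manuel:x:10001:10000:Manuel:/home/LAB/manuel:/bin/bash
"""


def parse_idmap_range(spec):
    """'10000-20000' (the smb.conf 'idmap uid' syntax) -> (10000, 20000)."""
    low, high = (int(part) for part in spec.split("-"))
    if low > high:
        raise ValueError(f"bad idmap range {spec!r}")
    return low, high


def parse_getent_passwd(text):
    """Return {name: uid} from getent passwd output (seven colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def diagnose(wbinfo_users, getent_text, idmap_uid, separator="+"):
    """Compare what winbind knows with what NSS resolves; return the findings."""
    low, high = parse_idmap_range(idmap_uid)
    resolved = parse_getent_passwd(getent_text)
    capacity = high - low + 1
    return {
        # listed by wbinfo but not visible through NSS: the symptom described above
        "unresolved": sorted(u for u in wbinfo_users if u not in resolved),
        # a domain account with a uid outside the range points at a stale idmap tdb
        "outside_range": sorted(
            name for name, uid in resolved.items()
            if separator in name and not low <= uid <= high
        ),
        "capacity": capacity,
        "range_too_small": len(wbinfo_users) > capacity,
    }


if __name__ == "__main__":
    for spec in ("10000-10001", "10000-20000"):
        print(spec, diagnose(WBINFO_USERS, GETENT_PASSWD, spec))
```

An "unresolved" list that is non-empty while "range_too_small" is false means the range is not the problem; look at nscd or a stale winbind cache instead. Groups get the same treatment by feeding `wbinfo -g` and `getent group` through a parser with four fields and the 'idmap gid' range.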
==== External Docs ====

Also see [http://wiki.randompage.org/index.php/Using_Samba_on_Debian_Linux_to_authenticate_against_Active_Directory Using Samba on Debian Linux to authenticate against Active Directory] on randompage.org. It largely mirrors this page but has a little more detail.

==== Automated Methods ====

The [https://help.ubuntu.com/community/ActiveDirectoryWinbind-SADMS SADMS] package allows automated joining to Active Directory through a GUI ([http://sadms.sourceforge.net/ project site]).
2007年11月30日 (五) 15:12的版本
This Howto describes how to add a Ubuntu box in a Active Directory domain and to authenticate the users with AD.
目录
Used software
Name | Version |
MS Windows Server | 2003 standard sp1 |
Linux | Ubuntu Breezy 5.10 |
Winbind | 3.0.14a-Ubuntu |
Samba | 3.0.14a-Ubuntu |
krb5-user | 1.3.6-1 |
libpam-krb5 | 1.0-12 |
Used terms
term | definition |
AD | Active Directory |
DC | Domain Controller |
lab.example.com | AD domain |
win2k3.lab.example.com | DC FQDN |
10.0.0.1 | DC IP |
LAB.EXAMPLE.COM | Kerberos Realm |
linuxwork | computername of the Ubuntu workstation |
linuxwork.lab.example.com | FQDN of the Ubuntu workstation |
ntp.example.com | timeserver (NTP) |
Confirm Connectivity
The first step to configuring an Ubuntu client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the fully-qualified domain name (FQDN) of the AD DC on your network.
root@linuxwork:~# ping win2k3.lab.example.com PING win2k3.lab.example.com (10.0.0.1) 56(84) bytes of data. 64 bytes from win2k3.lab.example.com (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms
The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Ubuntu workstation and the AD DC.
Time settings
Time is essential for Kerberos, which is used for authentication in Active Directory networks. The easiest way to ensure correct time syncronization is to use a NTP-Server. Every Active Directory Domain Controller is also an NTP server, so for best results, use the FQDN of an AD DC in Ubuntu's default ntpdate application, which syncs time at startup or on demand.
For Kubuntu 7.10 (and likely other versions as well) ntpdate does not pull the servername from any config files, instead it expects the NTP server as an argument on the commandline. Therefore it is simplest to work with the options of adjust date and time of the GUI clock. Choose set date and time automatically, and then enter your AD DC as the NTP server. If it is reading from the config files then set things up in /etc/default/ntpdate as below.
file: /etc/default/ntpdate
# servers to check NTPSERVERS="win2k3.lab.example.com" # additional options for ntpdate NTPOPTIONS="-u"
root@linuxwork:~# /etc/init.d/ntpdate restart * Synchronizing clock to win2k3.lab.example.com... [ ok ]
FQDN
A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Ubuntu workstation to make sure that your FQDN is resolvable.
file: /etc/hosts
<pre><nowiki>
127.0.0.1       linuxwork.lab.example.com       localhost       linuxwork
</nowiki></pre>
You can test your configuration by pinging your own FQDN. The output should be similar to the ping output above, from the Network Connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1).
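The three prerequisites above (DC reachability, clock skew, and an /etc/hosts entry with the FQDN first) are easy to get subtly wrong, and a wrong one surfaces later as an opaque Kerberos error. The script below is an added example and not part of the original howto or of any Ubuntu package: it checks all three before the join, with the reachability and NTP probes only run on demand so the pure checks can be exercised offline. DC_FQDN, REALM, MAX_SKEW and the function names are the script's own assumptions; the defaults are the lab values used on this page. The NTP probe uses `ntpdate -q`, which queries the server without setting the clock.

```shell
#!/bin/sh
# Added example, not part of the original howto: check the three prerequisites
# described above (DC reachability, clock skew, local FQDN mapping) before
# joining. DC_FQDN, REALM, MAX_SKEW and every function name are this script's
# own; the DC and realm default to the lab values used on the page.

DC_FQDN="${DC_FQDN:-win2k3.lab.example.com}"
REALM="${REALM:-LAB.EXAMPLE.COM}"
MAX_SKEW=300     # seconds, the same window as clock_skew = 300 in krb5.conf

# skew_ok LOCAL_EPOCH REMOTE_EPOCH -> 0 when |local - remote| <= MAX_SKEW.
# Kerberos rejects requests outside this window, so a failure here means
# "fix NTP first", not "fix Kerberos".
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# hosts_fqdn_first LINE FQDN -> 0 when the FQDN is the first name after the
# address on an /etc/hosts line. If the short name comes first, hostname -f
# returns the short name and the host principal Samba registers is wrong.
hosts_fqdn_first() {
    want=$2
    case "$1" in "#"*|"") return 1 ;; esac
    set -- $1                     # word-split: $1 address, $2 first name
    [ "$#" -ge 2 ] && [ "$2" = "$want" ]
}

# fqdn_in_realm FQDN REALM -> 0 when the DNS domain of FQDN equals the realm
# (case-insensitively), e.g. linuxwork.lab.example.com in LAB.EXAMPLE.COM.
fqdn_in_realm() {
    domain=$(printf '%s' "${1#*.}" | tr 'a-z' 'A-Z')
    [ "$domain" = "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" ]
}

# run_live_checks -> runs the real checks on this host; prints ok/FAIL per item
run_live_checks() {
    rc=0
    if ping -c 1 -W 2 "$DC_FQDN" >/dev/null 2>&1; then
        echo "ok   $DC_FQDN resolves and answers ping"
    else
        echo "FAIL $DC_FQDN does not resolve or does not answer"; rc=1
    fi

    # ntpdate -q only queries the server and never touches the local clock
    offset=$(ntpdate -q "$DC_FQDN" 2>/dev/null \
             | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$offset" ]; then
        now=$(date +%s)
        remote=$(awk -v n="$now" -v o="$offset" 'BEGIN { printf "%d", n + o }')
        if skew_ok "$now" "$remote"; then
            echo "ok   clock offset ${offset}s is within ${MAX_SKEW}s"
        else
            echo "FAIL clock offset ${offset}s exceeds ${MAX_SKEW}s; sync with ntpdate first"; rc=1
        fi
    else
        echo "WARN could not query NTP on $DC_FQDN"
    fi

    fqdn=$(hostname -f 2>/dev/null); short=$(hostname)
    line=$(grep -v '^[[:space:]]*#' /etc/hosts | grep -w "$short" | head -n 1)
    if hosts_fqdn_first "$line" "$fqdn" && fqdn_in_realm "$fqdn" "$REALM"; then
        echo "ok   $short resolves locally to $fqdn in realm $REALM"
    else
        echo "FAIL /etc/hosts needs '<address> $short.<domain> $short' and the domain must match $REALM"; rc=1
    fi
    return $rc
}

# Only run the live checks when invoked as:  sh check_ad_prereqs.sh run
if [ "${1-}" = "run" ]; then
    run_live_checks
fi
```

The realm comparison is what catches the classic mistake: if /etc/hosts lists the short name first, `hostname -f` returns just `linuxwork`, which has no domain part and therefore fails `fqdn_in_realm`, even though the line itself looks harmless.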
=== Set up Kerberos ===
The first step in setting up Kerberos is to install the appropriate client software.
==== Required software ====
To install the necessary Kerberos packages, install krb5-user and libpam-krb5 from the Universe repository. If you do not intend to acquire a Kerberos ticket at login, you need not install the libpam-krb5 package. Installing these will also fetch the additional packages krb5-config, libkrb53, and libkadm55. The krb5-config installation will present a prompt:
<pre><nowiki>
What are the Kerberos servers for your realm? win2k3.lab.example.com
What is the administrative server for your Kerberos realm? win2k3.lab.example.com
</nowiki></pre>
These prompts should be answered according to the Active Directory Domain Controller in charge of your domain. The krb5-config process customizes the /etc/krb5.conf file for your installation. In most cases, this config file will work successfully, but if you want a more streamlined config file (e.g., without all the Kerberos 4 cruft), you can use the following as a template:
file: /etc/krb5.conf
<pre><nowiki>
[logging]
   default = FILE:/var/log/krb5.log

[libdefaults]
   ticket_lifetime = 24000
   clock_skew = 300
   default_realm = LAB.EXAMPLE.COM
#  dns_lookup_realm = false
#  dns_lookup_kdc = true

[realms]
   LAB.EXAMPLE.COM = {
      kdc = win2k3.lab.example.com:88
      admin_server = win2k3.lab.example.com:464
      default_domain = LAB.EXAMPLE.COM
   }

[domain_realm]
   .lab.example.com = LAB.EXAMPLE.COM
   lab.example.com = LAB.EXAMPLE.COM
</nowiki></pre>
Notice that the two "DNS" directives are commented out. You can elect to use DNS to find Kerberos realm servers, or you can elect to use the krb5.conf file to define Kerberos realm servers. If you elect to use DNS, uncomment the two lines above and instead comment out or remove the entire directive for your realm under the [realms] heading.
==== Testing ====
Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, as shown. You can use any valid domain account; it doesn't have to be Administrator. You can also omit the realm name from the command if the "default_realm" directive is properly applied in the /etc/krb5.conf file.
<pre><nowiki>
root@linuxwork:~# kinit administrator@LAB.EXAMPLE.COM
Password for administrator@LAB.EXAMPLE.COM: ****
</nowiki></pre>
Check that the ticket request was valid using the klist command.
<pre><nowiki>
root@linuxwork:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@LAB.EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
        renew until 01/21/05 20:28:51
</nowiki></pre>
At this point, your Kerberos installation and configuration are operating correctly. You can release your test ticket by issuing the kdestroy command.
=== Join AD domain ===
==== Required software ====
You need to install the winbind and samba packages. You can also install the smbfs and smbclient packages. For Windows 2003 Server SP1, Winbind version 3.0.14a is necessary. Hoary only has version 3.0.10, but you can find 3.0.14a in Breezy. The package smbfs is optional, but includes useful client utilities, including the smbmount command. Also useful is the smbclient package, which includes an FTP-like client for SMB shares.
==== Join ====
file: /etc/samba/smb.conf
<pre><nowiki>
[global]
   security = ads
   realm = LAB.EXAMPLE.COM
   password server = 10.0.0.1
   # note that workgroup is the 'short' domain name
   workgroup = LAB
   # winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
   # to avoid the workstation from
   # trying to become a master browser
   # on your windows network add the
   # following lines
   domain master = no
   local master = no
   preferred master = no
   os level = 0
</nowiki></pre>
The "winbind use default domain" parameter is useful in single-domain enterprises and makes winbind assume that all user authentications should be performed in the domain to which winbind is joined. Omit this parameter if your environment includes multiple domains or if your account domain differs from the resource domain. The "winbind separator" directive is optional, and the default value is the usual backslash "\" Domain and User separator. You can use "+" if you know of a specific reason "\" will not work in your environment.
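Several of the settings in the smb.conf above are the ones that decide how the workstation talks to the DC (SPNEGO/Kerberos first, NTLMv2 only, encrypted passwords, no anonymous access), and the idmap ranges decide which domain accounts resolve at all. The script below is an added example, not code from the original howto or from Samba: it reads [global] parameters the way Samba resolves them (case-insensitive keys, comments ignored, later duplicates win) and reports any of those settings that differ from the values used on this page. It also checks whether a given uid or gid falls inside the idmap range, which is the "some names are not resolved" symptom described under Troubleshooting further down. The function names and the constructed sample configuration are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: read [global] parameters out
# of an smb.conf the way Samba resolves them (case-insensitive keys, comments
# ignored, the last duplicate wins) and audit the settings the page relies on.
# Function names and the constructed sample configs are this script's own.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_param FILE NAME -> value of NAME from [global], empty when unset
smb_param() {
    awk -v want="$(lc "$2")" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); gsub(/[ \t]+/, " ", key)
            if (key == want) found = val                        # later wins
        }
        END { print found }' "$1"
}

# idmap_covers FILE uid|gid NUMBER -> 0 when NUMBER lies inside the idmap range.
# A range too narrow for the domain is the Troubleshooting section's
# "some names are not resolved" symptom; this makes the check explicit.
idmap_covers() {
    range=$(smb_param "$1" "idmap $2" | tr -d ' ')
    lo=${range%-*}; hi=${range#*-}
    [ -n "$range" ] && [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]
}

# want_param NAME VALUE WHY -> prints a finding and returns 1 when CONF differs
want_param() {
    got=$(smb_param "$CONF" "$1")
    if [ "$(lc "$got")" != "$(lc "$2")" ]; then
        echo "$1 = '${got:-<unset>}', want '$2': $3"
        return 1
    fi
}

# audit_smb_conf FILE -> one finding per line; exit 0 only when clean
audit_smb_conf() {
    CONF=$1; n=0
    want_param "security" "ads" "domain members must authenticate through AD" || n=$((n+1))
    want_param "client use spnego" "yes" "negotiate Kerberos before any NTLM fallback" || n=$((n+1))
    want_param "client ntlmv2 auth" "yes" "do not send LM/NTLMv1 responses" || n=$((n+1))
    want_param "encrypt passwords" "yes" "never send cleartext passwords" || n=$((n+1))
    want_param "restrict anonymous" "2" "limit anonymous (null-session) access" || n=$((n+1))
    [ -n "$(smb_param "$CONF" realm)" ] || { echo "realm is unset: Kerberos has no realm to use"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# write_sample_conf PATH NTLMV2 RESTRICT -> constructed config modelled on the
# page's [global]; the two arguments let a weak variant be produced.
write_sample_conf() {
    cat > "$1" <<EOF
[global]
   security = ads
   realm = LAB.EXAMPLE.COM
   password server = 10.0.0.1
   # note that workgroup is the 'short' domain name
   Workgroup = LAB
   # winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template homedir = /home/%D/%U
   client use spnego = yes
   client ntlmv2 auth = $2
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = $3

[homes]
   restrict anonymous = 0
EOF
}

# Usage on a real host:  sh smb_audit.sh /etc/samba/smb.conf
if [ -n "${1-}" ]; then
    audit_smb_conf "$1" && echo "no findings"
fi
```

The `[homes]` section in the constructed sample carries a conflicting `restrict anonymous = 0` on purpose: it shows that the parser only honours [global], which is where Samba reads these settings from. The commented-out `winbind separator` line is likewise reported as unset, matching the page's advice that the default backslash is fine unless you have a reason to change it.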
Be sure to restart the Samba and Winbind services after changing the /etc/samba/smb.conf file:
<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind stop
root@linuxwork:~# /etc/init.d/samba restart
root@linuxwork:~# /etc/init.d/winbind start
</nowiki></pre>
Using kinit, request a valid Kerberos TGT for an account that is allowed to join a workstation to the AD domain. Now join the domain; if the ticket is valid you should not need to supply a password (even if prompted, you should be able to leave it blank).
<pre><nowiki>
root@linuxwork:~# net ads join
Using short domain name -- LAB
Joined 'linuxwork' to realm 'LAB.EXAMPLE.COM'
</nowiki></pre>
If the Kerberos authentication was valid, you should not be asked for a password. However, if you are not working as root and are instead using sudo to perform the necessary tasks, use the command sudo net ads join -U username and supply your password when prompted. Otherwise, you will be asked to authenticate as root@LAB.EXAMPLE.COM instead of as a valid account name.
==== Testing ====
<pre><nowiki>
# wbinfo -u
</nowiki></pre>
You should get a list of the users of the domain.
<pre><nowiki>
# wbinfo -g
</nowiki></pre>
And a list of the groups. Be patient; these queries can take time.
=== Setup Authentication ===
==== nsswitch ====
file: /etc/nsswitch.conf
<pre><nowiki>
passwd:         compat winbind
group:          compat winbind
shadow:         compat
</nowiki></pre>
==== Testing ====
Check the Winbind nsswitch module with getent.
<pre><nowiki>
root@linuxwork:~# getent passwd
root:x:0:0:root:/root:/bin/bash
...
LAB+administrator:x:10000:10000:Administrator:/home/LAB/administrator:/bin/bash
LAB+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
...
</nowiki></pre>
<pre><nowiki>
root@linuxwork:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
...
LAB+organisations-admins:x:10005:administrator
LAB+domänen-admins:x:10006:manuel,administrator
LAB+domänen-benutzer:x:10000:
LAB+domänen-gäste:x:10001:
LAB+linux-admins:x:10004:manuel
...
</nowiki></pre>
==== PAM ====
With this config you can access the workstation with local accounts or with domain accounts. On the first login of a domain user a home directory will be created. This PAM configuration assumes that the system will be used primarily with domain accounts. If the opposite is true (i.e., the system will be used primarily with local accounts), the order of pam_winbind.so and pam_unix.so should be reversed. When used with local accounts, the configuration shown here will result in a failed authentication to the Windows/Samba DC for each login and sudo use. This can litter the DC's event log. Likewise, if local accounts are checked first, the /var/log/auth.log will be littered with failed logon attempts each time a domain account is accessed.
This PAM configuration does not acquire a Kerberos TGT at login. To acquire a ticket, use kinit after logging in, and consider using kdestroy in a logout script.
file: /etc/pam.d/common-account
<pre><nowiki>
account sufficient pam_winbind.so
account required   pam_unix.so
</nowiki></pre>
file: /etc/pam.d/common-auth
<pre><nowiki>
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so
</nowiki></pre>
file: /etc/pam.d/common-session
<pre><nowiki>
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
</nowiki></pre>
file: /etc/pam.d/sudo
<pre><nowiki>
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required   pam_deny.so
@include common-account
</nowiki></pre>
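The PAM stacks above depend on three things that are easy to break when hand-editing: the order of pam_winbind.so and pam_unix.so (which decides whose failed attempts land in which log, as explained above), the `use_first_pass` option on the second module (so the password typed once is reused instead of prompted for again), and the final `auth required pam_deny.so` line that closes the stack explicitly. The script below is an added example and not part of the original howto or of any PAM package; it lints a common-auth style file for those three properties. The function names and the two constructed sample files are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: lint a PAM auth stack for the
# properties the text above depends on. Function names and the two constructed
# sample files are this script's own.

# pam_lines FILE TYPE -> the active (non-comment) lines of one type
pam_lines() {
    awk -v t="$2" '/^[ \t]*#/ { next } $1 == t { print }' "$1"
}

# auth_order FILE -> winbind-first | unix-first | none
# The text above explains the trade-off: whichever module is listed first sees
# every login, so failures for the other kind of account land in its log.
auth_order() {
    case "$(pam_lines "$1" auth | awk 'NR == 1 { print $3 }')" in
        pam_winbind.so) echo winbind-first ;;
        pam_unix.so)    echo unix-first ;;
        *)              echo none ;;
    esac
}

# stack_terminated FILE TYPE -> 0 when the last TYPE line is required/requisite
# pam_deny.so, the explicit terminator the page's stacks end with
stack_terminated() {
    last=$(pam_lines "$1" "$2" | tail -n 1)
    set -- $last
    [ "$#" -ge 3 ] && { [ "$2" = required ] || [ "$2" = requisite ]; } && [ "$3" = pam_deny.so ]
}

# first_pass_ok FILE -> 0 when every auth module after the first one that can
# prompt carries use_first_pass or try_first_pass, so the password typed once
# is reused rather than asked for again by the next module
first_pass_ok() {
    pam_lines "$1" auth | awk '
        $3 == "pam_deny.so" || $3 == "pam_permit.so" { next }   # never prompt
        n++ == 0 { next }                                       # first may prompt
        !/use_first_pass|try_first_pass/ { bad++ }
        END { exit bad > 0 }'
}

# lint_pam FILE -> report; exit 0 only when both checks pass
lint_pam() {
    rc=0
    echo "auth order: $(auth_order "$1")"
    stack_terminated "$1" auth || { echo "FAIL auth stack does not end in 'auth required pam_deny.so'"; rc=1; }
    first_pass_ok "$1" || { echo "FAIL a later auth module lacks use_first_pass; users will be prompted twice"; rc=1; }
    return $rc
}

# write_page_common_auth PATH -> the page's common-auth, constructed here
write_page_common_auth() {
    cat > "$1" <<'EOF'
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
EOF
}

# write_broken_common_auth PATH -> a constructed variant: local accounts first,
# no use_first_pass on the second module, and no pam_deny terminator
write_broken_common_auth() {
    cat > "$1" <<'EOF'
# comment lines are ignored
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_winbind.so
EOF
}

# Usage on a real host:  sh pam_lint.sh /etc/pam.d/common-auth
if [ -n "${1-}" ]; then
    lint_pam "$1"
fi
```

Running it against /etc/pam.d/sudo works the same way, since that file carries its own auth stack; the `@include common-account` line is ignored because its first field is not an auth type.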
=== Final configuration ===
Each domain needs a directory in /home/.
<pre><nowiki>
root@linuxwork:~# mkdir /home/LAB
</nowiki></pre>
=== One last thing ===
If you want to be able to use an Active Directory account to manage your Ubuntu box, you need to add it to the sudoers file. For that, edit the file /etc/group and add your username to the admin group, and to whatever other groups you need (plugdev, audio and cdrom, to mention a few). It will look like:
<pre><nowiki>
.......
admin:x:117:olduser,ActiveDirectoryUser
.......
</nowiki></pre>
where olduser is your current Linux user and ActiveDirectoryUser is the new administrator. Another way to make a domain group a sudoer on your Ubuntu box is to edit the file /etc/sudoers (using the command 'visudo') and add the following line:
<pre><nowiki>
%adgroup ALL=(ALL) ALL
</nowiki></pre>
where adgroup is a group from your Active Directory. Bear in mind that spaces in the group name are not allowed; '%Domain\ admins' might work, but this has not been tested.
=== Usage ===
Log on with DOMAIN+USERNAME, unless you included "winbind use default domain" in your smb.conf, in which case you may log in using only USERNAME.
<pre><nowiki>
login: LAB+manuel
Password: *****
...
LAB+manuel@linuxwork:~$
</nowiki></pre>
=== Automatic Kerberos Ticket Refresh ===
To have pam_winbind automatically refresh the Kerberos ticket, add the winbind refresh tickets line to smb.conf:
file: /etc/samba/smb.conf
<pre><nowiki>
   # winbind separator = +
   winbind refresh tickets = yes
   idmap uid = 10000-20000
</nowiki></pre>
And modify /etc/pam.d/common-auth:
file: /etc/pam.d/common-auth
<pre><nowiki>
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so
</nowiki></pre>
=== Troubleshooting ===
If the Winbind PAM module reports in /var/log/auth.log that the AD user does not exist, restart winbind. It is probably best to restart the whole workstation.
<pre><nowiki>
root@linuxwork:~# /etc/init.d/winbind start
</nowiki></pre>
If, when logging into the machine, you get a "no logon servers" error, winbind/samba may not be starting properly. Try restarting them manually, and then logging in. If a manual restart works, then to fix this issue you need to rename the scripts S20samba and S20winbind to S25samba and S25winbind in the /etc/rc2.d, rc3.d, rc4.d and rc5.d folders. This causes samba and winbind to start later in the boot order for each runlevel, so that they start after S24avahi-daemon. If you then find that you must wait a bit before you can log in, set "winbind enum users" and "winbind enum groups" in /etc/samba/smb.conf to 'no'.

==== name service cache daemon ====
The name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it:
<pre><nowiki>
sudo apt-get remove nscd
</nowiki></pre>

==== Some names or groups are not resolved with getent, but others are ====
The range of your idmap parameters is not wide enough to encompass all the users or groups. Widen the range:
<pre><nowiki>
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
</nowiki></pre>
=== External Docs ===
Also see Using Samba on Debian Linux to authenticate against Active Directory on randompage.org. It largely mirrors this page but has a little more detail.
=== Automated Methods ===
The SADMS package allows for automated joining to Active Directory through a GUI interface. [1]