[Edit] I have since tested this on the full release of Ubuntu 10.04 Server (21/May/2010).
I configured my Ubuntu 10.04 Server LTS, residing on a Windows network, to authenticate logins using Active Directory, then mount a Windows share to serve as the users' home directory.
Here is what I did, starting from the initial installation of Ubuntu.
-
Get updates
# sudo apt-get update && sudo apt-get upgrade
-
Install an SSH server (sshd)
# sudo apt-get install openssh-server
Some would argue that you should "lock sshd down" by disabling root logins. I figure if you're smart enough to hack an ssh session for a root password, you're probably not going to be thwarted by the addition of PermitRootLogin no in the /etc/ssh/sshd_config file. If you're paranoid or just not convinced, then edit the file or give the following a spin:
# (grep PermitRootLogin /etc/ssh/sshd_config && sudo sed -ri 's/(PermitRootLogin ).+/\1no/' /etc/ssh/sshd_config) || echo "PermitRootLogin not found. Add it manually."
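The one-liner above only handles an active PermitRootLogin line; a commented-out default (#PermitRootLogin yes) is found by grep but never rewritten, and the directive is never added when absent. The script below is an added example, not part of the original post, that covers all three states and reads back the value sshd would actually use (the first active directive). Function names are my own; it takes the file path as an argument so it can be tried on a copy, and like the post's one-liner it assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the original post): set PermitRootLogin in an
# sshd_config-style file whether the directive is active, commented out or
# missing. Pass a copy of /etc/ssh/sshd_config to try it safely.
set -eu

# set_permit_root_login FILE VALUE
# Rewrites FILE in place so exactly one active "PermitRootLogin VALUE" remains.
set_permit_root_login() {
    file=$1
    value=$2
    if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]' "$file"; then
        # Active directive present: replace its value, keep leading whitespace.
        sed -ri "s/^([[:space:]]*PermitRootLogin[[:space:]]+).*/\1$value/" "$file"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*PermitRootLogin[[:space:]]' "$file"; then
        # Only a commented-out default present: uncomment it and set the value.
        sed -ri "s/^[[:space:]]*#[[:space:]]*(PermitRootLogin[[:space:]]+).*/\1$value/" "$file"
    else
        # Directive absent entirely: append it.
        printf 'PermitRootLogin %s\n' "$value" >> "$file"
    fi
}

# get_permit_root_login FILE
# Prints the effective value: sshd honours the first active directive it sees.
get_permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# make_sample_config
# Writes a constructed sshd_config with the directive commented out, which is
# how many distributions ship it, and prints the temp file's path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the constructed sample.
demo() {
    f=$(make_sample_config)
    set_permit_root_login "$f" no
    printf 'effective PermitRootLogin: %s\n' "$(get_permit_root_login "$f")"
    rm -f "$f"
}
demo
```

To apply it to the live file, copy /etc/ssh/sshd_config somewhere, run set_permit_root_login on the copy, diff, and only then move it into place and reload sshd.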
-
Install required packages
# sudo apt-get install winbind samba smbfs smbclient ntp krb5-user
-
Do some basic networking housecleaning in preparation for the specific package configurations to come.
-
Determine your Windows domain name, DNS server name, and the IP address of the Active Directory server (for Samba). For convenience I set environment variables for the Windows domain and DNS server. For me it was (my AD IP address was 192.168.20.11):
# WINDOMAIN=mydomain.local && WINDNS=srv1.$WINDOMAIN && WINDNS_IP=192.168.20.11
If you want to figure out what your domain and DNS server are (I was a contractor and didn't know the network), check out this helpful reference.
-
We need to christen the Linux box on the new network. This is done by editing the hosts file so that the 127.0.1.1 entry carries the box's FQDN in the Windows domain:
# sudo sed -ri "s/^(127\.0\.[01]\.1[ \t]).*/\1$(hostname).$WINDOMAIN localhost $(hostname)/" /etc/hosts
-
We should also tell the soon-to-be-installed services where they can find their leader: some networks will have NetBIOS name lookup services, but just in case, add an explicit entry to your /etc/hosts file. In my configuration I added the entry on the third (3) line:
# sudo sed -ri "3 i $WINDNS_IP $WINDNS" /etc/hosts
-
The authentication and file sharing processes on the Windows and Linux boxes need their clocks to agree. Do this with an NTP service; on the server version of Ubuntu the NTP service comes installed and configured with one (1) NTP server. Add yours before the Ubuntu one (or replace it entirely). The network I was joining had the DNS server serving up the NTP service too.
# sudo sed -ri "s/^(server[ \t]+)(.+)/\1$WINDNS\n\1\2/" /etc/ntp.conf
Restart the NTP daemon:
# sudo /etc/init.d/ntp restart
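The three sed one-liners above are not idempotent: run them twice and you get a second srv1 line in /etc/hosts and a second server line in ntp.conf, and the "3 i" insert silently does nothing on a hosts file shorter than three lines. Here is the same housekeeping as an added example, not from the original post, written as functions that take the file path as an argument (so you can run them on copies first), skip entries that already exist, and fall back to appending when the file is too short. Function names and the sample files are my own; GNU sed is assumed, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent versions of the
# /etc/hosts and /etc/ntp.conf edits, operating on whatever path is given.
set -eu

# set_local_fqdn FILE HOST DOMAIN
# Makes the 127.0.1.1 line read "<host>.<domain> localhost <host>" so the
# machine's own name resolves to its FQDN in the Windows domain. Only the
# 127.0.1.1 line is touched here (the post's pattern also matches 127.0.0.1).
set_local_fqdn() {
    file=$1; host=$2; domain=$3
    if grep -Eq '^127\.0\.1\.1[[:space:]]' "$file"; then
        sed -ri "s/^(127\.0\.1\.1[[:space:]]+).*/\1$host.$domain localhost $host/" "$file"
    else
        printf '127.0.1.1\t%s.%s localhost %s\n' "$host" "$domain" "$host" >> "$file"
    fi
}

# add_host_entry FILE IP NAME [LINE]
# Inserts "IP NAME" before line LINE (default 3) unless NAME is already
# listed; appends instead when FILE has fewer than LINE lines, because
# GNU sed's "N i" does nothing at all on a file with fewer than N lines.
add_host_entry() {
    file=$1; ip=$2; name=$3; line=${4:-3}
    if grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file"; then
        return 0
    fi
    if [ "$(wc -l < "$file")" -lt "$line" ]; then
        printf '%s %s\n' "$ip" "$name" >> "$file"
    else
        sed -ri "$line i $ip $name" "$file"
    fi
}

# prefer_ntp_server FILE SERVER
# Puts SERVER ahead of the first existing "server" line, as the post does,
# unless it is already listed; appends when there is no server line yet.
prefer_ntp_server() {
    file=$1; server=$2
    if grep -Eq "^server[[:space:]]+$server([[:space:]]|\$)" "$file"; then
        return 0
    fi
    if grep -Eq '^server[[:space:]]' "$file"; then
        sed -ri "0,/^server[[:space:]]/s/^(server[[:space:]]+)(.+)/\1$server\n\1\2/" "$file"
    else
        printf 'server %s\n' "$server" >> "$file"
    fi
}

# resolve_in_hosts FILE NAME
# Prints the address FILE maps NAME to (first match, comments ignored).
resolve_in_hosts() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# make_sample_files
# Writes constructed copies of a fresh install's hosts and ntp.conf into a
# temp directory and prints the directory path.
make_sample_files() {
    d=$(mktemp -d)
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tubuntu\n\n::1 ip6-localhost\n' > "$d/hosts"
    printf 'driftfile /var/lib/ntp/ntp.drift\nserver ntp.ubuntu.com\n' > "$d/ntp.conf"
    printf '%s\n' "$d"
}

# Stand-alone demonstration with the post's placeholder names.
demo() {
    d=$(make_sample_files)
    set_local_fqdn "$d/hosts" ubuntu mydomain.local
    add_host_entry "$d/hosts" 192.168.20.11 srv1.mydomain.local
    prefer_ntp_server "$d/ntp.conf" srv1.mydomain.local
    printf 'ubuntu.mydomain.local -> %s\n' "$(resolve_in_hosts "$d/hosts" ubuntu.mydomain.local)"
    cat "$d/ntp.conf"
    rm -rf "$d"
}
demo
```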
-
Kerberos configuration.
The instructions that follow are not to be taken literally: the values MYDOMAIN.LOCAL and srv1.mydomain.local need to be replaced with what is appropriate for your network when you edit the files, but do note that where UPPERCASE is used, UPPERCASE is needed.
If, during the apt-get install of Kerberos, you had the insight to answer the "default domain" question correctly, then good for you; otherwise you'll have to do the following.
-
Edit the (previously installed, above) /etc/krb5.conf file.
-
Find the [libdefaults] section and change the key/value pair:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
-
Add the following to the [realms] section of the file:
MYDOMAIN.LOCAL = {
    kdc = srv1.mydomain.local
    admin_server = srv1.mydomain.local
    default_domain = MYDOMAIN.LOCAL
}
-
Add the following to the [domain_realm] section of the file:
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
-
A nice test at this point is to see if your AD controller will issue you a Kerberos ticket. This isn't necessary, but it can make some of you giddy:
# kinit <some_windows_domain_user>
Then to see le ticket:
# klist
You'll see stuff about the ticket cache, expiries and renewals. Once the giddiness subsides, you may as well release/destroy the ticket:
# kdestroy
-
Configure samba.
According to the following:
There are times when CIFS can not be used or another network filesystem choice is better. If kerberos (krb5/SPNEGO) authentication support is needed for added security, then Samba's smbclient or smbfs must be used instead of cifs
Alas, cifs support in the kernel for Ubuntu 10.04 (based on kernel version 2.6.32.9) is at version 1.61, and according to the kernel documentation, an experimental Kerberos implementation has been there since version 1.54.
So there you are. I have no idea if cifs would work, so I give you the Samba configuration:
-
Replace /etc/samba/smb.conf (remember I was working from a clean distro of Ubuntu, so I wasn't worried about breaking anything):
[global]
security = ads
realm = MYDOMAIN.LOCAL
password server = 192.168.20.11
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
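The krb5.conf and smb.conf fragments above repeat the same three facts (realm, KDC/DNS server, DC address) and the warning about UPPERCASE applies to both; a mismatch between the realm in the two files is a classic reason "net ads join" fails. As an added example, not part of the original post, the script below renders both files from one set of variables, derives the realm and the NetBIOS workgroup from the DNS domain, and checks that the two files agree. The output paths are arguments so you can render into a scratch directory and diff against the live files; function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): render krb5.conf and smb.conf
# from the same variables so realm, KDC and workgroup cannot drift apart.
set -eu

# upper STRING: portable uppercase.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# render_krb5 OUT DOMAIN KDC
# The realm is the DNS domain in UPPERCASE; the kdc/admin_server host names
# stay lowercase, exactly as in the post's fragments.
render_krb5() {
    out=$1; domain=$2; kdc=$3
    realm=$(upper "$domain")
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $realm
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# render_smb OUT DOMAIN DC_IP
# workgroup is the NetBIOS short name: the first label of the domain, uppercase.
render_smb() {
    out=$1; domain=$2; dc_ip=$3
    realm=$(upper "$domain")
    workgroup=${realm%%.*}
    cat > "$out" <<EOF
[global]
    security = ads
    realm = $realm
    password server = $dc_ip
    workgroup = $workgroup
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2
EOF
}

# conf_value FILE KEY
# Prints the value of the first "KEY = value" line, whitespace-tolerant.
conf_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | head -n 1
}

# check_consistent KRB5 SMB
# Succeeds only if both files name the same realm and it is uppercase.
check_consistent() {
    k=$(conf_value "$1" default_realm)
    s=$(conf_value "$2" realm)
    [ -n "$k" ] && [ "$k" = "$s" ] && [ "$k" = "$(upper "$k")" ]
}

# Stand-alone demonstration with the post's placeholder values.
demo() {
    d=$(mktemp -d)
    render_krb5 "$d/krb5.conf" mydomain.local srv1.mydomain.local
    render_smb "$d/smb.conf" mydomain.local 192.168.20.11
    if check_consistent "$d/krb5.conf" "$d/smb.conf"; then
        printf 'realm %s consistent across both files\n' "$(conf_value "$d/krb5.conf" default_realm)"
    fi
    rm -rf "$d"
}
demo
```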
-
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
-
Set up the authentication.
-
Edit /etc/nsswitch.conf. I was able to run the following command to get what I needed:
# sudo sed -ri 's/(compat)/\1 winbind/' /etc/nsswitch.conf
Here are the contents of my /etc/nsswitch.conf file:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
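The sed above appends "winbind" after every "compat" it finds, so a second run leaves you with "compat winbind winbind", and it also edits the shadow line, which is harmless but not something winbind answers. As an added example that is not from the original post, this version touches only the passwd and group databases, adds winbind once, and reads the resulting source lists back so you can confirm what nsswitch will consult. Function names are mine and the path is an argument so it can be tried on a copy.

```shell
#!/bin/sh
# Added example (not from the original post): add winbind to the passwd and
# group databases of an nsswitch.conf-style file exactly once.
set -eu

# enable_winbind FILE
# For passwd and group: skip if winbind is already listed, append it to the
# existing line otherwise, or create the line if the database is missing.
enable_winbind() {
    file=$1
    for db in passwd group; do
        if grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|\$)" "$file"; then
            continue
        fi
        if grep -Eq "^$db:" "$file"; then
            sed -ri "s/^($db:.*)/\1 winbind/" "$file"
        else
            printf '%s:\tcompat winbind\n' "$db" >> "$file"
        fi
    done
}

# nss_sources FILE DB
# Prints the space-separated source list configured for DB (e.g. "compat winbind").
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# make_sample_nsswitch
# Writes a constructed fresh-install nsswitch.conf to a temp file, prints its path.
make_sample_nsswitch() {
    f=$(mktemp)
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demonstration: run twice to show nothing is duplicated.
demo() {
    f=$(make_sample_nsswitch)
    enable_winbind "$f"
    enable_winbind "$f"
    printf 'passwd: %s\ngroup: %s\nshadow: %s\n' \
        "$(nss_sources "$f" passwd)" "$(nss_sources "$f" group)" "$(nss_sources "$f" shadow)"
    rm -f "$f"
}
demo
```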
-
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
-
Join the computer to the domain.
I'm not convinced this is necessary, particularly because of the security option in the smb.conf file (security = ads). Perhaps someone can weigh in on this ...
# sudo net ads join -U any_domain_user_account
You might get the error "DNS update failed!", but other than that you'll be joined to the domain.
If you get an error about not being able to find the server, your DNS records need to be modified. During the Ubuntu installation the nameserver will often point to your gateway, since most routers provide a DNS service. Best practice for Windows server administration is that the AD controller should run DNS as well. In my case my /etc/resolv.conf looks like this:
nameserver 192.168.20.11
nameserver 8.8.8.8
The 8.8.8.8 is a Google DNS, a fairly reliable backup in case the Windows one goes down.
At this point I could log in (perhaps after a reboot); home directories didn't exist, but I could log in.
-
CIFS Mounting on Login
This next step was the cherry for me: I didn't want the responsibility of backing up everyone's working directories, and the box Ubuntu was to run on was suspect in terms of reliability. By doing the following, users could log in and see their Windows user directory automagically.
-
Download the pam_mount module:
# sudo apt-get install libpam-mount
I wanted the mount point to be in the traditional /home/<user> location: that part is configured by the /etc/samba/smb.conf file (template homedir = /home/%U). But I needed it to drill through the share and point at each user's own Windows directory. This is accomplished by editing the /etc/security/pam_mount.conf.xml file (which, despite its intention, is XML and so isn't human readable):
-
Add the following to /etc/security/pam_mount.conf.xml and alter to suit:
<volume
user="*"
server="srv1.mydomain.local"
path="UserShares"
mountpoint="home"
fstype="cifs"
/>
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME)/%(USER) %(MNTPT)/%(USER) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>
Because of my goofy mount point I had to add this line too:
<umount>umount %(MNTPT)/%(USER)</umount>
And so that the user directories (for the mount point) would be created automatically, find the line and make it so:
<mkmountpoint enable="1" remove="false" />
The remove="false" bit is quite important: if it's set to true, pam_mount.so tries to remove the directory mount point, which it cannot do if a user has logged in multiple times. What you end up with in that case is lots of stray mounts on your system.
***pam_mount.so still doesn't quite deliver as promised. In its current form the mounts keep piling up and the home directories are not being created. Somewhere between here and the previous Beta 2 release of 10.04 server it was working. I can't recreate this, though.
In the meantime, for the directory creation I'm relying on pam_mkhomedir.so, and stuck a line immediately before the pam_mount.so line to accommodate it.
I still haven't solved the multiple mounting issue. But until pam_mount.so is fixed, this is what I've got in my /etc/pam.d/common-session file:***
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_mount.so
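The "mounts keep piling up" problem described above is easy to miss until a user's home directory behaves strangely, so it is worth being able to detect it. The script below is an added example, not part of the original post, that reads a /proc/mounts-style table and reports every cifs mount point that is mounted more than once, plus a dry-run list of the umount calls needed to peel the surplus layers off. The mount table it ships with is constructed (alice logged in three times, bob once); on a live box feed it the real table with find_stacked_mounts < /proc/mounts. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): find the stacked CIFS home
# mounts that pam_mount leaves behind when a user logs in repeatedly.
set -eu

# find_stacked_mounts
# Reads /proc/mounts-format lines on stdin (fields: source mountpoint fstype
# options dump pass) and prints "<mountpoint> <count>" for each cifs mount
# point that appears more than once.
find_stacked_mounts() {
    awk '$3 == "cifs" { n[$2]++ } END { for (m in n) if (n[m] > 1) print m, n[m] }' | sort
}

# plan_unmount_stacked
# Reads a mount table on stdin and prints one "umount <mountpoint>" per
# surplus layer, leaving the innermost mount in place. Nothing is executed;
# review the list, then pipe it into sh if it is what you expect.
plan_unmount_stacked() {
    find_stacked_mounts | while read -r mp count; do
        i=1
        while [ "$i" -lt "$count" ]; do
            printf 'umount %s\n' "$mp"
            i=$((i + 1))
        done
    done
}

# sample_mounts
# Constructed mount table: alice has logged in three times, bob once.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
//srv1.mydomain.local/UserShares/alice /home/alice cifs rw,relatime 0 0
//srv1.mydomain.local/UserShares/alice /home/alice cifs rw,relatime 0 0
//srv1.mydomain.local/UserShares/alice /home/alice cifs rw,relatime 0 0
//srv1.mydomain.local/UserShares/bob /home/bob cifs rw,relatime 0 0
EOF
}

# stacked_count MOUNTPOINT
# Prints how many times MOUNTPOINT is mounted in the sample table, or 0 if it
# is not stacked.
stacked_count() {
    sample_mounts | find_stacked_mounts \
        | awk -v m="$1" '$1 == m { print $2; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone demonstration on the constructed table.
demo() {
    printf 'stacked mount points:\n'
    sample_mounts | find_stacked_mounts
    printf 'cleanup plan:\n'
    sample_mounts | plan_unmount_stacked
}
demo
```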
That's it. It worked for me, and I hope you find it useful.
Numerous resources were consulted so I could figure this out. Here is a short list (a number of these links point to my own questions on the topic):