Friday, November 11, 2011

Joining Ubuntu to Active Directory (Windows Server 2008 R2 Domain)


**** CASE DOES MATTER IN ALL FILES AND COMMANDS ****

sudo apt-get install krb5-user winbind samba ntp ldap-utils

</etc/krb5.conf>
adm@mindtouch:~$ cat /etc/krb5.conf
 [logging]

default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = TEST.UBUNTU.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        TEST.UBUNTU.COM = {
                kdc = dc.test.ubuntu.com
                admin_server = dc.test.ubuntu.com
                default_domain = TEST.UBUNTU.COM
        }

[domain_realm]
        .test.ubuntu.com = TEST.UBUNTU.COM
        test.ubuntu.com = TEST.UBUNTU.COM
        .kerberos.server = TEST.UBUNTU.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

</etc/smb.conf>

Note: The workgroup is the left most part of the realm.

adm@mindtouch:~$ cat /etc/samba/smb.conf
 [global]
        log file = /var/log/samba/log.%m
        max log size = 1000
        security = ADS
        realm = TEST.UBUNTU.COM
        password server = 10.10.100.25
        workgroup = TEST
        use kerberos keytab = true
        idmap uid = 10000 - 20000
        idmap gid = 10000 - 20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = true
        winbind use default domain = yes
        restrict anonymous = 2

;Communal Files
[files]
        comment = Shared Files
        path = /Storage/
        writeable = yes

;Individual Files - sym link /home/%D to /Storage/

mkdir /Storage
chmod a+rwx /Storage

</etc/nsswitch.conf>
adm@mindtouch:~$ cat /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal dns mdns4 wins [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

</etc/ntp.conf>

adm@mindtouch:~$ cat /etc/ntp.conf
server dc.test.ubuntu.com


</etc/pam.d/common-account>
adm@mindtouch:~$ cat /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#


account sufficient      pam_winbind.so
account required        pam_unix.so

</etc/pam.d/common-auth>
adm@mindtouch:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.

password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

</etc/pam.d/common-password>
adm@mindtouch:~$ cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.

password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

</etc/pam.d/common-session>
adm@mindtouch:~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

</etc/pam.d/sshd>
adm@mindtouch:~$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

# Standard Un*x password updating.
@include common-password

Restart the following services:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

kinit adm@TEST.UBUNTU.COM (THE DOMAIN HAS TO BE ALL CAPS!)

Confirm the ticket was obtained: Type: 'klist'

Sync the type with the server: 'net time'

Join the box to the domain:  'net ads join -U adm'

**If it doesn't work, try  'net ads join -U adm@TEST.UBUNTU.COM'.  A lot of the pages I used to trouble shoot errors are posted as links at the bottom of the page.**

Restart the following services again:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/ssh restart

ssh adm@mindtouch

To add Admins to the sudoers file:

</etc/sudoers>
mindtouch:/# cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /etc/init.d/dekiwiki

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL

**This was a preinstalled box that was running the Mindtouch Core Wiki.  To set a static IP and to get the internet to work, I had to add a manual default route by typing 'ip route add default via 10.10.100.1'  This needed to run everytime I rebooted the box.  If I find a way to have it stick, I'll update this.  If you know of a way please post in the comments and I'll update the post. **

Sources:  Link Link Link Link Link Link Link Link Link Link

ShareThis