I couldn't figure out why using a host name, like I would on Windows, wouldn't work. It turns out that it requires ".local" after the hostname. I can now ping the hosts and map the drives by hostname, but DNS still won't work. If I find out more I'll update this post.
How to map a Windows drive:
```
smb://windowspc.local/c$
```
Ping the PC:
```
ping windowspc.local
```
This is a place that posts walk-throughs, my thoughts, notes, and write-ups. Although they worked for me, ***USE AT YOUR OWN RISK***!
Showing posts with label SMB. Show all posts
Wednesday, March 6, 2013
Friday, November 11, 2011
Joining Ubuntu to Active Directory (Windows Server 2008 R2 Domain)
**** CASE DOES MATTER IN ALL FILES AND COMMANDS ****
sudo apt-get install krb5-user winbind samba ntp ldap-utils
</etc/krb5.conf>
adm@mindtouch:~$ cat /etc/krb5.conf
```
[logging]
 default = FILE:/var/log/krb5.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log

[libdefaults]
 default_realm = TEST.UBUNTU.COM
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 TEST.UBUNTU.COM = {
  kdc = dc.test.ubuntu.com
  admin_server = dc.test.ubuntu.com
  default_domain = TEST.UBUNTU.COM
 }

[domain_realm]
 .test.ubuntu.com = TEST.UBUNTU.COM
 test.ubuntu.com = TEST.UBUNTU.COM
 .kerberos.server = TEST.UBUNTU.COM

[login]
 krb4_convert = true
 krb4_get_tickets = false
```
</etc/smb.conf>
Note: The workgroup is the leftmost label of the realm (realm TEST.UBUNTU.COM gives workgroup TEST).
adm@mindtouch:~$ cat /etc/samba/smb.conf
```
[global]
 log file = /var/log/samba/log.%m
 max log size = 1000
 security = ADS
 realm = TEST.UBUNTU.COM
 password server = 10.10.100.25
 workgroup = TEST
 use kerberos keytab = true
 idmap uid = 10000 - 20000
 idmap gid = 10000 - 20000
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = true
 winbind use default domain = yes
 restrict anonymous = 2

;Communal Files
[files]
 comment = Shared Files
 path = /Storage/
 writeable = yes

;Individual Files - sym link /home/%D to /Storage/
```
mkdir /Storage
chmod a+rwx /Storage
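Before running the join, it is worth checking that the two files above agree with each other, since the rules this post stresses (realm in upper case, both files naming the same realm, workgroup equal to the leftmost realm label, security = ADS, a kdc listed for the realm) are exactly what `net ads join` trips over. The small linter below is an added example, not part of the original post; `parse_ini` and `check_ad_config` are names chosen here, and the sample configs are constructed from the post's values.

```python
"""Offline consistency check for a krb5.conf / smb.conf pair before an AD join.
Added example (not from the original post); parse_ini and check_ad_config are
names chosen here. The sample configs are constructed from the post's values."""

def parse_ini(text):
    """{section: {key: value}}; keys in a 'NAME = { ... }' block become 'NAME.key'."""
    sections, section, prefix = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()  # both comment styles
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, prefix = line[1:-1].strip().lower(), ""
            sections.setdefault(section, {})
        elif line.endswith("{"):  # start of a [realms] sub-block
            prefix = line[:-1].split("=")[0].strip() + "."
        elif line == "}":
            prefix = ""
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[section][prefix + key.lower()] = value
    return sections

def check_ad_config(krb5_text, smb_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    krb5, smb = parse_ini(krb5_text), parse_ini(smb_text)
    glob = smb.get("global", {})
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    findings = []
    if not realm or realm != realm.upper():
        findings.append(f"default_realm {realm!r} must be set and upper case")
    if glob.get("realm") != realm:
        findings.append("smb.conf realm does not match krb5.conf default_realm")
    if glob.get("workgroup") != realm.split(".")[0]:
        findings.append("workgroup must be the leftmost label of the realm")
    if glob.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for a domain member")
    if not krb5.get("realms", {}).get(f"{realm}.kdc"):
        findings.append(f"no kdc listed for realm {realm!r} in [realms]")
    stray = [d for d, r in krb5.get("domain_realm", {}).items() if r != realm]
    if stray:
        findings.append(f"[domain_realm] entries map outside the realm: {stray}")
    return findings

# Constructed samples: the post's values, with one deliberately wrong workgroup.
KRB5_OK = ("[libdefaults]\n default_realm = TEST.UBUNTU.COM\n[realms]\n"
           " TEST.UBUNTU.COM = {\n  kdc = dc.test.ubuntu.com\n }\n"
           "[domain_realm]\n .test.ubuntu.com = TEST.UBUNTU.COM\n")
SMB_OK = "[global]\n security = ADS\n realm = TEST.UBUNTU.COM\n workgroup = TEST\n"
SMB_BAD = SMB_OK.replace("workgroup = TEST", "workgroup = UBUNTU")
```

Run `check_ad_config` on the real files (`open('/etc/krb5.conf').read()` and `open('/etc/samba/smb.conf').read()`) and fix every finding before `kinit` and `net ads join`.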
</etc/nsswitch.conf>
adm@mindtouch:~$ cat /etc/nsswitch.conf
```
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal dns mdns4 wins [NOTFOUND=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
</etc/ntp.conf>
adm@mindtouch:~$ cat /etc/ntp.conf
server dc.test.ubuntu.com
</etc/pam.d/common-account>
adm@mindtouch:~$ cat /etc/pam.d/common-account
```
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_winbind.so
account required pam_unix.so
```
</etc/pam.d/common-auth>
adm@mindtouch:~$ cat /etc/pam.d/common-auth
(The listing captured under this heading is a second copy of common-password, not an auth stack; the real contents of common-auth did not survive on this page, so do not paste the block below into common-auth.)
```
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.

password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
```
</etc/pam.d/common-password>
adm@mindtouch:~$ cat /etc/pam.d/common-password
```
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.

password required pam_unix.so nullok obscure min=4 max=50 md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
```
</etc/pam.d/common-session>
adm@mindtouch:~$ cat /etc/pam.d/common-session
```
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
```
</etc/pam.d/sshd>
adm@mindtouch:~$ cat /etc/pam.d/sshd
```
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

# Standard Un*x password updating.
@include common-password
```
Restart the following services:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
kinit adm@TEST.UBUNTU.COM (THE DOMAIN HAS TO BE ALL CAPS!)
Confirm the ticket was obtained: Type: 'klist'
Sync the time with the server: 'net time'
Join the box to the domain: 'net ads join -U adm'
**If it doesn't work, try 'net ads join -U adm@TEST.UBUNTU.COM'. A lot of the pages I used to troubleshoot errors are posted as links at the bottom of the page.**
Restart the following services again:
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/ssh restart
ssh adm@mindtouch
To add Admins to the sudoers file:
</etc/sudoers>
mindtouch:/# cat /etc/sudoers
```
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /etc/init.d/dekiwiki

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL

%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
```
**This was a preinstalled box that was running the Mindtouch Core Wiki. To set a static IP and to get the internet to work, I had to add a manual default route by typing 'ip route add default via 10.10.100.1'. This needed to run every time I rebooted the box. If I find a way to have it stick, I'll update this. If you know of a way please post in the comments and I'll update the post.**
Sources: Link Link Link Link Link Link Link Link Link Link