Linux Winbind Setup

From Pumping Station: One Wiki
Jump to: navigation, search

Hostname

Put the machines hostname in /etc/hostname

   thing2

And set the fqdn in /etc/hosts

   127.0.0.1       thing2.ad.pumpingstationone.org localhost thing2


Installation

Arch Linux

   sudo pacman -S krb5 samba

Debian

   sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind

Ubuntu

   sudo apt-get install krb5-user ntp samba winbind
  • Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG

/etc/nsswitch.conf

Add winbind to the passwd and group lines like so:

   passwd: files winbind
   group: files winbind
   shadow: files

/etc/krb5.conf

Set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter)

   [libdefaults]
           default_realm = AD.PUMPINGSTATIONONE.ORG
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes

/etc/samba/smb.conf

If there is an existing smb.conf file, move it:

   sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default
   [global]
   	workgroup = PS1
   	realm = AD.PUMPINGSTATIONONE.ORG
   	security = ADS
   	encrypt passwords = Yes
   	winbind enum users = Yes
   	winbind enum groups = Yes
   	winbind use default domain = Yes
   	winbind trusted domains only = No
   	winbind nss info = rfc2307
   	idmap config shortdomainname:range = 500-40000
   	idmap config shortdomainname:schema_mode = rfc2307
   	idmap config shortdomainname:backend = ad
   	idmap config *:range = 70001-80000
   	idmap config *:backend = tdb
   	template shell = /bin/bash

Join the domain

Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the Systems Group and ask.

   sudo net ads join -U administrator@AD.PUMPINGSTATIONONE.ORG

/etc/pam.d/system-auth

Ubuntu

Ubuntu sets up pam_winbind.so automatically.

Arch

In Arch, make the following changes to system-auth

   %PAM-1.0
   
   auth      required  pam_env.so
   auth      sufficient  pam_unix.so     try_first_pass nullok
   auth      required  pam_winbind.so use_first_pass use_authtok
   auth      optional  pam_permit.so
   
   account   sufficient  pam_unix.so
   account   sufficient  pam_winbind.so use_first_pass use_authtok
   account   optional  pam_permit.so
   account   required  pam_time.so
   
   password  sufficient  pam_unix.so     try_first_pass nullok sha512 shadow
   password  sufficient  pam_winbind.so use_first_pass use_authtok
   password  optional  pam_permit.so
   
   session   required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session   required  pam_limits.so
   session   required  pam_env.so
   session   sufficient  pam_unix.so
   session   sufficient  pam_winbind.so use_first_pass use_authtok
   session   optional  pam_permit.so

/etc/sudoers.d/domain_admins

   %domain\ admins ALL=(ALL:ALL) ALL
   %PS1\\domain\ admins ALL=(ALL:ALL) ALL


Then make sure the file has proper permissions:

   sudo chmod 0440 /etc/sudoers.d/domain_admins

pam_mkhomdir.so

pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message.

   Could not chdir to home directory /home/PS1/username: No such file or directory

ubuntu

Create a file called /usr/share/pam-configs/my_mkhomedir:

   Name: activate mkhomedir
   Default: yes
   Priority: 900
   Session-Type: Additional
   Session:
           required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

and then run:

   sudo pam-auth-update


/etc/lightdm/lightdm.conf

Ubuntu Only, enable showing the other user login.

   [SeatDefaults]
   user-session=ubuntu
   greeter-session=unity-greeter
   autologin-user=ps1member
   greeter-show-manual-login=true