Linux Winbind Setup

From Pumping Station: One Wiki


Put the machine's hostname in /etc/hostname


And set the FQDN in /etc/hosts (the line that reads localhost thing2)


Arch Linux

   sudo pacman -S krb5 samba

Ubuntu

   sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind


   sudo apt-get install krb5-user ntp samba winbind

When the krb5-user package prompts during installation, answer:
  • Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG


Add winbind to the passwd and group lines of /etc/nsswitch.conf like so:

   passwd: files winbind
   group: files winbind
   shadow: files


In the [libdefaults] section of /etc/krb5.conf, set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter: Kerberos realm names are case-sensitive):

           default_realm = AD.PUMPINGSTATIONONE.ORG
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes


If there is an existing smb.conf file, move it out of the way:

   sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default

Then create a new /etc/samba/smb.conf with the following settings in its [global] section. Replace shortdomainname with the short (NetBIOS) name of the domain you are joining, which is the workgroup, PS1:

   workgroup = PS1
   security = ADS
   encrypt passwords = Yes
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind trusted domains only = No
   winbind nss info = rfc2307
   idmap config shortdomainname:range = 500-40000
   idmap config shortdomainname:schema_mode = rfc2307
   idmap config shortdomainname:backend = ad
   idmap config *:range = 70001-80000
   idmap config *:backend = tdb
   template shell = /bin/bash
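As an added check that is not part of the wiki page, the following script parses the nsswitch.conf and smb.conf settings given above and flags the mistakes that most often break or weaken a winbind setup: the shortdomainname placeholder left in place, no idmap range for the joined workgroup, overlapping idmap ranges (two SIDs would map to one UID), a domain range that covers UIDs of local accounts (a domain user with that uidNumber would own the local user's files), and winbind missing from nsswitch. The embedded smb.conf text is a constructed sample, and local_uids is a hypothetical list of UIDs read from the host's /etc/passwd.

```python
import re
# Constructed sample: this page's smb.conf settings with the placeholder left in.
SMB_CONF_FROM_PAGE = """
[global]
    workgroup = PS1
    security = ADS
    idmap config shortdomainname:range = 500-40000
    idmap config shortdomainname:backend = ad
    idmap config *:range = 70001-80000
    idmap config *:backend = tdb
"""
NSSWITCH = "passwd: files winbind\ngroup: files winbind\nshadow: files\n"

def parse_smb_conf(text):
    params = {}  # parameter name -> value; section headers and comments skipped
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[":
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def check_winbind_config(smb_conf, nsswitch, local_uids=()):
    """Return a list of findings; an empty list means the config looks sane."""
    p, findings, ranges = parse_smb_conf(smb_conf), [], {}
    if p.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for a Kerberos/AD join")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:  # ranges are written 'low-high'
            ranges[m.group(1)] = tuple(int(n) for n in value.split("-"))
    if "shortdomainname" in ranges:
        findings.append("replace the shortdomainname placeholder with the workgroup name")
    if (wg := p.get("workgroup", "").lower()) and wg not in ranges:
        findings.append(f"no idmap range for the joined domain {wg.upper()}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # overlapping ranges map two SIDs to one UID
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    for name, (lo, hi) in ranges.items():
        clash = sorted(u for u in local_uids if lo <= u <= hi)
        if clash:  # a domain uidNumber equal to a local UID shares that user's files
            findings.append(f"idmap range for {name} covers local UIDs {clash}")
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf {db} line does not list winbind")
    return findings
```

Run it against the real files with open("/etc/samba/smb.conf").read() and open("/etc/nsswitch.conf").read() before running net ads join, so that the idmap settings are right before winbind starts allocating mappings.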

Join the domain

Use your own account; it must be a member of the Domain Admins group. If you are adding a machine and are not in Domain Admins, join the Systems Group and ask for help.

   sudo net ads join -U administrator@AD.PUMPINGSTATIONONE.ORG



Ubuntu sets up PAM automatically when the winbind packages are installed.


In Arch, make the following changes to /etc/pam.d/system-auth

   auth      required
   auth      sufficient     try_first_pass nullok
   auth      required use_first_pass use_authtok
   auth      optional
   account   sufficient
   account   sufficient use_first_pass use_authtok
   account   optional
   account   required
   password  sufficient     try_first_pass nullok sha512 shadow
   password  sufficient use_first_pass use_authtok
   password  optional
   session   required skel=/etc/skel/ umask=0022
   session   required
   session   required
   session   sufficient
   session   sufficient use_first_pass use_authtok
   session   optional


Create /etc/sudoers.d/domain_admins granting sudo to the Domain Admins group. The first form matches the group name as winbind presents it with winbind use default domain = Yes; the second uses the domain-qualified name:

   %domain\ admins ALL=(ALL:ALL) ALL
   %PS1\\domain\ admins ALL=(ALL:ALL) ALL

Then make sure the file has proper permissions:

   sudo chmod 0440 /etc/sudoers.d/domain_admins

pam_mkhomedir is responsible for creating the home directory of users that don't have one yet. Without it you get the following message at login:

   Could not chdir to home directory /home/PS1/username: No such file or directory


Create a file called /usr/share/pam-configs/my_mkhomedir:

   Name: activate mkhomedir
   Default: yes
   Priority: 900
   Session-Type: Additional
           required               umask=0022 skel=/etc/skel

and then run:

   sudo pam-auth-update


Ubuntu only: enable showing the other user login.