Difference between revisions of "Linux Winbind Setup"
Jump to navigation
Jump to search
(creation of winbind setup howto) |
|||
| (22 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | == Hostname == | ||
| + | |||
| + | Put the machines hostname in /etc/hostname | ||
| + | |||
| + | '''thing2''' | ||
| + | |||
| + | And set the fqdn in /etc/hosts | ||
| + | |||
| + | 127.0.0.1 '''thing2'''.ad.pumpingstationone.org localhost '''thing2''' | ||
| + | |||
== Installation == | == Installation == | ||
| + | |||
| + | |||
| + | === Arch Linux === | ||
sudo pacman -S krb5 samba | sudo pacman -S krb5 samba | ||
| + | |||
| + | === Debian === | ||
| + | |||
| + | sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind | ||
| + | |||
| + | === Ubuntu === | ||
| + | |||
| + | sudo apt-get install krb5-user ntp samba winbind | ||
| + | |||
| + | * Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG | ||
== /etc/nsswitch.conf == | == /etc/nsswitch.conf == | ||
| Line 24: | Line 47: | ||
== /etc/samba/smb.conf == | == /etc/samba/smb.conf == | ||
| + | |||
| + | If there is an existing smb.conf file, move it: | ||
| + | |||
| + | sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default | ||
| + | |||
[global] | [global] | ||
workgroup = PS1 | workgroup = PS1 | ||
| Line 39: | Line 67: | ||
idmap config *:range = 70001-80000 | idmap config *:range = 70001-80000 | ||
idmap config *:backend = tdb | idmap config *:backend = tdb | ||
| − | + | template shell = /bin/bash | |
| + | |||
| + | == Join the domain == | ||
| + | Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the [[Systems Group]] and ask. | ||
| + | |||
| + | sudo net ads join -U '''administrator'''@AD.PUMPINGSTATIONONE.ORG | ||
| + | |||
| + | == /etc/pam.d/system-auth == | ||
| + | |||
| + | === Ubuntu === | ||
| + | |||
| + | Ubuntu sets up pam_winbind.so automatically. | ||
| + | |||
| + | === Arch === | ||
| + | |||
| + | In Arch, make the following changes to system-auth | ||
| + | |||
| + | %PAM-1.0 | ||
| + | |||
| + | auth required pam_env.so | ||
| + | auth sufficient pam_unix.so try_first_pass nullok | ||
| + | auth required pam_winbind.so use_first_pass use_authtok | ||
| + | auth optional pam_permit.so | ||
| + | |||
| + | account sufficient pam_unix.so | ||
| + | account sufficient pam_winbind.so use_first_pass use_authtok | ||
| + | account optional pam_permit.so | ||
| + | account required pam_time.so | ||
| + | |||
| + | password sufficient pam_unix.so try_first_pass nullok sha512 shadow | ||
| + | password sufficient pam_winbind.so use_first_pass use_authtok | ||
| + | password optional pam_permit.so | ||
| + | |||
| + | session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | ||
| + | session required pam_limits.so | ||
| + | session required pam_env.so | ||
| + | session sufficient pam_unix.so | ||
| + | session sufficient pam_winbind.so use_first_pass use_authtok | ||
| + | session optional pam_permit.so | ||
| + | |||
| + | == /etc/sudoers.d/domain_admins == | ||
| + | |||
| + | %domain\ admins ALL=(ALL:ALL) ALL | ||
| + | %PS1\\domain\ admins ALL=(ALL:ALL) ALL | ||
| + | |||
| + | |||
| + | Then make sure the file has proper permissions: | ||
| + | |||
| + | sudo chmod 0440 /etc/sudoers.d/domain_admins | ||
| + | |||
| + | == pam_mkhomdir.so == | ||
| + | |||
| + | pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message. | ||
| + | |||
| + | Could not chdir to home directory /home/PS1/username: No such file or directory | ||
| + | |||
| + | === ubuntu === | ||
| + | |||
| + | Create a file called /usr/share/pam-configs/my_mkhomedir: | ||
| + | |||
| + | Name: activate mkhomedir | ||
| + | Default: yes | ||
| + | Priority: 900 | ||
| + | Session-Type: Additional | ||
| + | Session: | ||
| + | required pam_mkhomedir.so umask=0022 skel=/etc/skel | ||
| + | |||
| + | and then run: | ||
| + | sudo pam-auth-update | ||
| + | |||
| + | |||
| + | == /etc/lightdm/lightdm.conf == | ||
| + | |||
| + | Ubuntu Only, enable showing the other ''user'' login. | ||
| + | |||
| + | [SeatDefaults] | ||
| + | user-session=ubuntu | ||
| + | greeter-session=unity-greeter | ||
| + | autologin-user=ps1member | ||
| + | '''greeter-show-manual-login=true''' | ||
Latest revision as of 21:26, 5 September 2015
Hostname
Put the machines hostname in /etc/hostname
thing2
And set the fqdn in /etc/hosts
127.0.0.1 thing2.ad.pumpingstationone.org localhost thing2
Installation
Arch Linux
sudo pacman -S krb5 samba
Debian
sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind
Ubuntu
sudo apt-get install krb5-user ntp samba winbind
- Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG
/etc/nsswitch.conf
Add winbind to the passwd and group lines like so:
passwd: files winbind group: files winbind shadow: files
/etc/krb5.conf
Set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter)
[libdefaults]
default_realm = AD.PUMPINGSTATIONONE.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
/etc/samba/smb.conf
If there is an existing smb.conf file, move it:
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default
[global] workgroup = PS1 realm = AD.PUMPINGSTATIONONE.ORG security = ADS encrypt passwords = Yes winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind trusted domains only = No winbind nss info = rfc2307 idmap config shortdomainname:range = 500-40000 idmap config shortdomainname:schema_mode = rfc2307 idmap config shortdomainname:backend = ad idmap config *:range = 70001-80000 idmap config *:backend = tdb template shell = /bin/bash
Join the domain
Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the Systems Group and ask.
sudo net ads join -U administrator@AD.PUMPINGSTATIONONE.ORG
/etc/pam.d/system-auth
Ubuntu
Ubuntu sets up pam_winbind.so automatically.
Arch
In Arch, make the following changes to system-auth
%PAM-1.0 auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_winbind.so use_first_pass use_authtok auth optional pam_permit.so account sufficient pam_unix.so account sufficient pam_winbind.so use_first_pass use_authtok account optional pam_permit.so account required pam_time.so password sufficient pam_unix.so try_first_pass nullok sha512 shadow password sufficient pam_winbind.so use_first_pass use_authtok password optional pam_permit.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required pam_limits.so session required pam_env.so session sufficient pam_unix.so session sufficient pam_winbind.so use_first_pass use_authtok session optional pam_permit.so
/etc/sudoers.d/domain_admins
%domain\ admins ALL=(ALL:ALL) ALL %PS1\\domain\ admins ALL=(ALL:ALL) ALL
Then make sure the file has proper permissions:
sudo chmod 0440 /etc/sudoers.d/domain_admins
pam_mkhomdir.so
pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message.
Could not chdir to home directory /home/PS1/username: No such file or directory
ubuntu
Create a file called /usr/share/pam-configs/my_mkhomedir:
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
and then run:
sudo pam-auth-update
/etc/lightdm/lightdm.conf
Ubuntu Only, enable showing the other user login.
[SeatDefaults] user-session=ubuntu greeter-session=unity-greeter autologin-user=ps1member greeter-show-manual-login=true