Linux Winbind Setup

From Pumping Station One
Revision as of 17:13, 3 November 2013 by Hef (talk | contribs) (I suspect Domain controllers don't like the use default domain option, so the second line in sudoers handles that situation)

Hostname

Put the machine's hostname in /etc/hostname:

   thing2

And set the FQDN in /etc/hosts; the domain join uses it for the machine's DNS name and host principal, so it must resolve before you join:

   127.0.0.1       thing2.ad.pumpingstationone.org localhost thing2


Installation

Ubuntu

   sudo apt-get install krb5-user ntp samba winbind

ntp is not optional: Kerberos rejects tickets when the clock is more than five minutes off the domain controllers' time. The krb5-user package prompts for the realm during installation; answer:

  • Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG

Arch Linux

Arch's samba package already contains winbind, and pacman does not prompt, so the realm is set in /etc/krb5.conf below.

   sudo pacman -S krb5 samba

/etc/nsswitch.conf

Add winbind to the passwd and group lines so domain users and groups resolve through NSS. Leave shadow as files only: pam_winbind does the authentication, winbind does not serve a shadow map.

   passwd: files winbind
   group: files winbind
   shadow: files

/etc/krb5.conf

Set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter)

   [libdefaults]
           default_realm = AD.PUMPINGSTATIONONE.ORG
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes

/etc/samba/smb.conf

If there is an existing smb.conf file, move it out of the way:

   sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default

Then create a new /etc/samba/smb.conf with the following [global] section. Replace shortdomainname with the short (NetBIOS) domain name, which is the same value as workgroup, so PS1 here:

   [global]
   	workgroup = PS1
   	realm = AD.PUMPINGSTATIONONE.ORG
   	security = ADS
   	encrypt passwords = Yes
   	winbind enum users = Yes
   	winbind enum groups = Yes
   	# Yes: domain accounts show up as "username" rather than "PS1\username"
   	winbind use default domain = Yes
   	winbind trusted domains only = No
   	# home directory and shell are taken from the RFC2307 attributes in AD
   	winbind nss info = rfc2307
   	# uid/gid are read from uidNumber/gidNumber in AD, not allocated locally
   	idmap config shortdomainname:range = 500-40000
   	idmap config shortdomainname:schema_mode = rfc2307
   	idmap config shortdomainname:backend = ad
   	# everything else (BUILTIN, any trusted domain) gets locally allocated ids
   	idmap config *:range = 70001-80000
   	idmap config *:backend = tdb
   	template shell = /bin/bash

Two consequences of this block are worth checking before you join. With backend = ad, a user or group without a uidNumber/gidNumber inside the range is not mapped at all (wbinfo -u still lists it, getent passwd does not), and the range starts at 500, below the 1000 where Ubuntu and Arch start regular users, so a uidNumber under 1000 can collide with a local system account. With winbind use default domain = Yes, a domain account that shares its name with a local account is shadowed by the local one, because files comes before winbind in nsswitch.conf.
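The idmap settings are the part of this file that fail silently, so here is a small checker, added for this page and not part of the wiki's own procedure, that parses a [global] section and reports a placeholder domain name left in, a range that dips into the local-account UID space, and overlapping ranges. The SAMPLE_SMB_CONF string and the LOCAL_ID_CEILING of 1000 (the UID_MIN Ubuntu and Arch ship in /etc/login.defs) are constructed for the example.

```python
"""Sanity-check the idmap ranges in a winbind smb.conf (added example, not from the wiki).

Parses the [global] section of an smb.conf, collects every
"idmap config DOMAIN:range" entry and reports the mistakes that break name
resolution without an error message: a placeholder domain name left in,
overlapping ranges, and a range that reaches into the UID/GID space the
distribution reserves for local accounts.
"""
import re

# Ubuntu and Arch allocate local system accounts below UID_MIN=1000
# (/etc/login.defs); anything winbind maps below that can collide.
LOCAL_ID_CEILING = 1000

# Constructed sample: the wiki's [global] block with the placeholder still in place.
SAMPLE_SMB_CONF = """\
[global]
\tworkgroup = PS1
\trealm = AD.PUMPINGSTATIONONE.ORG
\tsecurity = ADS
\twinbind use default domain = Yes
\tidmap config shortdomainname:range = 500-40000
\tidmap config shortdomainname:schema_mode = rfc2307
\tidmap config shortdomainname:backend = ad
\tidmap config *:range = 70001-80000
\tidmap config *:backend = tdb
\ttemplate shell = /bin/bash
"""


def parse_global(text):
    """Return {key: value} for the [global] section; keys lower-cased, values stripped.

    A hand-rolled parser is used because configparser treats smb.conf's
    indented lines as continuations of the previous value.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def idmap_ranges(params):
    """Map each idmap domain ('*' is the default domain) to (low, high, backend)."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?):range", key)
        if not m:
            continue
        low, high = (int(x) for x in value.split("-"))
        backend = params.get(f"idmap config {m.group(1)}:backend", "")
        ranges[m.group(1)] = (low, high, backend)
    return ranges


def check_idmap(text):
    """Return a list of problem strings; an empty list means the ranges look sane."""
    params = parse_global(text)
    ranges = idmap_ranges(params)
    problems = []
    workgroup = params.get("workgroup", "").lower()
    domains = [d for d in ranges if d != "*"]
    if "*" not in ranges:
        problems.append("no 'idmap config *:range': BUILTIN and trusted-domain SIDs will not map")
    if workgroup and workgroup not in (d.lower() for d in domains):
        problems.append(f"no idmap range for workgroup {params['workgroup']!r}; "
                        "replace the placeholder domain name with it")
    for dom, (low, high, backend) in ranges.items():
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} is empty or inverted")
        if low < LOCAL_ID_CEILING:
            problems.append(f"{dom}: range starts at {low}, below the local account "
                            f"ceiling of {LOCAL_ID_CEILING}; a uidNumber there can "
                            "collide with a local system account")
        if dom != "*" and backend == "tdb":
            problems.append(f"{dom}: tdb backend allocates ids per machine, so uids "
                            "will differ between hosts")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi, _ = ranges[a]
            b_lo, b_hi, _ = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges for {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF):
        print("PROBLEM:", p)
    fixed = SAMPLE_SMB_CONF.replace("shortdomainname", "PS1").replace("500-40000", "10000-40000")
    print("after fixing:", check_idmap(fixed) or "ok")
```

Run against the sample it flags the placeholder and the sub-1000 start; with the domain name set to PS1 and the range moved to 10000-40000 it reports nothing. Pipe your real file in with open("/etc/samba/smb.conf").read() in place of the sample.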

Join the domain

Use your own domain account; it must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the Systems Group and ask. Replace administrator below with your user name and keep the realm upper case:

   sudo net ads join -U administrator@AD.PUMPINGSTATIONONE.ORG

Before going further, make sure the winbind service is enabled and running (Ubuntu starts it on install, Arch does not), then confirm the join with net ads testjoin and check that wbinfo -u and getent passwd both list domain users. A user that wbinfo shows but getent does not has no uidNumber inside the idmap range.

/etc/pam.d/system-auth

Ubuntu

Ubuntu sets up pam_winbind.so automatically: the libpam-winbind package registers it through pam-auth-update, so check that it appears in /etc/pam.d/common-auth and /etc/pam.d/common-account rather than editing anything by hand.

Arch

In Arch, make the following changes to system-auth (the first line is the #%PAM-1.0 marker; comment lines start with #):

   #%PAM-1.0
   
   # auth: try the local password first, then the domain; pam_winbind is
   # required, so a domain user with a wrong password is refused here
   auth      required  pam_env.so
   auth      sufficient  pam_unix.so     try_first_pass nullok
   auth      required  pam_winbind.so use_first_pass use_authtok
   auth      optional  pam_permit.so
   
   # account: both checks are sufficient, so whichever passes first decides
   account   sufficient  pam_unix.so
   account   sufficient  pam_winbind.so use_first_pass use_authtok
   account   optional  pam_permit.so
   account   required  pam_time.so
   
   # password: change a local password locally, a domain password via winbind
   password  sufficient  pam_unix.so     try_first_pass nullok sha512 shadow
   password  sufficient  pam_winbind.so use_first_pass use_authtok
   password  optional  pam_permit.so
   
   # session: create a missing home directory, then the usual local setup
   session   required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session   required  pam_limits.so
   session   required  pam_env.so
   session   sufficient  pam_unix.so
   session   sufficient  pam_winbind.so use_first_pass use_authtok
   session   optional  pam_permit.so

Two caveats. nullok on the pam_unix auth line lets local accounts with an empty password log in, so drop it unless you rely on it. And because pam_unix and pam_winbind are both sufficient in the account phase while pam_permit and pam_time succeed by default (pam_time does with an empty /etc/security/time.conf), a denial from pam_winbind's account check never changes that phase's verdict; authentication itself is unaffected, since pam_winbind is required in the auth phase.
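To see what the control flags above actually decide, here is a simulator of Linux-PAM's four keyword controls, added as an example for this page and not taken from Arch, Linux-PAM or the wiki. It walks a stack in file order with module results you supply, so the account stack can be exercised for a domain user whose pam_winbind check is denied without a domain at hand. Only required, requisite, sufficient and optional are modelled, not the bracketed [value=action] syntax; the stacks are the Arch ones shown above, and the module results in the demo are assumed inputs, not observed behaviour.

```python
"""Simulate Linux-PAM's keyword control flags (added example, not from the wiki).

Walks a stack of (control, module) lines the way Linux-PAM's dispatcher does
for required / requisite / sufficient / optional and returns the verdict
together with the modules that were actually consulted.  Module results are
supplied by the caller, so the Arch stacks above can be exercised offline.
"""

# The Arch auth and account stacks from this page, as (control, module) pairs.
ARCH_AUTH_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_winbind.so"),
    ("optional", "pam_permit.so"),
]
ARCH_ACCOUNT_STACK = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_winbind.so"),
    ("optional", "pam_permit.so"),
    ("required", "pam_time.so"),
]


def run_stack(stack, results):
    """Return (verdict, consulted) for a stack given each module's result.

    results maps module name -> "success", "fail" or "ignore" (PAM_IGNORE);
    a module missing from results is treated as "ignore".  The running
    state mirrors the dispatcher's "impression": None = nothing decided
    yet, True = positive, False = negative.
    """
    impression = None
    consulted = []
    for control, module in stack:
        consulted.append(module)
        result = results.get(module, "ignore")
        if result == "ignore":
            continue  # PAM_IGNORE never contributes under the keyword controls
        ok = result == "success"
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False  # recorded; later modules still run ...
                if control == "requisite":
                    return "fail", consulted  # ... unless requisite: die now
        elif control == "sufficient":
            # success ends the stack only if nothing required has failed;
            # a failing sufficient module is silently ignored
            if ok:
                if impression is None:
                    impression = True
                if impression:
                    return "success", consulted
        elif control == "optional":
            # counts only when nothing else has set the impression
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control {control!r}")
    # an undecided stack is denied, as Linux-PAM returns PAM_PERM_DENIED
    return ("success" if impression else "fail"), consulted


def arch_account_verdicts():
    """Account phase for a domain user whose AD account check is denied (assumed inputs).

    Whatever pam_unix says about the user, the pam_winbind denial never reaches
    the verdict: pam_unix (sufficient) either short-circuits the stack or fails
    silently, and pam_permit/pam_time then succeed.
    """
    denied = {"pam_winbind.so": "fail", "pam_permit.so": "success", "pam_time.so": "success"}
    with_unix_ok = run_stack(ARCH_ACCOUNT_STACK, {**denied, "pam_unix.so": "success"})
    with_unix_fail = run_stack(ARCH_ACCOUNT_STACK, {**denied, "pam_unix.so": "fail"})
    return with_unix_ok, with_unix_fail


if __name__ == "__main__":
    for verdict, consulted in arch_account_verdicts():
        print("account phase:", verdict, "after consulting", consulted)
    # auth phase: pam_env returns PAM_IGNORE for auth, pam_unix fails for a
    # domain user, and the required pam_winbind line decides
    wrong_pw = {"pam_env.so": "ignore", "pam_unix.so": "fail",
                "pam_winbind.so": "fail", "pam_permit.so": "success"}
    print("auth, wrong domain password:", run_stack(ARCH_AUTH_STACK, wrong_pw))
```

The account phase returns success in both runs; in the first it stops after pam_unix without ever calling pam_winbind, in the second pam_winbind's failure is discarded and pam_permit carries the stack. The auth phase, by contrast, fails on a wrong domain password because that line is required.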

/etc/sudoers.d/domain_admins

   %domain\ admins ALL=(ALL:ALL) ALL
   %PS1\\domain\ admins ALL=(ALL:ALL) ALL

With winbind use default domain = Yes the group is visible to the system as "domain admins", which the first line matches; if that setting is off (or, as the revision note at the top suspects, a domain controller does not honour it), the group appears as "PS1\domain admins" and the second line matches. In a sudoers file a space in a name is written as "\ " and a backslash as "\\". Keep the file name free of dots: sudo ignores files in sudoers.d whose names contain a dot or end in "~".

Then make sure the file has proper permissions (sudo refuses a sudoers.d file that is group- or world-writable), and run visudo -cf on it so a syntax error does not lock you out of sudo entirely:

   sudo chmod 0440 /etc/sudoers.d/domain_admins

pam_mkhomedir.so

pam_mkhomedir creates the home directory of users that don't have one; a domain user without a unixHomeDirectory attribute gets /home/PS1/username from Samba's default template homedir of /home/%D/%U. Without it you get the following message at login:

   Could not chdir to home directory /home/PS1/username: No such file or directory

umask=0022 makes each new home directory world-readable; use umask=0077 on a machine shared by people who should not read each other's files. On Arch the session line for pam_mkhomedir is already part of the system-auth shown above.

Ubuntu

Create a file called /usr/share/pam-configs/my_mkhomedir:

   Name: activate mkhomedir
   Default: yes
   Priority: 900
   Session-Type: Additional
   Session:
           required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

and then run:

   sudo pam-auth-update


/etc/lightdm/lightdm.conf

Ubuntu only. autologin-user logs the console straight into the local ps1member account without a password; greeter-show-manual-login=true adds a Login entry where domain users can type their own user name, since the greeter only lists local accounts:

   [SeatDefaults]
   user-session=ubuntu
   greeter-session=unity-greeter
   autologin-user=ps1member
   greeter-show-manual-login=true