

AD integration with Ubuntu 14.04 and winbind

  • Ankur Desa
  • Dec 17, 2015
  • 6 min read

Heya all,

It has been a long time since I updated this blog and wrote something, so here goes. A few weeks back we decided that spending money renewing licences for paid applications and software was draining the company's pockets, so we decided to move to open source.

We settled on Ubuntu, it being a popular distribution with a wide array of free applications that suit our needs.

After a lot of searching on the web I finally found a tutorial that actually worked with the setup we had in mind.

Our existing setup was one domain controller running Windows Server 2008 R2 with Active Directory, DHCP and DNS. It also served as our file server, storing HTML/PHP files under SVN (with TortoiseSVN on the clients), since we are a small web design company.

The workstations were Windows 7 running Notepad++, Outlook for email and Office for documents, plus other bits like 7-Zip, Chrome/Firefox and NetBeans.

So after going through my plan and selecting the workstation operating system (in this case Ubuntu), we decided to keep our Windows Server 2008 R2 as is, since we had already bought the licence for it. We also had licences for the workstation OS, but wanted to migrate to Linux because the company was expanding and that would have meant buying additional licences.

Below I show how to authenticate Ubuntu (in my case Ubuntu 14.04) against Active Directory using winbind.

In this article I assume that you already have the Active Directory server properly configured, and that you have installed Ubuntu and run apt-get update/upgrade.

Step 1: Install winbind and other helper packages

# apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Of course, you'll need to install the dependencies as well. Just say yes to whatever apt-get comes up with.

Step 2: Set up Kerberos authentication. AD uses standard (for once) Kerberos for authentication, which fits in easily with Linux.

Kerberos configuration is located at:

/etc/krb5.conf

The following is my working krb5.conf (with two option names corrected: the keys are default_tgs_enctypes and default_tkt_enctypes):

[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.COM
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-md5
    dns_lookup_realm = true
    dns_lookup_kdc = true
    dns_fallback = yes

[realms]
    DOMAIN.COM = {
        kdc = server.domain.com:88
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

Capitalization matters! The realm name is your AD DNS domain name in all caps (DOMAIN.COM for domain.com), not the domain controller's hostname; the kdc entry under [realms] is where the controller's address goes. One caveat on the enctype lines: rc4-hmac and especially des-cbc-md5 are weak. A 2008 R2 domain supports AES (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96), so list those first and keep rc4-hmac only if an older account still needs it. If you leave the three enctype lines out entirely, the library defaults are stronger than what is shown here.
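As an added example (not code from the original post), here is a small POSIX shell function that renders a krb5.conf for an AD domain from just two inputs, the DNS domain and the KDC host, applying the rule above: the realm is the DNS domain upper-cased. It also uses the correctly spelled enctype keys and prefers AES over rc4-hmac and DES. The names example.com and dc1.example.com are placeholders, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: render /etc/krb5.conf for an
# AD realm. The realm is the DNS domain in upper case; example.com and
# dc1.example.com below are placeholder names.

# realm_of <dns-domain> : example.com -> EXAMPLE.COM
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# make_krb5_conf <dns-domain> <kdc-host> : write the config to stdout
make_krb5_conf() {
    domain=$1
    kdc=$2
    realm=$(realm_of "$domain")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # AES first; rc4-hmac kept only for legacy accounts; no single DES.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    $realm = {
        kdc = $kdc:88
        admin_server = $kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm

[logging]
    default = FILE:/var/log/krb5libs.log
EOF
}

# Usage: make_krb5_conf example.com dc1.example.com > /etc/krb5.conf
```

Because dns_lookup_kdc is on, the kdc line is only a fallback: the library will find the DCs through the _kerberos._tcp SRV records that AD publishes, which is what you want when the DC is ever replaced.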

Step 3: Kerberos authentication

Once saved, test the setup with the following command. In this test I'm looking up myself (administrator) in the Kerberos realm DOMAIN.COM, served by the KDC at server.domain.com:

# kinit administrator@DOMAIN.COM

You should receive a password prompt for the specified user and get nothing back on success. Run klist afterwards to confirm that a ticket-granting ticket for administrator@DOMAIN.COM was issued. If kinit complains about clock skew, fix NTP on the workstation first: Kerberos refuses tickets when the clock drifts more than five minutes from the DC.

Step 4: winbind setup (the real fun begins now)

The default configuration given to you by Ubuntu is lengthy and a bit difficult to read. A much simpler one is given below; you will need to tune it to suit your needs. The file is located at:

/etc/samba/smb.conf

Code:

[global]
# netbios name = DOMAIN
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
encrypt passwords = yes
password server = server.domain.com

idmap config * : backend = rid
idmap config * : range = 50000 - 99999
# idmap config * : range = 5000 - 100000
# idmap config * : ldap_url = ldap://server.domain.com

# winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash

A few notes. The idmap range decides which UIDs and GIDs domain accounts get (with rid, uid = start of range + the account's RID), so pick a range that cannot collide with local accounts and never change it once users have created files. Putting the rid backend on the catch-all "*" domain works, but Samba's own recommendation is a tdb backend with its own range for "*" and a separate "idmap config DOMAIN : backend = rid" block with the 50000-99999 range for the real domain. "winbind enum users/groups = yes" makes getent list every domain account, which is handy for testing but slow on large domains; turn them off once things work. No template homedir is set, so winbind uses its default of /home/%D/%U, i.e. /home/DOMAIN/user.

If you have to modify this file, it is recommended not to touch the idmap section unless you know exactly what you're doing.

Step 5: Configure nss to make domain accounts locally available. The nss configuration is located at:

/etc/nsswitch.conf

All you need to do is append winbind to the end of the passwd and group lines. Like this:

Code:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Step 6: Joining the domain.

Easiest part of the whole tutorial:

Code:

# net ads join -k

The -k flag uses the Kerberos ticket you obtained with kinit in Step 3; if it has expired, run kinit again or join with -U administrator instead. You may get a DNS error (usually the dynamic DNS update of the workstation's own A record failing), but the important bit is the successful domain-join message. As long as it informs you of this, you are fine; net ads testjoin should then print "Join is OK". Once joined, start or restart the following three services with this command:

Code:

# service winbind restart; service nmbd restart; service smbd restart

Note: it helps to define this chain as a shell function for easy refreshes in the future. winbind will fail to start properly if you aren't joined to a domain, so no shortcuts.

Step 7: Testing the winbind setup

Hopefully you've made it this far; this is about when you'll start hitting enormous brick walls. Chin up! With the rid backend, winbind derives a UID/GID for every domain account and group from its RID and serves them through NSS (nothing is written to /etc/passwd). You first need to verify that rid has correctly mapped out UIDs and other info.

Code:

# wbinfo -u
# wbinfo -g
# wbinfo -i administrator (or another user)
# getent passwd
# getent group

All five commands must return correct information before you can proceed:

wbinfo -u: all domain users
wbinfo -g: all domain groups
wbinfo -i administrator (or user): user information for administrator (or the user)
getent passwd: all locally available accounts. Domain accounts will be at the bottom.
getent group: all locally available groups. Domain groups will be at the bottom.

If wbinfo -u and -g are successful, but you get this for wbinfo -i administrator (or user):

Code:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator (or user)

That likely indicates something wrong in the idmap section and is very bad. The configuration posted above is confirmed to work with Ubuntu 14.04 and the packages listed above. It could also simply mean the user you asked for does not exist; wbinfo -u shows the exact spelling winbind knows.

If wbinfo -i administrator (or user) returns this:

Code:

administrator:*:4294967295:4294967295:administrator:/home/BFS/administrator:/bin/bash

This is also very bad. 4294967295 is (uint32)-1, the value winbind hands back when it has no ID mapping for the account, so winbind is not properly enumerating UIDs/GIDs from the domain. If your nss configuration is alright, this is almost certainly caused by bad idmap options. Again, the smb.conf posted above is confirmed to work. The same goes for getent passwd and getent group: if the IDs on users or groups are 4294967295 and not within the range specified, this is wrong and will not function correctly. Take another look at your idmap section.

Just in case you tried it, it should be noted that idmap backend = ad does not do what you think it does. It pulls all user information from the directory, including UID, login shell, etc., from the RFC 2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory). If you did not set these for each user on the DC, it won't work, since there will be nothing to pull down! The UNIX Attributes tab for each user (added by Identity Management for UNIX) is where you will need to go if you insist on going this route. I will stick with the rid method in this tutorial. The Samba page gives the options needed to use each backend correctly.

After each configuration file edit, be it smb.conf, nsswitch.conf, etc., you need to restart all Samba services:

Code:

# redo() { service winbind restart; service nmbd restart; service smbd restart; }

# redo

winbind stop/waiting
winbind start/running, process 30540
nmbd stop/waiting
nmbd start/running, process 30556
smbd stop/waiting
smbd start/running, process 30568
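As an added example (not from the original post), the script below automates the Step 5 and Step 7 checks on text in the shapes those files and commands produce: it pulls the idmap range out of smb.conf, confirms that winbind is listed on the passwd and group lines of nsswitch.conf, and flags any passwd entry whose UID or GID is 4294967295 or outside the rid range. The embedded smb.conf, nsswitch.conf and passwd samples are constructed for the demo; DOMAIN, jdoe and the split tdb/rid idmap layout are assumptions, not taken from the post. On a real host, feed it the output of cat /etc/samba/smb.conf and getent passwd instead, as the usage comment shows.

```shell
#!/bin/sh
# Added example, not from the original post: verify the winbind idmap/NSS
# setup before trying PAM logins. All sample data below is constructed.

# Constructed smb.conf excerpt. Assumed layout: tdb for the catch-all "*"
# domain and rid for the real domain, each with its own range.
SAMPLE_SMB_CONF='[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 50000 - 99999'

# Constructed nsswitch.conf excerpt (winbind appended to passwd and group only).
SAMPLE_NSSWITCH='passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns'

# Constructed getent passwd / wbinfo -i output: a healthy rid mapping, the
# 4294967295 ((uint32)-1) "no mapping" sentinel the post warns about, and a
# local account that winbind is not responsible for.
SAMPLE_PASSWD='administrator:*:50500:50513:Administrator:/home/DOMAIN/administrator:/bin/bash
jdoe:*:4294967295:4294967295:John Doe:/home/DOMAIN/jdoe:/bin/bash
root:x:0:0:root:/root:/bin/bash'

# idmap_range <smb.conf text> <domain or *> : prints "low high" taken from
# that domain's "idmap config X : range" line; spaces around "-" are tolerated.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F= '{
        key = tolower($1); gsub(/[ \t]/, "", key)        # e.g. "idmapconfigdomain:range"
        if (key == "idmapconfig" tolower(dom) ":range") {
            val = $2; gsub(/[ \t]/, "", val)
            split(val, r, "-"); print r[1], r[2]; exit
        }
    }'
}

# nss_has_winbind <nsswitch.conf text> <db> : 0 if the <db> line lists winbind
nss_has_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $0 ~ "^" db "[ \t]*:" { if ($0 ~ /[ \t:]winbind([ \t]|$)/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# uid_in_range <id> <low> <high> : 0 if the id is a real mapping inside the range
uid_in_range() {
    [ "$1" -ne 4294967295 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_passwd_entries <passwd text> <low> <high> : prints OK/BAD per domain
# entry and returns 1 if any domain entry is unmapped or outside the range.
# IDs below the range are treated as local accounts and skipped.
check_passwd_entries() {
    low=$2; high=$3; bad=0
    while IFS=: read -r user pw uid gid rest; do
        [ -z "$user" ] && continue
        if [ "$uid" -ne 4294967295 ] && [ "$uid" -lt "$low" ]; then
            continue
        fi
        if uid_in_range "$uid" "$low" "$high" && uid_in_range "$gid" "$low" "$high"; then
            echo "OK  $user uid=$uid gid=$gid"
        else
            echo "BAD $user uid=$uid gid=$gid (expected $low-$high)"
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

# run_checks: the whole sequence on the constructed samples (fails on jdoe).
# On a real host:  check_passwd_entries "$(getent passwd)" \
#                      $(idmap_range "$(cat /etc/samba/smb.conf)" DOMAIN)
run_checks() {
    set -- $(idmap_range "$SAMPLE_SMB_CONF" DOMAIN)
    echo "rid range for DOMAIN: $1-$2"
    nss_has_winbind "$SAMPLE_NSSWITCH" passwd || { echo "nsswitch: passwd lacks winbind"; return 1; }
    nss_has_winbind "$SAMPLE_NSSWITCH" group  || { echo "nsswitch: group lacks winbind"; return 1; }
    check_passwd_entries "$SAMPLE_PASSWD" "$1" "$2"
}
```

The range check is the one that matters for security as well as function: an account that resolves to 4294967295 has no UID, and a range that overlaps local accounts would let a domain user's files appear to belong to a local one.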

Step 8: PAM integration

If you made it this far, congratulations! The worst is now over! PAM configuration is nice and easy, just run:

Code:

pam-auth-update

Ensure the "Winbind NT/Active Directory authentication" box is checked. PAM by default does not create new home directories, so run this to append pam_mkhomedir to your PAM configuration:

Code:

echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-account

Two caveats here. pam_mkhomedir is a session module, so the conventional place for this line is /etc/pam.d/common-session (it still works from common-account only because every PAM line carries its own type column), and pam-auth-update rewrites the common-* files, so re-check that the line survived after any later pam-auth-update run. Also, umask=0022 creates home directories that every other domain user on the machine can read; use umask=0077 unless you really want that.

To test your new domain authentication setup, simply try logging in:

Code:

# login

And... you have a home directory and can log in using the domain credentials!

Note: you'll need to add the following so that you can log in through the login screen with your Active Directory credentials.

The lightdm file is located at:

/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

That file belongs to the lightdm package and is overwritten on upgrade; the same keys can go in a new file under /etc/lightdm/lightdm.conf.d/, which is read afterwards and takes precedence. Both keys go under the [SeatDefaults] section the file already has.

Add the following to enable manual (non-local) logins, which gives you a username field where you can type the domain account:

Code:

greeter-show-manual-login=true

To disable guest login, add the following to the conf file:

Code:

allow-guest=false

The original article can be found at the link.

To replace the software we used on Windows, we used the following:

Windows            Ubuntu replacement
Notepad++          Notepadqq
NetBeans           NetBeans
Office             LibreOffice
IE/Chrome          Chromium/Firefox
TortoiseSVN        RabbitVCS

I hope this article helps others trying to migrate to Linux. I thought I should write it up because of the difficulties I faced getting this setup working. Let me know your feedback.


© 2016 By Ankur Desai. Created with Wix.com
