I wrote similar documentation for work and decided to make it generic enough for others to do this. For all I know there is now some GUI tool that does this, however, I believe it’s best to know what’s going on in the background in order to troubleshoot when something goes wrong.
NTP
First set up NTP, because AD (really, Kerberos) relies on accurate time and working DNS.
# apt-get install ntp
Change this line in /etc/ntp.conf
# You do need to talk to an NTP server or two.
server ntp.circus.com
Restart ntp.
# /etc/init.d/ntp restart
Kerberos
Install the Kerberos packages; these will pull in some dependencies with them.
# apt-get install krb5-config krb5-user libpam-krb5 libkadm55
Now for a DNS trivia example. Just for fun, run this command; these are the SRV records Kerberos uses to locate the KDCs when dns_lookup_kdc is enabled:
$ dig -t SRV _kerberos._tcp.circus.com
;; ANSWER SECTION:
_kerberos._tcp.circus.com. 600 IN SRV 0 100 88 a2.CIRCUS.COM.
_kerberos._tcp.circus.com. 600 IN SRV 0 100 88 a1.CIRCUS.COM.
Now edit the /etc/krb5.conf file:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = CIRCUS.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  AD = {
    kdc = ad1.circus.com:88
    admin_server = ad1.circus.com:749
    default_domain = circus.com
  }
  CIRCUS.COM = {
    kdc = ad2.circus.com
    kdc = ad1.circus.com
  }

[domain_realm]
  circus.com = CIRCUS.COM
  .circus.com = CIRCUS.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
Now test the Kerberos install; notice that CIRCUS.COM is in ALL CAPS:
# kinit judson.bishop@CIRCUS.COM
Password for judson.bishop@CIRCUS.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: judson.bishop@CIRCUS.COM

Valid starting     Expires            Service principal
03/04/09 10:29:55  03/04/09 20:30:00  krbtgt/CIRCUS.COM@CIRCUS.COM
        renew until 03/05/09 10:29:55
So Kerberos works.
Samba
And the Samba configuration file:
# cat /etc/samba/smb.conf | grep -v -e "\#" -e "\;" | sed /^$/d
[global]
  workgroup = AD
  password server = ad1.circus.com
  realm = AD.CIRCUS.COM
  security = ads
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
  template shell = /bin/bash
  winbind use default domain = true
  winbind offline logon = false
  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  obey pam restrictions = yes
  allow trusted domains = no
  server string = Hostname %v
  log file = /var/log/samba/%m.log
  realm = AD.CIRCUS.COM
  local master = no
  load printers = yes
  cups options = raw

[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  valid users = %S

[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = no
  guest ok = no
  writable = no
  printable = yes
Join AD
Please notice the ALL CAPS domain. This is to match your Kerberos realm.
# net ads join -U judson.bishop@CIRCUS.COM
You may have to set up your /etc/samba/smb.conf file first. Also, if you have trouble here, you may have to go into Active Directory and delete this computer account, then join it to the domain again. The delete and re-join may require a fresh kinit as well. Sorry I can’t be of more help, but this tip may save you a considerable amount of time.
Winbind
Install winbind.
# apt-get install winbind
# /etc/init.d/winbind start
PAM
You need to change all of the “common” files in the directory /etc/pam.d:
Go to that directory and then make a backup just in case:
# for I in common*; do cp "$I" "$I.sav"; done
These are the files as they are on my test server; the grep just leaves out the comments, because some of them can be verbose.
/etc/pam.d # cat common-auth | grep -v \#
auth sufficient pam_krb5.so ccache=/tmp/krb5cc_%u debug
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_unix.so nullok_secure
auth optional pam_smbpass.so migrate missingok
/etc/pam.d # cat common-password | grep -v \#
password requisite pam_unix.so nullok obscure md5
password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
/etc/pam.d # cat common-session | grep -v \#
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
NSSwitch
Edit your NSS configuration file, /etc/nsswitch.conf.
The following are just the lines you need to change, not the whole file.
/etc/pam.d# cat /etc/nsswitch.conf | grep -v \#
passwd: files winbind
shadow: files winbind
group: files winbind
Testing
# getent passwd judson.bishop
# getent group
# wbinfo -t
# wbinfo -u
# wbinfo -g
# net ads testjoin
# net ads info
From another server, log into Ubuntu using ssh.
ssh -l judson.bishop server.circus.com
More troubleshooting, if you are having trouble with a user:
# id CIRCUS+judson.bishop
uid=16778342(judson.bishop) gid=16777729(domain users) ...output removed...
# ls -ldn /home/AD/judson.bishop/
drwxr-xr-x 3 16778342 16777729 4096 Nov 25 15:56 /home/CIRCUS/judson.bishop/
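As an added example (not from the original post), here is a small POSIX shell check that ties the troubleshooting output above back to the smb.conf idmap range: a domain user resolved through winbind must get a uid and gid inside "idmap uid", and the home directory should be owned by that numeric uid. The sample smb.conf fragment and id/ls lines are constructed from the values shown in this post; the local-account failure case is constructed too.

```shell
#!/bin/sh
# Added example, not part of the original post. For a domain user it checks:
#   1. the uid from `id` lies inside the "idmap uid" range in smb.conf,
#   2. the gid lies inside the same range (the post uses one range for both),
#   3. the home directory (`ls -ldn`) is owned by that numeric uid.
# A uid outside the range means the name resolved to a local /etc/passwd
# account instead of through winbind. All sample data is constructed.

# Read smb.conf text on stdin, print "LOW HIGH" from "idmap uid = LOW-HIGH".
idmap_range() {
    sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p'
}

# Read one line of `id` output on stdin, print "UID GID".
id_numbers() {
    sed -n 's/^uid=\([0-9]*\)(.*gid=\([0-9]*\)(.*/\1 \2/p'
}

# in_range N LOW HIGH: succeed when LOW <= N <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_user SMBCONF_TEXT ID_LINE LS_LINE: report each failure, return 0 if all pass.
check_user() {
    range=$(printf '%s\n' "$1" | idmap_range)
    low=${range% *}; high=${range#* }
    nums=$(printf '%s\n' "$2" | id_numbers)
    uid=${nums% *}; gid=${nums#* }
    owner=$(printf '%s\n' "$3" | awk '{print $3}')   # numeric owner from ls -ldn
    status=0
    in_range "$uid" "$low" "$high" || { echo "FAIL: uid $uid outside idmap range $low-$high"; status=1; }
    in_range "$gid" "$low" "$high" || { echo "FAIL: gid $gid outside idmap range $low-$high"; status=1; }
    [ "$owner" = "$uid" ] || { echo "FAIL: home dir owned by uid $owner, expected $uid"; status=1; }
    return $status
}

# Constructed sample data (values taken from the post's smb.conf and id/ls output).
SMBCONF='[global]
workgroup = AD
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431'
ID_OK='uid=16778342(judson.bishop) gid=16777729(domain users) groups=16777729(domain users)'
LS_OK='drwxr-xr-x 3 16778342 16777729 4096 Nov 25 15:56 /home/CIRCUS/judson.bishop/'
# Constructed failure case: a local account with the same name shadows the domain user.
ID_LOCAL='uid=1001(judson.bishop) gid=1001(judson.bishop) groups=1001(judson.bishop)'

check_user "$SMBCONF" "$ID_OK" "$LS_OK" && echo "OK: $ID_OK"
check_user "$SMBCONF" "$ID_LOCAL" "$LS_OK" || echo "(expected failure for the local account)"
```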
Playing around with ACLs:
cd /home/AD/e09049/
mkdir Test
getfacl -R Test >getfacl-Test.txt
chmod u+rwx Test/
chmod g+rwx Test/
chmod o-rwx Test/
ls -al
chmod g+s Test/
setfacl -d -m mask:007 Test
chown root:AD+854 Test
And finally to play around with group access:
# chown -R judson.bishop:smbgroup /opt/mr/
# chmod -R ug+rwx,o-rwx /opt/mr/