|
[TUTORIAL] AD integration with Ubuntu 14.04 and winbind
So it seems the internet is not short of winbind/smb documentation, but I have yet to find a cohesive start to finish guide for the setup process. So here goes nothing! This guide is for people looking to set up a Linux machine that will authenticate in a 1 forest, 1 domain Active Directory environment.
A bit of advice: be patient. This was one of the most frustrating things I have ever set up, mostly due to old/fragmented help around the internet. I strongly recommend against using Ubuntu's official guide, it's outdated and borderline useless. Hopefully I can save someone from a concussion with this. 1. Install winbind and other helper packages. Here are the versions I used while writing this: winbindd: 4.1.6-Ubuntu samba: 4.1.6-Ubuntu smbd: 4.1.6-Ubuntu nmdb: 4.1.6-Ubuntu The command to install all required packages: Code:
# apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user2. Setup Kerberos authentication. AD uses standard (for once) Kerberos for authentication, which easily fits in with Linux. The environment I'm working in is as follows: Domain controller: ad.bfs.com (10.0.0.20) DNS server: 10.0.0.20 NetBIOS domain name: BFS Kerberos configuration is located at: Code:
/etc/krb5.confThe following is my working krb5.conf: Code:
[libdefaults]3. Kerbs authentication Once saved, test the setup with the following command. In this test, I'm looking for myself (brian) in the Kerbs realm of AD.BFS.COM controlled by the server at ad.bfs.com. Code:
# kinit brian@AD.BFS.COMOnce you successfully authenticate with the DC, we now need to authenticate an account with binding privileges. In my case, it's my ad-brian account. Code:
# kinit ad-brian@AD.BFS.COM4. winbind setup (the real fun begins now) The default configuration given to you be Ubuntu is lengthy and a bit difficult to read. A much simpler one is given below, you will need to tune my configuration to suit your needs. The file is located at: Code:
/etc/samba/smb.confCode:
[global]5. Configure nss to make domain accounts locally available. The nss configuration is located at: Code:
/etc/nsswitch.confCode:
passwd: compat winbindEasiest part of the whole tutorial: Code:
# net ads join -kOnce joined, start or restart the following three services with this command: Code:
# service winbind restart; service nmbd restart; service smbd restartwinbind will crap out on you if you aren't joined to a domain, so no shortcuts. 7. Testing winbind setup. Hopefully you've made it this far, this is about when you'll start hitting enormous brick walls. Chin up! The rid backend will enumerate all domain accounts and groups and add them to a local database (not /etc/passwd). You need to first verify rid has correctly mapped out UID's and other info. Code:
# wbinfo -uwbinfo -u: all domain users wbinfo -g: all domain groups wbinfo -i brian: user information for brian Code:
brian:*:6106:5513:Brian:/home/BFS/brian:/bin/bashgetent group: all locally available groups. Domain groups will be at the bottom. If wbinfo -u and -g are successful, but you get this for wbinfo -i brian: Code:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUNDIf wbinfo -i brian returns this: Code:
brian:*:4294967295:4294967295:Brian:/home/BFS/brian:/bin/bashThe same goes for getent passwd and groups. If the id's on the users or groups are 4294967295 and not within the range specified, this is wrong and will not function correctly. Take another look at your idmap section. Just in case you did, it should be noted the idmap backend = ad does not do what you think it does. This will attempt to pull all user information from the directory, including UID, login shell, etc. If you did not set these for each user in the domain on the DC, this won't work since there will be nothing to pull down! The UNIX attributes tab for each user is where you will need to go if you insist on going this route. I will stick with the rid method in this tutorial. The Samba page gives the options needed to use each backend correctly. After each configuration file edit, be it smb.conf, nsswitch.conf, etc. you need to restart all Samba services: Code:
# redo() { service winbind restart; service nmbd restart; service smbd restart; }If you made it this far congratulations! The worst is now over! PAM configuration is nice and easy, just run: Code:
pam-auth-updateCode:
echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-accountCode:
# loginOne tiny downside to this setup is that passwd for domain accounts does not appear to work. I get an error every time, but that's minor anyways. Also, I strongly recommend version locking your winbind, samba, libnss-winbind, and libpam-winbind packages. It is a well-known fact the Samba team loves to drop random syntax changes between versions, and this will almost certainly break your setup. If it works, then leave it at that and don't touch it, you never know what might break from an update. Good luck everyone! If I missed anything, tell me and I'll add it. |
Hey there! Love the post! Two quick things. First, in the section below, you have a typo. getend group should be getent group.
[code]# wbinfo -u # wbinfo -g # wbinfo -i brian # getent passwd # getend group Secondly, and I'm not sure if you had this already set up, but I had to add a line in my /etc/hosts file 127.0.0.1 server server.domain.local I didn't have the server.domain.local in my hosts file, so I had to add it. Other than that, this tutorial worked like butter for me! Thanks! Quote:
|
Whem run the commando kinit andrew@x.local I get this error message.
kinit: KDC reply did not match expectations while getting initial credentials Can someone help me with problem? |
Quote:
Is your DomainName UPPER CASE IN /etc/krb5.conf ? |
That, and also make certain your domain is DNA resolve-able. If you still encounter problems, please post the versions of winbindd, samba, smbd, and nmdb.
-rabbit |
The version for all four is 4.1.6-Ubuntu. I have managed to join Windows client without problems. I have try to change Domain name to uppercase but it didn't helped. Is there something else I should post in this thread, that might explain this problem`?
|
Can you post your /etc/krb5.conf and the full kinit command you're using? You can edit out your domain name if you want, but it'd be easier to understand your setup if you just left it on.
-rabbit |
I use following kinit command.
Code:
# kinit andrew@TEST.localCode:
[libdefaults] |
Access from windows 7 to my home in samba
That such a friend, great guide, I wanted to consult you two points:
In which you mention the user uid shows me this: masterhades: *: 6104: 6122: mastehades: / home / DOMPRU / masterhades: / bin / bash As you comment should be another UID. You could tell me how is this ?. And with regard to access, because I go to a laptop with windows 7 which is within the domain shared access to that server key and asks me immediately, which could be ?. Thanks in advance for the support friend. Atte. Jorge |
Redundant kdc possible?
Thanks for the nice how-to.
In the [realms] section of the krb5.conf, is it possible to add another server name to be able to create a redundant config for the kdc, like I have written below? [realms] AD.BFS.COM = { kdc = ad.bfs.com:88 kdc2 = ad2.bfs.com:88 default_domain = ad.bfs.com } Thanks! |
Rabbit2345, you are my HERO. I have been banging my head against a brick wall for a couple of days over this. I had everything working for a few days then it quit inexplicably..not sure why.. Everything still worked except for getent would return no domain users or groups and when I would try to access the shares it would say "group does not exist" or something like that.
I pretty much had everything setup like yours already, but I corrected anything and everything I had to match your setup anyway. The main change I made that I think may have been the trick that cleared the logjam was changing 'idmap config MYDOMAIN:' to 'idmap config *:' in smb.conf. You also had a bunch of stuff for my krb5.conf that I hadn't seen before. Whatever it was, you saved my bacon. Thank you so much!! -- Josh from Eagle, Idaho (Boise area) -- Ubuntu 14.04 LTS Server with Samba & Winbind as a domain member in Windows 2008 R2 domain. |
Ok well whatever I did solved the getent problem. I can now see all my domain users and groups like I should. But now I can't access the shares at all. I'm going on a business trip for a couple of days but maybe I will post my conf files soon and see if we can figure it out. Thanks again!
Josh |
It was reallyreallyreally useful! Thanks, Rabbit2345.
Just a couple of notes. 1. In krb5.conf Quote:
Quote:
Quote:
Quote:
|
OK back from my business trip. I decided to post a new thread over at http://www.linuxquestions.org/questi...nux-server-73/ called "Ubuntu 14.04 Samba 4 - share permissions stumper" today. Thanks everyone!
|
This guide certainly helped me to get further than I'm able before. That actually makes it a bit frustrating, because while:
Code:
# wbinfo -uI'm not even sure where to look at this point for the issue. So of course I check the logs. Code:
==> /var/log/samba/log.nmbd <==Code:
[realms]Code:
kinit ragekat@DOMAIN.LOCALAny thoughts? |
Quote:
|
Quote:
Code:
kinit ragekat@domain.localCode:
[realms]Disclaimer: Take my suggestions with a grain of salt. I have limited experience with AD and have not tried this guide yet. However, I have done a lot of reading in regards to this topic. Unfortunately I can't even begin to remember where I read that realms stuff needs to be capitalized. Edit: I just re-read the first post and realized that it mentions capitalization. |
Well, the guide didn't have it capitalized, hence why I didn't either. Gave it a shot anyway.
Still not working, I'm afraid. For good measure, I tried `ragekat`, `domain\ragekat` and `DOMAIN\ragekat` as possible login names, but none of them took. Also missing from this guide is a way to restrict logins to a group, and I feel it's possible that might be inclusive rather than exclusive. However, I am a domain admin, so if nothing else, it should at least be letting me on. |
I continue to have the problem so I ssh'd in and tailed my /etc/samba/samba.log in realtime:
Quote:
Quote:
Thanks everyone for your input. |
I ran into a wierd issue with not being able to join the Domain. I realized that ping wasn't working to FQDN of the Domain Controller or to the Domain Name (domain.local). Found out that any domain ending with .local is used by mDNS and therefore it wasn't using DNS at all but rather broadcasting.
Disabled mDNS service avahi-daemon stop systemctl disable avahi-daemon This got DNS working and then I was able to join the domain. Thanks for the wonderful writeup @rabbit2345 |
Hello --
I went through the procedure that you had posted, and it appears to have worked well for me. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. The server in question is an Ubuntu 14.04 LTS 64-bit system with Samba 4.3.9 running on it. I had several follow-up questions: 1. How can I configure an SSH connection to the server that will utilize the active directory login? 2. When the login completes, I encounter the following error messages: Quote:
Do you have any thoughts on this? Thanks. |
kinit user@DOMAIN.LOCAL does return password promt.
net ads testjoin returs 'join Ok' Unfortunately, when I try to login it says 'access denied' with domain users. Configuration seems to be ok to me, how do I go about it? |
| All times are GMT -5. The time now is 09:35 PM. |