Authenticating Linux clients against MS Active Directory

From Rsewiki
Revision as of 20:17, 8 July 2013 by Sh

This page describes the steps needed to let Ubuntu 12.04 clients authenticate users against AIT's Active Directory (AD) server. Groups and settings from DTU-Basen can then be used on the clients, as well as the users' home directories from dtu-storage.

The setup is heavily inspired by the following manual for RHEL systems: Linux-AD

Install Samba and Kerberos:

$ sudo apt-get install samba krb5-user winbind smbfs

Setup Kerberos (/etc/krb5.conf):

[libdefaults]
	default_realm = WIN.DTU.DK
	dns_lookup_realm = true
	dns_lookup_kdc = true
	ticket_lifetime = 24h
	renew_lifetime = 7d
	forwardable = true

[realms]
WIN.DTU.DK = {
	default_domain = win.dtu.dk
}
[domain_realm]
.win.dtu.dk = WIN.DTU.DK
win.dtu.dk = WIN.DTU.DK

Setup Samba (/etc/samba/smb.conf):

#======================= Global Settings =======================
[global]
   workgroup = WIN
   server string = kapok
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   realm = WIN.DTU.DK
   netbios name = elek-aut-01
   idmap config * : backend = rid
   idmap config * : range = 5000-100000000
   idmap config * : base_rid = 0
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = true
   winbind offline logon = false
   winbind enum users = No
   winbind enum groups = No
   winbind nested groups = Yes
   allow trusted domains = No

Add the machine to the AD

Get a Kerberos ticket by issuing:

$ sudo kinit <campusnet-login>@WIN.DTU.DK

Add the PC to the AD domain by issuing:

$ sudo net ads join -U <campusnet-login>

The PC name needs to start with "elek-" (when dealing with DTU-Elektro machines). The name must be the same as the "netbios name" in the Samba configuration file. Dual-boot Windows machines that already have an "elek-" name must be given a different name to avoid conflicting AD instances. (Even WinXP and Win7 can't share the same AD instance.)

Add Winbind to the nsswitch configuration. (/etc/nsswitch.conf):

passwd:         nis compat winbind
group:          nis compat winbind
shadow:         nis compat winbind 

hosts:          files dns wins mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Check that

$ wbinfo -u

gives a list of all AD users. (This might take a while).
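As an added check (not part of the original page), the script below lints the settings the join depends on: the netbios name must start with "elek-" and match the hostname, security must be ADS with the WIN.DTU.DK realm, and winbind must be listed for passwd, group and shadow in nsswitch.conf. It runs on constructed sample files, so no joined machine is needed to try it.

```bash
#!/bin/sh
# Added example: sanity-check the smb.conf / nsswitch.conf settings this page relies on.
# It never touches a live domain; constructed samples stand in for the real /etc files.

# smb_value FILE KEY: print the value of "KEY = value" from FILE (first match, trailing blanks trimmed)
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# nss_has_winbind FILE DB: succeed if the DB line (passwd, group, ...) in FILE lists winbind
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null
}

# check_ad_config SMB_CONF NSSWITCH_CONF HOSTNAME: print each problem found; exit status = number of problems
check_ad_config() {
    smb=$1; nss=$2; host=$3; n=0
    name=$(smb_value "$smb" "netbios name")
    case "$name" in elek-*) ;; *) echo "netbios name '$name' does not start with elek-"; n=$((n+1)) ;; esac
    [ "$name" = "$host" ] || { echo "netbios name '$name' differs from hostname '$host'"; n=$((n+1)); }
    [ "$(smb_value "$smb" security)" = "ADS" ] || { echo "security is not ADS"; n=$((n+1)); }
    [ "$(smb_value "$smb" realm)" = "WIN.DTU.DK" ] || { echo "realm is not WIN.DTU.DK"; n=$((n+1)); }
    for db in passwd group shadow; do
        nss_has_winbind "$nss" "$db" || { echo "nsswitch: $db does not include winbind"; n=$((n+1)); }
    done
    return $n
}

# write_samples DIR: write constructed sample files (a correct pair and a broken pair) into DIR
write_samples() {
    printf '[global]\n   security = ADS\n   realm = WIN.DTU.DK\n   netbios name = elek-aut-01\n' > "$1/smb.good"
    printf 'passwd: nis compat winbind\ngroup: nis compat winbind\nshadow: nis compat winbind\n' > "$1/nss.good"
    printf '[global]\n   security = user\n   realm = WIN.DTU.DK\n   netbios name = aut-01\n' > "$1/smb.bad"
    printf 'passwd: nis compat winbind\ngroup: nis compat winbind\nshadow: compat\n' > "$1/nss.bad"
}

# Stand-alone usage on a real client: lint the live files against this machine's hostname.
# check_ad_config /etc/samba/smb.conf /etc/nsswitch.conf "$(hostname)"
```

On the broken sample the script reports four problems (bad prefix, name/hostname mismatch, security not ADS, shadow without winbind) and exits with status 4.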

Automatic mounting of home directory

By installing "pam_mount" it is possible to mount an AD user's home directory automatically upon login. The package is installed by:

$ sudo apt-get install libpam-mount

A somewhat working pam_mount configuration is (/etc/security/pam_mount.conf.xml):

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">

<pam_mount>

<debug enable="1" />

<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />

<logout wait="100000" hup="yes" term="yes" kill="no" />

<volume pgrp="domain users" server="dtu-storage.win.dtu.dk" path="" mountpoint="home/WIN" fstype="cifs" />

<cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "username=%(USER),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700%(before=\",\" OPTIONS)"
</cifsmount>

<umount>umount %(MNTPT)/%(USER)</umount>

<mkmountpoint enable="1" remove="false" />

</pam_mount>

There are problems with multiple mounts and mounts that hang upon logout.