Install the required and useful packages:
apt-get install winbind samba heimdal-clients heimdal-clients-x libpam-heimdal libgssapi3-heimdal libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap
apt-get install openldap-utils auth-client-config ssh ntp
Enable service auto-start:
update-rc.d winbind enable
Check the key system configuration files:
/etc/resolv.conf
nameserver ?
nameserver ?
search domain1 domain2 ...
domain your-domain
/etc/hosts
127.0.0.1 localhost
X.X.X.X srv001.nomblot.org srv001
/etc/nsswitch.conf
passwd: files winbind db
group: files winbind db
shadow: files winbind
/etc/krb5.conf (the enctype lists below include RC4 and single-DES entries for compatibility with older domain controllers; drop the des-* and arcfour-* entries when your KDC supports AES)
[logging]
default = FILE:/var/log/krb.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = NOMBLOT.ORG
default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
udp_preference_limit = 0
[domain_realm]
.cloud.nomblot.org = NOMBLOT.ORG
.nomblot.org = NOMBLOT.ORG
[realms]
NOMBLOT.ORG = {
kdc = srv003.nomblot.org:88
kpasswd_server = srv003.nomblot.org:464
}
/etc/samba/smb.conf
[global]
server string = %h
workgroup = NOMBLOT
realm = NOMBLOT.ORG
security = ads
domain master = no
local master = no
allow trusted domains = no
socket options = TCP_NODELAY
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
password server = *
client ntlmv2 auth = yes
idmap config NOMBLOT:backend = ad
idmap config NOMBLOT:default = yes
idmap config NOMBLOT:schema_mode = rfc2307
idmap config NOMBLOT:range = 500 - 300000000
idmap config *:backend = ad
idmap config *:range = 500 - 300000000
idmap cache time = 1209600
idmap negative cache time = 1209600
username map cache time = 300
winbind cache time = 300
winbind expand groups = 10
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind offline logon = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind reconnect delay = 5
# winbind bug: if set to yes, the winbind cache is ignored
winbind normalize names = no
dns proxy = no
log file = /var/log/samba/log.%m
log level = 0 idmap:0 winbind:1
max log size = 1000
obey pam restrictions = yes
pam password change = yes
name resolve order = host
create krb5 conf = no
private dir = /var/lib/samba
state directory = /var/lib/samba
cache directory = /var/cache/samba
lock directory = /var/lib/samba
pid directory = /var/run
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid syslog messagebus colord lightdm whoopsie avahi-autoipd avahi usbmux kernoops pulse rtkit saned speech-dispatcher hplip sshd
Join the system to the domain:
#net ads join -U AdminLoginName
Create the keytab:
#net ads keytab create -U AdminLoginName
Add a service principal to the keytab (used for Kerberised services such as Apache, Squid, ...):
#net ads keytab add HTTP -U AdminLoginName
List the service principals in the keytab:
#net ads keytab list
Configure OpenSSH
Edit /etc/ssh/sshd_config and add (GSSAPIKeyExchange is only available in OpenSSH builds that carry the GSSAPI key-exchange patch, such as Debian/Ubuntu's):
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
Configure LDAP GSSAPI
Edit /etc/ldap/ldap.conf:
URI ldap://srv003.nomblot.org ldap://srv004.nomblot.org
BASE DC=NOMBLOT,DC=ORG
SASL_MACHINE_CCACHE FILE:/etc/krb5.ccache
SASL_MACHINE_KEYTAB /etc/krb5.keytab
LDAP_VERSION 3
Apache2 with Kerberos
aptitude install libapache2-mod-auth-kerb libapache2-mod-auth-sys-group libapache2-mod-authz-unixgroup apache2
a2enmod auth_kerb authz_unixgroup
Create the HTTP service principal in the keytab, copy the keytab for Apache, and fix the access rights. Note that copying /etc/krb5.keytab as a whole gives the web server every key of the machine account (including the host principal); where possible, export only the HTTP principal into the Apache keytab:
net ads keytab add HTTP -U AdminLoginName
cp /etc/krb5.keytab /etc/apache2/http.keytab
chown www-data:www-data /etc/apache2/http.keytab
chmod 600 /etc/apache2/http.keytab
Lines to insert in a site configuration to use Kerberos authentication (KrbMethodK5Passwd on enables a password fallback in which the browser sends the user's password to the server, so only use it over HTTPS):
AuthName "Zone Kerberos"
AuthType Kerberos
KrbAuthRealms NOMBLOT.ORG
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials off
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
AuthzUnixgroup on
Require group nomdugroupe
Require user nomduuser
Require valid-user
Configure internet browsers
Firefox (Linux and Windows)
about:config
network.negotiate-auth.trusted-uris (default: empty) - nomblot.org
network.negotiate-auth.delegation-uris (default: empty) - nomblot.org
Chromium and Google Chrome on Linux
Chrome (on Linux) needs to be launched with:
$ chromium-browser --auth-server-whitelist="*.nomblot.org" --auth-negotiate-delegate-whitelist="*.nomblot.org"
$ google-chrome --auth-server-whitelist="*.nomblot.org" --auth-negotiate-delegate-whitelist="*.nomblot.org"
MISC & TIPS
Destroy credentials:
$ kdestroy
List credentials:
$ klist
Leave the domain:
#net ads leave -U AdminLoginName
Debug:
AD:
Check the AD machine account properties (with ADSI Edit): the servicePrincipalName attribute must exist.
Winbind:
Stop the winbind daemon and run it in debug mode:
service winbind stop
winbindd -S -i -d4 -n
NET:
net ads join -U pat -S my-AD-server -d 10
SSH:
ssh, server side: /usr/sbin/sshd -d -p 2222
ssh, client side: ssh -vvvv srvnnn-bes -p 2222 -d 20
TIPS:
If a virtual machine has been cloned, remove the /var/lib/samba files and join the machine again.
Get a user's group details:
wbinfo -r pnomblot | xargs -i wbinfo --gid-info={}
or: net ads user info pnomblot
If getent group / getent passwd do not return AD users/groups: winbind enum users / winbind enum groups must be set to yes for enumeration to work. If you're getting bad id information on a Linux system using winbind, you can flush the winbind cache to trigger an update. To do this, run: net cache flush
Attention, le groupe primaire n'est pas utilisable (fixé à "Utilisateurs du domaine" pour la plupart des users) !
recopier "utilisateurs du domaine" dans un groupe ne fonctionne pas non plus !