
Ubuntu Active Directory integration

WinBind Linux Active Directory domain integration: guide for Ubuntu 12.04



Install the required and useful packages:


apt-get install winbind samba heimdal-clients heimdal-clients-x libpam-heimdal libgssapi3-heimdal libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap 
apt-get install openldap-utils auth-client-config ssh ntp



Enable the winbind service at boot:


update-rc.d winbind enable



Check the key system configuration files:

 

/etc/resolv.conf

nameserver <dns-server-1>
nameserver <dns-server-2>
search domain1 domain2 ...
domain your-domain

Note that "search" and "domain" are mutually exclusive in resolv.conf: when both are present, only the last one is used, so keep one of them.
 
 

/etc/hosts 

127.0.0.1             localhost
X.X.X.X                srv001.nomblot.org      srv001
 


/etc/nsswitch.conf 

passwd: files winbind db
group: files winbind db
shadow: files winbind


/etc/krb5.conf

[logging]
        default = FILE:/var/log/krb.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = NOMBLOT.ORG
        # the des-* types are only needed for very old DCs; DES is weak and
        # disabled by default in AD since Windows Server 2008 R2
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        udp_preference_limit = 0

[domain_realm]
        .cloud.nomblot.org = NOMBLOT.ORG
        .nomblot.org = NOMBLOT.ORG

[realms]
        NOMBLOT.ORG = {
                kdc = srv003.nomblot.org:88
                kpasswd_server = srv003.nomblot.org:464
        }


/etc/samba/smb.conf

[global]
        server string = %h
        workgroup = NOMBLOT
        realm = NOMBLOT.ORG
        security = ads
        domain master = no
        local master = no
        allow trusted domains = no
        socket options = TCP_NODELAY
        template homedir = /home/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
        password server = *
        client ntlmv2 auth = yes

        idmap config NOMBLOT:backend = ad
        idmap config NOMBLOT:default = yes
        idmap config NOMBLOT:schema_mode = rfc2307
        idmap config NOMBLOT:range = 500 - 300000000
        idmap config *:backend = ad
        idmap config *:range = 500 - 300000000

        idmap cache time = 1209600
        idmap negative cache time = 1209600
        username map cache time = 300
        winbind cache time = 300

        winbind expand groups = 10
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307
        winbind offline logon = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind reconnect delay = 5

        # winbind bug: when set to yes, the winbind cache is ignored
        winbind normalize names = no

        dns proxy = no
        log file = /var/log/samba/log.%m
        log level = 0 idmap:0 winbind:1
        max log size = 1000
        obey pam restrictions = yes
        pam password change = yes
        name resolve order = host
        create krb5 conf = no
        private dir = /var/lib/samba
        state directory = /var/lib/samba
        cache directory = /var/cache/samba
        lock directory = /var/lib/samba
        pid directory = /var/run
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid syslog messagebus colord lightdm whoopsie avahi-autoipd avahi usbmux kernoops pulse rtkit saned speech-dispatcher hplip sshd
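The two files above must agree with each other: the realm in smb.conf has to match default_realm in krb5.conf, and every kdc entry should be a host inside that realm's DNS domain. The script below is an added example, not part of the original guide, that checks both points; it runs offline against constructed sample files (written by write_samples, deliberately containing a mis-typed realm and a KDC with a stray suffix so the checks have something to catch). The function names are assumptions made here.

```shell
# Added example (not part of the original guide): consistency checks between
# /etc/krb5.conf and /etc/samba/smb.conf, run offline against constructed
# sample files. The function names are assumptions made here.

# Print the default_realm from a krb5.conf-style file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the "realm =" value from an smb.conf-style file, upper-cased: Samba
# accepts any case here, but the Kerberos realm name is case-sensitive.
smb_realm() {
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print each "kdc =" host from the [realms] section only (so the
# "kdc = FILE:..." line under [logging] is ignored), with any :port stripped.
krb5_kdc_hosts() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && /^[ \t]*kdc[ \t]*=/ {
            v = $0
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, "", v)
            sub(/[ \t].*$/, "", v)
            sub(/:[0-9]+$/, "", v)
            print v
        }' "$1"
}

# 0 when krb5.conf and smb.conf name the same realm, 1 otherwise.
realms_consistent() {
    r=$(krb5_default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(smb_realm "$2")" ]
}

# 0 when every KDC host lies inside the DNS domain named in $2 (compared
# case-insensitively); 1 if any KDC is outside it, e.g. a mis-typed suffix.
# A KDC given as a bare IP address is reported as outside the domain.
kdcs_in_domain() {
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for h in $(krb5_kdc_hosts "$1"); do
        h=$(printf '%s' "$h" | tr '[:upper:]' '[:lower:]')
        case "$h" in
            *."$dom") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run both checks and report; exit status 1 if either fails.
check_ad_config() {
    rc=0
    if realms_consistent "$1" "$2"; then
        echo "ok: realm $(krb5_default_realm "$1") is the same in both files"
    else
        echo "MISMATCH: krb5.conf realm '$(krb5_default_realm "$1")' vs smb.conf realm '$(smb_realm "$2")'"
        rc=1
    fi
    if kdcs_in_domain "$1" "$(krb5_default_realm "$1")"; then
        echo "ok: every kdc is inside the realm's DNS domain"
    else
        echo "WARNING: a kdc entry lies outside the realm's DNS domain"
        rc=1
    fi
    return $rc
}

# Constructed samples (not real files): the smb.conf realm is mis-typed and
# one KDC carries a stray ".com" suffix, so both checks should fail on them.
write_samples() {
    cat > "$1/krb5.conf" <<'EOF'
[logging]
        kdc = FILE:/var/log/kdc.log
[libdefaults]
        default_realm = NOMBLOT.ORG
[realms]
        NOMBLOT.ORG = {
                kdc = srv003.nomblot.org.com:88
                kpasswd_server = srv003.nomblot.org:464
        }
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = NOMBLOT
        realm = nombot.org
        security = ads
EOF
}

# Usage: replace the sample paths with /etc/krb5.conf and /etc/samba/smb.conf.
dir=$(mktemp -d)
write_samples "$dir"
check_ad_config "$dir/krb5.conf" "$dir/smb.conf" || echo "fix the configuration before joining"
rm -rf "$dir"
```

Run it before `net ads join`: a realm that differs between the two files, or a KDC name that does not resolve inside the domain, are the usual reasons the join or the later ticket refresh fails with a confusing Kerberos error.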


Join the system to the domain:

# net ads join -U AdminLoginName

Create the keytab:

# net ads keytab create -U AdminLoginName

Add a service principal to the keytab (used for Kerberised services such as Apache, Squid, ...):

# net ads keytab add HTTP -U AdminLoginName

List the principals in the keytab:

# net ads keytab list

 

 

Configure OpenSSH

Edit /etc/ssh/sshd_config and add:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes

 

Configure LDAP GSSAPI

Edit /etc/ldap/ldap.conf and set:

URI     ldap://srv003.nomblot.org  ldap://srv004.nomblot.org
BASE    DC=NOMBLOT,DC=ORG
SASL_MACHINE_CCACHE    FILE:/etc/krb5.ccache
SASL_MACHINE_KEYTAB    /etc/krb5.keytab
LDAP_VERSION    3
 
 
 

Apache2 with Kerberos

aptitude install libapache2-mod-auth-kerb libapache2-mod-auth-sys-group libapache2-mod-authz-unixgroup apache2
a2enmod auth_kerb authz_unixgroup

  

Create the HTTP service principal in the keytab, copy the keytab for Apache, and fix the access rights. Be aware that /etc/krb5.keytab also holds the host/ and machine-account keys, so this copy hands those keys to www-data as well:

net ads keytab add HTTP -U AdminLoginName
cp /etc/krb5.keytab /etc/apache2/http.keytab
chown www-data:www-data /etc/apache2/http.keytab 
chmod 600 /etc/apache2/http.keytab  
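A "cp, then chown, then chmod" sequence leaves the copied keytab readable by everyone for a moment (cp creates the file with the default umask). The script below is an added example, not the guide's own commands, that creates the copy with a restrictive umask from the start and then verifies mode and owner; it is tried here on scratch files, with the chown step skipped when not running as root. The function names are assumptions made here; the paths and the www-data owner are the guide's.

```shell
# Added example (not the guide's own commands): install a keytab copy without
# a world-readable window, then verify mode and owner.

# Copy SRC to DST so the new file is created 0600 from the start (umask 077
# applies in the subshell only), then hand it to OWNER. chown is skipped when
# not running as root so the function can be tried on scratch files.
install_keytab() {
    src=$1; dst=$2; owner=$3
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 600 "$dst" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dst" || return 1
    fi
    keytab_perms_ok "$dst" "$owner"
}

# 0 only when FILE ($1) is a regular file with mode -rw------- owned by OWNER ($2).
# The fields of `ls -ld` are used (mode, links, owner, ...) for portability;
# a trailing "." or "+" after the mode (SELinux label, ACL) is tolerated.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    set -- "$2" $(ls -ld "$1")
    case "$2" in
        -rw-------*) ;;
        *) return 1 ;;
    esac
    [ "$4" = "$1" ]
}

# Usage on scratch files (replace with /etc/krb5.keytab, /etc/apache2/http.keytab
# and www-data on the real system).
dir=$(mktemp -d)
printf 'constructed placeholder, not a real keytab\n' > "$dir/krb5.keytab"
if install_keytab "$dir/krb5.keytab" "$dir/http.keytab" "$(id -un)"; then
    echo "http.keytab installed with mode 0600, owner $(id -un)"
else
    echo "keytab installation or verification failed"
fi
rm -rf "$dir"
```

Running keytab_perms_ok against /etc/apache2/http.keytab with www-data is a quick post-install check, and it is worth repeating after any package upgrade that touches the Apache configuration directory.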

 


 

Directives to add to a site (or location) that should use Kerberos authentication:

AuthName "Zone Kerberos"
AuthType Kerberos
KrbAuthRealms NOMBLOT.ORG
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials off
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
AuthzUnixgroup on
Require group nomdugroupe
Require user nomduuser
Require valid-user

 

 

Configure web browsers

Firefox (Linux and Windows)

In about:config set:

network.negotiate-auth.trusted-uris (default: empty): nomblot.org
network.negotiate-auth.delegation-uris (default: empty): nomblot.org

Chromium and Google Chrome on Linux

Chrome (on Linux) needs to be launched with:

$ chromium-browser --auth-server-whitelist="*.nomblot.org" --auth-negotiate-delegate-whitelist="*.nomblot.org"
$ google-chrome --auth-server-whitelist="*.nomblot.org" --auth-negotiate-delegate-whitelist="*.nomblot.org"
 
 

MISC &amp; TIPS

Destroy credentials

$ kdestroy

List credentials

$ klist

Leave the domain

# net ads leave -U AdminLoginName

 

 

Debug:

AD:

Check the AD machine account properties (with ADSI Edit): the servicePrincipalName attribute must exist.

 

 

Winbind:

Stop the winbind daemon and run it in the foreground in debug mode:

service winbind stop
winbindd -S -i -d4 -n

 

 


NET:

net ads join -U pat -S my-AD-server -d 10


SSH:

Server side, run a second sshd in the foreground with debug output on a spare port:
/usr/sbin/sshd -d -p 2222

Client side, connect to that port with maximum verbosity (the ssh client has no -d option):
ssh -vvv -p 2222 srvnnn-bes
 
 

TIPS:

If the machine is a duplicate of another virtual machine, remove the files under /var/lib/samba and join the machine again (otherwise both machines share the same machine account secrets).

 

Get the details of a user's groups:

wbinfo -r pnomblot | xargs -I {} wbinfo --gid-info={}
or
net ads user info pnomblot

getent group / getent passwd not returning AD users/groups:

winbind enum users and winbind enum groups must be set to yes in smb.conf for enumeration to work (the configuration above sets them to no on purpose, since enumerating a large domain is expensive).

If you're getting bad id information on a Linux system using winbind, you can flush the winbind cache to trigger an update. To do this, run:
net cache flush
 

 

Warning: the primary group cannot be used for access checks (it is set to "Domain Users" ("Utilisateurs du domaine") for most users)!

Copying "Domain Users" into another group does not work either!
