Okay, I'm actually describing a dilemma that I had with an Ubuntu rollout into a purely Windows domain.
I'll describe the steps needed to add your Linux servers to the domain, allow a group of users shell access, allow sudo access for a group, and still permit root logins on the local machine.
Domain Information
First, let's define some domain information -- keep in mind that the letter case of the terms below is relevant and important:
WORKGROUP
MYDOMAIN.NET
dc01.mydomain.netwith an IP of
192.168.0.5
john(why not)
linux01
192.168.0.10
255.255.255.0
192.168.0.1
1. Now that the particulars are out of the way, go ahead and do a basic build of Ubuntu Server 7.04 without DNS or LAMP services. You can add those later. Or, if you already have a custom box up and running, you can use it, too.
2. As part of the initial install in Ubuntu, you'll need to create an initial username and password on Ubuntu. For the sake of this howto, the username will be "Bob".
Windows AD Setup
3. The base build of Ubuntu will take about 10 minutes or so. In the meantime, open Active Directory Users and Computers for your domain and create:
Ubuntu Config
4. Complete your Ubuntu build and reboot the machine when prompted.
5. Log in as Bob.
6. Become root:
sudo su -
7. Type Bob's password when prompted by the sudo command.
8. Set a root password if you don't already have one:
passwd
9. Once you have a root password, make sure your clock is up to date:
ntpdate 192.168.0.5
10. While we're at it, let's add a cron job to automatically update the clock once per day. You could use crontab -e or you can use this instead:
echo "45 8 * * * ntpdate 192.168.0.5" >> /var/spool/cron/crontabs/root
This will add 45 8 * * * ntpdate 192.168.0.5 to the end of root's crontab file to update the clock at 8:45AM every day. It will take effect after a reboot, but don't reboot yet.
11. Make a backup of /etc/hosts
cp /etc/hosts /etc/hosts.bak
12. Then edit /etc/hosts and make sure you have only these two lines
127.0.0.1 localhost
192.168.0.10 linux01 linux01.mydomain.net
Note: I don't have any IPV6 switches in any of my production level environments, so I don't use it -- can't help if you need it in yours.
13. Fetch a few needed programs:
apt-get -y install krb5-user libpam-krb5 krb5-config libkrb53 libkadm55
14. Once those programs are installed, you'll need to change /etc/krb5.conf, but be sure to make a backup.
15. Now, edit /etc/krb5.conf, delete its contents, then replace with this:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
kdc = dc01.mydomain.net:88
admin_server = dc01.mydomain.net:464
default_domain = MYDOMAIN.NET
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
[login]
krb4_convert = true
krb4_get_tickets = false
16. Get a ticket-granting ticket from your domain controller:
kinit john@MYDOMAIN.NET
You'll be prompted for John's password for mydomain.net.
17. Now that you have a ticket, you can install winbind and samba:
apt-get -y install winbind samba
18. Make a backup of /etc/samba/smb.conf then edit the file, delete its contents, then add:
[global]
security = ads
realm = MYDOMAIN.NET
password server = 192.168.0.5
workgroup = WORKGROUP
idmap uid = 10000-200000
idmap gid = 10000-200000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
You may be able to spot some of the obvious settings in here, but we're also setting the UID and GID numbers that Linux should assign to our AD users when they authenticate, the home directory and default shell of new AD users, and whether Samba should ever assert itself (rather, not) as the domain master browser whenever a Samba election takes place. Normally, your domain controller has that role.
19. Restart Winbind and Samba in the right order:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
init 6
21. Once the machine restarts, log in as root. You did set a root password, yes?
22. Get another ticket-granting ticket from your domain controller:
kinit john@MYDOMAIN.NET
23. Type John's password when prompted.
Edit: Apparently this reboot is not required to join the domain. Just move to the next step:
24. Attempt to join the domain:
net ads join
25. You should see a confirmation that the machine was successfully joined. If you get a failure, be sure to check: network, /etc/hosts for the right IP address and name of the new server, that your clock and time zone settings are accurate and up to date.
26. For grins, check your domain controller to see if linux01 was added to the Computers OU.
27. Reboot. Yes, just joining the domain requires a reboot:
init 6
28. Once rebooted, log back in as root then get another ticket-granting ticket:
kinit john@MYDOMAIN.NET
Of course, type John's password when prompted.
29. Now we need to attempt to enumerate all users and groups from our AD server:
wbinfo -u
The wbinfo command may take a few seconds or several minutes to run -- it's going to dump every username from Active Directory to stdout. Be patient.
30. If it worked, repeat the process for groups:
wbinfo -g
31. Backup then replace /etc/nsswitch.conf with the following:
passwd: compat winbind
group: compat winbind
shadow: compat
32. Attempt to get users' authentication information from AD:
getent passwd
33. Then repeat for groups:
getent group
34. Backup and replace these files with the text shown:
/etc/pam.d/common-account
account [default=1 success=ignore] pam_succeed_if.so quiet uid >= 10000
account required pam_succeed_if.so debug user ingroup linuxusers
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
/etc/pam.d/sudo
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
@include common-account
35. Note that the /etc/pam.d/common-account file is where we define which AD group can have login rights. In this case, it's linuxusers.
36. To define who has sudo or administrative rights on this machine, we have to edit /etc/sudoers -- best to do that with the visudo command -- then add this line to the end of it:
%linuxadmins ALL=(ALL) ALL
37. Create a login directory for your domain users:
mkdir /home/WORKGROUP
38. Reboot the machine one more time. When it comes back up, attempt to log in with testuser1, which you created early on in the process. You should be able to log in. Once logged in, attempt to sudo a command. For example, type
sudo cat /root/.bash_history
then provide testuser1's domain password then the command should fail (as expected). This is because that user is a member of the linuxusers AD security group and only members of the linuxadmins AD security group would have sudo access.
39. Log out of the testuser1 account then log in as testuser2 with his domain password. Now, try the same sudo command as testuser2:
sudo cat /root/.bash_history
Once you give it testuser2's domain password, you should see the results of the ifconfig command.
40. Remember the user, Bob, that you created during the installation? As testuser2, try to delete Bob's account and home directory:
sudo userdel bob
41. If you already authenticated to run the ifconfig command, you won't be prompted for your password again. Otherwise, provide it, and the user Bob should be deleted. Don't forget to delete Bob's home directory, too:
rm -rf /home/bob
Congratulations, your domain authentication on Ubuntu 7.04 is complete. There may, in fact, be a much, much easier way to do this -- probably just a one-line command for all I know -- but I have no idea what it would be.
2 comments:
John -
Thanks so much for this post - I have been looking for detailed instuctions on how to get my Ububtu 8.04 server into my domain. It work the first time I tried it. I wish all the Ubuntu documentation was a through as your. I hope you consider publishng other tricks as I am sure others will find it as helpful as I did.
Again thanks for the post - I am encouraged to continue to move forward with Ubuntu!!
Respectfully -
ingram
Worked for me, you're a superstar!
Post a Comment