Scotech
Knowledge Base


Windows Authentication on Ubuntu 9.04


Install these Kerberos/Samba/Winbind packages.

sudo apt-get install krb5-user
sudo apt-get install libpam-krb5
sudo apt-get install smbfs
sudo apt-get install samba
sudo apt-get install winbind

Tweak the Samba config file for your network.

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.1
sudo vi /etc/samba/smb.conf
#---
[global]
security = ads
realm = DOMAIN.COM
password server = 192.168.1.10
workgroup = DOMAIN
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# This allows logins w/o specifying DOMAIN
# winbind use default domain = yes
restrict anonymous = 2
#---
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Add the Active Directory server to your hosts file.

sudo vi /etc/hosts
#---
192.168.1.10 windows.domain.com
#---

Verify you are using the domain server(s) for DNS.

sudo vi /etc/resolv.conf
#---
nameserver 192.168.1.10
#---

Request a Kerberos ticket and join the domain.

sudo kinit Administrator@DOMAIN.COM
sudo net ads join -U Administrator

Edit the nsswitch.conf file to include Winbind.

sudo vi /etc/nsswitch.conf
#---
passwd: compat winbind
group: compat winbind
shadow: compat winbind
#---

Restart the Winbind service.

sudo /etc/init.d/winbind restart

Configure the PAM authentication mechanisms.

sudo vi /etc/pam.d/common-account
#---
account required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
#---

sudo vi /etc/pam.d/common-auth
#---
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
#---

Create the directory for your domain user homes.

sudo mkdir /home/DOMAIN
sudo chmod 770 /home/DOMAIN
sudo chgrp -R "DOMAIN+domain users" /home/DOMAIN

Optionally, you can add domain users to sudoers.

sudo vi /etc/group
#---
admin:x:112:olduser,DOMAIN+newuser
#---
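
A read-only check of the files edited in the steps above, added here as an example (it is not part of the original Scotech page): it confirms the smb.conf, nsswitch.conf and common-auth settings from this guide and flags local accounts whose UID falls inside the idmap uid range. The function names, the script name and the file arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits the files this guide edits. Paths are passed in so it
# can run on copies; all function names here are hypothetical helpers.

# Print the value of parameter KEY ("key = value") from an smb.conf file.
smb_get() {  # usage: smb_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2"
}

# True when nsswitch database DB (passwd, group) lists the winbind source.
nss_has_winbind() {  # usage: nss_has_winbind DB FILE
    grep -Eq "^$1:.*[[:space:]]winbind([[:space:]]|\$)" "$2"
}

# True when the auth stack has pam_winbind.so and ends in pam_deny.so (assumes one-word control flags).
pam_auth_ok() {  # usage: pam_auth_ok FILE
    stack=$(awk '$1 == "auth" { print $3 }' "$1")
    echo "$stack" | grep -qxF 'pam_winbind.so' &&
        [ "$(echo "$stack" | tail -n 1)" = "pam_deny.so" ]
}

# Print local accounts whose UID falls inside the "idmap uid" range; winbind
# would hand those same UIDs to domain users.
uid_collisions() {  # usage: uid_collisions SMB_CONF PASSWD_FILE
    range=$(smb_get "idmap uid" "$1")
    [ -n "$range" ] || return 0
    awk -F: -v lo="${range%-*}" -v hi="${range#*-}" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$2"
}

# Run every check, print one line per problem, return the number of failures.
audit() {  # usage: audit SMB_CONF NSSWITCH_CONF COMMON_AUTH PASSWD_FILE
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    [ "$(smb_get security "$1")" = "ads" ] || fail "smb.conf: security is not ads"
    [ -n "$(smb_get realm "$1")" ] || fail "smb.conf: realm is not set"
    for db in passwd group; do
        nss_has_winbind "$db" "$2" || fail "nsswitch.conf: $db lacks winbind"
    done
    pam_auth_ok "$3" || fail "common-auth: need pam_winbind.so, then pam_deny.so last"
    for u in $(uid_collisions "$1" "$4"); do
        fail "local account $u has a UID inside the idmap uid range"
    done
    return "$fails"
}

# e.g. sh audit.sh /etc/samba/smb.conf /etc/nsswitch.conf /etc/pam.d/common-auth /etc/passwd
if [ "$#" -eq 4 ]; then audit "$@"; fi
```

The exit status is the number of failed checks, so 0 means the files match the settings in this guide.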

There are obviously a good many configuration tweaks that can be made through Samba and the PAM authentication mechanisms. This document should provide you with a good baseline that will get your machine on the domain and accepting domain users.

- Scotech



Email: info@scotech.com

© 1996-2010 Scotech. All rights reserved.