Laurent Flori, 20/11/2019 12:00


Client Linux AD

Install required packages

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Reconfigure krb5-config

(probably not needed as you might be asked during package installation)

dpkg-reconfigure krb5-config

Answer with the REALM (for etb1: DOMPEDAGO.ETB1.LAN)

Test kerberos server

~# kinit admin (password: eole)
~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMPEDAGO.ETB1.LAN

Valid starting       Expires              Service principal
20/11/2019 09:33:22  20/11/2019 19:33:22  krbtgt/DOMPEDAGO.ETB1.LAN@DOMPEDAGO.ETB1.LAN
    renew until 21/11/2019 09:33:20

Configure samba

mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
cat > /etc/samba/smb.conf << EOF
[global]
        workgroup = DOMPEDAGO
        realm = DOMPEDAGO.ETB1.LAN
        netbios name = ubuntu
        security = ADS
        dns forwarder = 10.1.3.11

        idmap config *:range = 2000-2999
        idmap config DOMPEDAGO:backend = rid
        idmap config DOMPEDAGO:range = 10000-999999

        template homedir = /home/adhomes/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
EOF

Join samba domain

net ads join -U admin
systemctl restart smbd nmbd winbind

Modify nsswitch configuration

Edit /etc/nsswitch.conf so that the passwd and group databases are also resolved through winbind:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd ldap
group:          compat winbind systemd ldap
shadow:         compat ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Give it a try:

wbinfo -u should return all local users along with domain users
wbinfo -g should return all local groups along with domain groups
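Two identity-mapping pitfalls are worth checking before relying on this client: the idmap ranges in the smb.conf above (ranges that overlap, or that contain a UID already used by a local account, make two identities share one numeric id), and the combination of winbind use default domain = true with the compat-before-winbind order in nsswitch.conf (a local account silently shadows the domain account of the same name). The script below is an added example, not part of the original wiki page or of the EOLE project, that runs both checks offline. The smb.conf, /etc/passwd and wbinfo -u samples embedded in it are constructed for the demonstration; on a real client you would feed it the live files and the live wbinfo -u output.

```shell
#!/bin/sh
# Added example, not part of the wiki page: offline checks for two identity
# collisions a Samba AD member can run into.
#  1. idmap ranges that overlap each other, or that contain a UID/GID already
#     used by a local account, make two identities share one numeric id.
#  2. With "winbind use default domain = true" the DOMAIN\ prefix is gone, and
#     nsswitch consults "compat" before "winbind", so a local account shadows
#     the domain account of the same name.

# Constructed smb.conf excerpt mirroring the page's [global] section.
SMB_CONF_SAMPLE='[global]
        workgroup = DOMPEDAGO
        realm = DOMPEDAGO.ETB1.LAN
        security = ADS
        idmap config *:range = 2000-2999
        idmap config DOMPEDAGO:backend = rid
        idmap config DOMPEDAGO:range = 10000-999999
'

# Constructed /etc/passwd excerpt: "backup" sits inside the * range and
# "admin" also exists as a domain account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
eole:x:1000:1000::/home/eole:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
backup:x:2500:2500::/var/backups:/usr/sbin/nologin
'

# Constructed output of "wbinfo -u" (one domain account per line).
WBINFO_U_SAMPLE='admin
prof.6a
eleve.6a
'

# idmap_ranges SMB_CONF -> one "domain low high" line per idmap range found
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'[=:-]' '
        /^[[:space:]]*idmap config .*:range[[:space:]]*=/ {
            dom = $1
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom)
            gsub(/[[:space:]]/, "", $3)
            gsub(/[[:space:]]/, "", $4)
            print dom, $3, $4
        }'
}

# idmap_problems SMB_CONF PASSWD -> prints overlaps and UID collisions;
# exit status 0 when nothing was found, 1 otherwise
idmap_problems() {
    ranges=$(idmap_ranges "$1")
    found=$(printf '%s\n' "$2" | awk -F: -v r="$ranges" '
        BEGIN {
            n = split(r, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " "); d[i] = f[1]; lo[i] = f[2] + 0; hi[i] = f[3] + 0
            }
            # pairwise overlap between the idmap ranges themselves
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i])
                    printf "overlap: %s (%d-%d) and %s (%d-%d)\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
        }
        # a local UID inside an idmap range collides with a mapped domain user
        NF >= 3 {
            for (i = 1; i <= n; i++)
                if ($3 + 0 >= lo[i] && $3 + 0 <= hi[i])
                    printf "collision: local account %s (uid %s) inside idmap range %s (%d-%d)\n", $1, $3, d[i], lo[i], hi[i]
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# shadowed_accounts PASSWD WBINFO_U -> domain account names that also exist
# locally (compared case-insensitively, as AD names are), one per line
shadowed_accounts() {
    awk -v local_passwd="$1" -v domain_users="$2" '
        BEGIN {
            n = split(local_passwd, l, "\n")
            for (i = 1; i <= n; i++) if (l[i] != "") {
                split(l[i], f, ":"); have_local[tolower(f[1])] = 1
            }
            m = split(domain_users, d, "\n")
            for (i = 1; i <= m; i++) {
                u = tolower(d[i])
                if (u != "" && (u in have_local) && !(u in seen)) { seen[u] = 1; print u }
            }
        }' | sort
}

# Run both checks on the constructed samples.
if idmap_problems "$SMB_CONF_SAMPLE" "$PASSWD_SAMPLE"; then
    echo "idmap ranges: OK"
fi
shadowed=$(shadowed_accounts "$PASSWD_SAMPLE" "$WBINFO_U_SAMPLE")
if [ -n "$shadowed" ]; then
    echo "domain accounts shadowed by a local account: $shadowed"
fi
```

On a real client, call `idmap_problems "$(cat /etc/samba/smb.conf)" "$(cat /etc/passwd)"` and `shadowed_accounts "$(cat /etc/passwd)" "$(wbinfo -u)"`; the same UID check also works on /etc/group, since its third column is the GID. With the samples above the script reports the local "backup" account inside the * range and "admin" as shadowed.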

Modify pam configuration

Activate winbind login with:

pam-auth-update

Edit /etc/pam.d/common-password and replace the winbind line with this one:
...
password        [success=1 default=ignore]      pam_winbind.so try_first_pass
...

If you want to activate home directory creation upon login, add the following line at the end of /etc/pam.d/common-account:
session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

Reboot and test

You should be able to log in with domain users (admin, prof.6a, …)

Install libpam-mount

This part is not fully functional for now.

apt-get install libpam-mount keyutils
cat > /etc/security/pam_mount.conf.xml << EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <debug enable="0" />
    <volume user="*" fstype="cifs" server="scribe" path="%(DOMAIN_USER)" mountpoint="/home/adhomes/%(DOMAIN_USER)" options="sec=krb5i" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <logout wait="0" hup="no" term="no" kill="no" />
    <mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF

pam-auth-update