Version 3 (Laurent Flori, 20/11/2019 11:28) → Version 4/6 (Laurent Flori, 20/11/2019 12:00)
h1. Client Linux AD
h3. Install required packages
<pre>apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind</pre>
h3. Reconfigure krb5-config
(probably not needed, as you will usually have been asked for this during package installation)
<pre>dpkg-reconfigure krb5-config</pre>
Answer with the REALM (for etb1: ''DOMPEDAGO.ETB1.LAN'')
h3. Test kerberos server
<pre>~# kinit admin (password: eole)
~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMPEDAGO.ETB1.LAN
Valid starting Expires Service principal
20/11/2019 09:33:22 20/11/2019 19:33:22 krbtgt/DOMPEDAGO.ETB1.LAN@DOMPEDAGO.ETB1.LAN
renew until 21/11/2019 09:33:20</pre>
h3. Configure samba
<pre>mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
cat > /etc/samba/smb.conf << EOF
[global]
workgroup = DOMPEDAGO
realm = DOMPEDAGO.ETB1.LAN
netbios name = ubuntu
security = ADS
dns forwarder = 10.1.3.11
idmap config *:range = 2000-2999
idmap config DOMPEDAGO:backend = rid
idmap config DOMPEDAGO:range = 10000-999999
template homedir = /home/adhomes/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
EOF</pre>
h3. Join samba domain
<pre>net ads join -U admin
systemctl restart smbd nmbd winbind</pre>
h3. Modify nsswitch configuration
<pre># /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind systemd ldap
group: compat winbind systemd ldap
shadow: compat ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis</pre>
h3. Give it a try:
<code>wbinfo -u</code> should return all local users along with the domain users, and <code>wbinfo -g</code> should return all local groups along with the domain groups.
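As an added check that is not part of the original page, the script below parses the "idmap config NAME:range = LOW-HIGH" lines of an smb.conf laid out like the one above and verifies that the ranges are ordered, do not overlap each other and stay above the UIDs local accounts use, which is what keeps a domain SID from landing on an existing local UID; after the join, <code>uid_owner</code> tells which idmap range a UID reported by <code>getent passwd</code> came from. The LOCAL_MAX default of 1999 and the sample configuration used in testing are assumptions made for this example.

```shell
#!/bin/sh
# Sanity-check the idmap layout of a winbind member server's smb.conf.
# The "*" range and each domain range must be ordered, disjoint from each
# other and above the UIDs local accounts use; otherwise a domain SID may
# be mapped onto an existing local UID and inherit that account's files.
# Expects the page's layout ("idmap config NAME:range = LOW-HIGH"); on a
# real host pass /etc/samba/smb.conf (the config used in testing is constructed).

# Print one "NAME LOW HIGH" line per idmap range found in the file.
idmap_ranges() {
    awk -F'=' '
        /^[ \t]*idmap config .*:range[ \t]*=/ {
            name = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", name)
            sub(/:range[ \t]*$/, "", name)
            split($2, r, "-")
            gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
            print name, r[1], r[2]
        }' "$1"
}

# check_idmap_ranges CONF [LOCAL_MAX]
# Exit 0 when every range is well formed, starts above LOCAL_MAX (assumed
# default 1999: the page keeps idmap at 2000+, above Debian's first local
# UID 1000) and overlaps no other range; exit 1 and report each problem.
check_idmap_ranges() {
    idmap_ranges "$1" | sort -k2,2n | awk -v max="${2:-1999}" '
        $2 + 0 >= $3 + 0  { print "malformed range " $1 ": " $2 "-" $3; bad = 1 }
        $2 + 0 <= max + 0 { print $1 " range reaches local UIDs (<= " max ")"; bad = 1 }
        prev != "" && $2 + 0 <= hi + 0 { print $1 " range overlaps " prev; bad = 1 }
        { prev = $1; hi = $3 }
        END { exit bad + 0 }'
}

# uid_owner CONF UID
# Print the idmap domain whose range contains UID (e.g. from "id -u admin"),
# or "none" with exit 1 when UID is in no range, i.e. belongs to a local account.
uid_owner() {
    idmap_ranges "$1" | awk -v uid="$2" '
        uid + 0 >= $2 + 0 && uid + 0 <= $3 + 0 { print $1; found = 1; exit }
        END { if (!found) { print "none"; exit 1 } }'
}
```

Run <code>check_idmap_ranges /etc/samba/smb.conf</code> before <code>net ads join</code>, and <code>uid_owner /etc/samba/smb.conf "$(id -u admin)"</code> afterwards to confirm the account resolves through the DOMPEDAGO range rather than a local one.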
h3. Modify pam configuration
Activate winbind login with:
<pre>pam-auth-update</pre>
Edit /etc/pam.d/common-password and replace the winbind line with this one:
<pre>...
password [success=1 default=ignore] pam_winbind.so try_first_pass
...</pre>
If you want home directories created upon login, add the following line at the end of /etc/pam.d/common-account:
<pre>session required pam_mkhomedir.so skel=/etc/skel/ umask=0022</pre>
h3. Reboot and test
You should be able to log in with domain users (admin, prof.6a, …).
h3. Install libpam-mount
*This part is not fully functional for now*
<pre>apt-get install libpam-mount keyutils
cat > /etc/security/pam_mount.conf.xml << EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<!-- one server and one options attribute per volume: duplicate attributes are rejected by the XML parser, so pam_mount would ignore the whole file; nodev,nosuid are included because the mntoptions below require them -->
<volume user="*" fstype="cifs" server="scribe" path="%(DOMAIN_USER)" mountpoint="/home/adhomes/%(DOMAIN_USER)" options="sec=krb5i,nodev,nosuid,mfsymlinks,nobrl" />
<!-- fallback without Kerberos: server="10.1.3.11" options="sec=ntlmssp,nodev,nosuid,mfsymlinks,nobrl,vers=1.0" -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
pam-auth-update
</pre>