Client Linux AD » History » Version 5
Laurent Flori, 20/11/2019 15:32
Client Linux AD
Install required packages
apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
Reconfigure krb5-config
(probably not needed as you might be asked during package installation)
dpkg-reconfigure krb5-config
Answer with the REALM (in the case of etb1: DOMPEDAGO.ETB1.LAN)
Test the Kerberos server
~# kinit admin
(password: eole)
~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@DOMPEDAGO.ETB1.LAN

Valid starting       Expires              Service principal
20/11/2019 09:33:22  20/11/2019 19:33:22  krbtgt/DOMPEDAGO.ETB1.LAN@DOMPEDAGO.ETB1.LAN
        renew until 21/11/2019 09:33:20
Configure samba
mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
cat > /etc/samba/smb.conf << EOF
[global]
workgroup = DOMPEDAGO
realm = DOMPEDAGO.ETB1.LAN
netbios name = ubuntu
security = ADS
dns forwarder = 10.1.3.11
idmap config *:range = 2000-2999
idmap config DOMPEDAGO:backend = rid
idmap config DOMPEDAGO:range = 10000-999999
template homedir = /home/adhomes/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
EOF
Join the samba domain
net ads join -U admin
systemctl restart smbd nmbd winbind
Modify nsswitch configuration
#/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind systemd ldap
group:          compat winbind systemd ldap
shadow:         compat ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Give it a try:
wbinfo -u
should return all local users along with the domain users.
wbinfo -g
should return all local groups along with the domain groups.
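Before running `net ads join`, it is worth sanity-checking the two files above, because two mistakes are easy to make and silently break logins: idmap ranges that overlap (winbind refuses to map SIDs when the default `*` range and the domain range intersect, or when a domain range collides with local uids below 1000), and an nsswitch `passwd`/`group` line that does not list `winbind` at all. The following checker is an added example written for this page, not code from the EOLE project; it embeds a constructed copy of the smb.conf and nsswitch.conf shown above and reports findings instead of relying on the live system.

```python
import re

# Constructed sample input: the [global] section from this page's smb.conf.
SMB_CONF = """\
[global]
workgroup = DOMPEDAGO
realm = DOMPEDAGO.ETB1.LAN
netbios name = ubuntu
security = ADS
idmap config *:range = 2000-2999
idmap config DOMPEDAGO:backend = rid
idmap config DOMPEDAGO:range = 10000-999999
winbind use default domain = true
"""

# Constructed sample input: the relevant nsswitch.conf lines from this page.
NSSWITCH = """\
passwd:         compat winbind systemd ldap
group:          compat winbind systemd ldap
shadow:         compat ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Collect 'idmap config <dom>:range = lo-hi' entries as {dom: (lo, hi)}."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Return (domA, domB) pairs whose uid/gid ranges intersect."""
    names, bad = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                bad.append((a, b))
    return bad


def check_smb_conf(text):
    """Return a list of findings; an empty list means the join-relevant settings look sane."""
    findings = []
    g = parse_smb_conf(text).get("global", {})
    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for an AD domain member")
    realm = g.get("realm", "")
    if realm != realm.upper():
        findings.append("realm should be upper-case (Kerberos realm names are case-sensitive)")
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' default range")
    for a, b in overlapping_ranges(ranges):
        findings.append(f"idmap ranges overlap: {a} and {b}")
    for dom, (lo, _hi) in ranges.items():
        if dom != "*" and lo < 1000:
            findings.append(f"idmap range for {dom} collides with local system uids (<1000)")
    return findings


def check_nsswitch(text):
    """Verify passwd and group lookups consult winbind after the local sources."""
    findings, dbs = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            dbs[db.strip()] = srcs.split()
    for db in ("passwd", "group"):
        srcs = dbs.get(db, [])
        if "winbind" not in srcs:
            findings.append(f"{db}: winbind missing, domain accounts will not resolve")
        elif srcs.index("winbind") == 0:
            findings.append(f"{db}: winbind listed before the local sources (files/compat)")
    return findings


if __name__ == "__main__":
    for name, result in (("smb.conf", check_smb_conf(SMB_CONF)),
                         ("nsswitch.conf", check_nsswitch(NSSWITCH))):
        print(name, "OK" if not result else result)
```

Run it against the real files by reading `/etc/samba/smb.conf` and `/etc/nsswitch.conf` into the two strings; the overlap test is the one that matters most, since an overlapping range produces a join that succeeds while `wbinfo -u` returns nothing useful.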
Modify pam configuration
Activate winbind login with:
pam-auth-update
Edit /etc/pam.d/common-password to replace winbind line with this one:
... password [success=1 default=ignore] pam_winbind.so try_first_pass ...
If you want to activate homedir creation upon login add the following line at the end of /etc/pam.d/common-account:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Reboot and test
You should be able to log in with domain users (admin,prof.6a….)
Install libpam-mount
This part is not fully functional for now
apt-get install libpam-mount keyutils
cat > /etc/security/pam_mount.conf.xml << EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <volume user="*" fstype="cifs" server="scribe" path="%(DOMAIN_USER)"
          mountpoint="/home/adhomes/%(DOMAIN_USER)"
          options="sec=krb5i,vers=3.0,cruid=%(USERUID)" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="no" term="no" kill="no" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
pam-auth-update
Install veyon
Download veyon: https://veyon.io/download/
Once installed, from Menu > Administration choose Veyon Configurator
Login with admin/eole and import configuration
Close Veyon Configurator
From Menu > Internet choose Veyon Master
Login as admin/eole
You should see the other computers and be able to interact with them.