Linux Winbind Setup: Difference between revisions

Content deleted Content added

Inline

Latest revision as of 21:26, 5 September 2015

Hostname

Put the machines hostname in /etc/hostname

   thing2

And set the fqdn in /etc/hosts

   127.0.0.1       thing2.ad.pumpingstationone.org localhost thing2

Installation

Arch Linux

   sudo pacman -S krb5 samba

Debian

   sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind

Ubuntu

   sudo apt-get install krb5-user ntp samba winbind

Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG

/etc/nsswitch.conf

Add winbind to the passwd and group lines like so:

   passwd: files winbind
   group: files winbind
   shadow: files

/etc/krb5.conf

Set the default realm to AD.PUMPINGSTATIONONE.ORG (caps matter)

   [libdefaults]
           default_realm = AD.PUMPINGSTATIONONE.ORG
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes

/etc/samba/smb.conf

If there is an existing smb.conf file, move it:

   sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default

   [global]
   	workgroup = PS1
   	realm = AD.PUMPINGSTATIONONE.ORG
   	security = ADS
   	encrypt passwords = Yes
   	winbind enum users = Yes
   	winbind enum groups = Yes
   	winbind use default domain = Yes
   	winbind trusted domains only = No
   	winbind nss info = rfc2307
   	idmap config shortdomainname:range = 500-40000
   	idmap config shortdomainname:schema_mode = rfc2307
   	idmap config shortdomainname:backend = ad
   	idmap config *:range = 70001-80000
   	idmap config *:backend = tdb
   	template shell = /bin/bash

Join the domain

Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the Systems Group and ask.

   sudo net ads join -U administrator@AD.PUMPINGSTATIONONE.ORG

/etc/pam.d/system-auth

Ubuntu

Ubuntu sets up pam_winbind.so automatically.

Arch

In Arch, make the following changes to system-auth

   %PAM-1.0
   
   auth      required  pam_env.so
   auth      sufficient  pam_unix.so     try_first_pass nullok
   auth      required  pam_winbind.so use_first_pass use_authtok
   auth      optional  pam_permit.so
   
   account   sufficient  pam_unix.so
   account   sufficient  pam_winbind.so use_first_pass use_authtok
   account   optional  pam_permit.so
   account   required  pam_time.so
   
   password  sufficient  pam_unix.so     try_first_pass nullok sha512 shadow
   password  sufficient  pam_winbind.so use_first_pass use_authtok
   password  optional  pam_permit.so
   
   session   required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session   required  pam_limits.so
   session   required  pam_env.so
   session   sufficient  pam_unix.so
   session   sufficient  pam_winbind.so use_first_pass use_authtok
   session   optional  pam_permit.so

/etc/sudoers.d/domain_admins

   %domain\ admins ALL=(ALL:ALL) ALL
   %PS1\\domain\ admins ALL=(ALL:ALL) ALL

Then make sure the file has proper permissions:

   sudo chmod 0440 /etc/sudoers.d/domain_admins

pam_mkhomdir.so

pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message.

   Could not chdir to home directory /home/PS1/username: No such file or directory

ubuntu

Create a file called /usr/share/pam-configs/my_mkhomedir:

   Name: activate mkhomedir
   Default: yes
   Priority: 900
   Session-Type: Additional
   Session:
           required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

and then run:

   sudo pam-auth-update

/etc/lightdm/lightdm.conf

Ubuntu Only, enable showing the other user login.

   [SeatDefaults]
   user-session=ubuntu
   greeter-session=unity-greeter
   autologin-user=ps1member
   greeter-show-manual-login=true

Linux Winbind Setup: Difference between revisions

Latest revision as of 21:26, 5 September 2015

Contents

Hostname

Installation

Arch Linux

Debian

Ubuntu

/etc/nsswitch.conf

/etc/krb5.conf

/etc/samba/smb.conf

Join the domain

/etc/pam.d/system-auth

Ubuntu

Arch

/etc/sudoers.d/domain_admins

pam_mkhomdir.so

ubuntu

/etc/lightdm/lightdm.conf

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools

@@ Line 1: / Line 1: @@
+== Hostname ==
+Put the machines hostname in /etc/hostname
+    '''thing2'''
+And set the fqdn in /etc/hosts
+.0.0.1       '''thing2'''.ad.pumpingstationone.org localhost '''thing2'''
 == Installation ==
+=== Arch Linux ===
     sudo pacman -S krb5 samba
+=== Debian ===
+    sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind
+=== Ubuntu ===
+    sudo apt-get install krb5-user ntp samba winbind
+* Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG
 == /etc/nsswitch.conf ==
@@ Line 24: / Line 47: @@
 == /etc/samba/smb.conf ==
+If there is an existing smb.conf file, move it:
+    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default
     [global]
     	workgroup = PS1
@@ Line 40: / Line 68: @@
     	idmap config *:backend = tdb
     	template shell = /bin/bash
+== Join the domain ==
+Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the [[Systems Group]] and ask.
+    sudo net ads join -U '''administrator'''@AD.PUMPINGSTATIONONE.ORG
 == /etc/pam.d/system-auth ==
+=== Ubuntu ===
+Ubuntu sets up pam_winbind.so automatically.
+=== Arch ===
 In Arch, make the following changes to system-auth
-    #%PAM-1.0
+    %PAM-1.0
     auth      required  pam_env.so
-    '''auth      sufficient pam_winbind.so'''
+    auth      sufficient  pam_unix.so     try_first_pass nullok
-    auth      required  pam_unix.so     try_first_pass nullok
+    auth      required  pam_winbind.so use_first_pass use_authtok
     auth      optional  pam_permit.so
-    '''account   sufficient pam_winbind.so'''
+    account   sufficient  pam_unix.so
-    account   required  pam_unix.so
+    account   sufficient  pam_winbind.so use_first_pass use_authtok
     account   optional  pam_permit.so
     account   required  pam_time.so
-    password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+    password  sufficient  pam_unix.so     try_first_pass nullok sha512 shadow
+    password  sufficient  pam_winbind.so use_first_pass use_authtok
     password  optional  pam_permit.so
-    '''session   required pam_mkhomdir.so'''
+    session   required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
-    '''session   required pam_winbind.so'''
     session   required  pam_limits.so
     session   required  pam_env.so
-    session   required  pam_unix.so
+    session   sufficient  pam_unix.so
+    session   sufficient  pam_winbind.so use_first_pass use_authtok
     session   optional  pam_permit.so
+== /etc/sudoers.d/domain_admins ==
+    %domain\ admins ALL=(ALL:ALL) ALL
+    %PS1\\domain\ admins ALL=(ALL:ALL) ALL
+Then make sure the file has proper permissions:
+    sudo chmod 0440 /etc/sudoers.d/domain_admins
+== pam_mkhomdir.so ==
+pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message.
+    Could not chdir to home directory /home/PS1/username: No such file or directory
+=== ubuntu ===
+Create a file called /usr/share/pam-configs/my_mkhomedir:
+    Name: activate mkhomedir
+    Default: yes
+    Priority: 900
+    Session-Type: Additional
+    Session:
+            required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
+and then run:
+    sudo pam-auth-update
+== /etc/lightdm/lightdm.conf ==
+Ubuntu Only, enable showing the other ''user'' login.
+    [SeatDefaults]
+    user-session=ubuntu
+    greeter-session=unity-greeter
+    autologin-user=ps1member
+    '''greeter-show-manual-login=true'''