Posted by simonw on Fri 5 May 2006 at 17:12
An article on Debian-Administration.org already covered ADS set up with Kerberos. But I was looking for the most lightweight and nimble ADS integration so I can achieve the less ambitious goal of single username and password.
Aim: Allow Debian Sarge box to join ADS domain without using Kerberos and create user accounts on the fly. The resulting Debian system should work for NT Domain users for most or all services being offered, with the same username and password without having to type the domain in each time.
Disclaimer/Caveats: I'm not a PAM expert, or a Samba expert, or a Debian expert. This configuration is something I worked out as a proof of concept since I wanted to integrate the Linux servers at work into the ADS, so users only have one password to remember/change. It is likely very wrong in places; hopefully public scrutiny will fix any major oversights. This was drawn from my notes; the actual procedure was far less linear, not least because installing the Etch version only happened after much head scratching.
This method of integrating ADS to Linux doesn't ensure that the UIDs and GIDs are consistent across multiple Linux servers (unlike say NIS/NIS+, or the RFC2307 type solutions). As such it is useful where you want to integrate a small number of Debian servers providing specific services into the ADS environment, and have no intention of networking those Linux boxes together using say NFS (except for purely administrative purposes).
Environment
Windows 2000 servers, with 3 ADS servers.
The old fashioned NT Domain name is "NTDOMAIN".
The ADS domain name is "ntdnsdomain.example.com".
ADS servers are "server1.ntdnsdomain.example.com" (server2, server3).
Hostname (and netbios name) of the Debian server is "debtest".
Get Software Installed
Take Debian Sarge with winbind and samba
# apt-get install samba winbind
Fix the stable release as the default
/etc/apt/apt.conf -- added line
APT::Default-Release "stable";
Arrange to have testing as a less preferred release. /etc/apt/apt.preferences -- created with
Package: *
Pin: release a=testing
Pin-Priority: 200
Arrange to have testing repository known to APT /etc/apt/sources.list -- added line
deb http://{your-nearest-debian-mirror}/ testing main
Learn what is in the new repository
# apt-get update
Get the testing version of this software
# apt-get -t testing install winbind samba
Configure Software correctly.
Stop "winbind" and "samba"
# /etc/init.d/winbind stop
# /etc/init.d/samba stop
Ensure that the client machine is in the domain of the DNS servers
Either ensure that "/etc/resolv.conf" has
search ntdnsdomain.example.com { optional other domains }
Or in our case we edited "/etc/dhclient.conf" to contain;
supersede domain-name "ntdnsdomain.example.com"
Or update your DHCP server as appropriate.
Configure SAMBA by updating the /etc/samba/smb.conf file.
We updated or added the following entries; this isn't a complete file, just the lines that changed. (Comments are on their own lines because smb.conf does not treat a trailing "#" as a comment.)
   workgroup = NTDOMAIN
   dns proxy = yes
   security = domain
   # Actually only used server1 for testing, less event logs to check
   password server = server1 server2 server3
   netbios name = debtest
   # This isn't used in the configuration anywhere
   winbind separator = .
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   winbind enum users = yes
   winbind enum groups = yes
   # This template can include the domain name if required
   template homedir = /home-ads/%U
   template shell = /bin/bash
   # Allows logging in as "username" instead of "NTDOMAIN.username"
   winbind use default domain = Yes
Start Samba
# /etc/init.d/samba start
Join the domain
Windows use of secure channels means all machines in a domain must be added by someone with appropriate authority. This will create an entry in the ADS "Users and Computers" admin tool for the computer "debtest".
# net rpc join -S server1 -U Administrator
Start winbind
# /etc/init.d/winbind start
Test membership of domain
# wbinfo -t
Configure Winbind to be used.
Modify /etc/nsswitch.conf
Replace the lines:
    passwd:         compat
    group:          compat
    shadow:         compat
    hosts:          files dns
with:
    passwd:         files winbind
    group:          files winbind
    shadow:         files
    hosts:          files dns winbind
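Once winbind is in nsswitch.conf, domain users resolve through "getent passwd" with UIDs handed out from the idmap range set in smb.conf. The following is an added example, not from the original article: a small POSIX sh check that no local account in /etc/passwd already sits inside that range (a collision would let a local user and a domain user share file ownership), and that a resolved domain user landed inside the range with a home under the template directory. The smb.conf and passwd contents are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: offline checks for the winbind idmap range. The smb.conf
# and passwd snippets below are constructed; on a real server feed
# /etc/samba/smb.conf, /etc/passwd and the output of 'getent passwd user'.

# Print "LOW HIGH" for the 'idmap uid' setting of the smb.conf read on stdin.
idmap_uid_range() {
    awk -F= '{ k = $1; gsub(/[ \t]/, "", k) }
        k == "idmapuid" {
            v = $2; gsub(/[ \t]/, "", v)
            split(v, r, "-"); print r[1], r[2]; exit
        }'
}

# Print local accounts from the passwd data on stdin whose UID falls inside
# LOW..HIGH ($1..$2). Any output is a collision risk: winbind may allocate
# the same UID to a domain user, so the two would own each other's files.
local_uids_in_range() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { print $1 }'
}

# Check one 'getent passwd' line for a domain user ($1): return 0 only if its
# UID is inside LOW..HIGH ($2..$3) and its home sits under the prefix ($4).
check_domain_user() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$uid" -ge "$2" ] && [ "$uid" -le "$3" ] || return 1
    case "$home" in "$4"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample input, matching the settings used in this article.
SMB_CONF='[global]
   workgroup = NTDOMAIN
   security = domain
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   template homedir = /home-ads/%U'
PASSWD='root:x:0:0:root:/root:/bin/bash
simon:x:1000:1000:Simon:/home/simon:/bin/bash
svc-backup:x:15003:15003:Backup:/home/svc-backup:/bin/sh'

set -- $(printf '%s\n' "$SMB_CONF" | idmap_uid_range)
LOW=$1; HIGH=$2
# Only svc-backup is reported, because UID 15003 lies inside 15000-20000.
printf '%s\n' "$PASSWD" | local_uids_in_range "$LOW" "$HIGH"
```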
Modify PAM
We modify the "common" pam files so that NTDOMAIN usernames are usable everywhere.
/etc/pam.d/common-auth
Replace the line:
    auth    required    pam_unix.so nullok_secure
with:
    auth    sufficient  pam_winbind.so
    auth    required    pam_unix.so nullok_secure use_first_pass
The new line allows you to authenticate against winbind.
The "use_first_pass" reuses the password tried for winbind for the Unix login, allowing the pre-existing Unix users (like "root"!) to log in without having to enter a dummy password for the NTDOMAIN password prompt.
/etc/pam.d/common-account
Insert before the line:
    account required    pam_unix.so
the line:
    account sufficient  pam_winbind.so
/etc/pam.d/common-session
Insert after the line:
    session required    pam_unix.so
the line:
    session required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
This line is to ensure that home directories for users who have never used the system before are added automatically. You can obviously choose your own umask and skel directory to suit.
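The order and control flags in common-auth are what make the stack work for both domain and local users: pam_winbind must be tried first and be "sufficient", and pam_unix must be "required" with use_first_pass. The following is an added example, not part of the original article: a sh function that lints a common-auth file read on stdin against exactly that shape, with constructed sample stacks showing which variants it rejects.

```shell
#!/bin/sh
# Added example: lint /etc/pam.d/common-auth for the stack described above.
# Returns 0 only when pam_winbind (sufficient) precedes pam_unix (required,
# with use_first_pass). Run as: common_auth_ok < /etc/pam.d/common-auth
common_auth_ok() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 == "auth" {
            n++
            if ($3 == "pam_winbind.so") { wb = n; wbctl = $2 }
            if ($3 == "pam_unix.so")    { ux = n; uxctl = $2; uxopts = $0 }
        }
        END {
            # winbind must be consulted before pam_unix
            if (!wb || !ux || wb > ux) exit 1
            # "required" here would lock out local users such as root
            if (wbctl != "sufficient") exit 1
            if (uxctl != "required") exit 1
            # without use_first_pass local users get a second password prompt
            if (uxopts !~ /use_first_pass/) exit 1
            exit 0
        }'
}

# Constructed sample stacks.
GOOD='# /etc/pam.d/common-auth as set up in this article
auth    sufficient  pam_winbind.so
auth    required    pam_unix.so nullok_secure use_first_pass'
BAD_CTL='auth    required    pam_winbind.so
auth    required    pam_unix.so nullok_secure use_first_pass'
BAD_ORDER='auth    required    pam_unix.so nullok_secure use_first_pass
auth    sufficient  pam_winbind.so'

for stack in GOOD BAD_CTL BAD_ORDER; do
    eval "s=\$$stack"
    if printf '%s\n' "$s" | common_auth_ok; then
        echo "$stack: ok"
    else
        echo "$stack: rejected"
    fi
done
```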
Test
At this point you should be able to log in as an NTDOMAIN user at a login prompt, or via ssh. A home directory should be created in /home-ads with the corresponding username.
Ctrl-Alt-F2
Login: Administrator
Password: asecret
administrator@debtest:~$ pwd
/home-ads/administrator
Dear Lazy-web, let me know what I got wrong by Monday, and I'll be happy
Sources
Countless articles trying to understand all the weird errors, and debugging required to make this work
I'm using this server as a squid proxy with integrated NTLM authentication. I tried various other separators, but couldn't get (eg) DOMAIN+uname, DOMAIN%uname etc. recognised by squidGuard.