====== Samba Active Directory Integration on Ubuntu ======
===== Install =====
# winbind with libnss-winbind/libpam-winbind exposes domain accounts to NSS and PAM;
# ntp matters because Kerberos rejects tickets once clocks drift apart.
# NOTE(review): krb5-kdc and krb5-admin-server install a *local* KDC. A domain member
# authenticates against the AD domain controllers and does not need one — confirm these
# two packages are really wanted before installing them.
apt-get install samba winbind ntp krb5-kdc krb5-admin-server rng-tools libnss-winbind libpam-winbind
===== /etc/krb5.conf =====
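# /etc/krb5.conf for an AD domain member. The example values below are for the
# domain windom.net; the comments say what to substitute. Keeping the hints in
# comments (rather than appended to the values) keeps the file parseable as written.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# full domain name, upper case
default_realm = WINDOM.NET
dns_lookup_realm = false
# false: the KDCs are taken from the [realms] entry below rather than from DNS SRV records
dns_lookup_kdc = false
ticket_lifetime = 24h
# forwardable tickets can be passed on to services (delegation); keep only if needed
forwardable = yes

[realms]
# realm = full domain name, upper case; kdc/admin_server = domain controller FQDN;
# default_domain = full domain name, lower case
WINDOM.NET = {
kdc = win-60ntfg4u8in.windom.net
admin_server = win-60ntfg4u8in.windom.net
default_domain = windom.net
}

[domain_realm]
# maps DNS domain suffixes to the realm name; the right-hand side is the realm,
# not a domain controller host name (a DC FQDN here is not a known realm and
# would make lookups for those hosts fail)
.windom.net = WINDOM.NET
windom.net = WINDOM.NET

[kdc]
# only read by a local KDC (krb5-kdc); Debian/Ubuntu ship the KDC config at
# /etc/krb5kdc/kdc.conf, not the Red Hat path /var/kerberos/krb5kdc
profile = /etc/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
# seconds
ticket_lifetime = 36000
}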
===== NEW krb5.conf =====
# minimal client configuration: with dns_lookup_kdc = true the KDCs are located
# through the AD DNS SRV records, so no [realms] block is required. This only
# works when the resolver points at the domain's DNS server.
[libdefaults]
# full domain name, upper case
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
===== /etc/network/interfaces =====
# static address for the domain member; the values in parentheses are to be replaced
iface eth0 inet static
address 10.1.0.6
netmask 255.255.254.0
network 10.1.0.0
broadcast 10.1.1.255
gateway 10.1.0.1
# must be the domain's DNS server so that the domain controllers' host and SRV records resolve
dns-nameservers 10.1.0.91 (domain dns server)
# search suffix = the AD domain name
dns-search windom.net (domain name)
===== /etc/nsswitch.conf =====
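# Local sources (compat = files plus NIS-style + entries) are consulted before
# winbind: NSS returns the first source that answers, so local accounts such as
# root keep resolving when winbind is down and a domain account with the same
# name cannot shadow a local one.
passwd: compat winbind
group: compat winbind
shadow: compat winbind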
===== smb.conf =====
; smb.conf for an AD domain member; the values in parentheses are to be replaced
[global]
; NetBIOS (short) domain name
workgroup = WINDOM (NETBIOS domain name)
; full domain name; must match default_realm in krb5.conf
realm = WINDOM.NET (full domain name)
preferred master = no
server string = Linux Test Machine
; ADS = Kerberos-based domain membership
security = ADS
; yes is the default on current Samba releases; kept for older versions
encrypt passwords = yes
; 3 is verbose and useful while setting up the join; lower it afterwards
log level = 3
; %m = client NetBIOS name, one log per client
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
; enumerating every user/group is slow on large domains; set to No if not needed
winbind enum users = Yes
winbind enum groups = Yes
; domain users log in as "user" instead of "WINDOM+user"
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
; %U = session user name
template homedir = /home/%U
; NOTE(review): idmap uid / idmap gid are the legacy parameters; Samba 4 replaced
; them with "idmap config * : backend = tdb" and "idmap config * : range = 600-20000".
; Verify against the installed Samba version, since without a valid idmap range
; winbind cannot allocate UIDs/GIDs for domain accounts.
idmap uid = 600-20000
idmap gid = 600-20000
;template primary group = "Domain Users"
template shell = /bin/bash
===== Join domain =====
# NOTE(review): kdb5_util create / stash initialise a *local* MIT KDC database and
# are not part of joining an AD domain; they only make sense if this host is meant
# to run its own KDC (the krb5-kdc package). Confirm before running them.
kdb5_util create
kdb5_util stash
# joins the machine to the realm from smb.conf; -U names the domain account used
# for the join and its password is prompted for interactively (do not put it on
# the command line, where it would land in shell history and process listings)
net ads -U administrator join
===== (Dynamic Home Directory Creation) pam_mkhomedir =====
install libpam-mkhomedir
apt-get install libpam-mkhomedir
add **session required pam_mkhomedir.so skel=/etc/skel/ umask=0077** to common-session*
...
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# creates the home directory on first login from /etc/skel; umask=0077 makes the
# new directory readable only by its owner
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
...
# the snippet below repeats the one above verbatim
...
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# creates the home directory on first login from /etc/skel; umask=0077 makes the
# new directory readable only by its owner
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
...