====== Desktop Ubuntu Integration with Active Directory ======
Scope: set up an Ubuntu 12.04 desktop client so that users authenticate against Active Directory and get their network drives mounted at login.
===== Install Packages =====
==== Install Samba, cifs-utils, and pam-mount ====
<code bash>
sudo apt-get install cifs-utils samba winbind ntp krb5-user rng-tools libpam-mount
</code>
**krb5-user** brings the Kerberos client tools (kinit, klist) and **krb5-config**, which asks for the default realm during installation and writes /etc/krb5.conf; answer with the AD realm in upper case (e.g. DOMAIN.NET). The original package list pulled in **krb5-kdc** and **krb5-admin-server**, which install a Kerberos KDC; a domain member never needs its own KDC, so leave those two out. **ntp** is not optional: Kerberos rejects tickets when the client clock drifts more than five minutes from the domain controller.
==== Install nemo file manager ====
<code bash>
sudo add-apt-repository ppa:webupd8team/nemo
sudo apt-get update
sudo apt-get install nemo nemo-fileroller
</code>
Adding a PPA trusts its maintainer's signing key for every package it publishes, not just nemo, so only do this with a PPA you are prepared to trust on every client.
===== Active Directory Authentication =====
Samba, or more specifically winbind, does the authentication and the user lookups: PAM reaches it through pam_winbind and NSS through libnss_winbind.
First create /etc/samba/smb.conf. This is an example smb.conf; be sure to change **workgroup** (the NetBIOS domain name) and **realm** (the Kerberos realm, in upper case).
<code>
[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   preferred master = no
   server string =
   ; member of an AD domain: authenticate with Kerberos against the DCs
   security = ADS
   encrypt passwords = true
   ; level 3 is generous for troubleshooting; drop it once the join works
   log level = 3
   log file = /var/log/samba/smb.log
   max log size = 50
   printcap name = cups
   printing = cups
   ; enumeration makes "wbinfo -u" and "getent passwd" list the whole domain;
   ; convenient here, but expensive on a large directory
   winbind enum users = Yes
   winbind enum groups = Yes
   ; users log in as "jsmith" rather than "DOMAIN+jsmith"
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   template homedir = /vol1/homes/%U
   ; uids/gids winbind assigns to domain accounts. Keep local accounts out of
   ; this range: a local and a domain user sharing a uid means file ownership
   ; no longer identifies one person. Samba 3.6 (Ubuntu 12.04) still accepts
   ; these two deprecated names; newer releases use
   ; "idmap config * : backend = tdb" and "idmap config * : range = 2000-20000"
   idmap uid = 2000-20000
   idmap gid = 2000-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
   obey pam restrictions = yes
</code>
Now tell nsswitch to consult winbind for user and group data. Keep **compat** (the local files) ahead of **winbind**: root and the other local accounts then resolve without a round trip to the domain controller, and a winbind outage cannot stall local logins or sudo. winbind does not serve the shadow database, so that line stays local.
<code>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
</code>
Finally, join the machine to the domain. The join creates a computer account in AD and stores the machine password in Samba's secrets.tdb, so it only has to be done once; the account used for the join needs only the right to add computers to the domain, and its password is not kept on the client.
<code bash>
sudo net ads join -U administrator
sudo service smbd restart
sudo service winbind restart
sudo net ads testjoin
</code>
**net ads testjoin** should print "Join is OK". **wbinfo -u** should then list every AD user, and **getent passwd <user>** should resolve one of them through nsswitch with a uid from the idmap range.
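To confirm the join and catch the two settings that most often bite later (local uids inside the idmap range, and winbind listed before the local files in nsswitch), here is a small check script. It is an added example, not from the original page and not part of Samba; it assumes the idmap range 2000-20000 and the file paths used above, the name adcheck.sh is arbitrary, and the passwd and nsswitch lines it creates when run without --live are constructed samples.

```shell
#!/bin/sh
# adcheck.sh: added example for this page, not part of it and not a Samba tool.
# Assumes the idmap range 2000-20000 from the smb.conf above and the stock
# /etc/passwd and /etc/nsswitch.conf paths. Run "./adcheck.sh --live" on a
# joined host; without arguments it runs against constructed sample files.

# Print "name:uid" for every account in PASSWD_FILE whose uid lies in LOW..HIGH.
# A local account inside the winbind range shares its uid with some domain
# user, so file ownership and process identity become ambiguous. Returns 1 if
# any such account exists, 0 otherwise.
idmap_overlaps() {
    awk -F: -v low="$2" -v high="$3" '
        $3 >= low && $3 <= high { print $1 ":" $3; found = 1 }
        END { exit found ? 1 : 0 }' "$1"
}

# Return 0 when the passwd line of NSSWITCH_FILE names compat or files before
# winbind, so root and other local accounts resolve even while winbind or the
# domain controller is down; 1 otherwise (or when there is no passwd line).
nss_local_first() {
    awk '$1 == "passwd:" && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "compat" || $i == "files") { ok = 1; break }
                if ($i == "winbind") break
            }
        }
        END { exit ok ? 0 : 1 }' "$1"
}

if [ "$1" = "--live" ]; then
    net ads testjoin || exit 1   # machine account and Kerberos still work
    wbinfo -t || exit 1          # trust secret in secrets.tdb is valid
    idmap_overlaps /etc/passwd 2000 20000 \
        && echo "OK: no local uid inside the idmap range" \
        || echo "WARNING: the local accounts above collide with the idmap range"
    nss_local_first /etc/nsswitch.conf \
        && echo "OK: nsswitch consults local accounts before winbind" \
        || echo "WARNING: put compat before winbind on the passwd line"
    # NSS should resolve a domain user with a uid taken from the idmap range
    getent passwd "$(wbinfo -u | head -n 1)"
else
    # Constructed sample data (not from a real host) so the checks run offline.
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nsvc:x:2500:2500:service:/srv:/bin/false\n' > "$tmp/passwd"
    printf 'passwd: winbind compat\ngroup: winbind compat\n' > "$tmp/nsswitch.conf"
    idmap_overlaps "$tmp/passwd" 2000 20000 || echo "sample: overlap found (expected)"
    nss_local_first "$tmp/nsswitch.conf" || echo "sample: winbind listed first (expected)"
    rm -rf "$tmp"
fi
```

The two awk helpers are pure functions over a file, which is why the script can exercise them on constructed samples; only the --live branch touches winbind and the domain.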
===== Setup share mounting (pam_mount) =====
Here is a complete pam_mount config; the most important statements are the four lines that mount the various shares for each user. The shares end up under each user's ~/.mnt, which is where the link script below expects to find them.
==== Link Home Dir Script ====
This script links the user's network home directory to an "H Drive" symlink and adds bookmarks for nautilus or nemo. It is designed to run at login.
* Save the script as **/scripts/link_h.sh** and **chmod 755 /scripts/link_h.sh**. Keep it owned by root and writable by nobody else: it runs in every user's session, so a writable copy would let one user plant commands that run as everyone who logs in.
<code bash>
#!/bin/sh
#####################################################################
# Links the user's mounted network home to "H Drive" and adds file
# manager bookmarks for Unity (nautilus/nemo). Runs at login.
# Expects pam_mount to have mounted the user's share under $HOME/.mnt.
# Place in /scripts.
#####################################################################

# Point $HOME/.mnt/"H Drive" at the staff (ffs) or student (sfs) mount.
# Refuse to touch anything if the mount directory is missing: without the
# check a failed "cd" would leave us deleting files in the current directory.
linkhome()
{
    cd "$HOME/.mnt" || { echo "$HOME/.mnt missing, shares not mounted?" >&2; return 1; }
    rm -f "H Drive"
    ln -s "${LOGNAME}-$1" "H Drive"
}

# Append a bookmark unless it is already present. -F matches the path as a
# fixed string, -s keeps grep quiet when .gtk-bookmarks does not exist yet.
addBookmark()
{
    if grep -qsF -- "$1" "$HOME/.gtk-bookmarks"
    then
        echo "bookmark $1 already exists"
    else
        echo "file://$1" >> "$HOME/.gtk-bookmarks"
        echo "Added bookmark $1"
    fi
}

# Membership in the "student" group decides which share is the H drive.
# "id -Gn" lists group names only, so a user whose *name* contains "student"
# is no longer misclassified; -x requires the exact group name (change it
# here if the AD group is called something else).
if id -Gn | tr ' ' '\n' | grep -qx student
then
    echo "student"
    linkhome sfs
else
    echo "staff"
    linkhome ffs
fi

addBookmark "${HOME}/.mnt/H%20Drive"
addBookmark "${HOME}/Documents"
addBookmark "${HOME}/Downloads"
</code>
===== Automatic Home Directory creation and skeleton Directory setup =====
This is a full /etc/pam.d/common-session; the only change is this line:
<code>
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
</code>
It creates the home directory on first login by copying /etc/skel into it, and **umask=0077** makes the new directory readable by its owner only, which is what you want on a shared machine. The line sits before pam_mount in the stack, so the home directory exists by the time the shares are mounted under it. Note that pam-auth-update regenerates everything between the "per-package modules" comment and "end of pam-auth-update config", so re-check that this line survived after installing any package that touches PAM.
<code>
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_winbind.so
session optional                        pam_mount.so
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config
</code>
Download {{:ubuntu:skel.tar|}} and extract it into /etc/skel. Give wget an explicit output name: left to itself it saves the file as **ubuntu:skel.tar** (the last path component of the URL) and the tar command would not find **skel.tar**. The download is plain HTTP and everything in /etc/skel is copied into every new user's home directory, so list the archive first and make sure it holds only the expected dotfiles under relative paths before unpacking it as root:
<code bash>
wget -O skel.tar http://wiki.sebeka.k12.mn.us/_media/ubuntu:skel.tar
tar tvf skel.tar
sudo tar xvf skel.tar -C /etc/skel
</code>
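As an added example (not the page's own commands), here is a fetch-and-extract wrapper that refuses any archive member that is an absolute path or climbs out of /etc/skel with "..", so a swapped archive cannot drop files outside the skeleton directory. The URL and file name are the page's; the member lists it feeds the check when run without --fetch are constructed.

```shell
#!/bin/sh
# Added example for this page (not the page's own commands): fetch skel.tar and
# refuse to unpack it into /etc/skel unless every member name is a plain
# relative path. /etc/skel is copied into every new home directory, so an
# archive tampered with in transit (the download is plain HTTP) would seed
# every domain user's session with attacker-controlled dotfiles.
# The URL and file name are the ones this page uses.

# Read tar member names on stdin. Print each offending name and return 1 if
# any is absolute or contains a ".." path component; return 0 otherwise.
tar_members_safe() {
    awk '
        /^\// { bad = 1; print "absolute path: " $0; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { bad = 1; print "parent traversal: " $0; break }
        }
        END { exit bad ? 1 : 0 }'
}

if [ "$1" = "--fetch" ]; then
    set -e
    # -O keeps the local name skel.tar; wget would otherwise save the file as
    # "ubuntu:skel.tar" and the tar commands below would not find it.
    wget -O skel.tar http://wiki.sebeka.k12.mn.us/_media/ubuntu:skel.tar
    sha256sum skel.tar            # compare with a hash recorded from a copy you trust
    tar tvf skel.tar              # eyeball owners, modes and symlink targets
    tar tf skel.tar | tar_members_safe
    sudo tar xf skel.tar -C /etc/skel
else
    # Constructed member lists (no archive needed) showing both outcomes.
    printf '.bashrc\n.config/\n.config/user-dirs.dirs\n' | tar_members_safe \
        && echo "sample 1: safe"
    printf '.bashrc\n../../root/.ssh/authorized_keys\n/etc/profile\n' | tar_members_safe \
        || echo "sample 2: rejected"
fi
```

The name check only covers member paths; symlink targets and file modes still need the `tar tvf` listing, which is why the wrapper prints it before extracting.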
===== Configure Lightdm for Network logins =====
This is a full /etc/lightdm/lightdm.conf. I made two changes:
- I changed **user-session** to **ubuntu-2d** because it is a lot nicer on older hardware.
- I added **greeter-show-manual-login=true** so the greeter offers a username field, which network users need because they never appear in the local user list.
**greeter-hide-users=true** goes with it: the greeter shows no account list at all, so every login starts from an empty username prompt and local account names are not displayed to whoever sits at the machine.
<code>
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu-2d
greeter-show-manual-login=true
greeter-hide-users=true
</code>