

Desktop Ubuntu Integration with Active Directory

Scope: Set up an Ubuntu 12.04 client to authenticate against Active Directory and mount the user's network shares at login

Install Packages

Install Samba, winbind, cifs-utils, the Kerberos packages and pam-mount:

apt-get install cifs-utils samba winbind ntp krb5-kdc krb5-admin-server rng-tools libpam-mount

Install the Nemo file manager:

sudo add-apt-repository ppa:webupd8team/nemo
sudo apt-get update
sudo apt-get install nemo nemo-fileroller

Active Directory Authentication

We will be using Samba, or more specifically winbind, to authenticate users and look them up via PAM. First we need to create /etc/samba/smb.conf:

smb.conf
[global]
    workgroup = DOMAIN
    realm = DOMAIN.NET
    preferred master = no
    server string =
    security = ADS
    encrypt passwords = true
    log level = 3
    log file = /var/log/samba/smb.log
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    template homedir = /vol1/homes/%U
    idmap uid = 2000-20000
    idmap gid = 2000-20000
    ;template primary group = "Domain Users"
    template shell = /bin/bash
    obey pam restrictions = yes

Now we need to tell the Name Service Switch (nsswitch) to consult winbind for user and group data:

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
 
 
passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat
 
hosts:          files dns
networks:       files
 
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
 
netgroup:       nis

Finally we need to join the machine to the Active Directory domain and restart winbind:

net ads -U administrator join
/etc/init.d/winbind restart

Now, if you run wbinfo -u, you should get a complete list of AD users.

Set up share mounting (pam_mount)

Here is a complete pam_mount config. The most important statements are the four volume lines at the end, which mount the various CIFS shares for each user at login:

/etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->

<pam_mount>

    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->

    <debug enable="1" />

    <!-- Volume definitions -->

    <!-- pam_mount parameters: General tunables -->

    <!--<luserconf name=".pam_mount.conf.xml" /> -->

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,*" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="" />

    <logout wait="0" hup="0" term="0" kill="0" />

    <!-- pam_mount parameters: Volume-related -->

    <mkmountpoint enable="1" remove="true" />

    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />

</pam_mount>

This is a script that links a user's network home directory to an "H Drive" entry under ~/.mnt and adds it as a bookmark in Nautilus or Nemo. It is designed to be run at login:

/scripts/link_h.sh
#!/bin/sh

#####################################################################
# This is the script that updates file manager bookmarks for Unity
# place in /scripts
#####################################################################

# Point the "H Drive" symlink in ~/.mnt at the staff home share (ffs)
linkstaff()
{
	cd "$HOME/.mnt" || exit 1
	rm -f "H Drive"
	ln -s "${LOGNAME}-ffs" "H Drive"
}

# Point the "H Drive" symlink in ~/.mnt at the student home share (sfs)
linkstudent()
{
	cd "$HOME/.mnt" || exit 1
	rm -f "H Drive"
	ln -s "${LOGNAME}-sfs" "H Drive"
}

# Add each GTK file-manager bookmark only if it is not already present
addBookmark()
{
	cd "$HOME" || exit 1
	touch "${HOME}/.gtk-bookmarks"

	if ! grep -q 'H%20Drive' "${HOME}/.gtk-bookmarks"
	then
		echo "file://${HOME}/.mnt/H%20Drive" >> "${HOME}/.gtk-bookmarks"
		echo "Added bookmark H Drive"
	else
		echo "bookmark H Drive already exists"
	fi

	if ! grep -q 'Documents' "${HOME}/.gtk-bookmarks"
	then
		echo "file://${HOME}/Documents" >> "${HOME}/.gtk-bookmarks"
		echo "Added bookmark Documents"
	else
		echo "bookmark Documents already exists"
	fi

	if ! grep -q 'Downloads' "${HOME}/.gtk-bookmarks"
	then
		echo "file://${HOME}/Downloads" >> "${HOME}/.gtk-bookmarks"
		echo "Added bookmark Downloads"
	else
		echo "bookmark Downloads already exists"
	fi
}

# Users whose group membership (from id) mentions "student" get the
# student share; everyone else is treated as staff
if ! id | grep -q student
then
	echo "staff"
	linkstaff
else
	echo "student"
	linkstudent
fi
addBookmark

Automatic Home Directory creation and skeleton Directory setup

Configure Lightdm for Network logins

ubuntu/desktop_ad_intergration.1386787071.txt.gz · Last modified: 2013/12/11 12:37 by tschulz