This is an old revision of the document!


Desktop Ubuntu Integration with Active Directory

Scope: Set up an Ubuntu 12.04 client to authenticate against Active Directory and access mapped drives

Install Packages

Install Samba, winbind, cifs-utils, the Kerberos packages and pam_mount:

apt-get install cifs-utils samba winbind ntp krb5-kdc krb5-admin-server rng-tools libpam-mount

Install the Nemo file manager:

sudo add-apt-repository ppa:webupd8team/nemo
sudo apt-get update
sudo apt-get install nemo nemo-fileroller

Active Directory Authentication

We will be using Samba, or more specifically winbind, to authenticate and look up users via PAM. First we need to create /etc/samba/smb.conf. This is an example smb.conf; be sure to change workgroup and realm to match your domain.

/etc/samba/smb.conf
[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        preferred master = no
        server string =
        security = ADS
        encrypt passwords = true
        log level = 3
        log file = /var/log/samba/smb.log
        max log size = 50
        printcap name = cups
        printing = cups
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind separator = +
        template homedir = /vol1/homes/%U
        idmap uid = 2000-20000
        idmap gid = 2000-20000
        ;template primary group = "Domain Users"
        template shell = /bin/bash
        obey pam restrictions = yes

Now we need to tell the Name Service Switch (nsswitch) to look to winbind for user and group data:

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Finally we need to join the Active Directory domain and restart winbind:

net ads -U administrator join
/etc/init.d/winbind restart

Now if you run wbinfo -u you should get a complete list of AD users.
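The following script is an added example and not part of the original wiki page. It lints an smb.conf and nsswitch.conf written as above before you run net ads join (security = ADS, the DOMAIN / DOMAIN.NET placeholders replaced, an upper-case realm, winbind listed for passwd/group/shadow, and idmap ranges that stay clear of local account ids), and optionally runs the live checks (wbinfo -t for the machine account secret, getent through winbind) once the client is joined. The script name ad_client_lint.sh and the LIVE=1 switch are my own choices.

```shell
#!/bin/sh
# ad_client_lint.sh (added example, not from the wiki page):
#   sh ad_client_lint.sh /etc/samba/smb.conf [/etc/nsswitch.conf]
#   LIVE=1 sh ad_client_lint.sh ...   also runs the winbind live checks
# With no arguments only the functions are defined (the file can be sourced).

# smb_value FILE KEY: print the value of KEY as written on this page (lower-case
# key, one "key = value" per line); ';' and '#' comment lines are ignored.
smb_value() {
    sed -n -e 's/^[[:space:]]*//' -e '/^[;#]/d' \
        -e "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_smb_conf FILE: 0 when the settings this page relies on are present and
# the example placeholders have been replaced; every problem is printed.
check_smb_conf() {
    f=$1; rc=0
    sec=$(smb_value "$f" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || { echo "$f: security must be ADS (got '${sec:-unset}')"; rc=1; }

    wg=$(smb_value "$f" workgroup)
    case "$wg" in
        ""|DOMAIN) echo "$f: workgroup is unset or still the DOMAIN placeholder"; rc=1 ;;
    esac

    realm=$(smb_value "$f" realm)
    case "$realm" in
        ""|DOMAIN.NET) echo "$f: realm is unset or still the DOMAIN.NET placeholder"; rc=1 ;;
        *[a-z]*)       echo "$f: realm '$realm' should be upper case (Kerberos realm)"; rc=1 ;;
    esac

    # idmap uid/gid: both present as LOW-HIGH, numeric, and starting at or
    # above 1000 so winbind-assigned ids cannot collide with local accounts
    for key in "idmap uid" "idmap gid"; do
        range=$(smb_value "$f" "$key")
        case "$range" in
            [0-9]*-[0-9]*) low=${range%%-*}; high=${range#*-} ;;
            *) echo "$f: $key is missing or not LOW-HIGH"; rc=1; continue ;;
        esac
        case "$low$high" in
            *[!0-9]*) echo "$f: $key range '$range' is not numeric"; rc=1; continue ;;
        esac
        if [ "$low" -ge "$high" ] || [ "$low" -lt 1000 ]; then
            echo "$f: $key range '$range' must be LOW-HIGH with LOW >= 1000"; rc=1
        fi
    done
    return $rc
}

# check_nsswitch FILE: the passwd, group and shadow databases must list winbind
check_nsswitch() {
    f=$1; rc=0
    for db in passwd group shadow; do
        if ! grep -E "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" >/dev/null; then
            echo "$f: '$db:' line does not include winbind"; rc=1
        fi
    done
    return $rc
}

# live_check: only meaningful on a joined client. wbinfo -t verifies the
# machine account secret with a domain controller, then one listed user is
# resolved through NSS to prove the winbind -> nsswitch path works.
live_check() {
    command -v wbinfo >/dev/null || { echo "wbinfo not installed"; return 1; }
    wbinfo -t || return 1
    n=$(wbinfo -u | wc -l)
    echo "winbind lists $n domain users"
    [ "$n" -gt 0 ] && getent passwd "$(wbinfo -u | head -n 1)" >/dev/null
}

if [ $# -gt 0 ]; then
    rc=0
    check_smb_conf "$1" || rc=1
    check_nsswitch "${2:-/etc/nsswitch.conf}" || rc=1
    [ "${LIVE:-0}" = 1 ] && { live_check || rc=1; }
    exit $rc
fi
```

Run it against the staged files before joining; a non-zero exit with the printed reasons means the join or the later wbinfo -u listing is likely to fail or to return users with ids overlapping local accounts.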

Set up share mounting (pam_mount)

Here is a complete pam_mount config. The most important statements are these four lines, which mount the various shares for each user:

<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
<volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />
/etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->

<pam_mount>

    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->

    <debug enable="1" />

    <!-- Volume definitions -->

    <!-- pam_mount parameters: General tunables -->

    <!--<luserconf name=".pam_mount.conf.xml" /> -->

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,uid,gid,*" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="" />

    <logout wait="0" hup="0" term="0" kill="0" />

    <!-- pam_mount parameters: Volume-related -->

    <mkmountpoint enable="1" remove="true" />

    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/public" path="public" server="cfs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/wpkg" path="wpkg" server="cfs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-ffs" path="User Data/%(USER)" server="ffs.sebekaschools.net" fstype="cifs" />
    <volume options="uid=%(USER),gid=100" user="*" mountpoint="~/.mnt/%(USER)-sfs" path="User Data/%(USER)" server="sfs.sebekaschools.net" fstype="cifs" />

</pam_mount>

This is a script that links a user's network home directory to an "H Drive" bookmark in Nautilus or Nemo. It is designed to be run at login. Save the script to /scripts and run chmod 755 /scripts/link_h.sh.

/scripts/link_h.sh
#!/bin/sh

#####################################################################
# This is the script that updates file manager bookmarks for Unity
# place in /scripts
#####################################################################

MNT="$HOME/.mnt"
BOOKMARKS="$HOME/.gtk-bookmarks"

# Point "H Drive" at the staff home share mounted by pam_mount.
# Abort if ~/.mnt is missing so the rm/ln never run in the wrong directory.
linkstaff()
{
	cd "$MNT" || exit 1
	rm -f "H Drive"
	ln -s "${LOGNAME}-ffs" "H Drive"
}

# Point "H Drive" at the student home share mounted by pam_mount
linkstudent()
{
	cd "$MNT" || exit 1
	rm -f "H Drive"
	ln -s "${LOGNAME}-sfs" "H Drive"
}

# addBookmarkIfMissing PATTERN URI LABEL: append URI to the GTK bookmarks
# file unless a line matching PATTERN is already there
addBookmarkIfMissing()
{
	touch "$BOOKMARKS"
	if grep -q "$1" "$BOOKMARKS"
	then
		echo "bookmark $3 already exists"
	else
		echo "$2" >> "$BOOKMARKS"
		echo "Added bookmark $3"
	fi
}

addBookmark()
{
	addBookmarkIfMissing 'H%20Drive' "file://${HOME}/.mnt/H%20Drive" "H Drive"
	addBookmarkIfMissing 'Documents' "file://${HOME}/Documents" "Documents"
	addBookmarkIfMissing 'Downloads' "file://${HOME}/Downloads" "Downloads"
}

# Students are recognised by "student" appearing in the output of id
# (i.e. membership of the student group); everyone else is staff
if id | grep -q student
then
	echo "student"
	linkstudent
else
	echo "staff"
	linkstaff
fi
addBookmark

Automatic home directory creation and skeleton directory setup

This is the full common-session PAM file; the only change is this line:

session required			pam_mkhomedir.so	skel=/etc/skel/ umask=0077

Notice that we are using /etc/skel as the skeleton directory, and that umask=0077 makes each newly created home directory readable only by its owner.

/etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
session required			pam_mkhomedir.so	skel=/etc/skel/ umask=0077
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional			pam_umask.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so
session	optional			pam_winbind.so
session	optional	pam_mount.so
session	optional			pam_ck_connector.so nox11
# end of pam-auth-update config

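The following checks are an added example and not part of the original wiki page. They verify two properties of the files shown above that are easy to lose when pam-auth-update rewrites the stack or when volumes are edited: that pam_mkhomedir.so runs before pam_mount.so in common-session (the page's order, so the home directory already exists when pam_mount creates the ~/.mnt mount points) with the umask=0077 the page sets, and that every volume in pam_mount.conf.xml carries a uid= option as the page's four volumes do. The script name pam_stack_check.sh is my own choice; the files are passed as arguments so staged copies can be checked.

```shell
#!/bin/sh
# pam_stack_check.sh (added example, not from the wiki page):
#   sh pam_stack_check.sh /etc/pam.d/common-session /etc/security/pam_mount.conf.xml

# pam_session_order_ok FILE: 0 when an uncommented "session ... pam_mkhomedir.so"
# line precedes the uncommented "session ... pam_mount.so" line, as on this page
pam_session_order_ok() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && /pam_mkhomedir\.so/ && !mk  { mk = NR }
        $1 == "session" && /pam_mount\.so/     && !mnt { mnt = NR }
        END { exit (mk && mnt && mk < mnt) ? 0 : 1 }
    ' "$1"
}

# pam_mkhomedir_umask FILE: print the umask= argument given to pam_mkhomedir
# (0077 on this page: new home directories are private to their owner)
pam_mkhomedir_umask() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && /pam_mkhomedir\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; exit }
        }
    ' "$1"
}

# pam_mount_volumes_ok FILE: every <volume .../> must carry uid= in its options
# (this page uses uid=%(USER),gid=100 so the mounted share shows up owned by
# the logging-in user); fails too when no volume is defined at all. XML comments
# are not parsed, so a commented-out volume is still examined.
pam_mount_volumes_ok() {
    awk '
        /<volume[[:space:]]/ {
            total++
            if ($0 !~ /options="[^"]*uid=/) {
                bad++
                print "volume without uid= option: " $0 > "/dev/stderr"
            }
        }
        END { exit (total > 0 && !bad) ? 0 : 1 }
    ' "$1"
}

if [ $# -eq 2 ]; then
    rc=0
    pam_session_order_ok "$1" || { echo "$1: pam_mkhomedir.so must come before pam_mount.so"; rc=1; }
    u=$(pam_mkhomedir_umask "$1")
    [ "$u" = "0077" ] || { echo "$1: pam_mkhomedir umask is '${u:-unset}', expected 0077 as on this page"; rc=1; }
    pam_mount_volumes_ok "$2" || rc=1
    exit $rc
fi
```

Because pam-auth-update regenerates the managed block of common-session on package upgrades, running this after each upgrade is a cheap way to notice that the hand-added pam_mkhomedir line has been dropped or reordered.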
Download skel.tar and extract it to /etc/skel, e.g.

wget http://wiki.sebeka.k12.mn.us/_media/ubuntu:skel.tar
tar xvf skel.tar -C /etc/skel

Configure LightDM for network logins

This is the full lightdm.conf. I made two changes:

  1. I changed user-session to ubuntu-2d because it's a lot nicer on older hardware.
  2. I added greeter-show-manual-login=true to allow login of network users, who do not appear in the greeter's user list.

/etc/lightdm/lightdm.conf
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu-2d
greeter-show-manual-login=true
greeter-hide-users=true
ubuntu/desktop_ad_intergration.1386792908.txt.gz · Last modified: 2013/12/11 14:15 by tschulz