
Saturday, September 25, 2010

Debian 22

It's been a long time since I've written a Debian article; in fact, it's been a long time since I've written anything! Today I'm going to jump back onto the wagon with a quick tutorial on getting your Linux system joined to an Active Directory domain.
This article assumes that the Active Directory domain is already fully functional. Here is some background information for reference before we get started:
Domain Name: syraxius.ath.cx
Domain Controller Name: dc01.syraxius.ath.cx
Domain Controller IP: 192.168.1.2/24

We'll first have to synchronize our clock with the Kerberos server, i.e. the domain controller. Like most authentication schemes, Kerberos depends on this: tickets carry timestamps, and the KDC rejects requests whose clock skew is too large (five minutes by default in Active Directory). In this case, we'll make use of the already-installed NTP daemon, which can function as both an NTP server and client. We'll modify the configuration file by typing:
nano /etc/ntp.conf

Scroll down to any of the servers section, and add your DC into the list:
server 192.168.1.2

Now, do a restart of the NTP server:
/etc/init.d/ntp restart

You should see your DC listed when you type:
ntpq -p

We'll need some way for our Debian system to authenticate against the Active Directory server. This is done with the Kerberos protocol. We'll install the Kerberos client tools with:
apt-get install krb5-config krb5-user

When prompted for the Kerberos server and the administrative server for the realm, we'll use the FQDN of our domain controller, which is dc01.syraxius.ath.cx.

The settings are stored in the file /etc/krb5.conf, in case things don't work out. The servers you entered are under the "[realms]" section, and the default realm can be changed in the "[libdefaults]" section.

To test whether our Kerberos setup works, use the command:
kinit Administrator

kinit is a binary from the krb5-user package. It requests a ticket-granting ticket for the user "Administrator" (you'll be prompted for the password). If no error messages occur, use the following command to check for the ticket:
klist
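Before running kinit, it helps to confirm that the krb5.conf the debconf prompts wrote actually names the realm and KDC you expect; a realm typed in lower case or a typo in the KDC hostname produces confusing "cannot find KDC" errors. The script below is an added example, not code from the original post: it builds a constructed sample krb5.conf with the realm and DC from this walkthrough and checks it with awk, so it runs anywhere without touching the real /etc/krb5.conf. Point the functions at /etc/krb5.conf to check a real box.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an /etc/krb5.conf
# of the shape Debian's krb5-config writes, before running kinit.
# The realm and KDC name are the ones used in the walkthrough; the file
# content is a constructed sample, not copied from a real system.

make_sample_krb5_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[libdefaults]
	default_realm = SYRAXIUS.ATH.CX

[realms]
	SYRAXIUS.ATH.CX = {
		kdc = dc01.syraxius.ath.cx
		admin_server = dc01.syraxius.ath.cx
	}

[domain_realm]
	.syraxius.ath.cx = SYRAXIUS.ATH.CX
	syraxius.ath.cx = SYRAXIUS.ATH.CX
EOF
    echo "$f"
}

# Print the default_realm from the [libdefaults] section.
krb5_default_realm() {
    awk -F= '
        /^\[/ { insec = ($0 == "[libdefaults]"); next }
        insec && $1 ~ /default_realm/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# Print the kdc entry of the named realm from the [realms] section.
krb5_realm_kdc() {
    awk -v realm="$2" '
        /^\[/ { insec = ($0 == "[realms]"); next }
        insec && index($0, realm " = {") { inrealm = 1; next }
        inrealm && /}/ { inrealm = 0 }
        inrealm && /^[ \t]*kdc[ \t]*=/ { sub(/^[ \t]*kdc[ \t]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Return 0 and print the KDC when the file is consistent: a default realm is
# set, it is upper-case (Kerberos realm names are case-sensitive and AD realms
# are upper-case), and the realm stanza names a KDC. Otherwise return 1.
krb5_conf_ok() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || { echo "no default_realm in $1" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm $realm is not upper-case" >&2; return 1; }
    kdc=$(krb5_realm_kdc "$1" "$realm")
    [ -n "$kdc" ] || { echo "no kdc entry for realm $realm" >&2; return 1; }
    echo "$kdc"
}

# Usage when run directly: check the constructed sample.
sample=$(make_sample_krb5_conf)
kdc=$(krb5_conf_ok "$sample") && echo "krb5.conf OK: realm $(krb5_default_realm "$sample"), KDC $kdc"
rm -f "$sample"
```

The check is deliberately narrow: it does not resolve the KDC name or contact it, so pair it with the kinit/klist test above, which exercises DNS, clock skew and the password in one go.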

Now if everything's fine, you can move on. At this point we'll install Samba and Winbind:
apt-get install samba winbind

Winbind is a component of Samba that allows UNIX systems to be full members of an Active Directory domain. Winbind shares Samba's configuration file, /etc/samba/smb.conf.

After installing, we'll modify the /etc/samba/smb.conf file. The first thing to look for is the workgroup. The workgroup is the NetBIOS name of the domain, so if I'm using syraxius.ath.cx for the domain, we'll type:
workgroup = SYRAXIUS

Next we'll need to add a line specifying the realm; this is required when we attempt to join the domain. Kerberos realm names are case-sensitive and the AD realm is upper-case, so we'll simply type:
realm = SYRAXIUS.ATH.CX

Scroll down to the Authentication section and you'll find the line "# security = user". Add a new line below it to use ADS (Active Directory Service), like this:
security = ads

Directly below the "domain master" parameter are the UID mapping parameters. Simply uncomment them:
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash

We'll also have to allow Winbind to enumerate the users and groups. Uncomment the lines below:
winbind enum groups = yes
winbind enum users = yes

You can also allow usershares by uncommenting the usershare section below. Usershares allow non-root users to create share definitions. We'll leave this alone for now.
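A join attempt with a mistyped workgroup, a lower-case realm or "security = user" still in effect fails with messages that do not point at the offending line, so it is worth checking the [global] section before running net ads join. The script below is an added example and not part of the original post: it writes a constructed sample smb.conf containing the settings from this walkthrough, extracts parameters from [global] the way Samba does (ignoring comments, case and whitespace in parameter names) and compares them against the expected values. On a real system, testparm -s is the authoritative parser; run the check against /etc/samba/smb.conf instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the [global]
# section of an smb.conf carries the settings the walkthrough asks for,
# before running "net ads join". The smb.conf below is a constructed sample.

make_sample_smb_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[global]
   workgroup = SYRAXIUS
   realm = SYRAXIUS.ATH.CX
   server string = %h server
# security = user
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind enum groups = yes
   winbind enum users = yes

[homes]
   comment = Home Directories
   browseable = no
EOF
    echo "$f"
}

# Print the value of one parameter from [global]. Comment lines are skipped,
# and the parameter name is compared case- and whitespace-insensitively,
# which is how Samba itself treats parameter names.
smb_global_param() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/[ \t]/, "", sec); inglobal = (sec == "[global]"); next }
        inglobal && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); key = tolower(key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# Return 0 when every parameter the walkthrough sets is present with the
# expected value; otherwise report each mismatch on stderr and return 1.
smb_conf_ready_for_join() {
    rc=0
    while IFS='|' read -r param expect; do
        got=$(smb_global_param "$1" "$param")
        if [ "$got" != "$expect" ]; then
            echo "smb.conf: $param = '${got:-<unset>}', expected '$expect'" >&2
            rc=1
        fi
    done <<EOF
workgroup|SYRAXIUS
realm|SYRAXIUS.ATH.CX
security|ads
idmap uid|10000-20000
idmap gid|10000-20000
template shell|/bin/bash
winbind enum users|yes
winbind enum groups|yes
EOF
    return $rc
}

# Usage when run directly: check the constructed sample.
sample=$(make_sample_smb_conf)
if smb_conf_ready_for_join "$sample"; then
    echo "smb.conf has the settings needed for: net ads join -U Administrator"
fi
rm -f "$sample"
```

Note that the commented-out "# security = user" line in the sample is ignored, exactly as Samba ignores it; only the active "security = ads" line counts.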

Save the file and attempt to join the domain using the command:
net ads join -U Administrator

Restart Winbind and Samba, and you should be able to list the domain's users and groups through Winbind using:
wbinfo -u
wbinfo -g

You are still not able to do anything other than list users. If you want to log into the system with these accounts, you'll need to modify the /etc/nsswitch.conf file so that user and group lookups go beyond the local databases. To do this, modify the file as shown:
passwd: files winbind
group: files winbind
shadow: files winbind

Next, we'll have to modify the system's PAM (AAA) configuration to use Winbind as well. The files to modify are:
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-session

For account, we'll add this line above the current rule:
account sufficient pam_winbind.so

Do the same for auth and session, changing the "account" keyword to "auth" and "session" accordingly. At this point you should be able to log into the system using the domain\username convention. For example, to log into the Administrator account, use syraxius\Administrator as the username.

Notice that you're dumped into the root folder of the system once you're logged on, because the domain account has no home directory yet. We'll now work on creating the user home folders. First, we'll modify /etc/samba/smb.conf and add the following line below "template shell":
template homedir = /home/%D/%U

%D is substituted with the domain name (SYRAXIUS) and %U with the user's name. However, the configuration isn't complete yet, as the directory has to exist before the user can log in. This can be done automatically with pam_mkhomedir.so. We'll modify /etc/pam.d/common-session and add the following line above all other rules:
session required pam_mkhomedir.so skel=/etc/skel umask=022
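The nsswitch and PAM edits above are the ones that actually turn a domain account into a login, and the ordering matters: pam_winbind.so has to be consulted before pam_unix.so in each common-* file, and pam_mkhomedir.so has to run in common-session or the user lands in a directory that does not exist. The script below is an added example, not code from the original post: it builds a constructed copy of nsswitch.conf and the three pam.d files in a temporary directory and checks each of these conditions with awk. It assumes the simple "type control module" line form used in this walkthrough; Debian's newer bracketed control values such as "[success=1 default=ignore]" would need a smarter parser.

```shell
#!/bin/sh
# Added example (not from the original post): check that NSS and PAM are
# wired to winbind the way the walkthrough describes. The nsswitch.conf and
# pam.d files are constructed samples in a temporary directory, so nothing
# on the real system is touched; pass "/etc" to check a real box.

make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    cat >"$d/nsswitch.conf" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files winbind
hosts:          files dns
EOF
    printf 'account sufficient pam_winbind.so\naccount required pam_unix.so\n' >"$d/pam.d/common-account"
    printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure\n' >"$d/pam.d/common-auth"
    printf 'session required pam_mkhomedir.so skel=/etc/skel umask=022\nsession sufficient pam_winbind.so\nsession required pam_unix.so\n' >"$d/pam.d/common-session"
    echo "$d"
}

# Return 0 when the named nsswitch database (passwd, group, shadow) lists
# winbind as a source.
nss_uses_winbind() {
    awk -v db="$2" '
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
            exit
        }
        END { exit !found }
    ' "$1"
}

# Return 0 when a pam.d file lists pam_winbind.so for the given type
# (account/auth/session) before pam_unix.so, as the walkthrough has it.
# Assumes lines of the form: type control module [args].
pam_winbind_before_unix() {
    awk -v type="$2" '
        $1 != type { next }
        $3 == "pam_winbind.so" && !unix_seen { wb = 1 }
        $3 == "pam_unix.so" { unix_seen = 1 }
        END { exit !wb }
    ' "$1"
}

# Return 0 when common-session creates missing home directories with
# pam_mkhomedir.so, which "template homedir = /home/%D/%U" relies on.
pam_makes_homedir() {
    awk '$1 == "session" && $3 == "pam_mkhomedir.so" { ok = 1 } END { exit !ok }' "$1"
}

# Run every check against a directory laid out like /etc. Prints "ready" and
# returns 0 on success; reports the first problem on stderr and returns 1.
domain_login_ready() {
    for db in passwd group shadow; do
        nss_uses_winbind "$1/nsswitch.conf" "$db" \
            || { echo "nsswitch.conf: $db does not use winbind" >&2; return 1; }
    done
    for t in account auth session; do
        pam_winbind_before_unix "$1/pam.d/common-$t" "$t" \
            || { echo "pam.d/common-$t: no pam_winbind.so before pam_unix.so" >&2; return 1; }
    done
    pam_makes_homedir "$1/pam.d/common-session" \
        || { echo "pam.d/common-session: no pam_mkhomedir.so" >&2; return 1; }
    echo "ready"
}

# Usage when run directly: check the constructed sample tree.
tree=$(make_sample_tree)
domain_login_ready "$tree" >/dev/null && printf '%s\n' 'NSS/PAM are wired for logins as SYRAXIUS\Administrator'
rm -rf "$tree"
```

Keeping "files" ahead of "winbind" in nsswitch.conf, as the walkthrough does, means local accounts such as root still resolve when the domain controller is unreachable.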

Now you're done! But of course, there is still more we can do. If you do not want to use the domain\name notation when logging in, add this line to /etc/samba/smb.conf below the "winbind enum" parameters. Bear in mind that an unqualified name is then looked up in the domain as well, so make sure no domain account shares a name with a local one:
winbind use default domain = yes

Now you have a domain-joined Linux computer!
