Saturday, September 25, 2010

Debian 22

It's been a long time since I've written a Debian article. Well it's been a long time since I've written anything! Well, today I'm going to jump back onto the wagon with a quick tutorial to get your Linux system joined to an Active Directory Domain.
This article assumes that the Active Directory Domain is already fully functional. This is some background information for reference before we get started:
Domain Name: syraxius.ath.cx
Domain Controller Name: dc01.syraxius.ath.cx
Domain Controller IP:

We'll have to first synchronize our clocks with the Kerberos server. Like most authentication schemes, this is crucial. In this case, we'll make use of the already-installed NTP daemon which can function as both an NTP server and client. We'll modify the configuration file by typing:
nano /etc/ntp.conf

Scroll down to any of the servers section, and add your DC into the list:

Now, do a restart of the NTP server:
/etc/init.d/ntp restart

You should be able to see your DC listed when you type:
ntpq -p

We'll have to find some way to allow our Debian system to authenticate with an Active Directory server. This is accomplished through the Kerberos protocol. We'll install Kerberos through:
apt-get install krb5-config krb5-users

When prompted for the Kerberos server and the Administrative server for the realm, we'll use the FQDN of our Domain Controller, which is dc01.syraxius.ath.cx.

The settings are stored in the file called /etc/krb5 just in case things doesn't work out. The information you entered is under the "[realms]" section. The default realm can also be changed in the "[libdefaults]" section.

To test if our Kerberos implementation works, use the command:
kinit Administrator

kinit is a binary found in krb5-user package. This requests a logon for the user "Administrator". If no error messages occur, use the following command to check for a ticket:

Now if everything's fine, you can move on. At this point we'll install Samba and Winbind:
apt-get install samba winbind

winbind is a component of samba which allows UNIX systems to be full members of an Active Directory domain. Winbind shares the configuration file of samba, which is /etc/samba/smb.conf.

After installing, we'll modify the /etc/samba/smb.conf file. The first thing we'll look out for is the workgroup. The workgroup is the Netbios name of the domain. So if I'm using syraxius.ath.cx for the domain, we'll type:
workgroup = SYRAXIUS

At this point we'll need to add a line to specify the realm. This is required when we attempt to join the domain. To do this, we'll simply type:

Scroll down to the Authentication section and you'll find the line "# security = user". Add a new line to use ADS (Active Directory Service) like this:
security = ads

Directly below the domain master parameter is the UID mapping parameters. Simply uncomment them:
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash

We'll also have to allow winbind to enumerate the users and groups. Uncomment the below lines:
winbind enum groups = yes
winbind enum users = yes

You can also allow usershares by uncommenting the usershare section below. Usershares allow non-root users to create share definitions. We'll ignore this one for now.

Save the file and attempt to join the domain using the command:
net ads join -U Administrator

Restart winbind and samba and you should be able to use winbind to list the users and groups using:
wbinfo -u
wbinfo -g

You are still not able to do anything other than list users. If you want to log into the system with the accounts, you'll need to modify the /etc/nsswitch.conf file to look outside of the local databases. To do this, modify the file as shown:
passwd: files winbind
group: files winbind
shadow: files winbind

Next, we'll have to modify the AAA settings of the system to use winbind as well. The files to modify are:

For account, we'll add the line above the current rule:
account sufficient pam_winbind.so

Do the same for auth and session, changing the "account" keyword to "auth" and "session" accordingly. At this point you should be able to log into the system by using the domain\username convention. For example, to log into the Administrator account, simply use syraxius\Administrator as the username.

Notice that you're dumped to the root folder of the system once you're logged on. We'll now work on creating the user home folders. First, we'll modify the /etc/samba/smb.conf and add the following line below "template shell":
template homedir = /home/%D/%U

%D is substituted with the domain name (SYRAXIUS) and %U will become the user's name. However, the configuration isn't complete yet as you'll need the folder to exist first. This can be done automatically using pam_mkhomedir.so. We'll modify /etc/pam.d/common-session and add the following lines above all rules:
session required pam_mkhomedir.so skel=/etc/skel umask=022

Now you're done! But if of course, there is still some stuff that we can do. If you do not want to use the domain\name notation when logging in, simply add this line in /etc/samba/smb.conf below the "winbind enum" parameters:
winbind use default domain = yes

Now you have a domain-joined Linux computer!

No comments :

Post a Comment