This is the third part of a series of howtos showing how to set up and use Samba4 as a drop-in replacement for MS Active Directory Server. The first part, Samba4 AD DC on Ubuntu 14.04, is here. The second part in this series takes a look at Administering AD DC via Windows.
In this part we will connect an Ubuntu 14.04 machine to the domain and then log in with users configured in Active Directory.
Active Directory domain details
- AD DC host: lab-addc1.dragon.lab
- IP address: 10.1.200.3
- Domain: BLACK
- Realm: BLACK.DRAGON.LAB
- NetBIOS name: LAB-ADDC1
Because the ID mapping reads the UID and GID numbers stored in AD (the rfc2307 idmap settings in smb.conf below), domain users will always have the same UID and GIDs regardless of the machine they log into. You will need to have created some users, as we did in part 2.
Domain Users
- Real name: Fred Blogs
- User name: fred
- Member Of: Domain Users, Domain Admins
- Real name: Mary Money
- User name: mary
- Member Of: Domain Users, finance
- Real name: Bert Worker
- User name: bert
- Member Of: Domain Users
I was using likewise-open but after being taken over by Power Broker they have messed it up and introduced a number of rather annoying bugs. The open version is also functionally crippled in order to get you to pay for the enterprise version. 🙁
The PBIS settings have to be changed using a clunky config tool, as they are now stored in a binary blob and not flat files. So all the downsides of a Windows registry, bloated, awkward to access and prone to corruption. 🙁
I no longer use PBIS! Rant over. 🙂
I used my normal install method, starting with a minimal server and then adding MATE.
After the install I change its name to lab-desktop1.dragon.lab in /etc/hosts and to lab-desktop1 in /etc/hostname. Also, check that /etc/network/interfaces is set up to use DHCP for eth0.
We will need to install some packages on the Linux desktop, so let's get that out of the way.
sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install samba winbind libnss-winbind libpam-winbind \
krb5-config krb5-locales krb5-user gvfs-backends
During the install you will be asked for the default realm to use for Kerberos, enter BLACK.DRAGON.LAB.
Update the kerberos config file.
sudo nano /etc/krb5.conf
# Be careful with CAPS they are significant!
[libdefaults]
    default_realm = BLACK.DRAGON.LAB
    ticket_lifetime = 24000
    # Encryption types offered to the KDC (the legacy rc4/des list used in this lab)
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-md5
    dns_lookup_realm = true
    dns_lookup_kdc = true
    dns_fallback = yes

[realms]
    BLACK.DRAGON.LAB = {
        kdc = black.dragon.lab:88
        default_domain = black.dragon.lab
    }

[domain_realm]
    # So are leading fullstops
    .black.dragon.lab = BLACK.DRAGON.LAB
    black.dragon.lab = BLACK.DRAGON.LAB

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
You should now be able to authenticate against Kerberos for the users in our domain. Try this with Fred, Mary and Bert.
kinit bert@BLACK.DRAGON.LAB
Password for bert@BLACK.DRAGON.LAB:
The prompt should request the password for the user you used in the kinit command. It should not ask for the Administrator password. When you enter the correct password for the user you will get a ticket.
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bert@BLACK.DRAGON.LAB

Valid starting     Expires            Service principal
10/05/15 13:40:53  10/05/15 20:20:47  krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB
Now update the Samba configuration to include the following settings. I usually remove everything from the file and just use the following basic values.
sudo nano /etc/samba/smb.conf
[global]
    realm = BLACK.DRAGON.LAB
    workgroup = BLACK
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # Default backend: allocates IDs locally for BUILTIN and any non-BLACK domain
    idmap config *:backend = tdb
    idmap config *:range = 5000-9999
    # BLACK domain: read uidNumber/gidNumber from the AD (rfc2307 attributes)
    idmap config BLACK:backend = ad
    idmap config BLACK:range = 10000-29999
    idmap config BLACK:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
NOTE: The values for the two ranges '*:range' and 'BLACK:range' must be the same on all other AD members and the Controller. Also they must not overlap.
Check that /etc/nsswitch.conf has winbind appended to the passwd and group lines, and amend them if it does not.
sudo nano /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
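The two settings just described, idmap ranges that must not overlap and winbind on the passwd and group lines, are easy to get wrong and fail quietly, so here is a small POSIX shell script that verifies both directly from the files. It is an added example and not part of the original howto: the function names are mine, and the smb.conf and nsswitch.conf fragments it writes under a temporary directory are constructed here purely to show the checks passing and failing. On a real host point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity checks for the
# idmap ranges in smb.conf and the winbind entries in nsswitch.conf.
# File paths are parameters; the sample files created below are constructed.

# Print every "idmap config <domain>:range = LO-HI" in an smb.conf as
# "<domain> LO HI", one per line (whitespace around ':' and '=' is allowed).
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Exit 0 when no two idmap ranges overlap, 1 otherwise (each overlapping
# pair is reported on stderr). Ranges overlap when lo1 <= hi2 and lo2 <= hi1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%s-%s) and %s (%s-%s)\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j] > "/dev/stderr"
                        bad = 1
                    }
            exit bad
        }'
}

# Exit 0 when both the passwd and group lines of nsswitch.conf list winbind.
check_nsswitch() {
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1"; then
            echo "nsswitch: the '$db' line does not include winbind" >&2
            return 1
        fi
    done
    return 0
}

# Constructed samples: the howto's disjoint ranges, a deliberately overlapping
# pair, and nsswitch.conf with and without winbind.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
GOOD_SMB="$tmpdir/smb-good.conf"
BAD_SMB="$tmpdir/smb-bad.conf"
NSS_OK="$tmpdir/nsswitch-ok.conf"
NSS_BAD="$tmpdir/nsswitch-bad.conf"
cat > "$GOOD_SMB" <<'EOF'
[global]
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config BLACK:backend = ad
   idmap config BLACK:range = 10000-29999
EOF
cat > "$BAD_SMB" <<'EOF'
[global]
   idmap config *:range = 5000-12000
   idmap config BLACK:range = 10000-29999
EOF
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$NSS_OK"
printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$NSS_BAD"

# Run against the samples; on a real host pass /etc/samba/smb.conf and
# /etc/nsswitch.conf instead.
check_idmap_ranges "$GOOD_SMB" && echo "smb-good.conf: idmap ranges do not overlap"
check_idmap_ranges "$BAD_SMB" || echo "smb-bad.conf: rejected as expected"
check_nsswitch "$NSS_OK" && echo "nsswitch-ok.conf: winbind present on passwd and group"
check_nsswitch "$NSS_BAD" || echo "nsswitch-bad.conf: rejected as expected"
```

Run the same two functions on every domain member (and on the DC) before joining; because the ranges must be identical everywhere, comparing the output of idmap_ranges across hosts is a quick way to spot a machine that was configured differently.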
If you installed libpam-winbind above, this step is all you need to do to configure PAM.
sudo pam-auth-update
When you run pam-auth-update, all the options should already be selected, just press return to continue.
Add the following line near the end of the file, before the last comment. It allows home directories to be created automatically on the local file system the first time a domain user logs in.
sudo nano /etc/pam.d/common-account
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
I reboot at this point, it saves me reloading or restarting the services one at a time and I can also grab a quick coffee.
Joining the Domain
Once the desktop comes back up, we can join the domain.
sudo net ads join -U administrator
Enter administrator's password:
Using short domain name -- BLACK
Joined 'LAB-DESKTOP1' to dns domain 'black.dragon.lab'
I saw an error for ERROR_DNS_GSS_ERROR, but it appears it does not matter. The message that matters is the Joined ‘LAB-DESKTOP1’ part. If you did not see that, you should recheck everything as there is something wrong.
As this is a Windows domain we need to reboot or just restart the services. The coffee you started above should be ready by now.
sudo service winbind restart
sudo service nmbd restart
sudo service smbd restart
Or, as you will be running these three commands a lot while playing around and testing, set up a quick bash function:
smbrestart() { sudo service winbind restart; sudo service nmbd restart; sudo service smbd restart; }
Just call it on the command line with smbrestart.
Testing Those Settings
To check that user and group data are available from the AD we can use the wbinfo and getent commands.
wbinfo -u # Should list all the domain users.
wbinfo -g # Should list all the domain groups.
wbinfo -i fred # Displays data for the user Fred.
wbinfo -r fred # Displays the groups Fred is in.
getent group domain_admins # Displays users that are members of the group domain_admins.
getent group "domain admins" # Same as above
getent group # Supposed to display all groups local and domain
I have yet to get the last getent group command to work. But see below to check that domain groups are available from the command line.
If the first of these commands worked, you are probably connected to the domain.
The final test: can you log in? I usually do an initial test using 'su' before logging out and back in as another user.
su - fred
If you can log in then it's working. Do a long listing with ls -la and you should see something like the output below; note that the owner shows as fred and the group as domain_users, not the numeric UID/GID you would get with the crippled PBIS open.
-rw------- 1 fred domain_users   59 Aug 25 14:26 .bash_history
-rw------- 1 fred domain_users  220 Aug 25 13:06 .bash_logout
-rw------- 1 fred domain_users 3637 Aug 25 13:06 .bashrc
Now to test using those pesky domain groups. You should see the group name changing with each of these commands.
touch fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_users 0 May 12 19:14 fred_was_here
chgrp domain_admins fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_admins 0 May 12 19:14 fred_was_here
chgrp 'Domain Users' fred_was_here
ll fred_was_here
-rw-r--r-- 1 fred domain_users 0 May 12 19:14 fred_was_here
This tests that you can use the domain groups on the command line. Within bash, tab completion works with them as well. Also, as this is pretending to be Windows (the AD DC part), the group name is not case sensitive: 'Domain Users' = 'domain users' = 'DoMaIn UsErS' = domain_users = DomaiN_Users.
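The wbinfo/getent checks above are done by eye; the following POSIX shell script turns two of them into something repeatable. It checks a passwd line (as printed by getent passwd) to confirm the user's UID and primary GID fall inside the BLACK range from smb.conf (10000-29999), which is what tells you the IDs came from the domain's rfc2307 attributes rather than somewhere else, and that a login shell is set; and it checks group membership from a getent group line while comparing group names the way this host shows them (lower case, spaces replaced by underscores, per winbind normalize names). This is an added example, not code from the original howto: the function names and the passwd/group sample lines are constructed here; on a real host feed in the output of getent passwd fred and getent group domain_admins.

```shell
#!/bin/sh
# Added example, not part of the original howto: scripted versions of the
# getent checks. The passwd/group lines below are constructed samples.

# Lower-case a name and turn spaces into underscores, which is how group
# names appear on this host with "winbind normalize names = Yes", so that
# 'Domain Users', 'domain users' and 'domain_users' compare equal.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z ' 'a-z_'
}

# Verify one passwd(5) line from getent: UID and primary GID must lie inside
# the range configured for the domain's idmap backend (BLACK is 10000-29999
# in smb.conf) and the login shell must be set. An ID outside the range did
# not come from the domain's rfc2307 attributes.
check_domain_user() {  # args: passwd line, range low, range high
    line=$1; lo=$2; hi=$3
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    case "$uid:$gid" in
        *[!0-9:]*|:*|*:) echo "$name: malformed passwd line" >&2; return 1 ;;
    esac
    status=0
    if [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
        echo "$name: uid $uid is outside the domain range $lo-$hi" >&2; status=1
    fi
    if [ "$gid" -lt "$lo" ] || [ "$gid" -gt "$hi" ]; then
        echo "$name: gid $gid is outside the domain range $lo-$hi" >&2; status=1
    fi
    if [ -z "$shell" ]; then
        echo "$name: no login shell (set it in AD, or use 'template shell')" >&2; status=1
    fi
    return $status
}

# Verify that a user is listed in a group(5) line from getent; the group
# name is compared after normalization, so any case/spacing variant works.
group_has_member() {  # args: group line, expected group name, user
    line=$1; want=$(normalize_name "$2"); user=$3
    gname=$(normalize_name "$(printf '%s' "$line" | cut -d: -f1)")
    members=$(printf '%s' "$line" | cut -d: -f4)
    [ "$gname" = "$want" ] || { echo "expected group $want, got $gname" >&2; return 1; }
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) echo "$user is not a member of $gname" >&2; return 1 ;;
    esac
}

# Constructed sample output, using the users created in part 2.
FRED='fred:*:10001:10000:Fred Blogs:/home/fred:/bin/bash'
BERT_NOSHELL='bert:*:10003:10000:Bert Worker:/home/bert:'
STRAY='stray:*:5001:5001:Stray User:/home/stray:/bin/bash'
ADMINS='domain_admins:x:10002:fred'

check_domain_user "$FRED" 10000 29999 && echo "fred: mapped from the domain"
check_domain_user "$BERT_NOSHELL" 10000 29999 || echo "bert: rejected as expected"
check_domain_user "$STRAY" 10000 29999 || echo "stray: rejected as expected"
group_has_member "$ADMINS" 'Domain Admins' fred && echo "fred is in Domain Admins"
group_has_member "$ADMINS" 'Domain Admins' bert || echo "bert is not, as expected"
```

On a live host the calls become check_domain_user "$(getent passwd fred)" 10000 29999 and group_has_member "$(getent group domain_admins)" 'Domain Admins' fred. The missing-shell case is the one raised in the comments below: a user with no login shell resolves fine through getent but cannot open a terminal or log in over ssh.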
Giving ‘sudo’ Permissions
With Ubuntu you can add a user to the sudo group which will allow access to the sudo command.
sudo usermod -a -G sudo fred
Testing Those Permissions
This assumes you have already created the test users Fred, Bert and Mary along with the shared folders finance and shared. Now log in to the domain with each of the three users. Fred and Mary should be able to access both folders and also create and modify files in the shares, while Bert 'the drudge' Worker will only be able to do so in shared.
To use caja (the file manager) to access the shares, type smb://lab-addc1 into the location input and press return. Then proceed as normal once the shares are displayed.
If that is not the case, go back and check the permissions on the users and shares.
Hi,
Many thanks for this great working tutorial !!
After hours of tries with PBIS you saved me.
Had to watch uppercase/lowercase for inputs of realm and username of the domain strictly.
This tutorial works with a .local Domain too.
thanks again
gnaggi
I am glad it was of use to you. The upper/lower case can be a nightmare, especially as Windows is only sometimes case sensitive 🙂
When Power Broker took over the likewise open project it went downhill fast.
Currently Power Broker (PBIS) doesn’t work with Samba 4. If you install Ubuntu 14.04, you’ll get Samba 4 as part of the install. It becomes a nightmare trying to downgrade Samba from 4 to 3, just to get PBIS to work (if you don’t need Samba, PBIS will work with Ubuntu 14.04). I’ve been talking to PBIS and they hope to have their software working with Samba 4 by the end of 2015. I’ve been using PBIS/Likewise since 2012, but now I’m looking at alternative solutions.
When it was likewise open it worked rather well. Then it was taken over by PBIS and they crippled it. Why would it take almost 2 years, from the time Ubuntu 14.04 came out, to get it updated? Seems they only want to sell their own version now.
After configuring this in ubuntu 14.04 and adding a windows security group to the sudoers file my domain user can’t open gnome-terminal and can’t login with ssh. They all show as admin. The weird thing is passwd file has no /bin/bash record for the domain users. Is there a step missed above?
You need to use the tool on Windows to set the login shell and path to the HOME directory.
I have used the below smb.conf for my winbind hosts for years with no problems. RIDs are always mapped predictably and there is absolutely no need to set any custom attributes in AD.
[global]
workgroup =
password server = *
realm =
security = ads
idmap config * : range = 100000-999999
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = false
allow trusted domains = No
client NTLMv2 auth = Yes
name resolve order = wins bcast host
idmap backend = rid
create krb5 conf = No
For protected hosts I only allow select groups to login through /etc/security/pam_winbind.conf:
[global]
krb5_auth = yes
krb5_ccache_type = FILE
require_membership_of = ,
I add those group names to sudoers:
%Group\ Name ALL=(ALL) ALL
%Group\ Name ALL=(ALL) ALL
Add pam_winbind module in system-auth appropriately:
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
password sufficient pam_winbind.so use_authtok
session optional pam_winbind.so
Kerberos is only set up for single sign on, but it is not necessary for basic system access, and all Kerberos system principals are managed through AD and the computer object. You can add principals to AD and your local keytab through the samba 'net' command.
Very helpful. Wasted a lot of time trying to use sssd with ubuntu 16.04 in multi-domain environment. This works perfectly