How to authenticate Linux accounts against an Active Directory and mount a Windows share on login?
I'm using Ubuntu 10.04 Server.
Solution 1:
[Edit] I've since tested this the full release of Ubuntu 10.04 Server (21/May/2010).
I've configured my Ubuntu 10.04 Server LTS residing on a windows network to authenticate logins using active directory, then mount a windows share to serve as there home directory.
Here is what I did starting from the initial installation of Ubuntu.
- Download and install Ubuntu Server 10.04 LTS
-
Get updates
# sudo apt-get update && sudo apt-get upgrade
-
Install an SSH server (
sshd
)# sudo apt-get install openssh-server
Some would argue that you should "lock sshd down" by disabling root logins. I figure if your smart enough to hack an ssh session for a root password, you're probably not going to be thwarted by the addition of
PermitRootLogin no
in the/etc/ssh/sshd_config
file. If your paranoid or not simply not convinced then edit the file or give the following a spin:# (grep PermitRootLogin /etc/ssh/sshd_config && sudo sed -ri 's/PermitRootLogin ).+/\1no/' /etc/ssh/sshd_conifg) || echo "PermitRootLogin not found. Add it manually."
-
Install required packages
# sudo apt-get install winbind samba smbfs smbclient ntp krb5-user
-
Do some basic networking housecleaning in preparation for the specific package configurations to come.
-
Determine your windows domain name, DNS server name, and IP address for the active directory server (for samba). For conveniance I set environment variables for the windows domain and DNS server. For me it was (my AD IP address was 192.168.20.11):
# WINDOMAIN=mydomain.local && WINDNS=srv1.$WINDOMAIN && WINDNS_IP=192.168.20.11
If you want to figure out what your domain and DNS server is (I was contractor and didn't know the network) check out this helpful reference.
We need to christen the Linux box on the new network, this is done by editing the host file (replace the DNS of with the FQDN of the windows DNS):
# sudo sed -ri "s/^(127\.0\.[01]\.1[ \t]).*/\1$(hostname).$WINDOMAIN localhost $(hostname)/" /etc/hosts
We should also tell the forthcoming installed services where they can find there leader: some networks will have netbios name lookup services, but just in case, add an explicit entry in your
/etc/hosts
file, in my configuration I added the entry on the third (3) line:# sudo sed -ri "3 i $WINDNS_IP $WINDNS" /etc/hosts
The authentication and file sharing processes for the Windows and Linux boxes need to have their clocks agree. Do this with an NTP service, and on the server version of Ubuntu the NTP service comes installed and configured with one (1) NTP sever. Add yours before the Ubuntu one (or replace it entirely). The network I was joining had the DNS server serving up the NTP service too.
# sudo sed -ri "s/^(server[ \t]+)(.+)/\1$WINDNS\n\1\2/" /etc/ntp.conf
Restart the NTP daemon:# sudo /etc/init.d/ntp restart
-
-
Kerberos configuration.
The instructions that follow here aren't to be taken literally: the values forMYDOMAIN.LOCAL
andsrv1.mydomain.local
need to be replaced with what's appropriate for your network when you edit the files, but do note that where UPPERCASE is used UPPERCASE is needed.
If, during theapt-get install
of Kerberos you had the insight to respond to the "default domain" question correctly, then, goody for you, otherwise you'll have to do the following.-
Edit the (previously installed above)
/etc/krb5.conf
file.-
Find the
[libdefaults]
section and change the key value pair:[libdefaults]
default_realm = MYDOMAIN.LOCAL
-
Add the following to the
[realms]
section of the file:MYDOMAIN.LOCAL = {
kdc = srv1.mydomain.local
admin_server = srv1.mydomain.local
default_domain = MYDOMAIN.LOCAL
}
Add the following to the
[domain_realm]
section of the file:.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
A nice test at this point is to see if your AD controller will issue you a kerberos ticket. This isn't necessary but it can make some of you giddy:
# kinit <some_windows_domain_user>
Then to see the ticket:# klist
You'll see stuff about the ticket cache and expiries and renewals. Once the giddiness subsides, you may as well release/destroy the ticket:# kdestroy
-
-
-
Configure samba.
According to the following: There are times when CIFS can not be used or another network filesystem choice is better. If kerberos (krb5/SPNEGO) authentication support is needed for added security, then Samba's smbclient or smbfs must be used instead of cifs
Alas,cifs
support in the kernel for ubuntu 10.04 (based on kernel version 2.6.32.9) is at version 1.61, and according to the kernel documentation, experimental kerberos implementation has been there since version 1.54.
So there you are. I've no idea ifcifs
would work so I give you the samba configuration:Replace
/etc/samba/smb.conf
(remember I was working from a clean distro of Ubuntu, so I wasn't worried about breaking anything):[global]
security = ads
realm = MYDOMAIN.LOCAL
password server = 192.168.20.11
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
-
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
-
Setup the authentication.
Edit the
/etc/nsswitch.conf
. I was able to run the following command to get what I needed:# sed -ri 's/(compat)/\1 winbind/' /etc/nsswitch.conf
Here are the contents of my/etc/nsswitch.conf
file:passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
Join the computer to the domain. I'm not convinced this is necessary; particularly because of the security option in the
smb.conf
file (security = ads
). Perhaps someone can weigh in on this ...# sudo net ads join -U any_domain_user_account
You might get an errorDNS update failed!
, but that you'll be joined to the domain. If you get an error about not being able to find the server, your DNS records need to be modified. During th Ubuntu installation, the nameserver will often point to your gateway: most routers will do a DNS service. Best practices for windows server administration is the ADC should run DNS as well. In my case my/etc/resolve.conf
looks like this:nameserver 192.168.20.11
nameserver 8.8.8.8
The8.8.8.8
is a google DNS, a fairly reliable backup in case the windows one goes down.
At this point I could login (perhaps after a reboot), home directories didn't exist, but I could login.
-
CIFS Mounting on Login
This next step was the cherry for me; I didn't want the responsibility of backing up everyone's working directories, and the box Ubuntu was to be running was suspect in terms of reliability. By doing the following users could login and see their windows user directory automagically.Download the
pam_mount
module:# sudo apt-get install libpam-mount
I wanted the mount point to point be in the traditional/home/<user>
location: this part is configured by the/etc/samba/smb.conf
file (template homedir = /home/%U
). But I needed it to drill through the share and point to their own windows directory. This is accomplished by editting the/etc/security/pam_mount.conf.xml
file (which despite it's intention, XML isn't human readable):-
Add the following to
/etc/security/pam_mount.conf.xml
and alter to suit:<volume
user="*"
server="srv1.mydomain.local"
path="UserShares"
mountpoint="home"
fstype="cifs"
/>
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME)/%(USER) %(MNTPT)/%(USER) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>
Because of my goofy mount point I had to add this line too:
<umount>umount %(MNTPT)/%(USER)</umount>
And so that the user directories (for the mount point) would be created automatically find the line and make it so:
<mkmountpoint enable="1" remove="false" />
The
remove="false"
bit is quite important: if it's set to true,pam_mount.so
tries to delete the directory mount point which it can't do if a user has logged in multiple times. What you end up with in that case is lots of stray mounts on your system.pam_mount.so
still doesn't quite deliver as promised. In it's current form the mounts keep piling up and the home directories aren't being created. Somewhere between here and the previous Beta 2 release of 10.04 server, it was working. I can't recreate this though.
In the mean time for the directory creation I'm relying onpam_mkhomedir.so
, and stuck a line immediately before thepam_mount.so
line to accommodate.
I still haven't solved the multiple mounting issue. But untilpam_mount.so
is fixed, this is what I've got in my/etc/pam.d/common-session
file:session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_winbind.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session optional pam_mount.so
Thats it. It worked for me, and I hope you find it useful.
Numerous resources were considered so I could figure this out. Here is a short list (a number of these links point to mine own questions on the topic):
- Samba Kerberos
- Active Directory WinBind
- Mounting Linux user home directories on CIFS server
- Authenticating OpenBSD against Active Directory
- How to use Active Directory to authenticate linux users
- Mounting windows shares with Active Directory permissions
- Using Active Directory authentication with Samba on Ubuntu 9.10 server 64bit
- How practical is to authenticate a Linux server against AD?
- Auto-mounting a windows share on Linux AD login