linux:ad_integration:winbind [2021/03/29 15:35] (current) – created - external edit 127.0.0.1
====== Ubuntu 20.04 and Samba integration with Active Directory using Winbind ======
===== Install required programs =====
<code bash>
</code>
===== Configure everything =====
<code bash>
su@fs:~$ sudo vim /

   realm = EXAMPLE.COM

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999


su@fs:~$ sudo vim /
passwd:
group:

su@fs:~$ sudo vim /
# append to the end if you want a home directory created automatically at first login
session optional

# change the DNS setting so name resolution goes through the AD domain controller
su@fs:~$ sudo vim /
network:
  ethernets:
    eth0:
      addresses:
        - 192.168.2.251/
      gateway4: 192.168.2.1
      nameservers:
        addresses:
          - 192.168.2.2
        search:
          - example.com
  version: 2

# apply the configuration
su@fs:~$ sudo netplan apply
</code>
===== Join Ubuntu to Active Directory =====
<code bash>
# join the domain: net ads join -U <AD account allowed to join computers>
# (an account delegated only the right to create computer objects in the target OU
#  is preferable to using Domain Administrator)
su@fs:~$ sudo net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined '
su@fs:~$ sudo systemctl restart winbind
# show domain info
su@fs:~$ sudo net ads info
LDAP server: 192.168.2.2
LDAP server name: dc.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,
LDAP port: 389
Server time: Mon, 29 Mar 2021 13:30:41 UTC
KDC server: 192.168.2.2
Server time offset: -116
Last machine account password change: Mon, 29 Mar 2021 11:28:46 UTC

# list AD users
su@fs:~$ sudo wbinfo -u
administrator
guest
krbtgt
user
mssql
ldapusers

# verify login as an AD user
su@fs:~$ su -l user@example.com
Password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

.....
.....

Creating directory '/
user@fs:~$ id
uid=11295(user) gid=10513(domain users) groups=10513(domain users),

user@fs:~$ exit

# add a single AD user to the sudo group
su@fs:~$ sudo usermod -aG sudo user@example.com
# or grant sudo to a whole AD group via sudoers
su@fs:~$ sudo visudo
# append a line for the desired group (spaces in the group name must be escaped)
%Domain\ admins

</code>
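The idmap ranges configured above and the ids printed by id(1) after the join are tied together by the rid backend, which assigns unix id = range_low + RID; that is why the user shows up as uid 11295 (RID 1295 + 10000) and "domain users" as gid 10513 (well-known RID 513 + 10000). The following POSIX shell script is an added example and not part of the original page: it runs offline on constructed copies of the page's smb.conf idmap lines and ''net ads info'' output and checks that the default ('*') and EXAMPLE ranges do not overlap, that the observed uid/gid match what the rid formula predicts, and that the reported server time offset is inside Kerberos' default 300 s clock skew tolerance. The RID 1295 (derived from the page's uid) and the 300 s limit are assumptions, stated in the script.

```shell
#!/bin/sh
# Added example, not part of the original page: offline sanity checks for the
# winbind configuration above, run on constructed copies of the page's smb.conf
# idmap lines and of the `net ads info` output so no domain is needed.
# Assumptions: idmap_rid assigns id = range_low + RID (documented idmap_rid
# behaviour); Kerberos' default clock skew tolerance is 300 s.

# Constructed input: the idmap lines from the page's smb.conf.
SMB_CONF='[global]
   realm = EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999'

# Constructed input: the relevant lines of the page's `net ads info` output.
ADS_INFO='Realm: EXAMPLE.COM
Server time: Mon, 29 Mar 2021 13:30:41 UTC
KDC server: 192.168.2.2
Server time offset: -116'

# idmap_range DOMAIN -> "low high" taken from "idmap config DOMAIN : range = low-high"
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -v dom="$1" -F'=' '
        $1 ~ /idmap config/ && $1 ~ /range/ {
            split($1, key, ":")
            d = key[1]; sub(/.*idmap config/, "", d); gsub(/[ \t]/, "", d)
            if (d == dom) { gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2] }
        }'
}

# ranges_overlap "low1 high1" "low2 high2" -> success if the two ranges intersect.
# Overlapping ranges let a domain SID and a local/BUILTIN SID map to the same
# unix id, silently merging two principals' file permissions.
ranges_overlap() {
    set -- $1 $2   # intentional word splitting: low1 high1 low2 high2
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# rid_to_id DOMAIN RID -> unix id idmap_rid assigns; fails if the domain has no
# range or the id falls outside it (such SIDs get no unix id at all)
rid_to_id() {
    set -- "$2" $(idmap_range "$1")   # RID low high
    [ $# -eq 3 ] || return 1
    unixid=$(( $2 + $1 ))
    [ "$unixid" -le "$3" ] || return 1
    echo "$unixid"
}

# check_idmap -> fails if the default ('*') range and the EXAMPLE range overlap
check_idmap() {
    default=$(idmap_range '*')
    domain=$(idmap_range EXAMPLE)
    if ranges_overlap "$default" "$domain"; then
        echo "idmap ranges overlap: '*' $default vs EXAMPLE $domain" >&2
        return 1
    fi
    echo "idmap ranges ok: '*' $default, EXAMPLE $domain"
}

# kerberos_skew_ok -> success if |Server time offset| is below 300 s; a larger
# offset makes the KDC reject tickets (KRB_AP_ERR_SKEW), so join and logins fail
kerberos_skew_ok() {
    off=$(printf '%s\n' "$ADS_INFO" | awk -F': ' '/^Server time offset/ { print $2 }')
    [ "${off#-}" -lt 300 ]
}

check_idmap
# RID 1295 -> 11295 and RID 513 (Domain Users) -> 10513, as in the id(1) output above
echo "RID 1295 -> $(rid_to_id EXAMPLE 1295)"
echo "RID 513  -> $(rid_to_id EXAMPLE 513)"
if kerberos_skew_ok; then
    echo "clock skew within Kerberos tolerance"
else
    echo "clock skew too large: fix NTP before joining" >&2
fi
```

To use it against a real host, replace the constructed SMB_CONF and ADS_INFO strings with the contents of the actual smb.conf and the output of ''sudo net ads info''; if check_idmap fails, change one of the ranges before any files are created on the share, because ids already written to disk are not remapped when the ranges change.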
===== SAMBA integration =====
<code bash>
su@fs:~$ sudo apt install samba
su@fs:~$ sudo vim /
[global]

   realm = EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   winbind refresh tickets = yes

   log file = /
   max log size = 1000

   panic action = /

   # obey pam restrictions = yes
   unix password sync = yes


   pam password change = yes
   map to guest = bad user

[public]
   comment = Public share
   path = /
   read only = no
   guest ok = no
   browsable = yes
   writable = yes
   #admin users =
   valid users = @"
   #invalid users =
   #read list =
   write list = @"

   create mask = 0770
   force create mode = 0770

   security mask = 0770
   force security mode = 0770

   directory mask = 0770
   force directory mode = 0770

   directory security mask = 0770
   force directory security mode = 0770

   inherit acls = no
</code>
Also mount the volume holding the shares with **noacl** in fstab, and do not set **obey pam restrictions = yes**; otherwise the security, create and directory mode directives above are ignored. After editing smb.conf, run **testparm**: it reports syntax errors and any parameter this Samba version does not recognise. An unrecognised parameter is silently ignored by smbd, so the effective permissions on the share would not be the ones configured here.