linux:ad_integration:winbind

no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


linux:ad_integration:winbind [2021/03/29 15:35] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== Ubuntu 20.04 and Samba integration with Active Directory using Winbind ======
 +===== Install required programs =====
 +<code bash>su@fs:~$ sudo apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules</code>
 +{{ :linux:ad_integration:krb5.png?nolink |}}
 +===== Configure everything =====
 +<code bash>
 +su@fs:~$ sudo vim /etc/samba/smb.conf
 +   workgroup = EXAMPLE
 +   realm = EXAMPLE.COM
 +   security = ads
 +   idmap config * : backend = tdb
 +   idmap config * : range = 3000-7999
 +   idmap config EXAMPLE : backend = rid
 +   idmap config EXAMPLE : range = 10000-999999
 +   template homedir = /home/%U
 +   template shell = /bin/bash
 +   winbind use default domain = true
 +   winbind offline logon = false
 +
 +su@fs:~$ sudo vim /etc/nsswitch.conf
 +passwd:         files systemd winbind
 +group:          files systemd winbind
 +
 +su@fs:~$ sudo vim /etc/pam.d/common-session
 +# add to the end if you need (auto create a home directory at initial login)
 +session optional        pam_mkhomedir.so skel=/etc/skel umask=077
 +
 +# change DNS setting to refer to AD
 +su@fs:~$ sudo vim /etc/netplan/00-installer-config.yaml
 +network:
 +  ethernets:
 +    eth0:
 +      addresses:
 +      - 192.168.2.251/24
 +      gateway4: 192.168.2.1
 +      nameservers:
 +        addresses:
 +        - 192.168.2.2
 +        search:
 +        - example.com
 +  version: 2
 + 
 +# apply the configuration
 +su@fs:~$ sudo netplan apply
 +</code>
 +===== Join Ubuntu to Active Directory =====
 +<code bash>
 +# join in domain ( net ads join -U [AD's Administrative user])
 +su@fs:~$ sudo net ads join -U Administrator
 +Enter Administrators password:
 +Using short domain name -- EXAMPLE
 +Joined 'SMB' to dns domain 'example.com'
 +su@fs:~$ sudo systemctl restart winbind
 +# show domain info
 +su@fs:~$ sudo net ads info
 +LDAP server: 192.168.2.2
 +LDAP server name: dc.example.com
 +Realm: EXAMPLE.COM
 +Bind Path: dc=EXAMPLE,dc=COM
 +LDAP port: 389
 +Server time: Mon, 29 Mar 2021 13:30:41 UTC
 +KDC server: 192.168.2.2
 +Server time offset: -116
 +Last machine account password change: Mon, 29 Mar 2021 11:28:46 UTC
 +
 +# show AD user list
 +su@fs:~$ sudo wbinfo -u
 +administrator
 +guest
 +krbtgt
 +user
 +mssql
 +ldapusers
 +
 +# verify to login with an AD user
 +su@fs:~$ su -l user@example.com
 +Password:
 +Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)
 +
 +.....
 +.....
 +
 +Creating directory '/home/user'.
 +user@fs:~$ id
 +uid=11295(user) gid=10513(domain users) groups=10513(domain users),3000(BUILTIN\administrators),3001(BUILTIN\users),10512(domain admins),10518(schema admins),10519(enterprise admins),10572(denied rodc password replication group),11028(dhcp administrators),11130(dnsadmins),11295(user)
 +
 +user@fs:~$ exit
 +
 +# add users to sudo group
 +su@fs:~$ sudo usermod -aG sudo user@example.com
 +# or add a domain group to sudoers
 +su@fs:~$ visudo
 +# append the line (with the desired group name
 +%Domain\ admins  ALL=(ALL:ALL) ALL
 +
 +</code>
 +===== SAMBA integration =====
 +<code bash>
 +su@fs:~$ sudo apt install samba
 +su@fs:~$ vim /etc/samba/smb.conf
 +[global]
 +   workgroup = EXAMPLE
 +        realm = EXAMPLE.COM
 +        security = ads
 +        idmap config * : backend = tdb
 +        idmap config * : range = 3000-7999
 +        idmap config EXAMPLE : backend = rid
 +        idmap config EXAMPLE : range = 10000-999999
 +        template homedir = /home/%U
 +        template shell = /bin/bash
 +        winbind use default domain = true
 +        winbind offline logon = false
 +        winbind refresh tickets = yes
 +   server string = %h server (Samba, Ubuntu)
 +   log file = /var/log/samba/log.%m
 +   max log size = 1000
 +   logging = file
 +   panic action = /usr/share/samba/panic-action %d
 +   server role = standalone server
 +#   obey pam restrictions = yes
 +   unix password sync = yes
 +   passwd program = /usr/bin/passwd %u
 +   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 +   pam password change = yes
 +   map to guest = bad user
 +   usershare allow guests = yes
 +[public]
 +        comment = Public share
 +        path = /shared/public
 +        read only = no
 +        guest ok = no
 +        browsable = yes
 +        writable = yes
 +        #admin users =
 +        valid users = @"EXAMPLE\Domain users"
 +        #invalid users =
 +        #read list =
 +        write list = @"EXAMPLE\Domain users"
 +
 +        create mask = 0770
 +        force create mode = 0770
 +
 +        security mask = 0770
 +        force security mask = 0770
 +
 +        directory mask = 0770
 +        force directory mode = 0770
 +
 +        directory security mask = 0770
 +        force directory security mode = 0770
 +
 +        inherit acls = no        
 +</code>
 +Also, make sure to mount the volume holding the shares with **noacl** in fstab, and do not set **obey pam restrictions = yes**, else security, create and directory mode directives are ignored
  
  • linux/ad_integration/winbind.txt
  • Last modified: 2021/03/29 15:35
  • by 127.0.0.1