Samba ADS integration without Kerberos
Posted by simonw on Fri 5 May 2006 at 17:12
An article on Debian-Administration.org already covered ADS set up with Kerberos. But I was looking for the most lightweight and nimble ADS integration so I can achieve the less ambitious goal of single username and password.
Aim: Allow Debian Sarge box to join ADS domain without using Kerberos and create user accounts on the fly. The resulting Debian system should work for NT Domain users for most or all services being offered, with the same username and password without having to type the domain in each time.
Disclaimer/Caveats: I'm not a PAM expert, or a Samba expert, or a Debian expert. This configuration is something I worked out as a proof of concept since I wanted to integrate the Linux servers at work into the ADS, so users only have one password to remember/change. It is likely very wrong in places; hopefully public scrutiny will fix any major oversights. This was drawn from my notes; the actual procedure was far less linear, not least because installing the Etch version only happened after much head scratching.
This method of integrating ADS to Linux doesn't ensure that the UIDs and GIDs are consistent across multiple Linux servers (unlike say NIS/NIS+, or the RFC2307 type solutions). As such it is useful where you want to integrate a small number of Debian servers providing specific services into the ADS environment, and have no intention of networking those Linux boxes together using say NFS (except for purely administrative purposes).
Environment
Windows 2000 servers, with three ADS servers. The old-fashioned NT domain name is "NTDOMAIN". The ADS domain name is "ntdnsdomain.example.com". The ADS servers are "server1.ntdnsdomain.example.com" (and server2, server3). The hostname (and NetBIOS name) of the Debian server is "debtest".
Get Software Installed
Take Debian Sarge with winbind and samba
#apt-get install samba winbind
Fix the stable release as the default
/etc/apt/apt.conf -- added line
APT::Default-Release "stable";
Arrange to have testing as a less preferred release. /etc/apt/preferences -- created with
   Package: *
   Pin: release a=testing
   Pin-Priority: 200
Arrange to have testing repository known to APT /etc/apt/sources.list -- added line
deb http://{your-nearest-debian-mirror}/ testing main
Learn what is in the new repository
#apt-get update
Get the testing version of this software
#apt-get -t testing install winbind samba
Configure Software correctly.
Stop "winbind" and "samba"
#/etc/init.d/winbind stop
#/etc/init.d/samba stop
Ensure that the client machine is in the domain of the DNS servers
Either ensure that "/etc/resolv.conf" has
search ntdnsdomain.example.com { optional other domains }
Or, in our case, edit "/etc/dhclient.conf" to contain:
supersede domain-name "ntdnsdomain.example.com"
Or update your DHCP server as appropriate.
Configure SAMBA by updating the /etc/samba/smb.conf file.
We updated/added the following entries in the [global] section; this isn't a complete file, just the lines that changed. Samba only treats a line that starts with # or ; as a comment, so a note placed after a value on the same line would become part of that value; the notes below are therefore on their own lines.
   workgroup = NTDOMAIN
   dns proxy = yes
   security = domain
   # Only server1 was actually used for testing: fewer event logs to check
   password server = server1 server2 server3
   netbios name = debtest
   # Not needed here: once "winbind use default domain" is on, the separator only
   # appears in names of users from other (trusted) domains
   winbind separator = .
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   # Enumeration is handy for testing but expensive on large domains, and it is
   # not required for logins
   winbind enum users = yes
   winbind enum groups = yes
   # This template can include the domain name if required
   template homedir = /home-ads/%U
   template shell = /bin/bash
   # Allows logging in as "username" instead of "NTDOMAIN.username"
   winbind use default domain = Yes
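The following lint script is an added example and is not code from the original article. It reads an smb.conf fragment the way Samba does (parameter names compared ignoring case and whitespace, comments only recognised at the start of a line) and checks the settings the rest of this procedure depends on: security = domain, a workgroup, a password server, a home directory template and sane idmap ranges. Its main purpose is to catch the trailing-comment mistake, since "template homedir = /home-ads/%U # note" would make the whole string the home directory. It assumes POSIX sh with awk and mktemp; the sample fragment in smb_conf_demo is constructed for the demonstration and is not a real site's file.

```shell
#!/bin/sh
# Added example, not code from the original article: lint an smb.conf fragment
# for the settings the winbind setup above depends on.  Assumptions: POSIX sh
# with awk and mktemp; the file to check is passed as the first argument.

# Print one "name<TAB>value" line per parameter.  Samba matches parameter
# names ignoring case and whitespace ("netbiosname" == "netbios name"), so the
# name is normalised the same way.  Only a line that STARTS with '#' or ';'
# is a comment; everything after the '=' is the value, trailing "# note" text
# included, which is exactly how Samba reads it.
smb_params() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print name "\t" val
        }' "$1"
}

# Value of one parameter (normalised name); last occurrence wins, empty if unset.
smb_get() {
    smb_params "$1" | awk -F'\t' -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Return 0 if the fragment is consistent with the setup described above, 1 if
# not.  Each finding is printed to stderr.
check_smb_conf() {
    f=$1; rc=0
    # 1. Trailing comments are kept as part of the value, so any value that
    #    still contains " #" or " ;" is a defect.
    for name in $(smb_params "$f" | awk -F'\t' '$2 ~ /[ \t][#;]/ { print $1 }'); do
        echo "$name: comment text kept as part of the value" >&2; rc=1
    done
    # 2. Settings that "net rpc join" and the PAM/NSS steps rely on.
    [ "$(smb_get "$f" security | tr 'A-Z' 'a-z')" = domain ] ||
        { echo "security must be 'domain' for an RPC domain join" >&2; rc=1; }
    [ -n "$(smb_get "$f" workgroup)" ] || { echo "workgroup (the NT domain) is unset" >&2; rc=1; }
    [ -n "$(smb_get "$f" passwordserver)" ] || { echo "password server is unset" >&2; rc=1; }
    [ -n "$(smb_get "$f" templatehomedir)" ] || { echo "template homedir is unset" >&2; rc=1; }
    # 3. idmap uid/gid must both be "low-high" ranges with low < high, or
    #    winbind cannot allocate Unix ids for domain accounts.
    for name in idmapuid idmapgid; do
        r=$(smb_get "$f" $name | tr -d ' \t')
        case $r in
            [0-9]*-[0-9]*)
                lo=${r%-*}; hi=${r#*-}
                [ "$lo" -lt "$hi" ] || { echo "$name: low end of range $r is not below the high end" >&2; rc=1; } ;;
            *)  echo "$name: missing or malformed range '$r'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on a constructed fragment (not a real site's file)
# that carries the trailing-comment mistake; returns the lint result (1 here).
smb_conf_demo() {
    tmpf=$(mktemp)
    cat > "$tmpf" <<'EOF'
[global]
   workgroup = NTDOMAIN
   security = domain
   password server = server1 server2 server3
   netbiosname = debtest
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   template homedir = /home-ads/%U # This template can include the domain name
   winbind use default domain = Yes
EOF
    if check_smb_conf "$tmpf"; then demo_rc=0; else demo_rc=1; fi
    rm -f "$tmpf"
    return $demo_rc
}

# Usage: sh smbconf-lint.sh /etc/samba/smb.conf   or   sh smbconf-lint.sh --demo
case ${1:-} in
    --demo) smb_conf_demo ;;
    ?*)     check_smb_conf "$1" ;;
esac
```

Run it against /etc/samba/smb.conf before starting Samba; the --demo run exits non-zero and names "templatehomedir" as the parameter whose value swallowed the comment.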
Start Samba
# /etc/init.d/samba start
Join the domain
Windows' use of secure channels means every machine in a domain must be added by someone with appropriate authority. This will create an entry in the ADS "Users and Computers" admin tool for the computer "debtest". The RPC join authenticates with NTLM rather than Kerberos, which is the point of this setup. "net" prompts for the Administrator password; do not put it on the command line, where it would be visible to every local user in the process list. The machine account password that the join produces is stored in Samba's secrets.tdb (/var/lib/samba/secrets.tdb on Debian), which must stay readable by root only.
#net rpc join -S server1 -U Administrator
Start winbind
# /etc/init.d/winbind start
Test membership of domain
#wbinfo -t
Configure Winbind to be used.
Modify /etc/nsswitch.conf
Lines:
   passwd:  compat
   group:   compat
   shadow:  compat
   hosts:   files dns
Replaced with:
   passwd:  files winbind
   group:   files winbind
   shadow:  files
   hosts:   files dns winbind
Keep "files" ahead of "winbind": a lookup stops at the first source that answers, so local accounts (root in particular) are always taken from /etc/passwd and /etc/group before winbind is asked.
Modify PAM
We modify the "common" pam files so that NTDOMAIN usernames are usable everywhere.
/etc/pam.d/common-auth
Replace the line:
   auth required pam_unix.so nullok_secure
With:
   auth sufficient pam_winbind.so
   auth required pam_unix.so nullok_secure use_first_pass
The new line allows you to authenticate against winbind.
The "use_first_pass" reuses the password tried for winbind for the Unix login, allowing the pre-existing Unix users (like "root"!) to log in without having to enter a dummy password for the NTDOMAIN password prompt.
/etc/pam.d/common-account
Insert before the line:
   account required pam_unix.so
a line reading:
   account sufficient pam_winbind.so
/etc/pam.d/common-session
Insert after the line:
   session required pam_unix.so
a line reading:
   session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
This line ensures that home directories for users who have never used the system before are created automatically at first login. Choose a skel directory and umask to suit; note that umask=0022 produces world-readable home directories, while umask=0077 keeps each domain user's files private from the others.
Test
At this point you should be able to log in as an NTDOMAIN user at a login prompt or via ssh. A home directory should be created under /home-ads named after the user; as the transcript shows, winbind presents the name in lower case, so "Administrator" ends up in /home-ads/administrator.
   Ctrl-Alt-F2
   Login: Administrator
   Password: asecret
   administrator@debtest:~$ pwd
   /home-ads/administrator
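The verification script below is an added example, not code from the original article. It checks the two files edited above for the properties that matter: nsswitch.conf must list winbind for passwd, group and hosts with "files" ahead of it, and common-auth must stack pam_winbind.so as "sufficient" before a pam_unix.so line carrying use_first_pass. When wbinfo is installed it then runs the live checks from the procedure: the trust secret (wbinfo -t), user enumeration, and NSS resolution of a domain account, after confirming that secrets.tdb is root-only. It assumes POSIX sh with awk, Debian's file locations, /var/lib/samba as Samba's private dir, and "Administrator" as the default account to resolve; the NSSWITCH and COMMON_AUTH variables are this script's own convention for checking copies of the files.

```shell
#!/bin/sh
# Added example, not code from the original article: verify the NSS and PAM
# changes above are in place and ordered correctly, then run the live winbind
# checks when the tools are installed.  Assumptions: POSIX sh with awk, and the
# Debian locations /etc/nsswitch.conf, /etc/pam.d/common-auth and
# /var/lib/samba/secrets.tdb (Samba's default "private dir" on Debian).

# nsswitch.conf: passwd, group and hosts must list winbind, and "files" must
# come first so local accounts (root above all) are always resolved from
# /etc/passwd and /etc/group before winbind is consulted.
nss_ok() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        index(line, ":") == 0 { next }
        {
            db = substr(line, 1, index(line, ":") - 1); gsub(/[ \t]/, "", db)
            n = split(substr(line, index(line, ":") + 1), src, " ")
            fpos = 0; wpos = 0
            for (i = 1; i <= n; i++) {
                if (src[i] == "files") fpos = i
                if (src[i] == "winbind") wpos = i
            }
            seen[db] = 1
            if (wpos == 0) msg[db] = "does not list winbind"
            else if (fpos == 0 || fpos > wpos) msg[db] = "must list files before winbind"
        }
        END {
            rc = 0
            split("passwd group hosts", want, " ")
            for (i in want) {
                d = want[i]
                if (!(d in seen)) { print "nsswitch: no " d " line" > "/dev/stderr"; rc = 1 }
                else if (d in msg) { print "nsswitch: " d " " msg[d] > "/dev/stderr"; rc = 1 }
            }
            exit rc
        }' "$1"
}

# common-auth: pam_winbind.so must be "sufficient" and precede pam_unix.so,
# and pam_unix.so needs use_first_pass, otherwise local users are prompted
# twice (once for the domain, once for the Unix password).
pam_auth_ok() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "auth" {
            n++
            if ($3 == "pam_winbind.so") { wb = n; wbctl = $2 }
            if ($3 == "pam_unix.so") {
                ux = n
                for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ufp = 1
            }
        }
        END {
            rc = 0
            if (!wb) { print "common-auth: no auth line for pam_winbind.so" > "/dev/stderr"; rc = 1 }
            else if (wbctl != "sufficient") { print "common-auth: pam_winbind.so is " wbctl ", expected sufficient" > "/dev/stderr"; rc = 1 }
            if (!ux) { print "common-auth: no auth line for pam_unix.so" > "/dev/stderr"; rc = 1 }
            else if (wb && ux < wb) { print "common-auth: pam_unix.so must follow pam_winbind.so" > "/dev/stderr"; rc = 1 }
            else if (!ufp) { print "common-auth: pam_unix.so lacks use_first_pass" > "/dev/stderr"; rc = 1 }
            exit rc
        }' "$1"
}

# Live checks, skipped when winbind is not installed.  $1 is a domain account
# to resolve through NSS.
live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed, skipping live checks" >&2; return 0; }
    # secrets.tdb holds the machine trust-account password: root-only, mode 600.
    s=/var/lib/samba/secrets.tdb
    if [ -e "$s" ] && [ "$(stat -c '%U:%a' "$s")" != root:600 ]; then
        echo "$s should be root:600, is $(stat -c '%U:%a' "$s")" >&2; return 1
    fi
    wbinfo -t || return 1               # trust secret still accepted by the DC
    wbinfo -u | head -n 3               # enumeration works (winbind enum users)
    getent passwd "$1" && id "$1"       # NSS + idmap hand out a uid for the account
}

# Usage (as root, after the join): sh winbind-check.sh --run [account]
if [ "${1:-}" = --run ]; then
    nss_ok "${NSSWITCH:-/etc/nsswitch.conf}" &&
        pam_auth_ok "${COMMON_AUTH:-/etc/pam.d/common-auth}" &&
        live_checks "${2:-Administrator}"
fi
```

The id printed by the last live check should fall inside the "idmap uid" range from smb.conf (15000-20000 above); a uid outside it means the account was resolved from somewhere other than winbind.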
Dear Lazy-web, let me know what I got wrong by Monday, and I'll be happy
Sources
SAMBA HOWTO Chapter 23
Countless articles trying to understand all the weird errors, and debugging required to make this work
I'm using this server as a squid proxy with integrated NTLM authentication. I tried various other separators, but couldn't get (e.g.) DOMAIN+uname, DOMAIN%uname etc. recognised by squidGuard.
I did note that when I was using the current "Sarge" version of the software, it would use "i" as the separator independent of what appeared in "smb.conf", a clear indication of a serious problem with the Sarge version of Samba.
Not sure what the appropriate bug reporting procedure is for a bug already fixed upstream. But the "i" as separator may indicate the bug is worthy of attention from the security people (although I guess running Samba in an insecure environment is kind of like running Windows in an insecure environment) since that looks like a pointer issue.
Unfortunately Samba is popular, and I lost the will to live ploughing through the existing bug reports. We now have two articles giving different ways of avoiding the Samba in Sarge, which makes me think Sarge has a problem here.
I noted also a bug report saying Samba doesn't work with Microsoft Vista, so clearly some testing needs to go on, and Etch needs to release before Vista, to keep everyone happy. Alternatively, don't buy Vista ;)
I'm working on the same task, still having some problems like:
- When browsing LAN I don't want to be asked for username/pwd again...
- What about when the NT password expires? Is there an X interface to smbpasswd?
cheerio!
finley
Afraid I don't know the answers to your questions.
It is usually all fine and dandy, but there are some warnings:
1) when you want to have any userid/groupid consistency between various machines, you'd better use common idmap cache.
2) in big AD environments (more than 2000 user / group objects) winbind shows how highly inefficient it is. A simple enumeration of users could choke the system on a really powerful machine (...and user/group enumeration is not that uncommon, for example mc does that at start). You can disable user/group enumeration, but with so many objects in AD winbind will choke anyway.
All in all, I found a solution that uses dual LDAP/Kerberos (AD) for authentication and LDAP for keeping the user data much more stable. The Linux/Unix LDAP infrastructure is separate, but has the usernames synchronized with AD (by hand ATM, but this can be achieved by a simple script).
Jubal
Congratulations on the job!
I have some problems here!
When I access the Samba server I enter the user and password for the ADS domain and I can see the shares, but when I try to access a share it asks for user and password again and does not accept any user/password.
Thanks
[2007/01/23 15:21:07, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password user@OSCA.LOCAL failed: Improper format of Kerberos configuration file
[2007/01/23 15:21:07, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Improper format of Kerberos configuration file
Unable to find a suitable server
Unable to find a suitable server