
What this procedure will do

If all runs well you will have a Linux machine completely integrated with your Active Directory server. Shared folder permissions will be managed by your Samba server, using the groups and users taken directly from your AD Domain Controller. Just follow this guide and use the attached script!

Preface

Get The Script

from here

Requirements

For a first attempt I really recommend testing on a Linux virtual machine if at all possible.

sudo nano /etc/hostname

user-laptop

sudo nano /etc/hosts

127.0.0.1 localhost

127.0.1.1 user-laptop

Kerberos is time-dependent, so you have to make sure the machine's clock is correct, using a protocol such as NTP. Synchronize your Linux machine's date and time with the same NTP server your domain uses:

sudo ntpdate your.domain.ntp.server

You can also make this command run regularly with crontab:

sudo crontab -e

# m h dom mon dow command

00 12 * * * ntpdate your.domain.ntp.server

This way the command runs at 12:00 every day with root privileges (visit this link for more information about crontab).

sudo nano /etc/resolv.conf

domain yourdomain.local

search yourdomain.local

nameserver 10.0.0.5

nameserver 10.0.0.1

Note that if you are using a network manager program, your /etc/resolv.conf configuration will probably be ignored and replaced by an auto-generated one.

nslookup 10.0.0.5

Name: WServer2k3

Address: 10.0.0.5

nslookup WServer2k3

Name: WServer2k3

Address: 10.0.0.5

If you changed the hostname it is probably best to reboot the machine.
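As an added example (not part of this page or of AD_join.sh), a small sh pre-check for two of the requirements above: the 127.0.1.1 entry in /etc/hosts and the clock offset against the domain's NTP server. It assumes Kerberos' default 300-second skew limit, the placeholder NTP server name used above, and that "ntpdate -q" prints a line of the form "server ..., stratum ..., offset ..., delay ...".

```shell
#!/bin/sh
# Added example, not part of the original page or of AD_join.sh.
# Assumptions: Kerberos' default maximum clock skew (300 s); the NTP server
# name is the placeholder from the page; "ntpdate -q" prints a line like
# "server 10.0.0.5, stratum 2, offset -0.000831, delay 0.02568".
MAX_SKEW=300
NTP_SERVER=your.domain.ntp.server

# hosts_has_name FILE NAME: succeed if FILE maps 127.0.1.1 to NAME,
# the entry the page asks for in /etc/hosts.
hosts_has_name() {
    grep -Eq "^[[:space:]]*127\.0\.1\.1[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# skew_ok OFFSET: succeed if the clock offset (integer seconds, may be
# negative) is within MAX_SKEW, the limit beyond which the KDC rejects you.
skew_ok() {
    diff=$1
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Live check, only when run as "sh precheck.sh --check" (not when sourced).
if [ "${1:-}" = "--check" ]; then
    name=$(hostname)
    hosts_has_name /etc/hosts "$name" \
        && echo "ok: /etc/hosts maps 127.0.1.1 to $name" \
        || { echo "FAIL: add '127.0.1.1 $name' to /etc/hosts"; exit 1; }
    # Take the offset field from ntpdate's query output and drop the fraction.
    offset=$(ntpdate -q "$NTP_SERVER" | awk '/^server/ {sub(",", "", $6); print $6; exit}')
    [ -n "$offset" ] || { echo "FAIL: could not query $NTP_SERVER"; exit 1; }
    offset=${offset%.*}
    skew_ok "$offset" \
        && echo "ok: clock offset ${offset}s against $NTP_SERVER" \
        || { echo "FAIL: clock off by ${offset}s, run ntpdate $NTP_SERVER"; exit 1; }
fi
```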

Running

nano AD_join.sh

and modify only the variables in the first part of the script, editing only the text between the “quotation_marks”:

SUPER_USER="myusername"

DOMAIN="MYDOMAIN"

FQDN_CAPITAL="MYDOMAIN.LOCAL"

FQDN="mydomain.local"

DOMAIN_CONTROLLER="mydomaincontroller.domain.local"

Do not modify under the WARNING line unless you know what you're doing.

Make sure AD_join.sh has the execution bit set. Open a terminal, change into the directory containing the script, and run it with root privileges:

cd /path/of/script/directory/AD_join
sudo chmod +x AD_join.sh

Now you can run the script

sudo ./AD_join.sh

The script will install samba, winbind and kerberos on your machine and rename the original configuration files to *.bkp in order to preserve them (the entire /etc/pam.d/ directory is also copied to /etc/pam.d.bkp). It then puts the new files (smb.conf, krb5.conf, nsswitch.conf, system-auth) in the proper directories and restarts the necessary services. When the Kerberos configuration dialog appears, just select <OK> and leave the text field blank.

Testing and Joining

testparm

If all runs well you will see your Samba configuration. If not, the program will tell you which line of the smb.conf file has a problem. In that case you can try to correct it, or comment it out with "#" or ";". Samba will probably warn you about the "winbind separator = +" line, but that is fine.

sudo net ads join -U your_domain_admin

Replace "your_domain_admin" with the name of a domain administrator account. If the domain controller is not found automatically, specify it explicitly:

sudo net ads join -S your_server_IP_or_name -U your_domain_admin

If all is right you will see a "SUCCESS" message in your terminal.

wbinfo -u

This lists the domain's users.

wbinfo -g

This lists the domain's groups.

sudo wbinfo -a your_domain_user

This checks whether your_domain_user can authenticate to the domain with their password.

getent passwd
getent group

Note that even when the procedure has succeeded, the "getent" commands do not always give the expected results.

kinit your_domain_user@YOUR_DOMAIN.LOCAL

Replace "your_domain_user" with an existing user name and "YOUR_DOMAIN.LOCAL" with your domain name. If everything is set correctly you will be asked for your_domain_user's password. If not, kinit will print an error in the terminal; in that case check your Kerberos configuration. Remember that case matters here.

That's it!

Try to log in through ssh:

ssh your_domain_user@linux_machine

at the “password:” prompt enter your domain user's password.

sudo chgrp “domain admins” /home/MY_DOMAIN/*
sudo chmod 700 /home/MY_DOMAIN/*

This way your users' homes will be private but still accessible to members of “Domain Admins”. You may wish to automate these commands with cron or crontab, because the home directory created when a new user logs in for the first time has 755 permissions and “Domain Users” as its group, so all users can browse each other's homes. (And that's not such a big deal. In Italian: “Bella merda!”)
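As an added example (not from this page), an idempotent version of the two commands above that can be run from root's crontab: it only touches the homes that are not yet 700 or not yet owned by the admin group, and reports each change. It assumes Linux (GNU or BusyBox stat), the /home/MY_DOMAIN layout and the "domain admins" group named above.

```shell
#!/bin/sh
# Added example, not from the original page: an idempotent version of
#   sudo chgrp "domain admins" /home/MY_DOMAIN/* ; sudo chmod 700 /home/MY_DOMAIN/*
# meant for a root cron job. Assumes Linux (stat -c) and the page's layout.

# lock_homes ROOT GROUP: for every directory directly under ROOT, make it
# mode 700 and group GROUP, changing only entries that need it.
# Prints one line per change so the cron mail shows what was fixed.
lock_homes() {
    root=$1; group=$2
    for home in "$root"/*/; do
        [ -d "$home" ] || continue        # no homes yet: the glob stays literal
        home=${home%/}
        mode=$(stat -c %a "$home")
        grp=$(stat -c %G "$home")
        if [ "$mode" != "700" ]; then
            chmod 700 "$home" && echo "chmod 700 $home (was $mode)"
        fi
        if [ "$grp" != "$group" ]; then
            chgrp "$group" "$home" && echo "chgrp '$group' $home (was $grp)"
        fi
    done
}

# Crontab entry (sudo crontab -e) to run this every 10 minutes:
#   */10 * * * * /usr/local/sbin/lock_homes.sh --run
if [ "${1:-}" = "--run" ]; then
    lock_homes /home/MY_DOMAIN "domain admins"
fi
```

A cron job still leaves a window between a user's first login and the next run; giving pam_mkhomedir the umask=0077 option in the PAM configuration the script installs makes new homes private from the start.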

sudo service smbd restart

Manage access to each shared folder by editing its "valid users" field with the proper users and/or groups.

valid users =@YOUR_DOMAIN+your_group YOUR_DOMAIN+your_user

Note: no spaces between = and @

valid users =@"YOUR_DOMAIN+Group Name with Spaces"

Pay attention to the case of the domain names; they are case sensitive.

Troubleshooting

If you get this error msg:

"Failed to join domain: failed to connect to AD: Strong(er) authentication required"

you must add the following line to the GLOBAL section of your smb.conf:

client ldap sasl wrapping = sign

This is because a Microsoft update enables the LDAP signing requirement on your AD.
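As an added example (not from this page or from AD_join.sh), a POSIX sh/awk helper that adds or updates a key in the [global] section of smb.conf without duplicating it, so the fix above can be scripted and re-run safely. It assumes the [global] section exists and compares key names literally after trimming whitespace (Samba itself also ignores case and spaces in key names).

```shell
#!/bin/sh
# Added example, not part of the original page or of AD_join.sh.
# Assumes a POSIX sh and awk, and that smb.conf already has a [global]
# section. Key names are compared literally after trimming whitespace.

# smb_set_global FILE KEY VALUE: set KEY under [global]; replace the line if
# KEY is already there, else append it at the end of the [global] section.
# Rewrites FILE through a temporary copy so a failed awk leaves it intact.
smb_set_global() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v value="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ {                      # section header: leaving [global]?
            if (inglobal && !done) { print "   " key " = " value; done = 1 }
            inglobal = (tolower(trim($0)) == "[global]")
        }
        inglobal && !done && index($0, "=") {
            k = trim(substr($0, 1, index($0, "=") - 1))
            if (k == key) { print "   " key " = " value; done = 1; next }
        }
        { print }
        END { if (inglobal && !done) print "   " key " = " value }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# smb_get_global FILE KEY: print the current value of KEY in [global].
smb_get_global() {
    awk -v key="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[/ { inglobal = (tolower(trim($0)) == "[global]"); next }
        inglobal && index($0, "=") {
            k = trim(substr($0, 1, index($0, "=") - 1))
            if (k == key) print trim(substr($0, index($0, "=") + 1))
        }
    ' "$1"
}

# Apply the fix from the Troubleshooting section (run as root):
#   smb_set_global /etc/samba/smb.conf "client ldap sasl wrapping" sign
```

Run testparm afterwards, as in the Testing section, before restarting smbd.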

Originally posted on The Ubuntu Forums (ubuntuforums.org)

SambaActiveDirectoryDomainIntegrationScript (last edited 2012-07-18 10:59:40 by host86-130-25-119)