Integrate Linux & Active Directory using Kerberos, WinBind, Samba
We can integrate Linux and Active Directory using Kerberos, Winbind and Samba. Prerequisites to join an Ubuntu server to a Windows Active Directory domain:
- Your Ubuntu server must be able to reach the AD server.
- An Active Directory Domain administrator account, an account in Active Directory's 'Domain Admins' group, or an account that has sufficient privilege to join your Ubuntu server to the Active Directory domain.
Configure Hosts
The first step of the Active Directory join is to edit the /etc/hosts file. Set your machine's IP address and hostname in /etc/hosts:
vi /etc/hosts
In the hosts file, enter the following line (IP address, then the fully qualified hostname):
xx.xx.xx.xx mymachine.domain.com
Example:
10.0.0.50 mymachine.domain.com
Configure Local Resolver
Next, set up /etc/resolv.conf with your name server entries and the search domain. Usually the AD server IPs themselves are the name servers, since the DNS role is normally installed on the same server; Winbind and Kerberos locate the domain controllers through DNS SRV records, so the resolver must point at the AD DNS.
vi /etc/resolv.conf
In the resolv.conf file, enter the following values:
nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
search domain.com
Example:
nameserver 10.0.0.2
nameserver 10.0.0.3
search domain.com
Install the Utilities
Install the required packages,
apt-get -y install winbind sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli ntp
During the Kerberos installation you will see a pink (debconf) screen. Enter your full domain name in CAPITAL LETTERS,
Eg : DOMAIN.COM
and select OK by pressing TAB.
You may leave it BLANK and press OK if you wish to configure Kerberos later.
Configure NTP Settings
The date and time of your Ubuntu server/host must be synchronized with the Active Directory server, since Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted skew (5 minutes by default). Add your Active Directory's NTP hostnames to the /etc/ntp.conf file:
vi /etc/ntp.conf
server ntphost1.domain.com
server ntphost2.domain.com
You can also keep Ubuntu's NTP servers, provided your Active Directory server's time and the Ubuntu NTP server time are in sync.
vi /etc/ntp.conf
In that case, add the following values instead of the ones above:
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
Now sync the Ubuntu host's date and time with the NTP server and then start the NTP service.
If you are using your Active Directory's NTP service, execute the following commands:
ntpdate ntphost1.domain.com
ntpdate ntphost2.domain.com
systemctl enable ntp
systemctl start ntp
or
/etc/init.d/ntp restart
or
/etc/rc.d/init.d/ntp restart
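Before moving on to Kerberos it is worth confirming that the clock offset is actually inside the Kerberos tolerance, because a skew larger than clockskew (300 seconds by default) fails kinit and the later domain join with "Clock skew too great". The following script is an added example, not part of the original post: it parses the output of `ntpdate -q` (which queries a server without touching the local clock) and reports any server whose offset exceeds the limit. The ntpdate output, server addresses and offsets are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): check clock offset against the
# domain's time sources before attempting a Kerberos login or AD join.

# Constructed sample of `ntpdate -q ntphost1.domain.com ntphost2.domain.com`
# output (hypothetical addresses and offsets; one server is 412 s out).
SAMPLE_NTPDATE='server 10.0.0.2, stratum 3, offset -0.004821, delay 0.02629
server 10.0.0.3, stratum 3, offset 412.118320, delay 0.02734
 2 Nov 21:20:01 ntpdate[4242]: adjust time server 10.0.0.2 offset -0.004821 sec
'

# offset_ok NTPDATE_OUTPUT [LIMIT_SECONDS]
# Prints "<server> <offset>" for every "server ..." line whose absolute
# offset exceeds LIMIT (default 300, the Kerberos clockskew default) and
# returns 1 if any did; returns 0 when every server is within the limit.
offset_ok() {
    printf '%s\n' "$1" | awk -v limit="${2:-300}" '
        /^server / {
            server = $2; sub(/,$/, "", server)
            # locate the "offset" keyword and take the value that follows it
            for (i = 1; i <= NF; i++) if ($i == "offset") offstr = $(i + 1)
            sub(/,$/, "", offstr)
            off = offstr + 0                  # force numeric comparison
            abs = (off < 0) ? -off : off
            if (abs > limit + 0) { print server, offstr; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage against the constructed sample: lists 10.0.0.3 and returns 1.
offset_ok "$SAMPLE_NTPDATE"
```

On a real host run `ntpdate -q ntphost1.domain.com ntphost2.domain.com | ...` through the same function, or simply `offset_ok "$(ntpdate -q ntphost1.domain.com)"`, before running kinit.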
Configure Kerberos Settings
Create the Kerberos configuration file /etc/krb5.conf,
vi /etc/krb5.conf
Enter the following values in the Kerberos config file. Replace DOMAIN with your Kerberos realm (the AD domain name in capitals, as entered during installation) and domain with the lowercase DNS domain:
[libdefaults]
	ticket_lifetime = 600
	default_realm = DOMAIN
	default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
	default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
	DOMAIN = {
		kdc = <IP of your AD server>
		default_domain = DOMAIN
	}

[domain_realm]
	.domain = DOMAIN
	domain = DOMAIN

[kdc]
	profile = /etc/krb5kdc/kdc.conf

[logging]
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log
	default = FILE:/var/log/krb5lib.log
Note that the two enctype lines above include single DES (des-cbc-crc). DES is disabled by default on domain controllers since Windows Server 2008 R2, so on a current domain kinit fails with "KDC has no support for encryption type"; either omit the two lines so the client negotiates the library defaults, or list AES types (aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96) instead.
Now try to get a valid Kerberos ticket for your Active Directory administrator account:
kinit administrator@DOMAIN.COM
Password for administrator@DOMAIN.COM: <enter password>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COM

Valid starting       Expires              Service principal
02/11/2017 21:22:27  03/11/2017 07:22:27  krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 02/11/2017 21:22:27
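The two checks a practitioner wants at this point are that the krb5.conf does not pin the client to enctypes the domain controllers refuse, and that kinit really produced a ticket-granting ticket (a krbtgt/REALM@REALM line in klist) rather than some other cached ticket. The script below is an added example and not code from the original post; it runs the checks against an embedded krb5.conf excerpt and a copy of the klist output shown above, both constructed sample text, and the realm DOMAIN.COM is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit the client's Kerberos
# enctypes and confirm that a TGT is present after kinit.

# Constructed sample [libdefaults] excerpt, mirroring the post's krb5.conf.
SAMPLE_KRB5CONF='[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
'

# Constructed sample klist output, mirroring the session shown in the post.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.COM

Valid starting       Expires              Service principal
02/11/2017 21:22:27  03/11/2017 07:22:27  krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 02/11/2017 21:22:27
'

# weak_enctypes CONFIG_TEXT
# Prints every single-DES or RC4 enctype listed in default_tkt_enctypes /
# default_tgs_enctypes and returns 1 if any was found, 0 otherwise.
# Domain controllers disable DES by default, so a client pinned to it
# cannot obtain tickets at all; RC4 is still accepted but deprecated.
weak_enctypes() {
    printf '%s\n' "$1" |
    awk -F= '
        $1 ~ /default_(tkt|tgs)_enctypes/ {
            n = split($2, t, " ")
            for (i = 1; i <= n; i++)
                if (t[i] ~ /^(des-cbc-crc|des-cbc-md5|arcfour-hmac.*)$/) { print t[i]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# has_tgt KLIST_TEXT REALM
# Returns 0 when the klist output contains a ticket-granting ticket for REALM.
has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# realm_is_upper REALM
# Kerberos realms are case-sensitive and AD realms are the DNS domain in
# capitals; a lowercase realm is a common cause of "Cannot find KDC".
realm_is_upper() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Usage against the constructed samples.
weak_enctypes "$SAMPLE_KRB5CONF" || echo "weak enctypes configured"
has_tgt "$SAMPLE_KLIST" DOMAIN.COM && echo "TGT present for DOMAIN.COM"
realm_is_upper DOMAIN.COM && echo "realm is upper case"
```

On a real host the same functions take `"$(cat /etc/krb5.conf)"` and `"$(klist)"` as arguments.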
Configure NSSwitch
To configure NSSwitch, edit the file /etc/nsswitch.conf:
vi /etc/nsswitch.conf
Now enter the following values into your configuration file:
passwd: compat winbind
shadow: compat
group:  compat winbind
Configure SAMBA Service
To configure the Samba service on your Ubuntu box, edit the Samba configuration file /etc/samba/smb.conf.
To edit the file, execute the command,
vi /etc/samba/smb.conf
Replace DOMAIN with your domain name (without .com) and DOMAIN.COM with your complete domain name; the realm value must match the Kerberos realm you used with kinit above.
[global]
	workgroup = DOMAIN
	password server = <hostname of your domain controller>
	wins server = <IP of WINS server>
	realm = DOMAIN
	security = ads
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = false
	winbind offline logon = false
	# very important: the default \ separator does strange things in Unix/Linux
	winbind separator = +
	# only if you have trusted domains
	allow trusted domains = Yes
On current Samba releases the legacy idmap uid / idmap gid parameters have been replaced by idmap config * : backend = tdb and idmap config * : range = 16777216-33554431; the range itself serves the same purpose.
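Whichever syntax is used, the idmap range must not overlap UIDs and GIDs that already exist locally, otherwise a domain user can be mapped onto a local account's UID and inherit ownership of its files. The script below is an added example, not code from the original post or from Samba: it reads the idmap uid range out of an smb.conf excerpt and lists any /etc/passwd entries that fall inside it. The smb.conf text and the passwd lines (including the colliding svcbackup account) are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the winbind idmap
# range does not collide with UIDs already allocated in /etc/passwd.

# Constructed smb.conf excerpt using the range from the post.
SAMPLE_SMB='[global]
workgroup = DOMAIN
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
'

# Constructed /etc/passwd lines; svcbackup deliberately sits inside the range.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
svcbackup:x:16777300:16777300::/var/backups:/usr/sbin/nologin
'

# idmap_range SMBCONF_TEXT KEY
# Prints "LOW HIGH" for the parameter KEY ("idmap uid" or "idmap gid").
idmap_range() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v); print v; exit }'
}

# uids_in_range PASSWD_TEXT LOW HIGH
# Prints "name:uid" for each account whose UID lies in [LOW, HIGH];
# returns 1 if any did, 0 otherwise.
uids_in_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" -F: '
        NF >= 3 && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# check_idmap SMBCONF_TEXT PASSWD_TEXT
# Returns 0 when the idmap uid range is free of local UIDs, 1 when a local
# account collides (it is printed), 2 when no range is configured.
check_idmap() {
    set -- "$1" "$2" $(idmap_range "$1" "idmap uid")
    [ -n "$3" ] && [ -n "$4" ] || { echo "no idmap uid range configured" >&2; return 2; }
    uids_in_range "$2" "$3" "$4"
}

# Usage against the constructed samples: prints svcbackup:16777300, returns 1.
check_idmap "$SAMPLE_SMB" "$SAMPLE_PASSWD"
```

On a real host call `check_idmap "$(cat /etc/samba/smb.conf)" "$(getent passwd)"`; the same idmap_range/uids_in_range pair works for "idmap gid" against `getent group` with the group file's GID in field 3.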
Restart the Samba & Winbind
To restart the Samba and Winbind services, execute the following commands (on Ubuntu the Samba daemon service is named smbd; smb is the name used on Red Hat family systems):
service smb restart
service winbind restart
or
/etc/init.d/smb restart
/etc/init.d/winbind restart
or
/etc/rc.d/init.d/smb restart
/etc/rc.d/init.d/winbind restart
Verify krb5.keytab
To list the contents of the /etc/krb5.keytab file, execute the following command,
klist -kt
To show the available Kerberos tickets, execute the command,
klist -c /var/lib/sss/db/ccache_DOMAIN.COM
SUDOER Configuration
To enable a particular AD group to have admin privilege on the Ubuntu box, you need to edit the sudoers configuration. The sudo file is located at /etc/sudoers. Members of the AD groups added to sudoers can perform sudo.
To edit the sudoers file, execute,
vi /etc/sudoers
(visudo edits the same file but validates the syntax before saving; a syntax error in /etc/sudoers locks everyone out of sudo.)
# Members of the admin group may gain root privileges
#%admin ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD:ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD:ALL

## AD Domain Groups and Users
# Adding Domain Admins and it_support as admins
%domain\ admins ALL=(ALL) NOPASSWD:ALL
%it_support ALL=(ALL) NOPASSWD:ALL

# Adding user george as admin
george ALL=(ALL) NOPASSWD:ALL
The group name in a %group entry must match exactly what getent group returns; with winbind use default domain = false and winbind separator = + as configured above, domain groups show up as DOMAIN+domain admins, so check the getent output and prefix the entry accordingly. NOPASSWD:ALL grants passwordless root to every member of the group; drop the NOPASSWD: tag unless unattended sudo is genuinely required.
Configure LightDM
To configure LightDM, create the LightDM configuration file /etc/lightdm/lightdm.conf:
vi /etc/lightdm/lightdm.conf
[SeatDefaults]
allow-guest=false
greeter-hide-users=true
greeter-show-manual-login=true
Once the file is saved, restart the LightDM service by executing the following command,
service lightdm restart
Join the Ubuntu Host to Active Directory Domain
To join the Linux host to the Active Directory domain, execute the following command,
net ads join -U DOMAIN+username%password
Passing the password after % puts it into the shell history and the process list; omitting the %password part makes net prompt for it instead.
Verify the AD connectivity
To verify the Active Directory connectivity, execute the following commands.
To test the AD join, execute,
net ads testjoin
If the result is 'Join is OK', then test Winbind. To test the Winbind service, execute the following commands.
To list the AD users,
wbinfo -u
To list the AD groups,
wbinfo -g
(wbinfo -u and wbinfo -g take no argument and list every domain user or group; to query a single account use wbinfo -i DOMAIN+username.)
If your AD group and user details are displayed, your Linux box is successfully integrated into the AD domain.
getent passwd
getent group
id <ad user name>
Now try a server reboot. Also try to access the server via SSH from another host and perform sudo.