[Edit] I've since tested this on the full release of Ubuntu 10.04 Server (21/May/2010).
I've configured my Ubuntu 10.04 Server LTS residing on a Windows network to authenticate logins using Active Directory, then mount a Windows share to serve as their home directory.
Here is what I did starting from the initial installation of Ubuntu.
Get updates
# sudo apt-get update && sudo apt-get upgrade
Install an SSH server (sshd):
# sudo apt-get install openssh-server
Some would argue that you should "lock sshd down" by disabling root logins. I figure if you're smart enough to hack an SSH session for a root password, you're probably not going to be thwarted by the addition of PermitRootLogin no in the /etc/ssh/sshd_config file. If you're paranoid or simply not convinced, then edit the file or give the following a spin (it uncomments and sets an existing PermitRootLogin line; restart sshd afterwards so the new setting takes effect):
# (grep PermitRootLogin /etc/ssh/sshd_config && sudo sed -ri 's/^#?(PermitRootLogin ).+/\1no/' /etc/ssh/sshd_config) || echo "PermitRootLogin not found. Add it manually."
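The one-liner above only handles a PermitRootLogin line that is already in the file, and stock sshd_config files often carry the directive commented out or not at all. Here is an added example (mine, not from the original post) of a small shell function that sets an sshd directive whether it is currently active, commented out or missing, plus a reader that returns the value sshd would actually use. It assumes GNU sed and a configuration without Match blocks (a directive inside a Match block applies only to that block, so rewriting it blindly would be wrong). The demo at the bottom works on a constructed temporary file; on a real box run the function with sudo against /etc/ssh/sshd_config, check the result with sudo sshd -t, then sudo service ssh restart.

```shell
#!/bin/bash
# Added example, not from the original post.
# Assumptions: GNU sed (-r/-i), no Match blocks in the file, and a VALUE that
# contains no '/' or '&' (it is used raw in the sed replacement).

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented instance of KEY as one active line
# "KEY VALUE"; appends the line if KEY is absent. Comment lines that begin
# with KEY (e.g. "#PermitRootLogin yes") are rewritten too, on purpose.
set_sshd_option() {
  local f=$1 key=$2 val=$3
  if grep -qE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$f"; then
    sed -ri "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $val/" "$f"
  else
    printf '%s %s\n' "$key" "$val" >> "$f"
  fi
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first active (uncommented) match wins.
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed sshd_config copy so nothing touches the real file.
demo() {
  local f
  f=$(mktemp)
  printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'UsePAM yes' > "$f"
  set_sshd_option "$f" PermitRootLogin no          # commented line -> active "no"
  set_sshd_option "$f" PasswordAuthentication no   # absent -> appended
  echo "PermitRootLogin=$(get_sshd_option "$f" PermitRootLogin)" \
       "PasswordAuthentication=$(get_sshd_option "$f" PasswordAuthentication)"
  rm -f "$f"
}

demo
```

Because the function rewrites rather than appends when the directive exists, running it twice is safe, which matters when the command ends up in a provisioning script that is re-run on every build.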
Install required packages
# sudo apt-get install winbind samba smbfs smbclient ntp krb5-user
Do some basic networking housecleaning in preparation for the specific package configurations to come.
Determine your Windows domain name, the DNS server's name, and the IP address of the Active Directory server (for Samba). For convenience I set environment variables for the Windows domain and DNS server; they are expanded by your own shell inside the double-quoted sed scripts below, so sudo never needs to see them. For me it was (my AD IP address was 192.168.20.11):
# WINDOMAIN=mydomain.local && WINDNS=srv1.$WINDOMAIN && WINDNS_IP=192.168.20.11
If you want to figure out what your domain and DNS server are (I was a contractor and didn't know the network) check out this helpful reference.
We need to christen the Linux box on the new network. This is done by editing the hosts file so that the loopback lines name the machine by its fully qualified name in the Windows domain (Ubuntu keeps the hostname on the 127.0.1.1 line; the sed below rewrites both 127.0.0.1 and 127.0.1.1, which is fine as long as localhost stays on them, and hostname -f should print the fully qualified name afterwards):
# sudo sed -ri "s/^(127\.0\.[01]\.1[ \t]).*/\1$(hostname).$WINDOMAIN localhost $(hostname)/" /etc/hosts
We should also tell the soon-to-be-installed services where they can find their leader: some networks will have NetBIOS name lookup services, but just in case, add an explicit entry for the domain controller in your /etc/hosts file. In my configuration I added the entry on the third (3) line:
# sudo sed -ri "3 i $WINDNS_IP $WINDNS" /etc/hosts
The authentication and file-sharing processes on the Windows and Linux boxes need their clocks to agree: Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the allowed skew (five minutes by default), so a drifting clock shows up as logins that simply fail. Do this with an NTP service. On the server version of Ubuntu the NTP service comes installed and configured with one (1) NTP server. Add yours before the Ubuntu one (or replace it entirely). The network I was joining had the DNS server serving up the NTP service too.
# sudo sed -ri "s/^(server[ \t]+)(.+)/\1$WINDNS\n\1\2/" /etc/ntp.conf
Restart the NTP daemon:
# sudo /etc/init.d/ntp restart
Kerberos configuration.
The instructions that follow here aren't to be taken literally: the values for MYDOMAIN.LOCAL and srv1.mydomain.local need to be replaced with what's appropriate for your network when you edit the files, but do note that where UPPERCASE is used UPPERCASE is needed (Kerberos realm names are case sensitive, and an AD realm is the DNS domain name in upper case).
If, during the apt-get install of Kerberos, you had the insight to respond to the "default realm" question correctly, then, goody for you, otherwise you'll have to do the following.
Edit the (previously installed above) /etc/krb5.conf file.
Find the [libdefaults] section and change the key value pair:
[libdefaults]
default_realm = MYDOMAIN.LOCAL
Add the following to the [realms] section of the file:
[realms]
MYDOMAIN.LOCAL = {
    kdc = srv1.mydomain.local
    admin_server = srv1.mydomain.local
    default_domain = MYDOMAIN.LOCAL
}
Add the following to the [domain_realm] section of the file:
[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
A nice test at this point is to see if your AD controller will issue you a Kerberos ticket. This isn't necessary but it can make some of you giddy, and it checks Kerberos on its own before Samba gets involved: a complaint about clock skew means NTP isn't doing its job yet, and one about not finding the KDC means DNS or the [realms] entry is wrong.
# kinit <some_windows_domain_user>
Then to see the ticket:
# klist
You'll see stuff about the ticket cache and expiries and renewals. Once the giddiness subsides, you may as well release/destroy the ticket:
# kdestroy
Configure samba.
According to the following: "There are times when CIFS can not be used or another network filesystem choice is better. If kerberos (krb5/SPNEGO) authentication support is needed for added security, then Samba's smbclient or smbfs must be used instead of cifs."
Alas, cifs support in the kernel for Ubuntu 10.04 (based on kernel version 2.6.32.9) is at version 1.61, and according to the kernel documentation, an experimental Kerberos implementation has been there since version 1.54. So there you are. I've no idea if cifs would work so I give you the Samba configuration.
Replace /etc/samba/smb.conf (remember I was working from a clean distro of Ubuntu, so I wasn't worried about breaking anything):
[global]
security = ads
realm = MYDOMAIN.LOCAL
password server = 192.168.20.11
workgroup = MYDOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
Two caveats on the above. Samba's smb.conf manual page discourages hard-coding a password server with security = ads, preferring that domain controllers be located automatically through DNS SRV records (set it to * or leave it out); that also gives Kerberos a host name to request tickets for, and hard-coding a single DC means authentication stops when that one DC is down. And the idmap ranges are where domain accounts get their Unix uids and gids: keep them clear of local accounts (Ubuntu starts those at 1000), and remember that the default tdb backend hands out the numbers on first sight, per machine, so the same domain user gets different uids on different Linux boxes unless you use a backend such as rid or ad.
Start and stop various services.
# sudo /etc/init.d/winbind stop
# sudo service smbd restart
# sudo /etc/init.d/winbind start
Setup the authentication.
Edit /etc/nsswitch.conf. I was able to run the following command to get what I needed (the file is owned by root, so it needs sudo):
# sudo sed -ri 's/(compat)/\1 winbind/' /etc/nsswitch.conf
Here are the contents of my /etc/nsswitch.conf file (the winbind NSS module has no shadow backend, so the shadow line is harmless but unnecessary):
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Join the computer to the domain. I'm not convinced this is necessary; particularly because of the security option in the smb.conf file (security = ads). Perhaps someone can weigh in on this ...
# sudo net ads join -U any_domain_user_account
As it happens, the join is required. It creates the computer account in Active Directory and stores the machine password in Samba's secrets.tdb, and winbind uses that machine account to talk to the domain controller when it validates user logins; security = ads only selects the protocol, it does not create the account. By default any domain user may create up to ten computer accounts (the ms-DS-MachineAccountQuota attribute), which is why any_domain_user_account can work; once that quota is used up you need an account that has been delegated the right to create computer objects. Restart winbind after joining so that it picks up the new machine account.
You might get the error DNS update failed!, but you'll still be joined to the domain (the attempt to register the box's A record by dynamic DNS update was refused; add the record by hand if you want the box resolvable by name). If you get an error about not being able to find the server, your DNS settings need to be fixed. During the Ubuntu installation the nameserver will often point to your gateway, since most routers do DNS. Best practice for Windows server administration is that the domain controller runs DNS as well. In my case my /etc/resolv.conf looks like this:
nameserver 192.168.20.11
nameserver 8.8.8.8
The 8.8.8.8 is a Google DNS, a fairly reliable backup in case the Windows one goes down. Two caveats: the resolver only moves on to 8.8.8.8 when the first server does not answer at all, and 8.8.8.8 cannot resolve the domain controller's name or the _kerberos and _ldap SRV records of a private domain, so while the DC is down domain logins are lost anyway; and on Ubuntu this file is rewritten by the DHCP client, so if the box gets its address by DHCP put the entry in /etc/dhcp3/dhclient.conf (prepend domain-name-servers 192.168.20.11;) rather than editing resolv.conf by hand.
At this point I could login (perhaps after a reboot), home directories didn't exist, but I could login.
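Before moving on to home directories it is worth checking that the join, winbind and nsswitch all agree, since a failure at any of the three produces the same symptom (a login prompt that rejects domain users). Here is an added example (mine, not from the original post) of the checks I would run. It assumes the smb.conf above (idmap range 10000-20000, template homedir = /home/%U, winbind use default domain = yes) and takes a domain user name as its argument. The two helpers are pure functions exercised on constructed passwd lines; the live checks call net, wbinfo and getent against the real domain and only run when RUN_LIVE=1 is set.

```shell
#!/bin/bash
# Added example, not from the original post. Run live as:
#   RUN_LIVE=1 sudo ./check_ad.sh some_domain_user
# (root is needed because net ads testjoin and wbinfo -t read secrets.tdb).
IDMAP_LOW=10000    # assumed: matches "idmap uid = 10000-20000" in smb.conf
IDMAP_HIGH=20000

# uid_in_idmap_range 'name:x:uid:gid:gecos:home:shell'
# Returns 0 when the uid is numeric and inside the winbind idmap range.
# A domain user outside it means nsswitch resolved a local account or the
# idmap backend is not the one you configured.
uid_in_idmap_range() {
  local uid
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  case $uid in (''|*[!0-9]*) return 1 ;; esac
  [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ]
}

# homedir_matches_template 'name:x:uid:gid:gecos:home:shell'
# Returns 0 when the home directory is /home/<name>, which is what
# "template homedir = /home/%U" promises and what pam_mount relies on.
homedir_matches_template() {
  local name home
  name=$(printf '%s\n' "$1" | cut -d: -f1)
  home=$(printf '%s\n' "$1" | cut -d: -f6)
  [ "$home" = "/home/$name" ]
}

# Live checks, ordered so the first failure points at the broken layer.
run_live_checks() {
  local user=$1 entry
  # 1. machine account still valid on the DC
  net ads testjoin >/dev/null || { echo "FAIL: net ads testjoin"; return 1; }
  # 2. winbind can use the machine trust secret
  wbinfo -t >/dev/null || { echo "FAIL: wbinfo -t (trust secret)"; return 1; }
  # 3. the user is visible through winbind (plain name: winbind use default domain)
  wbinfo -u | grep -qx "$user" || { echo "FAIL: $user not listed by wbinfo -u"; return 1; }
  # 4. and through nsswitch, which is what login and PAM actually use
  entry=$(getent passwd "$user") || { echo "FAIL: getent passwd $user"; return 1; }
  uid_in_idmap_range "$entry" || { echo "FAIL: uid outside idmap range: $entry"; return 1; }
  homedir_matches_template "$entry" || { echo "FAIL: home dir is not /home/$user: $entry"; return 1; }
  echo "OK: $entry"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_live_checks "${1:?usage: RUN_LIVE=1 $0 domain_user}"
fi
```

If wbinfo -u lists the user but getent passwd does not, the nsswitch edit is the problem; if wbinfo -t fails after a successful join, winbind was not restarted after net ads join.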
CIFS Mounting on Login
This next step was the cherry for me; I didn't want the responsibility of backing up everyone's working directories, and the box Ubuntu was to be running on was suspect in terms of reliability. By doing the following users could login and see their Windows user directory automagically.
Download the pam_mount module:
# sudo apt-get install libpam-mount
I wanted the mount point to be in the traditional /home/<user> location: this part is configured by the /etc/samba/smb.conf file (template homedir = /home/%U). But I needed it to drill through the share and point to their own Windows directory. This is accomplished by editing the /etc/security/pam_mount.conf.xml file (which despite its intention, XML isn't human readable). Note what is going on security-wise: pam_mount hands the password typed at login to mount.cifs, so the credential winbind just validated is also what authenticates the CIFS session; the uid and gid options only decide how the files appear locally, while the server's share and NTFS permissions decide what the user may actually read or write.
Add the following to /etc/security/pam_mount.conf.xml (inside the <pam_mount> root element; the cifsmount line replaces the stock one rather than sitting beside it) and alter to suit:
<volume
user="*"
server="srv1.mydomain.local"
path="UserShares"
mountpoint="home"
fstype="cifs"
/>
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME)/%(USER) %(MNTPT)/%(USER) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>
Because of my goofy mount point I had to add this line too:
<umount>umount %(MNTPT)/%(USER)</umount>
And so that the user directories (for the mount point) would be created automatically find the line and make it so:
<mkmountpoint enable="1" remove="false" />
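As an added example (mine, not from the original post), here is the same volume written so that pam_mount's stock cifsmount and umount commands can be left alone: %(USER) goes into the share path instead of a custom mount command, the mountpoint is the absolute /home/<user> that template homedir = /home/%U promises, and the uid/gid mapping goes through the options attribute together with nosuid,nodev so nothing on the share can act as a setuid binary or a device node. The server and share names are the post's placeholders; the fragment sits inside the <pam_mount> root element.

```xml
<!-- Added example, not from the original post. Assumed: share UserShares on
     srv1.mydomain.local holds one folder per user, and smb.conf sets
     template homedir = /home/%U so /home/%(USER) is the user's home. -->
<volume
  user="*"
  fstype="cifs"
  server="srv1.mydomain.local"
  path="UserShares/%(USER)"
  mountpoint="/home/%(USER)"
  options="uid=%(USERUID),gid=%(USERGID),nosuid,nodev" />
<!-- create /home/<user> on first login, never try to remove it on logout -->
<mkmountpoint enable="1" remove="false" />
```

With the absolute mountpoint the stock <umount> definition unmounts the right directory, so the custom umount line is not needed either. user="*" still makes pam_mount attempt the mount for local accounts, which simply fails and is logged; restrict it with pam_mount's user or group selectors if that noise bothers you.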
The remove="false" bit is quite important: if it's set to true, pam_mount.so tries to delete the directory mount point, which it can't do if a user has logged in multiple times. What you end up with in that case is lots of stray mounts on your system.
pam_mount.so still doesn't quite deliver as promised. In its current form the mounts keep piling up and the home directories aren't being created. Somewhere between here and the previous Beta 2 release of 10.04 server, it was working. I can't recreate this though.
In the mean time for the directory creation I'm relying on pam_mkhomedir.so, and stuck a line immediately before the pam_mount.so line to accommodate.
I still haven't solved the multiple mounting issue. But until pam_mount.so is fixed, this is what I've got in my /etc/pam.d/common-session file:
That's it. It worked for me, and I hope you find it useful.
Numerous resources were considered so I could figure this out. Here is a short list (a number of these links point to my own questions on the topic):