Before starting, ensure you have:
- Ubuntu 10.04 Server installed
- Active Directory domain administrator credentials
- Windows file share accessible from Linux
- Basic Linux command line knowledge
First, install the required packages:

```bash
sudo apt-get update
sudo apt-get install winbind krb5-user libpam-krb5 libnss-winbind
```
Configure Kerberos by editing `/etc/krb5.conf`:

```ini
[libdefaults]
    default_realm = YOURDOMAIN.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    YOURDOMAIN.COM = {
        kdc = dc.yourdomain.com
        admin_server = dc.yourdomain.com
    }

[domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM
```
Edit `/etc/samba/smb.conf`:

```ini
[global]
    workgroup = YOURDOMAIN
    security = ads
    realm = YOURDOMAIN.COM
    password server = dc.yourdomain.com
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
```
Join the domain (replace `Administrator` with your domain admin account):

```bash
sudo net ads join -U Administrator
```
Edit `/etc/nsswitch.conf`:

```
passwd: compat winbind
group:  compat winbind
shadow: compat
```
Configure PAM authentication by editing `/etc/pam.d/common-auth`:

```
# With this stack only winbind (domain) accounts can authenticate by password:
# there is no pam_unix.so line, so anything winbind rejects falls through to pam_deny.so.
auth sufficient pam_winbind.so
auth required   pam_deny.so
```
Install cifs-utils:

```bash
sudo apt-get install cifs-utils
```

Create a credentials file (`/etc/credentials`) and restrict it to root with `sudo chmod 600 /etc/credentials`, since it holds the domain password in plaintext:

```
username=DOMAIN_USERNAME
password=PASSWORD
domain=YOURDOMAIN
```
Add to `/etc/fstab`:

```
//server/share /mnt/share cifs credentials=/etc/credentials,uid=1000,gid=1000,file_mode=0775,dir_mode=0775,noperm 0 0
```
Create a PAM script (`/usr/local/bin/mount_shares.sh`):

```bash
#!/bin/bash
# Executed by pam_exec.so at session open; mounts every fstab entry not yet mounted,
# including the cifs share above.
mount -a
```

Make it executable and add it to PAM:

```bash
sudo chmod +x /usr/local/bin/mount_shares.sh
echo "session optional pam_exec.so debug log=/var/log/mount_shares.log /usr/local/bin/mount_shares.sh" | sudo tee -a /etc/pam.d/sshd
```
Verify the domain join:

```bash
wbinfo -u
wbinfo -g
```

Test authentication:

```bash
su DOMAIN_USER
```

Check mounted shares:

```bash
mount | grep cifs
```
Troubleshooting:
- Check `/var/log/samba/log.winbindd` for winbind errors
- Verify time synchronization between Linux and the AD server
- Test basic Kerberos functionality with `kinit`
- Check PAM debug logs in `/var/log/auth.log`
Before starting, ensure you have:
- Ubuntu 10.04 server with network access to Active Directory
- Administrative credentials for both Ubuntu and AD
- Windows share details (server name, share path)
First, install the required packages:

```bash
sudo apt-get update
sudo apt-get install winbind krb5-user libpam-winbind libnss-winbind
```
Configure Kerberos by editing `/etc/krb5.conf`:

```ini
[libdefaults]
    default_realm = YOURDOMAIN.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    YOURDOMAIN.COM = {
        kdc = ad.yourdomain.com
        admin_server = ad.yourdomain.com
    }
```
Edit `/etc/samba/smb.conf`:

```ini
[global]
    workgroup = YOURDOMAIN
    security = ads
    realm = YOURDOMAIN.COM
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    winbind use default domain = yes
    restrict anonymous = 2
```
Join the domain:

```bash
sudo net ads join -U administrator
```
Modify `/etc/nsswitch.conf` to include winbind:

```
passwd: compat winbind
group:  compat winbind
shadow: compat
```
Edit `/etc/pam.d/common-auth`:

```
auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass
```
Edit `/etc/pam.d/common-session` so home directories are created on first login:

```
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
First install cifs-utils:

```bash
sudo apt-get install cifs-utils
```

Create the mount point and the credentials file (mode 600, since it will hold a plaintext password):

```bash
sudo mkdir -p /shares/user_homes
sudo touch /etc/cifspasswd
sudo chmod 600 /etc/cifspasswd
```
Edit `/etc/fstab`:

```
# As given in the guide. Note that fstab itself does not expand %U (and uid= takes a
# numeric id or a user name), so in practice each user needs a literal entry for
# "mount /shares/user_homes/<user>" in the login script below to find it.
//fileserver/user_shares/%U /shares/user_homes/%U cifs credentials=/etc/cifspasswd,uid=%U,gid=domain^users,file_mode=0600,dir_mode=0700 0 0
```
Create a login script in `/etc/profile.d/mount_shares.sh`:

```bash
#!/bin/bash
# Sourced at interactive login. Only act for domain accounts: wbinfo -i succeeds
# only for users winbind knows about (id -u would succeed for local users too).
if wbinfo -i "$USER" >/dev/null 2>&1; then
    # Create the user's mount directory if it doesn't exist
    if [ ! -d "/shares/user_homes/$USER" ]; then
        mkdir -p "/shares/user_homes/$USER"
        chown "$USER":'domain^users' "/shares/user_homes/$USER"
    fi
    # Mount the share if not already mounted. This relies on a matching /etc/fstab
    # entry for the path; an unprivileged user can only mount it if that entry
    # carries the "user" option.
    if ! mountpoint -q "/shares/user_homes/$USER"; then
        mount "/shares/user_homes/$USER"
    fi
fi
```
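Both walkthroughs above keep the domain password in a `credentials=` file referenced from `/etc/fstab`, and the first one never restricts its permissions. The following audit script is an added example, not part of the guide: it scans an fstab-style file for cifs entries, flags passwords given inline in the mount options, and flags credentials files that are missing or readable by group/other. The fstab lines and credentials files it runs on are constructed sample data written to a temporary directory.

```bash
# audit_cifs_fstab FILE: check cifs entries in an fstab-style file for credential
# handling weaknesses. Returns 0 if clean, 1 if anything was found: a password inline
# in the mount options (exposed to anyone who can read fstab or run `mount`), a missing
# credentials= file, or a credentials= file readable by group/other (should be 600).
audit_cifs_fstab() {
    local fstab="$1" findings=0 src mnt fstype opts rest opt cred mode
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|\#*) continue ;; esac   # skip blank lines and comments
        [ "$fstype" = "cifs" ] || continue
        cred=""
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$opt" in
                password=*|pass=*) echo "FINDING: $src: password inline in mount options"; findings=1 ;;
                credentials=*|cred=*) cred="${opt#*=}" ;;
            esac
        done
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "FINDING: $src: credentials file $cred does not exist"; findings=1; continue
        fi
        mode=$(stat -c '%a' "$cred" 2>/dev/null || stat -f '%Lp' "$cred")   # GNU stat, BSD fallback
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: $src: $cred is mode $mode, expected 600"; findings=1 ;;
        esac
    done < "$fstab"
    return "$findings"
}
# make_samples DIR: write constructed sample data (not from a real system) into DIR:
# one credentials file with mode 600, one left world-readable, and two fstab files.
make_samples() {
    local dir="$1"
    for f in cifspasswd cifs_open; do
        printf 'username=someuser\npassword=Secret1\ndomain=YOURDOMAIN\n' > "$dir/$f"
    done
    chmod 600 "$dir/cifspasswd"; chmod 644 "$dir/cifs_open"
    cat > "$dir/fstab.weak" <<EOF
//server/share   /mnt/share   cifs  username=someuser,password=Secret1,uid=1000   0 0
//server/share2  /mnt/share2  cifs  credentials=$dir/cifs_open,uid=1000,gid=1000  0 0
EOF
    cat > "$dir/fstab.hardened" <<EOF
//server/share   /mnt/share   cifs  credentials=$dir/cifspasswd,uid=1000,gid=1000,file_mode=0775,dir_mode=0775  0 0
EOF
}
# Demo on the constructed samples; touches only a temporary directory.
demo_dir=$(mktemp -d); make_samples "$demo_dir"
for f in fstab.weak fstab.hardened; do audit_cifs_fstab "$demo_dir/$f" && echo "$f: clean"; done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_cifs_fstab /etc/fstab` after the mounts are configured; the weak sample above produces two findings and the hardened one none.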
- Verify connectivity: `ping ad.yourdomain.com`
- Test Kerberos: `kinit administrator@YOURDOMAIN.COM`
- Check domain join status: `net ads testjoin`
- Verify user enumeration: `wbinfo -u`