Integrating Ubuntu workstation with a Windows Active Directory

December 8, 2015

In my previous post I described how to promote a Windows server to a domain controller and how to join a Windows workstation to the domain. This post explains the similar process of joining an Ubuntu machine to a Windows Active Directory domain. (Note: this process applies as written to AWS; to perform the same outside AWS, use public IPs instead of private IPs.)

This assumes an Ubuntu 14.04 client workstation and a Microsoft Windows Server 2012 R2 Base instance as the domain controller.

Terms Used:

ubuntu client name: ubuntu

client IP address: 172.0.0.10

domain name: rootdomai.com

DC IP address: 172.0.0.5

Before any machine can be joined to the domain, it must first be configured to use the domain controller as its DNS server.

This is done in the following steps:

Step 1: Setting up Host Name

Set the hostname of the client workstation, for easy identification, from the command line. Here the server's name is "ubuntu" and the domain name is "rootdomai.com". The hostname command only changes the running system; write the name to /etc/hostname as well so that it survives a reboot.

$ hostname ubuntu.rootdomai.com

Step 2: Get Private IP address

To identify the private IP address of the client machine, perform the following command:

$ echo $( ifconfig eth0|grep inet\ addr|awk '{print $2}'|sed -e 's/addr://g' )

Step 3: Edit NameServers

Configure the Ubuntu machine to use the domain's DNS. Edit the client's hosts file and add the IP addresses of the domain controller and of the client machine:

$ vi /etc/hosts

172.0.0.5 rootdomai.com

172.0.0.10 ubuntu.rootdomai.com ubuntu

Step 4: Modify Network Configuration

Modify the client's network interface configuration so that dns-domain is the domain controller's domain and dns-nameservers points at the domain controller. Replace the addresses below with those of your setup.

$ vi /etc/network/interfaces.d/eth0.cfg

auto eth0
iface eth0 inet dhcp
# With "inet dhcp" the address/netmask/network/broadcast/gateway lines below are
# ignored (the DHCP lease supplies them); change dhcp to static if you want them applied.
address 172.0.0.10
netmask 255.255.255.0
network 172.0.0.0
broadcast 172.0.255.255
gateway 172.0.0.1
dns-nameservers 172.0.0.5
dns-domain rootdomai.com

Step 5: Override DNS configuration

To override the DNS nameserver so that it refers to the domain controller, modify the nameserver in /etc/resolv.conf. The search option sets the local domain name; set it to the desired domain search path. Note that on Ubuntu 14.04 /etc/resolv.conf is generated by resolvconf and is rewritten whenever the interface comes up, so the dns-nameservers and dns-domain lines from the previous step are what make this setting persistent.

$ vi /etc/resolv.conf

nameserver 172.0.0.5

search rootdomai.com

Step 6: Verify the Client-Server Connection

To verify that the Ubuntu client is using the domain controller's DNS, run the command below; it should return the Kerberos SRV record from the domain controller:

$ host -t srv _kerberos._tcp.rootdomai.com

_kerberos._tcp.rootdomai.com has SRV record 0 100 88 dc01.rootdomai.com

Step 7: Verify hostname of Client
Verify the hostname of the Ubuntu client before proceeding with the configuration. The following command displays the client's fully qualified hostname:

$ hostname -f

ubuntu.rootdomai.com
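The checks in Steps 3 to 7 are easy to get subtly wrong (a stale first nameserver, a missing search domain, a hostname that does not match the hosts file), so the script below, an added example that is not part of the original post, bundles them into functions that can be run against the live machine with preflight_live or, as at the bottom, against constructed input. It assumes the post's values (DC 172.0.0.5, domain rootdomai.com, client ubuntu.rootdomai.com), which can be overridden through the DC_IP and DOMAIN environment variables, and that the host command from the bind9-host or dnsutils package is installed.

```shell
#!/bin/sh
# Pre-join DNS and hostname sanity checks for an Ubuntu AD client.
# Added example; not part of the original post. Defaults are the post's values.
DC_IP="${DC_IP:-172.0.0.5}"
DOMAIN="${DOMAIN:-rootdomai.com}"

# check_resolv FILE DC_IP DOMAIN
# Returns 0 when the first nameserver in FILE is the DC and DOMAIN is in the search list.
check_resolv() {
    file="$1" dc="$2" dom="$3"
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    if [ "$first_ns" != "$dc" ]; then
        echo "check_resolv: first nameserver is '${first_ns:-none}', expected $dc" >&2
        return 1
    fi
    if ! awk -v d="$dom" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
                          END { exit !found }' "$file"; then
        echo "check_resolv: search list in $file does not contain $dom" >&2
        return 1
    fi
    return 0
}

# srv_target LINE
# Parses one answer line of `host -t srv` and prints "target port", e.g.
# "_kerberos._tcp.rootdomai.com has SRV record 0 100 88 dc01.rootdomai.com" -> "dc01.rootdomai.com 88"
# Prints nothing for NXDOMAIN or other non-answer lines.
srv_target() {
    printf '%s\n' "$1" |
        awk '$2 == "has" && $3 == "SRV" && $4 == "record" { sub(/\.$/, "", $8); print $8, $7 }'
}

# check_fqdn EXPECTED ACTUAL -> 0 when the client's FQDN is the one written to /etc/hosts
check_fqdn() {
    [ "$2" = "$1" ] || { echo "check_fqdn: hostname -f returned '$2', expected $1" >&2; return 1; }
}

# preflight_live: run all checks against the real machine (needs `host` installed)
preflight_live() {
    check_fqdn "ubuntu.$DOMAIN" "$(hostname -f)" &&
    check_resolv /etc/resolv.conf "$DC_IP" "$DOMAIN" &&
    kdc=$(srv_target "$(host -t srv "_kerberos._tcp.$DOMAIN" | head -n 1)") &&
    [ -n "$kdc" ] && echo "KDC from SRV record: $kdc"
}

# Demonstration on constructed input (no network needed); run preflight_live for the real checks.
demo=$(mktemp)
printf 'nameserver 172.0.0.5\nsearch rootdomai.com\n' > "$demo"   # constructed resolv.conf
check_resolv "$demo" "$DC_IP" "$DOMAIN" && echo "resolv.conf OK"
srv_target "_kerberos._tcp.rootdomai.com has SRV record 0 100 88 dc01.rootdomai.com"
rm -f "$demo"
```

If preflight_live reports a wrong first nameserver even though /etc/resolv.conf was edited, resolvconf has regenerated the file; fix the dns-nameservers line in the interfaces file instead of the generated file.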

The real work starts with installing Samba on the Ubuntu machine. Samba provides the capability to connect Ubuntu servers to Windows machines.

The core functionality of Samba is to enable client-server networking for file sharing. This also provides the ability for sharing a printer and associated operations. In addition to this, Samba allows the interaction of Linux clients with Windows, to allow authentication by using Active Directory.

Kerberos is a network authentication protocol. It is designed with the need to provide strong authentication for client/server applications by using secret-key cryptography.

Winbind is a component of the Samba suite of programs that solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine.

With the PAM configuration you can access the ubuntu client with local accounts or with domain accounts. On the first login of a domain user a home directory will be created.

Step 8: Install requisites to use Domain Credentials

Install Samba, Winbind, the Winbind NSS and PAM modules and the Kerberos client on the Ubuntu client with the following command:

$ apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Accept all the dependencies that are required with the above packages.

Step 9: Setup Kerberos

The Kerberos authentication has to be configured to use Active Directory as KDC. The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).

Replace the krb5.conf file with appropriate domain specifications.

The default_realm in the [libdefaults] section of /etc/krb5.conf should be the Active Directory realm, which is then defined with its KDC in the [realms] section. The [domain_realm] section maps the Active Directory DNS domain to that realm.

$ vi /etc/krb5.conf

[libdefaults]
       default_realm = ROOTDOMAI.COM

# The following krb5.conf variables are only for MIT Kerberos.
       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
       v4_instance_resolve = false
       v4_name_convert = {
               host = {
                       rcmd = host
                       ftp = ftp
               }
               plain = {
                       something = something-else
               }
       }
       fcc-mit-ticketflags = true

[realms]
       ROOTDOMAI.COM = {
               kdc = ROOTDOMAI.COM:88
               default_domain = ROOTDOMAI.COM
       }

[domain_realm]
       .rootdomai.com = ROOTDOMAI.COM
       rootdomai.com = ROOTDOMAI.COM

[appdefaults]
pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
}

[login]
       krb4_convert = false
       krb4_get_tickets = false

[logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log

Realm names are case-sensitive, so the realm is written in capital letters, while the DNS domain names on the left-hand side of [domain_realm] are written in lower case. Save and exit the krb5.conf file.
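Because the casing rules are the usual source of kinit failures at this point, the script below, an added example that is not part of the original post, writes a minimal krb5.conf for a realm (upper-casing the realm and lower-casing the DNS domain automatically) and checks an existing file for the two casing mistakes. It assumes the post's realm ROOTDOMAI.COM and the KDC dc01.rootdomai.com from the SRV record in Step 6; the krb4 and Heimdal settings from the post's file are left out because they are not needed for an AD join.

```shell
#!/bin/sh
# Generate a minimal krb5.conf for an AD realm and check realm-name casing.
# Added example; not part of the original post.

# write_krb5_conf DOMAIN KDC_HOST OUTFILE
# Realm names are case-sensitive: the realm is written upper-case, the DNS domain lower-case.
write_krb5_conf() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    kdc="$2" out="$3"
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    kdc_timesync = 1
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# check_krb5_case FILE
# Returns 0 when default_realm is upper-case and every [domain_realm] key is lower-case;
# prints each offending line otherwise (also catches the post's ".ROOTDOMAI.COM= ..." form).
check_krb5_case() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*/, "", section); next }
        section == "libdefaults" && $1 == "default_realm" && $3 != toupper($3) {
            print "default_realm is not upper-case: " $3; bad = 1 }
        section == "domain_realm" && NF >= 2 && $1 != tolower($1) {
            print "domain_realm key is not lower-case: " $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Demonstration: write a config for the post's realm and check it.
out=$(mktemp)
write_krb5_conf rootdomai.com dc01.rootdomai.com "$out"
cat "$out"
check_krb5_case "$out" && echo "krb5.conf casing OK"
rm -f "$out"
```

To check the file you actually installed, run check_krb5_case /etc/krb5.conf; to generate it, point the third argument at /etc/krb5.conf instead of a temporary file.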

Step 10: Verify the setup

To verify the setup, test with a user (e.g. cloudthat) in the Kerberos realm ROOTDOMAI.COM controlled by the server at rootdomai.com. The following command must prompt for that user's password:

$ kinit cloudthat@ROOTDOMAI.COM

Password for cloudthat@ROOTDOMAI.COM:

If this step throws an error of any kind, make sure the DC is online and reachable at the specified address, that port 88 is open to the Ubuntu client, that the username exists in the directory, and that the clocks of the client and the DC agree (Kerberos rejects requests when the clock skew exceeds a few minutes).

Step 11: Configure Samba

The important step is to configure the Samba server to join with the Active Directory domain. Modify the [global] section in the configuration file at /etc/samba/smb.conf with the domain details as given below:

$ vi /etc/samba/smb.conf

  [global]
  netbios name = ubuntu
  workgroup = ROOTDOMAI
  security = ADS
  realm = ROOTDOMAI.COM
  encrypt passwords = yes

  idmap config *:backend = rid
  idmap config *:range = 5000-100000

  winbind allow trusted domains = no
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind refresh tickets = yes
  template shell = /bin/bash


security = ads configures the local Samba server (the Ubuntu client) as a domain member in an Active Directory domain. It also enables the internal use of LDAP queries and Kerberos authentication.

netbios name is the name of the Ubuntu client.

workgroup is the Samba workgroup (the NetBIOS name of the domain).

realm is the name of the Active Directory Kerberos realm.

idmap config *:backend = rid together with idmap config *:range defines how domain SIDs are mapped to local UIDs and GIDs: every domain member configured with the same backend and range computes the same IDs for the same accounts.

Step 12: Configure NSS

Configure NSS so that domain accounts are available locally. NSS is configured in /etc/nsswitch.conf; add winbind to the passwd and group lines as follows:

$ vi /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


Step 13: Enable Password Based Authentication

Another important task is to enable password authentication on the Ubuntu client's SSH server, by setting PasswordAuthentication to yes in the sshd_config file (the option name is written without a space):

$ vi /etc/ssh/sshd_config

PasswordAuthentication yes

Restart the sshd service by the command,

$ service ssh restart
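Editing sshd_config by hand tends to leave a commented-out "#PasswordAuthentication no" next to the new line, or a duplicate that silently wins because sshd takes the first occurrence of an option. The helper below, an added example that is not part of the original post, sets an option idempotently (rewriting the first matching line, commented or not, dropping duplicates, or appending if absent) and reads back the effective value. The demonstration at the bottom works on a constructed copy of the file; the AllowGroups line and the group name linux-admins are an assumed example of restricting SSH logins to one domain group, not something the post configures.

```shell
#!/bin/sh
# Idempotent sshd_config editing. Added example; not part of the original post.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY (even if commented out), drops later duplicates,
# or appends "KEY VALUE" when KEY is absent. sshd option names are case-insensitive.
# Caveat: this treats the whole file as one scope; it does not understand Match blocks.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)            # strip indent and a leading comment marker
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }  # first occurrence: rewrite
                next                                    # later occurrences: drop
            }
            print
        }
        END { if (!done) print k " " v }                # absent: append
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_option_value FILE KEY -> prints the effective (first active) value, nothing if unset
sshd_option_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(k)) { print f[2]; exit }
        }
    ' "$1"
}

# Demonstration on a constructed stand-in for /etc/ssh/sshd_config.
cfg=$(mktemp)
printf '#PasswordAuthentication no\nUsePAM yes\n' > "$cfg"
set_sshd_option "$cfg" PasswordAuthentication yes
# Assumed hardening step: only members of one domain group may log in over SSH.
set_sshd_option "$cfg" AllowGroups linux-admins
echo "PasswordAuthentication is now: $(sshd_option_value "$cfg" PasswordAuthentication)"
cat "$cfg"
rm -f "$cfg"
```

On the real file run set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes as root, then validate with sshd -t before service ssh restart so a typo cannot lock you out of the instance.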

Step 14: Finalising Ubuntu – Domain Connection

Now join the Ubuntu client to the Windows domain, using the Kerberos ticket obtained with kinit in Step 10 (that is what the -k flag selects):

$ net ads join -k

This step may print a DNS update error alongside the successful join message; the error only concerns registering the client's DNS record, and the Ubuntu client is nevertheless now a member of the domain.

Step 15: Prepare to Login Using Domain Creds

Once the client has been added to the domain, restart the following services on the Ubuntu client so that all of them pick up the new configuration:

$ service winbind restart

$ service nmbd restart

$ service smbd restart

Step 16: Verify Client

To verify the Winbind setup and that the Ubuntu client is part of the domain, run the commands below, which list the domain users and groups from the domain controller.

$ wbinfo -u

This command provides the list of users in the domain.

$ wbinfo -g

This command displays the list of groups in the domain to which the users are included.

$ getent passwd

This command lists the passwd entries from all NSS sources (local files plus Winbind), so the domain users appear alongside the local ones.

$ getent group

This command lists the group entries from all NSS sources (local files plus Winbind), so the domain groups appear alongside the local ones.

To identify the details of the existing individual user in a domain, perform the below command:

$ wbinfo -i cloudthat
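A quick way to confirm that an account really comes from Winbind rather than from a local entry of the same name is to check its UID against the idmap range configured in Step 11: with the rid backend every domain account gets a UID inside that range, and local accounts normally sit below it. The script below, an added example that is not part of the original post, reads the range from smb.conf and classifies getent passwd output accordingly. The sample smb.conf and passwd lines at the bottom are constructed; the UID 5612 and home directory for cloudthat are assumed values, not output from the post.

```shell
#!/bin/sh
# Classify getent passwd entries as domain (Winbind idmap range) or local accounts.
# Added example; not part of the original post.

# idmap_range SMB_CONF -> prints "LOW HIGH" taken from the "idmap config * : range" line
idmap_range() {
    awk -F= '
        $1 ~ /^[ \t]*idmap config[ \t]*\*[ \t]*:[ \t]*range[ \t]*$/ {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }
    ' "$1"
}

# classify_accounts LOW HIGH   (reads getent passwd lines on stdin)
# Prints "domain NAME UID" for UIDs inside the Winbind range, "local NAME UID" otherwise.
classify_accounts() {
    awk -F: -v lo="$1" -v hi="$2" '
        NF >= 7 {
            kind = (($3 + 0 >= lo + 0) && ($3 + 0 <= hi + 0)) ? "domain" : "local"
            print kind, $1, $3
        }
    '
}

# domain_account_check LOW HIGH NAME   (stdin: getent passwd output)
# Returns 0 when NAME resolves and is a domain account, 1 when local or unknown.
domain_account_check() {
    classify_accounts "$1" "$2" | awk -v n="$3" '
        $2 == n { found = 1; code = ($1 == "domain") ? 0 : 1; exit code }
        END { if (!found) exit 1 }
    '
}

# Demonstration on constructed input. Live use:
#   getent passwd | classify_accounts $(idmap_range /etc/samba/smb.conf)
smb=$(mktemp)
printf '[global]\n   idmap config *:backend = rid\n   idmap config *:range = 5000-100000\n' > "$smb"
set -- $(idmap_range "$smb")      # $1 = 5000, $2 = 100000
sample='root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
cloudthat:*:5612:5513:cloudthat:/home/ROOTDOMAI/cloudthat:/bin/bash'
printf '%s\n' "$sample" | classify_accounts "$1" "$2"
printf '%s\n' "$sample" | domain_account_check "$1" "$2" cloudthat && echo "cloudthat comes from the domain"
rm -f "$smb"
```

A local account whose UID happens to fall inside the range would be misreported as a domain account, which is itself worth knowing: keep local UIDs out of the idmap range so that the two namespaces never overlap.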

Step 17: Update PAM

This configuration allows access to the Ubuntu client with both local and domain credentials. Run the following command to configure PAM on the Ubuntu client:

$ sudo pam-auth-update

Ensure the configuration is set up with the Winbind NT/Active Directory enabled.

Step 18:  Configure PAM

PAM does not create home directories by default, so append a pam_mkhomedir line to your PAM configuration. pam_mkhomedir is a session module, so it belongs in common-session:

$ echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/common-session

Step 19: Verify Domain Creds

Verify access to the Ubuntu client with domain credentials:

$ login

ubuntu login: cloudthat

Password:

Enter the credentials for the domain users to authenticate and perform the login process of ubuntu client with the Windows domain users.

cloudthat@UBUNTU:~$ pwd

/home/UBUNTU/cloudthat
cloudthat@Ubuntu:~$

A separate home directory is created and the login to the Ubuntu client with domain credentials succeeds.

The Ubuntu machine is now joined to the domain and is accessible with domain credentials; local credentials also continue to work. You now have control over the Ubuntu machine through Windows Active Directory.

This is the method we used to integrate Ubuntu workstations into a Windows Active Directory for a few of our clients. Kindly visit our consulting site here to gather more information and guidance on consulting projects.

Thank you for reading, I hope the blog helped you, for any queries please feel free to comment below. You can also post your questions on forum.cloudthat.com.
