Authenticating Ubuntu via Active Directory with Samba/Winbind

Make sure your IP address is static on Ubuntu and not set for DHCP. If the address changes or you have a short lease, the IP address will change and so will /etc/resolv.conf which will render this procedure useless even during the setup.

● Open a root shell
 sudo -s
● Install the following packages:
 apt-get install openssh-server apt-get install samba samba-common samba-doc apt-get install winbind krb5-user
(May ask you for Kerberos server for your realm. Enter the IP of the Windows 2k8 server) 

● Stop samba services:
/etc/init.d/samba stop /etc/init.d/winbind stop
● Create new /etc/samba/smb.conf (make sure this reflects your domain and IP data – you can throw out any other data in this file):
[global] security = ads realm = SMKMUHI.NET password server = 192.168.1.129 workgroup = CISS150 winbind separator = + idmap uid = 10000¬20000 idmap gid = 10000¬20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 [netlogon] path = /netlogon
● Check Samba configuration:
testparm -v
(look for warnings or errors)

● Create a new /etc/krb5.conf to configure the default realm and the Key Distribution Center server (make sure this reflects your domain and IP data):
[libdefaults] default_realm=SMKMUHI.NET [realms] CISS150.NET = { kdc = 192.168.1.131 }

● Go to System/Preferences/Network Connections, select Wired/Auto eth0 and double check the Ipv4 settings that it shows the W2k8 server ip address and the correct domain name for DNS Servers and Search domains. (You may need to stop and start the network to make the changes permanent.)

● Add to /etc/hosts (make sure this reflects your domain data):
192.168.1.131 w2k8svr.SMKMUHI.net w2k8svr 192.168.1.129 ubuntu.smkmuhi.net ubuntu

● Make sure the Windows 2008 server and Ubuntu times are in sync (make sure this reflects your Windows 2008 server name):
ntpdate w2k8svr
(If you receive an error message, STOP! You need correct time to continue)

● Get a Kerberos ticket:
kinit administrator Enter password of w2k8 server.

● Attempt to join Samba to Active Directory:
net ads join -U administrator

(If JOIN fails, STOP! Any error message means you cannot proceed.)

● Edit /etc/pam.d/common-session (add after pam_unix line):
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

● Edit /etc/nsswitch.conf:
Add a space and winbind to the end of the password and group lines.

● Start Samba services:
service nmbd start service smbd start service winbind start

● Check users and groups are retrieved by winbind:
wbinfo -u wbinfo -g

(If you don't see any output, that is very bad!)

● Check users and groups appear to system:
getent passwd getent group

(If you can't see the Active Directory users and groups, that, too, is very bad!)

● Test ssh to local system (substitute a real AD user for username):
ssh username@localhost

(Enter password of user from Active Directory. This can also be the administrator account and password) 

● Look for the home directory to be created (substitute a real AD user for username):
pwd

(Should show something like /home/SMKMUHI/username)
 ls -al /home/SMKMUHI/username

If you can login to Ubuntu via ssh with an Active Directory user, this portion is complete. 

Otherwise, stop. Nothing is going right and you need to fix what is broken.


Configuring Active Directory Users to Retrieve Roaming Profile from Samba

 
On the Windows 2008 server, start Server Manager.

Illustration 1: Server Manager window.

Illustration 2: Selecting a user from the Users folder.

Select the Users folder, then right click on a user and select Properties.

Illustration 3: Setting up the profile path and home folder.

Enter the Profile path as \\ubuntuserver\username\profile where ubuntuserver is the name of the Samba server and username is the name of the Windows user.

Select Connect and a drive letter (H:) and enter the To value as \\ubuntuserver\username

You will likely get a message about access to the server. You can simply select OK.

 Select OK.







● On Ubuntu, Edit /etc/samba/smb.conf and add the following new section:
[homes] comment = Home Directories read only = no path = %H

● You will need to join Windows 7 to the domain controller like you did with Samba, but the procedure is slightly different.

1. Go to Start/Control Panel/Systems and Security/System and select Change Settings. 
2. From the Computer Name tab select Change. 
3. Select the Domain radio button and enter ciss150.net for the domain. 
4. Enter the administrator username and password when prompted. (If you are not prompted, then your network settings are incorrect. Namely, the DNS server is likely not pointing to the Windows 2008 server.) 
5. If successful, you will receive, Welcome to the ciss150.net domain. 
6. Reboot. 

● Log on to Windows 7 with a user in the Active Directory domain. If successful, that is, no errors, then logout. (You may have to do this twice.)

 ● On Ubuntu determine if the profile roamed by looking in the directory:
 ls -al  /home/CISS150/username/profile

Hope you can help. Thanks

Pakirwan
Menerima Jasa Setting Mikrotik, Proxy, Networking, Hotspot Pembuatan dan Desain Website, PHP, CMS,CI dan HTML Murni, Visual Programming