
Monday, May 05, 2008

Integrating Ubuntu Hardy Heron 8.04 with Active Directory

I have three primary goals in integrating Ubuntu Server with Active Directory:
  • Join the server to the domain
  • Allow domain admins to be Ubuntu Server administrators
  • Allow Windows clients in domain groups access to Samba shares
Goal #1: Join the Server to the Domain

Thanks to this post for helping with this portion. The steps are:
  1. sudo apt-get update
  2. sudo apt-get install likewise-open
  3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
  4. sudo update-rc.d likewise-open defaults
  5. sudo /etc/init.d/likewise-open start
Goal #2: Allow Active Directory Domain Administrators to Administer Ubuntu

Ubuntu Forums to the rescue... thanks, gotee12. This allows members of the Domain Admins AD group to run sudo commands. From a shell:
  1. sudo visudo
  2. Add this line to the resulting file:
%YOURDOMAINNAME\\domain^admins ALL=(ALL) ALL
Note the caret (^) standing in for the space in the group name, and the doubled backslash, which sudoers needs in order to read a literal backslash.
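As an added example (not from the original post), here is a small shell helper that builds that sudoers line from the domain and the AD group name, so the caret substitution and backslash doubling are done mechanically rather than by hand. The naming rule is the one the post shows; lowercasing the group name follows the post's "domain^admins" and is an assumption about how your Likewise Open version presents group names (compare with `getent group`).

```shell
#!/bin/sh
# Added example, not from the original post: build the sudoers entry for an
# AD group as Likewise Open names it. Spaces become ^ and the backslash is
# doubled for sudoers; lowercasing the group name mirrors the post's
# "domain^admins" and is an assumption about your Likewise version.

# lw_group_name "Domain Admins" -> domain^admins
lw_group_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '^'
}

# lw_sudoers_entry DOMAIN GROUP [SPEC] -> one sudoers line.
# SPEC defaults to the post's "ALL=(ALL) ALL" (unrestricted root); pass a
# narrower spec such as "ALL=(ALL) /usr/sbin/service" for a lesser group.
# The backslash is doubled because sudoers treats one backslash as an escape.
lw_sudoers_entry() {
    printf '%%%s\\\\%s %s\n' "$1" "$(lw_group_name "$2")" "${3:-ALL=(ALL) ALL}"
}

# Usage:
#   lw_sudoers_entry MYDOMAIN "Domain Admins"
#   -> %MYDOMAIN\\domain^admins ALL=(ALL) ALL
# Paste the output into /etc/sudoers with visudo, or syntax-check a
# candidate copy first: visudo -c -f /tmp/sudoers.candidate
```

The optional third argument is there so that groups other than Domain Admins can be given a restricted command list instead of full root.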

Goal #3: Allow Windows Clients in Domain Groups to Access Samba Shares

*** UPDATE *** My friend Chris figured out the plumbing needed to wire Likewise Open up to Samba. Good grief, this was opaque:
http://chrplunk.blogspot.com/2008/06/allow-windows-clients-in-active.html

Now you have to set up your shares. Each share is defined in its own text file under /var/lib/samba/usershares. Create a file in that directory named after the share (e.g. "test") with contents like the following. Be careful: match the spacing and casing exactly, with nothing extra, and **make sure the file name is all lowercase regardless of the casing of the share name**:
#VERSION 2
path=/path/to/shared/folder
comment=
usershare_acl=<Group SID>:<access modifier>
guest_ok=y
For example:
#VERSION 2
path=/testShare
comment=
usershare_acl=S-1-1-0:F
guest_ok=y
To get the SID of the group that will have access (the value for the usershare_acl line), run:
wbinfo -n "DOMAIN\group"
and copy the S-1-... token from its output. (S-1-1-0 is Everyone, so the example above grants everyone full share-level access, and guest_ok=y additionally permits guest connections if smb.conf enables usershare allow guests. For a real share use the group's SID and guest_ok=n.)

The access modifiers after the group SID are as follows:
  • R - read-only
  • F - full access
  • D - deny access
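As an added example (not from the original post), this shell helper writes a usershare definition in the layout shown above and enforces the gotchas the post calls out: exact lines with nothing extra, a validated SID and access modifier, and an all-lowercase file name. The file layout and the default directory are taken from the post; the `wbinfo -n` output format assumed in the usage comment (SID first, then the type) and the absolute-path check are assumptions. Samba's own `net usershare add` and `net usershare info` commands are the supported way to create and inspect these files, and comparing a generated file against `net usershare info NAME` is the quick way to confirm the layout on your Samba version.

```shell
#!/bin/sh
# Added example, not from the original post: write a usershare definition
# in the layout shown above, enforcing exact lines, a validated SID and
# access mode, and a lowercase file name. Layout and default directory
# follow the post; check a generated file with "net usershare info NAME".

# is_sid SID : succeed when SID has the S-1-<authority>-<subauthority>... shape.
is_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# usershare_body PATH SID MODE [GUEST] : print the file contents to stdout.
#   MODE  R (read-only), F (full access) or D (deny)
#   GUEST y or n; defaults to n, because guest_ok=y together with
#         S-1-1-0:F opens the share to anyone who can reach the server
usershare_body() {
    path=$1 sid=$2 mode=$3 guest=${4:-n}
    case "$path" in
        /*) ;;
        *) printf 'path must be absolute: %s\n' "$path" >&2; return 1 ;;
    esac
    is_sid "$sid" || {
        printf 'not a SID: %s (get one with: wbinfo -n "DOMAIN\\group")\n' "$sid" >&2
        return 1
    }
    case "$mode" in
        R|F|D) ;;
        *) printf 'access mode must be R, F or D, not %s\n' "$mode" >&2; return 1 ;;
    esac
    case "$guest" in
        y|n) ;;
        *) printf 'guest_ok must be y or n, not %s\n' "$guest" >&2; return 1 ;;
    esac
    printf '#VERSION 2\npath=%s\ncomment=\nusershare_acl=%s:%s\nguest_ok=%s\n' \
        "$path" "$sid" "$mode" "$guest"
}

# write_usershare NAME PATH SID MODE [GUEST] [DIR] : write the definition as
# DIR/<lowercased NAME> and print the path written. DIR defaults to
# /var/lib/samba/usershares, the location used in the post.
write_usershare() {
    name=$1 dir=${6:-/var/lib/samba/usershares}
    file="$dir/$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
    body=$(usershare_body "$2" "$3" "$4" "${5:-n}") || return 1
    printf '%s\n' "$body" > "$file" || return 1
    printf '%s\n' "$file"
}

# Usage on the server (as root); the wbinfo output format is an assumption:
#   sid=$(wbinfo -n 'MYDOMAIN\share users' | cut -d' ' -f1)
#   write_usershare TestShare /testShare "$sid" F
# creates /var/lib/samba/usershares/testshare granting that group full
# share-level access with guest_ok=n.
```

Share-level access from usershare_acl is only half of the story: the files under path still need filesystem permissions that admit the same users, which is the folder-permission step described next.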
The last thing you need to do is set the permissions on the shared folder itself. I found it easiest to make the folder world-writable, because the server did not seem to resolve my domain group membership when checking filesystem permissions (unlike Samba's share-level ACL, which did). So:
chmod -R 0777 /path/to/shared/folder
Bear in mind that this lets every local account on the server read and write the whole tree, not just the domain group named in the share ACL. If anyone knows how to get group security working at the folder level so it need not be world-writable, I'd appreciate a comment. I tried:
chgrp -R 'DOMAIN\group' /path/to/shared/folder
chmod -R 2770 /path/to/shared/folder
...but I kept getting access denied.

*** UPDATE 2 *** I had to grant read access to everyone on the usershares folder to avoid 'cannot stat' errors for ordinary users (this also lets every local account read the share definitions, which contain only paths and SIDs):
chmod o+r /var/lib/samba/usershares



Original post for this section follows:

Oooh, I haven't managed to get this one to work. I can issue successful commands like the following while logged on to the Ubuntu machine with my domain credentials:

smbclient -k -L //dmsc01
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

So SOMETHING's working, but I can't get remote machines to connect to the shares this server hosts. I've tried the following smb.conf (key lines only):

workgroup = mydomain
security = ads
realm = MYDOMAIN.LOCAL
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /dev/null
template shell = /bin/false
winbind separator = \
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind nested groups = yes

#=====================Shares====================
[tmp]
path = /tmp
browseable = yes
writeable = yes
guest ok = no


All I get when attempting to connect, however, is errors like the following in smbd's per-client log on the server:

[2008/05/05 10:27:14, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(237)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/05/05 10:27:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

(The first line means smbd could not read the machine account password from Samba's own secrets.tdb, which ads_secrets_verify_ticket needs in order to verify the client's Kerberos ticket.)

And from the log.winbindd-idmap:

[2008/05/05 10:25:11, 1] nsswitch/idmap_tdb.c:idmap_tdb_alloc_init(397)
idmap uid range missing or invalid
idmap will be unable to map foreign SIDs
[2008/05/05 10:25:11, 0] nsswitch/idmap.c:idmap_alloc_init(750)
ERROR: Initialization failed for alloc backend, deferred!


Any ideas?