{"id":3968,"date":"2015-12-08T12:00:35","date_gmt":"2015-12-08T12:00:35","guid":{"rendered":"http:\/\/blog.cloudthat.com\/?p=3968"},"modified":"2024-06-25T11:13:08","modified_gmt":"2024-06-25T11:13:08","slug":"integrating-ubuntu-workstation-with-a-windows-active-directory","status":"publish","type":"blog","link":"https:\/\/www.cloudthat.com\/resources\/blog\/integrating-ubuntu-workstation-with-a-windows-active-directory","title":{"rendered":"Integrating Ubuntu workstation with a Windows Active Directory"},"content":{"rendered":"

In my previous blog<\/a>, I have mentioned the process of promoting a windows server as the Domain Controller and the steps to connect a windows workstation under the domain. This blog will explain the similar process of joining an Ubuntu machine in the Windows Active Directory Domain. (Note:<\/b> This Process is applicable only to AWS if you want to perform the same outside AWS use PUBLIC IPs instead of PRIVATE IPs)<\/p>\n

Assuming the provision of a Ubuntu 14.04 client workstation and a Microsoft Windows 2012 R2 base as the domain controller.<\/p>\n

Terms Used:<\/p>\n

ubuntu client name<\/b>: ubuntu<\/p>\n

client IP address<\/b>: 172.0.0.10<\/p>\n

domain name<\/b>: rootdomai.com<\/p>\n

DC IP address<\/b>: 172.0.0.5<\/p>\n

For any machine to be added under the domain, initial step will be to configure the machine to use the domain as the DNS server.<\/p>\n

This is performed by the following steps:<\/p>\n

Step 1: Setting up Host Name <\/b><\/p>\n

Set the hostname for the client workstation for the easy identification by setting the hostname through the command line. Consider the name of the server is \u201cubuntu\u201d and the domain name is \u201crootdomai.com\u201d.<\/p>\n

$ hostname ubuntu.rootdomai.com<\/b><\/p>\n

Step 2: Get Private IP address<\/b><\/p>\n

To identify the private IP address of the client machine, perform the following command:<\/p>\n

$ echo $( ifconfig eth0|grep inet\\ addr|awk ‘{print $2}’|sed -e ‘s\/addr:\/\/g’ )<\/b><\/p>\n

Step 3:\u00a0<\/b>Edit NameServers<\/b><\/p>\n

Configure ubuntu machine to utilize the DNS of the domain. Edit the hosts entry of the client. Provide IP address of the domain controller & the client machine in the hosts file.<\/p>\n

$ vi \/etc\/hosts <\/b><\/p>\n

172.0.0.5\u00a0rootdomai.com<\/b><\/p>\n

172.0.0.10 ubuntu.rootdomai.com ubuntu<\/b><\/p>\n

Step 4: Modify Network Configuration<\/b><\/p>\n

Modify the network interface of the client to identify the dns-domain as the domain of the domain controller. P.S:<\/b> Change the below code with respective IP address as in your setup.<\/p>\n

$ vi \/etc\/network\/interfaces.d\/eth0.cfg <\/b><\/p>\n

auto eth0<\/b><\/p>\n

iface eth0 inet dhcp<\/b><\/p>\n

address 172.0.0.10<\/b><\/p>\n

netmask 255.255.255.0<\/b><\/p>\n

network 172.0.0.0<\/b><\/p>\n

broadcast 172.0.255.255<\/b><\/p>\n

gateway 172.0.0.1<\/b><\/p>\n

dns-nameservers\u00a0172.0.0.5<\/b><\/p>\n

dns-domain rootdomai.com<\/b><\/p>\n

Step 5: Override DNS configuration<\/b><\/p>\n

To modify and override the DNS nameserver to refer the domain of the domain controller, modify the nameserver in the \/etc\/resolv.conf.The search option is to determine the local domain name. Modify the search domain name to the desired domain search path.<\/p>\n

$ vi \/etc\/resolv.conf<\/b><\/p>\n

nameserver\u00a0172.0.0.5<\/b><\/p>\n

search rootdomai.com<\/b><\/p>\n

Step 6: Verify the Client-Server Connection<\/b><\/p>\n

To verify if the ubuntu client is referring to the domain of the domain controller, perform the below command in the cli. This results in the response from the domain controller as follows:<\/p>\n

$ host -t srv _kerberos._tcp.rootdomai.com<\/b><\/p>\n

_kerberos._tcp.rootdomai.com has SRV record 0 100 88 dc01.rootdomai.com<\/p>\n

Step 7: Verify hostname of Client<\/b>
\n<\/b>Verify the hostname of the ubuntu client before proceeding with the configuration. The following command will display the hostname of the client.<\/p>\n

$ hostname -f<\/b><\/p>\n

ubuntu.rootdomai.com<\/p>\n

The real game starts with the installation of Samba in the ubuntu machine. Samba installation provisions the capability to connect the Ubuntu servers with the Windows machine.<\/p>\n

The core functionality of Samba is to enable client-server networking for file sharing. This also provides the ability for sharing a printer and associated operations. In addition to this, Samba allows the interaction of Linux clients with Windows, to allow authentication by using Active Directory.<\/p>\n

Kerberos is a network authentication protocol. It is designed with the need to provide strong authentication for client\/server applications by using secret-key cryptography.<\/p>\n

Winbind is a component of the Samba suite of programs that solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine.<\/p>\n

With the PAM configuration you can access the ubuntu client with local accounts or with domain accounts. On the first login of a domain user a home directory will be created.<\/p>\n

Step 8: Install requisites to use Domain Credentials<\/b><\/p>\n

Install samba, winbind, pam and kerberos in the ubuntu client with the following command:<\/p>\n

$ apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user<\/b><\/p>\n

Accept all the dependencies that are required with the above packages.<\/p>\n

Step 9: Setup Kerberos <\/b><\/p>\n

The Kerberos authentication has to be configured to use Active Directory as KDC. The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).<\/p>\n

Replace the krb5.conf file with appropriate domain specifications.<\/p>\n

The default domain in the [libdefaults] section of the \/etc\/krb5.conf file should denote the Active Directory realm, and then as a KDC in the [realms] section. The [domain_realm] section should define the Active Directory domain.<\/p>\n

$ vi \/etc\/krb5.conf<\/b><\/p>\n

[libdefaults]<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0default_realm = ROOTDOMAI.COM<\/b><\/p>\n

# The following krb5.conf variables are only for MIT Kerberos.<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0krb4_config = \/etc\/krb.conf<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0krb4_realms = \/etc\/krb.realms<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0kdc_timesync = 1<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ccache_type = 4<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0forwardable = true<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0proxiable = true<\/b><\/p>\n

# The following libdefaults parameters are only for Heimdal Kerberos.<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0v4_instance_resolve = false<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0v4_name_convert = {<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0host = {<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0rcmd = host<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ftp = ftp<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0plain = {<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0something = something-else<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fcc-mit-ticketflags = true<\/b><\/p>\n

 <\/p>\n

[realms]<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ROOTDOMAI.COM = {<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0kdc = ROOTDOMAI.COM:88<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0default_domain = ROOTDOMAI.COM<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/b><\/p>\n

 <\/p>\n

[domain_realm]<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0.ROOTDOMAI.COM= ROOTDOMAI.COM<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ROOTDOMAI.COM = ROOTDOMAI.COM<\/b><\/p>\n

 <\/p>\n

[appdefaults]<\/b><\/p>\n

pam = {<\/b><\/p>\n

\u00a0debug = false<\/b><\/p>\n

\u00a0ticket_lifetime = 36000<\/b><\/p>\n

\u00a0renew_lifetime = 36000<\/b><\/p>\n

\u00a0forwardable = true<\/b><\/p>\n

\u00a0krb4_convert = false<\/b><\/p>\n

}<\/b><\/p>\n

 <\/p>\n

[login]<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0krb4_convert = false<\/b><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0krb4_get_tickets = false<\/b><\/p>\n

 <\/p>\n

[logging]<\/b><\/p>\n

default = FILE:\/var\/log\/krb5libs.log<\/b><\/p>\n

kdc = FILE:\/var\/log\/krb5kdc.log<\/b><\/p>\n

admin_server = FILE:\/var\/log\/kadmind.log<\/b><\/p>\n

The domain names are case-sensitive and hence the realms are advised to be mentioned in capital letters. Save and exit the krb5.conf file.<\/p>\n

Step 10:\u00a0<\/b>Verify the setup<\/b><\/p>\n

To verify the setup, perform the test with an user (eg: cloudthat) in the Kerbs realm of ROOTDOMAI.COM controlled by the server at rootdoami.com. The following command must prompt for the password of that user.<\/p>\n

$ kinit cloudthat@ROOTDOMAI.COM<\/b><\/p>\n

Password for cloudthat@ROOTDOMAI.COM<\/b><\/a>:<\/b><\/p>\n

If this step throws an error message of any kind, be sure your DC is online and reachable at the specified address and port is opened to the ubuntu client and also assure that the username exists in the directory.<\/p>\n

Step 11: Configure Samba<\/b><\/p>\n

The important step is to configure the Samba server to join with the Active Directory domain. Modify the [global] section in the configuration file at \/etc\/samba\/smb.conf with the domain details as given below:<\/p>\n

$ vi \/etc\/samba\/smb.conf<\/b><\/p>\n

\u00a0\u00a0[global]<\/b><\/p>\n

\u00a0\u00a0netbios name = ubuntu<\/b><\/p>\n

\u00a0\u00a0workgroup = ROOTDOMAI<\/b><\/p>\n

\u00a0\u00a0security = ADS<\/b><\/p>\n

\u00a0\u00a0realm = ROOTDOMAI.COM<\/b><\/p>\n

\u00a0\u00a0encrypt passwords = yes<\/b><\/p>\n

 <\/p>\n

\u00a0\u00a0idmap config *:backend = rid<\/b><\/p>\n

\u00a0\u00a0idmap config *:range = 5000-100000<\/b><\/p>\n

 <\/p>\n

\u00a0\u00a0winbind allow trusted domains = no<\/b><\/p>\n

\u00a0\u00a0winbind trusted domains only = no<\/b><\/p>\n

\u00a0\u00a0winbind use default domain = yes<\/b><\/p>\n

\u00a0\u00a0winbind enum users \u00a0= yes<\/b><\/p>\n

\u00a0\u00a0winbind enum groups = yes<\/b><\/p>\n

\u00a0\u00a0winbind refresh tickets = yes<\/b><\/p>\n

\u00a0\u00a0template shell = \/bin\/bash<\/b><\/p>\n

 <\/p>\n

ads<\/b> configures the local Samba server(ubuntu client) as a domain member within an Active Directory domain. It also enables support for the internal usage of LDAP queries and Kerberos authentication.<\/p>\n

netbios name <\/b>is the name of the ubuntu client<\/p>\n

workgroup <\/b>is the Samba workgroup.<\/p>\n

realm <\/b>is the name of the Active Directory Kerberos realm.<\/p>\n

Step 12: Configure NSS<\/b><\/p>\n

Configure nss to make domain accounts locally available. NSS settings are configured in the \/etc\/nsswitch.conf file. Just add winbind in the passwd and group section as follows:<\/p>\n

$ vi \/etc\/nsswitch.conf<\/b><\/p>\n

passwd: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0compat winbind<\/b><\/p>\n

group: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0compat winbind<\/b><\/p>\n

shadow: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0compat<\/b><\/p>\n

 <\/p>\n

hosts: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0files dns<\/b><\/p>\n

networks: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0files<\/b><\/p>\n

 <\/p>\n

protocols: \u00a0\u00a0\u00a0\u00a0\u00a0db files<\/b><\/p>\n

services: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0db files<\/b><\/p>\n

ethers: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0db files<\/b><\/p>\n

rpc: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0db files<\/b><\/p>\n

netgroup: \u00a0\u00a0\u00a0\u00a0\u00a0nis<\/b><\/p>\n

 <\/p>\n

Step 13: Enable Password Based Authentication<\/b><\/p>\n

Another important task is to enable password authentication to the ubuntu client. This can be obtained by enabling password authentication <\/b>as yes <\/b>in the sshd_config file.<\/p>\n

$ vi \/etc\/ssh\/sshd_config <\/b><\/p>\n

password authentication yes<\/b><\/p>\n

Restart the sshd service by the command,<\/p>\n

$ service ssh restart<\/b><\/p>\n

Step 14: Finalising Ubuntu – Domain Connection<\/b><\/p>\n

Now to join the ubuntu client with the Windows domain controller, perform the follwing step:<\/p>\n

$ net ads join -k<\/b><\/p>\n

This step might provide a DNS error along with a successful domain joining message. This denotes that the ubuntu client is now a part of the domain.<\/p>\n

Step 15: Prepare to Login Using Domain Creds<\/b><\/p>\n

When the client is added under the domain, restart the following services in the ubuntu client to enable the smooth flow of all the services. Follow the below commands to restart the services:<\/p>\n

$ service winbind restart<\/b><\/p>\n

$ service nmbd restart<\/b><\/p>\n

$ service smbd restart<\/b><\/p>\n

Step 16: Verify Client<\/b><\/p>\n

Verify the winbind setup and if the ubuntu client is a part of the domain, perform the below commands to get a list of the domain users and groups from the domain controller.<\/p>\n

$ wbinfo -u<\/b><\/p>\n

This command provides the list of users in the domain.<\/p>\n

$ wbinfo -g<\/b><\/p>\n

This command displays the list of groups in the domain to which the users are included.<\/p>\n

$ getent passwd<\/b><\/p>\n

This command gets the entries from the passwd file to display the details of the users in the domain.<\/p>\n

$ getent group<\/b><\/p>\n

This command gets the entries from the group file to display the details of the groups in the domain.<\/p>\n

To identify the details of the existing individual user in a domain, perform the below command:<\/p>\n

$ wbinfo -i cloudthat<\/b><\/p>\n

Step 17: Update PAM<\/b><\/p>\n

This configuration allows to access the ubuntu client with the local and domain credentials. Run the following command to configure the PAM(what is PAM?<\/i>) in the ubuntu client.<\/p>\n

$ sudo pam-auth-update<\/b><\/p>\n

Ensure the configuration is set up with the Winbind NT\/Active Directory enabled.<\/p>\n

Step 18: <\/b>\u00a0Configure PAM<\/b><\/p>\n

PAM by default does not create new home directories, so to append to your PAM configuration, use the following command:<\/p>\n

$ echo ‘session required pam_mkhomedir.so skel=\/etc\/skel umask=0022’ >> \/etc\/pam.d\/common-account<\/b><\/p>\n

Step 19: Verify Domain Creds<\/b><\/p>\n

Verification of the access to the ubuntu client with domain credentials.<\/p>\n

$ login<\/b><\/p>\n

$ ubuntu login: cloudthat<\/b><\/p>\n

$ Password:<\/b><\/p>\n

Enter the credentials for the domain users to authenticate and perform the login process of ubuntu client with the Windows domain users.<\/p>\n

cloudthat@UBUNTU:~$ pwd<\/b><\/p>\n

\/home\/UBUNTU\/cloudthat<\/b>
\n<\/b>cloudthat@Ubuntu:~$<\/b><\/p>\n

The separate home directory will be created and we are successful in logging into the ubuntu client with the domain credentials.<\/p>\n

The ubuntu machine is successfully connected under the domain and it is accessible with the domain credentials. The local credentials also works fine to access the server. Have a great control over the Ubuntu machine with a Windows Active Directory.<\/p>\n

This is the method we used for integrating ubuntu workstations under a Windows Active Directory for few of our clients. Kindly visit our consulting site\u00a0here<\/a>, to gather more information & guidance for the consulting projects.<\/p>\n

Thank you for reading, I hope the blog helped you, for any queries please feel free to comment below. You can also post your questions on <\/b>forum.cloudthat.com<\/b><\/a>.<\/b><\/p>\n","protected":false},"author":219,"featured_media":0,"parent":0,"comment_status":"open","ping_status":"open","template":"","blog_category":[3607],"user_email":"prarthitm@cloudthat.com","published_by":"324","primary-authors":"","secondary-authors":"","acf":[],"_links":{"self":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/3968"}],"collection":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/users\/219"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/comments?post=3968"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/3968\/revisions"}],"predecessor-version":[{"id":45630,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/3968\/revisions\/45630"}],"wp:attachment":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/media?parent=3968"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog_category?post=3968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}