Gentoo Forums - Networking & Security
Seems fixed: Join Active Directory domain using Samba/Winbind
keet (Guru, joined 09 Sep 2008, 529 posts)
Posted: Thu Oct 29, 2015 11:52 pm    Post subject: Seems fixed: Join Active Directory domain using Samba/Winbind

Does anyone here have experience joining Gentoo to a Windows Active Directory domain? I have a home server running Windows Server 2012, acting as the domain controller. Let's say that the domain is called GREYCAT.LOCAL. I am trying the Samba/Winbind method.

It seems to be partly working:

Code:

sudo net ads join -U myusername
Password:
Ignoring unknown parameter "winbind offline login"
Enter myusername's password:
Using short domain name -- GREYCAT
Joined 'LAPTOP' to dns domain 'greycat.local'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!


'wbinfo -u' shows a list of domain users.

However, no one can log into my Linux laptop using domain credentials. It is working fine on the Windows computers (or the same laptop if I reboot into Windows).

Does anyone here know how to make it work properly?

/etc/krb5.conf

Code:

[libdefaults]
   default_realm = GREYCAT.LOCAL
   dns_lookup_realm = false
   dns_lookup_kdc = false
   forwardable = true

#   kdc_timesync = 1
#   ccache_type = 4
#   proxiable = true
#   fcc-mit-ticketflags = true
#   default_keytab_name = FILE:/etc/krb5.keytab
#   default_tkt_enctypes = aes256-cts-hmac-sha1-96

[realms]
   GREYCAT.LOCAL = {
      kdc = ipaddressofdomaincontroller
      admin_server = ipaddressofdomaincontroller
      default_domain = GREYCAT.LOCAL
   }

[domain_realm]
   .greycat.local = GREYCAT.LOCAL
   greycat.local = GREYCAT.LOCAL

#[login]
#   krb4_convert = true
#   krb4_get_tickets = false

[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log



/etc/samba/smb.conf (and smb2.conf)

Code:

[global]
   workgroup = GREYCAT
   password server = ipaddressofdomaincontroller
   realm = GREYCAT.LOCAL
   security = ads
   # uid/gid range winbind may hand out to domain accounts
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   # The parameter is spelled "winbind offline logon"; "winbind offline login"
   # is what produced the "Ignoring unknown parameter" warning in the join output.
   winbind offline logon = true

   kerberos method = secrets and keytab
   winbind refresh tickets = true

   server string = dd Samba Server Version %v
   netbios name = LAPTOP
   log file = /var/log/samba/log.%m
   max log size = 50
   passdb backend = tdbsam
   encrypt passwords = yes

#   winbind enum groups = yes
#   winbind enum users = yes

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes


/etc/security/pam_winbind.conf

Code:

(censored)
krb5_auth = yes
krb5_ccache_type = FILE
(censored)


/etc/pam.d/system-auth

Code:

#%PAM-1.0
# $Id$

# auth: ask the domain (winbind) first, then local /etc/shadow with the same password
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so

# password: only local accounts are changed here; "md5" is a weak hash for
# /etc/shadow, sha512 is the usual choice on current systems
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

# session: umask=0022 makes newly created home directories mode 0755 (world-readable)
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so


/etc/pam.d/samba

Code:

#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
#    (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth       required     pam_smbpass.so nodelay
account    include      system-auth
session    include      system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf


Edit: I might have fixed it. I set this laptop to use the same hostname in Windows and in Linux. I had also not configured /etc/hosts properly, I think; I had '127.0.0.1 localhost...', so I changed my hostname to 'laptop_gentoo' and in /etc/hosts '127.0.0.1 laptop_gentoo.greycat laptop_gentoo'. Now, it seems to be working properly; I can log into my Linux laptop using accounts that I made on my Windows domain controller.
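The fix in the edit above comes down to three things being consistent before `net ads join`: the hostname must resolve to its FQDN in the AD DNS domain (a hosts file that only says `127.0.0.1 localhost` does not do that), the name must be a legal DNS label short enough to double as the NetBIOS name, and the realm must be spelled identically, in upper case, in smb.conf and krb5.conf. The script below is an added example, not code from the post or from Samba: it runs those checks against config files passed as arguments. The file paths, the host name `laptop` and the address 192.0.2.10 in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# things that bit the poster before "net ads join" started working. The file
# paths, the host name "laptop" and the address 192.0.2.10 in the demo are
# assumptions.

# get_param FILE KEY: value of the first "KEY = value" line (ini style).
get_param() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# check_label NAME: RFC 1123 host label (letters, digits, hyphen; no leading
# or trailing hyphen) of at most 15 characters, the NetBIOS name limit.
check_label() {
    case "$1" in
        "" | *[!A-Za-z0-9-]* | -* | *-) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# check_hosts HOSTSFILE NAME DNSDOMAIN: some uncommented line maps NAME.DNSDOMAIN.
check_hosts() {
    fqdn=$(printf '%s.%s' "$2" "$3" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" | grep -qiE "[[:space:]]$fqdn([[:space:]]|\$)"
}

# check_realm SMBCONF KRB5CONF: "realm" and "default_realm" agree and are upper case.
check_realm() {
    smb_realm=$(get_param "$1" realm)
    krb_realm=$(get_param "$2" default_realm)
    upper=$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] && [ "$smb_realm" = "$upper" ]
}

# run_check CMD ARGS...: run one check, print a verdict, count failures.
run_check() {
    if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fails=$((fails + 1)); fi
}

# preflight HOSTSFILE SMBCONF KRB5CONF: run all checks; the exit status is the
# number of failures, so 0 means "ready to try net ads join".
preflight() {
    fails=0
    name=$(get_param "$2" "netbios name")
    [ -n "$name" ] || name=$(hostname | cut -d. -f1)   # Samba's default netbios name
    domain=$(get_param "$3" default_realm | tr '[:upper:]' '[:lower:]')
    run_check check_label "$name"
    run_check check_hosts "$1" "$name" "$domain"
    run_check check_realm "$2" "$3"
    return "$fails"
}

# Demo on constructed files: a hosts file like the one posted, then a fixed one.
demo=$(mktemp -d)
printf '[global]\n   realm = GREYCAT.LOCAL\n   security = ads\n   netbios name = LAPTOP\n' > "$demo/smb.conf"
printf '[libdefaults]\n   default_realm = GREYCAT.LOCAL\n' > "$demo/krb5.conf"
printf '127.0.0.1 localhost\n' > "$demo/hosts.before"
printf '127.0.0.1 localhost\n192.0.2.10 laptop.greycat.local laptop\n' > "$demo/hosts.after"
echo "--- hosts as posted"; preflight "$demo/hosts.before" "$demo/smb.conf" "$demo/krb5.conf" || true
echo "--- hosts fixed";     preflight "$demo/hosts.after"  "$demo/smb.conf" "$demo/krb5.conf" || true
rm -rf "$demo"
```

Two things the script cannot check offline still matter: Kerberos rejects tickets when the clock differs from the DC by more than five minutes, so sync time before joining, and after the join `wbinfo -t` verifies the machine trust account actually works before you touch PAM.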
keet
Posted: Fri Oct 30, 2015 8:54 pm

It is working more or less well. When users log in, their home directories are readable by all and owned by 'users:domain users' by default. I needed to add 'auth sufficient pam_winbind.so' to /etc/pam.d/lightdm for lightdm to work with domain credentials.
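The world-readable home directories follow from the `umask=0022` on the pam_mkhomedir line in the system-auth posted above: 0777 masked by 0022 is 0755. Changing that line to `session required pam_mkhomedir.so skel=/etc/skel/ umask=0077` makes new homes 0700; the directories that already exist have to be fixed by hand. The script below is an added example, not from the post: it lists the direct subdirectories of a given parent that group or others can read, write or traverse, and tightens them to 0700. The demo runs in a temporary directory with constructed entries, not in /home, and `-mindepth`/`-maxdepth` are GNU and BSD find extensions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit and tighten home
# directories that pam_mkhomedir created world-readable (umask=0022 -> 0755).
# Takes the parent directory as an argument; the demo at the end uses a
# temporary directory with constructed entries rather than /home.

# list_open_homes DIR: direct subdirectories of DIR that group or others can
# read, write or traverse, one per line, sorted.
list_open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -g+r -o -perm -g+w -o -perm -g+x \
           -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print | sort
}

# lock_down_homes DIR: chmod 0700 every open home under DIR and print each one
# changed. Run as root on a real system; ownership is left as it is.
lock_down_homes() {
    list_open_homes "$1" | while IFS= read -r d; do
        chmod 0700 "$d" && printf 'fixed %s\n' "$d"
    done
}

# Demo on a constructed tree.
demo=$(mktemp -d)
mkdir -m 0755 "$demo/alice"   # what umask=0022 produces
mkdir -m 0750 "$demo/carol"   # group-readable only
mkdir -m 0700 "$demo/bob"     # already private
echo "open before:"; list_open_homes "$demo"
lock_down_homes "$demo"
echo "open after:";  list_open_homes "$demo"
rm -rf "$demo"
```

Run it against /home as root once after changing the umask; anything below the top level (a shared `public_html`, for instance) is untouched, since only the home directory itself is chmod'ed.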