Note: this article provides configuration help for a version of Ubuntu that will soon be deprecated. To configure the latest version of Ubuntu, please read Ubuntu 11.10 - Logging into Active Directory
The first thing we need to do is install the Kerberos and LDAP modules that we'll need. Open a terminal window and gain root permissions by typing sudo bash, then install the packages:
apt-get install krb5-user
apt-get install libpam-krb5
apt-get install libnss-ldap
After installing the modules, we can begin configuring Kerberos and LDAP. Let's start with Kerberos. With our terminal window still open with root access, edit the Kerberos configuration file by typing: vi /etc/krb5.conf and configure the file as shown below:
Edit the LDAP configuration file by typing vi /etc/ldap.conf and configure the file as shown below:
You will need to change the following to suit your environment:
- base: this is the distinguished name of your domain
- uri: these should be valid DNS names of your domain controllers
- binddn: this should be the distinguished name of a user account in your AD that you will use to connect to AD. The user requires no special privileges.
- bindpw: this is the password of the binddn account.
- pam_groupdn: this is the distinguished name of the AD group that users must be a member of in order to log on to this Ubuntu machine. If you want all users to be able to log on, comment out this line by placing a # at the beginning of the line.
- nss_initgroups_ignoreusers: add any local Ubuntu accounts to this list to avoid doing LDAP lookups when these users log on.
To tell Ubuntu to use LDAP to find user accounts, we need to edit the configuration of NSS, the name service switch module, to use both LDAP and the local user database. Type vi /etc/nsswitch.conf and configure the file as shown:
As you can see, we've added ldap to the passwd, group, shadow, and netgroup entries. Now we can test our LDAP configuration, but first we need to discuss the Active Directory user accounts that we'll use to log on to Ubuntu.
Active Directory User Configuration
In order to use AD users to log on to Ubuntu, the users must have the uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined in AD. NSS will then be able to retrieve these attributes when the user logs on to Ubuntu. I'll post tools to set these attributes in AD, but in the meantime you can use ADSIEDIT to set them.
Testing your LDAP and NSS Configuration
Once you have AD users with the required attributes, and you've performed the configurations above, you can test whether AD users appear in the user list. To do this, type getent passwd. You should see both local Ubuntu users and any AD users that have the necessary attributes. If you don't see AD users, recheck the files edited above for mistakes.
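As an added check for the ldap.conf, nsswitch.conf and getent steps above (an example script, not from the article; the file paths, account names and bind password are constructed), this verifies the nsswitch entries, separates the LDAP accounts from local ones and flags missing AD attributes, and reports a bindpw that every local user can read:

```shell
#!/bin/sh
# Added example, not from the article: sanity checks for the ldap.conf,
# nsswitch.conf and "getent passwd" steps. Paths and sample data are assumptions.

# Each database the article adds "ldap" to must actually list it.
nss_has_ldap() {            # $1 = path to an nsswitch.conf; returns 0 if all present
    missing=""
    for db in passwd group shadow netgroup; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || missing="$missing $db"
    done
    [ -z "$missing" ] && return 0
    echo "nsswitch.conf: no ldap source for:$missing" >&2
    return 1
}

# Accounts that came from LDAP (in the getent output but not in the local
# passwd file). An empty home or shell means uidNumber/gidNumber are set in AD
# but unixHomeDirectory/loginShell are not, so the logon will still fail.
ldap_users() {              # $1 = local passwd file, $2 = saved "getent passwd" output
    awk -F: 'NR == FNR { local[$1] = 1; next }
             !($1 in local) {
                 flag = ($6 == "" || $7 == "") ? " MISSING-ATTR" : ""
                 print $1 ":" $3 ":" $4 ":" $6 ":" $7 flag
             }' "$1" "$2"
}

# bindpw is the cleartext password of the AD bind account, and nss_ldap needs
# ldap.conf readable by every process that resolves names, so a bindpw in a
# world-readable file is readable by every local user. Returns 0 (true) when
# that is the case; the fix is rootbinddn plus /etc/ldap.secret (mode 600).
bindpw_exposed() {          # $1 = path to an ldap.conf
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ $((perms % 10 & 4)) -ne 0 ]     # other-read bit of the mode
}

# Constructed sample files standing in for the real ones on a host.
make_samples() {            # $1 = directory to write into
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nnetgroup: nis\n' > "$1/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash\n' > "$1/passwd"
    cp "$1/passwd" "$1/getent"          # getent repeats the local users first...
    printf 'alice:*:10001:10000::/home/alice:/bin/bash\ncarol:*:10002:10000:::\n' >> "$1/getent"   # ...then the LDAP ones
    printf 'base dc=example,dc=com\nbinddn cn=ldapbind,cn=Users,dc=example,dc=com\nbindpw S3cret\n' > "$1/ldap.conf"
    chmod 644 "$1/ldap.conf"
}
dir=$(mktemp -d) && make_samples "$dir"
nss_has_ldap "$dir/nsswitch.conf" || echo "fix nsswitch.conf before trusting getent" >&2
ldap_users "$dir/passwd" "$dir/getent"
bindpw_exposed "$dir/ldap.conf" && echo "ldap.conf: bindpw is world-readable" >&2
rm -rf "$dir"
```

On a real host, call the functions with /etc/nsswitch.conf, /etc/passwd, a file holding the output of getent passwd, and /etc/ldap.conf.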
Adding Kerberos and LDAP to PAM
PAM (Pluggable Authentication Modules) controls which authentication methods are used when a user attempts to log on to Ubuntu. We need to add Kerberos and LDAP to the list of methods PAM will use. In Ubuntu, this is pretty easy. Type pam-auth-update and make sure Kerberos and LDAP are selected, as well as everything else in the list, then select OK.
This will mostly configure PAM correctly, however we need to add one line to the configuration. Type vi /etc/pam.d/common-session and add the following line to the configuration:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
This tells PAM to create the user's home directory automatically when they first log on.
Now you should be able to log onto Ubuntu using an Active Directory user, assuming that the user has the required attributes set, and is a member of the group specified in pam_groupdn in ldap.conf if one is specified. After logon, open a terminal window and type klist to verify that you automatically got a Kerberos ticket from Active Directory. This will allow you to connect to Windows file shares without being prompted for credentials.
Configuring Ubuntu as a Windows File Server
Often the point of configuring Active Directory authentication for Ubuntu is to use Ubuntu as a file server for Windows users. To do this we'll install Samba, the SMB file-sharing service. To install Samba, type apt-get install samba, then edit the configuration by typing vi /etc/samba/smb.conf. Configure the file as shown below:
Now we need to join the Ubuntu machine to Active Directory. To do this, type net ads join -U myuser@myrealm and enter your password when prompted. The user must have the right to join computers to Active Directory. A known bug may report that the join failed even when it succeeded. To verify the join, look in the Computers container in Active Directory for a computer account with the name of the Ubuntu host. If it exists, the join was successful.
Now you can create a file share. Let's create a /temp directory and share it to Windows users. Create the directory by typing mkdir /temp, then set the permissions so everyone has access by typing chmod 777 /temp. Next, edit the Samba configuration to add the directory as a file share by typing vi /etc/samba/smb.conf and add the following lines to the end of the file:
After editing the file, restart Samba by typing /etc/init.d/samba restart
Now, from a Windows machine logged on as an AD user with the correct attributes and group membership, click Start, click Run, type \\ubuntuhostname\temp and click OK. A window should open to the share, and you should be authenticated automatically via Kerberos. Any files or folders you create in the share will be set with the correct permissions, using your UID and GID from Active Directory.
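As an added check for the smb.conf and share steps above (an example script, not from the article; the sample smb.conf, directories and realm are constructed), this flattens smb.conf, confirms the global section puts Samba in AD mode with a realm, and lists each share's path, flagging a directory that is world-writable without the sticky bit, which chmod 777 produces and which lets any user delete other users' files in the share (chmod 1777 keeps the everyone-can-write intent without that):

```shell
#!/bin/sh
# Added example, not from the article: checks for the smb.conf and share
# steps. File paths and the sample smb.conf are assumptions.

# Flatten smb.conf into "section<TAB>key<TAB>value" lines: comments and
# blank lines dropped, section and key lower-cased, whitespace trimmed.
smb_flatten() {             # $1 = path to an smb.conf
    sed 's/[;#].*//' "$1" | awk '
        /^[[:space:]]*\[/ { gsub(/\[|\]|[[:space:]]/, ""); sec = tolower($0); next }
        /=/ { k = $0; v = $0; sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)
              gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
              if (k != "") print sec "\t" tolower(k) "\t" v }'
}

# The global section must set security = ads and name the realm.
smb_is_ads() {              # $1 = path to an smb.conf; returns 0 if both are set
    smb_flatten "$1" | awk -F'\t' '$1 == "global" && $2 == "security" && tolower($3) == "ads" { s = 1 }
                                   $1 == "global" && $2 == "realm" && $3 != "" { r = 1 }
                                   END { exit !(s && r) }'
}

# One line per share: name, path, and a flag when the directory is missing or
# is world-writable without the sticky bit (mode 777 as in the article).
share_paths() {             # $1 = path to an smb.conf
    smb_flatten "$1" | awk -F'\t' '$1 != "global" && $2 == "path" { print $1 "\t" $3 }' |
    while IFS="$(printf '\t')" read -r share path; do
        mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path" 2>/dev/null) || mode=""
        if [ -z "$mode" ]; then flag=" MISSING-DIR"
        elif [ $((mode % 10 & 2)) -ne 0 ] && [ $((mode / 1000 & 1)) -eq 0 ]; then flag=" WORLD-WRITABLE-NO-STICKY"
        else flag=""; fi
        echo "$share $path$flag"
    done
}

# Demo on a constructed smb.conf and two directories (sample data, not a real host).
d=$(mktemp -d); mkdir "$d/temp" "$d/pub"; chmod 777 "$d/temp"; chmod 1777 "$d/pub"
printf '[global]\n   security = ADS\n   realm = EXAMPLE.COM\n[temp]\n   path = %s/temp\n   writable = yes\n[pub]\n   path = %s/pub\n' "$d" "$d" > "$d/smb.conf"
smb_is_ads "$d/smb.conf" && echo "smb.conf: security = ads and realm are set"
share_paths "$d/smb.conf"
rm -rf "$d"
```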
If you run into trouble during this process, try getting your Ubuntu machine up to date by typing apt-get upgrade, which updates your machine for your current Ubuntu kernel, or apt-get dist-upgrade, which also moves you to the latest kernel. Good luck!