UPDATE: I discovered a ubuntu package called “likewise-open” that handles the AD integration very easily.

At work, we run a mostly Windows network — most people spend their day logged into a workstation on our Windows domain.

We have some random unix servers around, and people with accounts on said servers have to maintain credentials in as many places as they have unix accounts. Being on the network team, I have access to many unix machines, such as firewalls, dev boxes, production servers, etc. A couple years ago, I wrote a script to help me change my password, so that when I changed my password, I’d be able to change it everywhere. Currently, there are 12 machines that the script logs into for me. One advantage of this system is that I get a lot of practice typing new passwords, and haven’t ever forgotten the new password. Among the obvious disadvantages of this arrangement is that it’s easy for a change to go unnoticed, which leaves stale passwords in new machines and makes me have to wait for network timeouts when old machines get turned off.

So, enter a new virtual unix machine I’m setting up. I’d really like to integrate it with ActiveDirectory. It’s really time for SSO. It’s way past time, in fact.

My distro of choice is ubuntu. The latest release available is 8.10 (beta). In the rest of this post, I’ll cover getting Ubuntu installed in a virtual machine in Microsoft’s Virtual PC, and how to get said virtual machine onto the domain.

Step 1 is installing Ubuntu into a VM. This is already documented by corey-m in a post titled “Installing Ubuntu Server 8.04 Hardy in Microsoft Virtual PC 2007.” The only thing I did differently was, towards the end, to edit the grub configuration while I was in the recovery console. This removed the need to change boot params during boot.

NOTE: If you install on Hyper-V, you don’t need “noreplace-paravirt”, and, in fact, that option seems to slow the VM down quite a bit.

Step 2 is hooking into AD. For this, I started with a HOWTO on using Winbind to authenticate to Active Directory, from ubuntu’s community wiki. I deviated a bit from the steps listed, so I’ll include the full details here. I am definitely not an expert on the intricacies of samba or AD, so some of this may be cargo cult cruft; apologies if I make you do a bunch of pointless stuff.

The basic steps will be:

  • Install and configure KRB5.
  • Install and configure Samba.
  • Configure PAM.
  • Configure sudo.

Install KRB5

Ensure that /etc/hostname and /etc/hosts (and DNS, if applicable) agree on what your hostname is. hostname –fqd should show the same thing.

sudo apt-get install krb5-user libpam-krb5 krb5-config libkadm55

You’ll be prompted for the kerberos server names. Use your domain controllers’ names.

After installing, I edited /etc/krb5.conf and removed all the extra domains and added DNS mappings in the [domain_realm] section for my domain.

To test, do kinit <username>. You’ll be prompted for your password. Assuming it succeeds, klist will show a ticket. If it fails and says “Client not found in Kerberos database while getting initial credentials”, then kerberos couldn’t find your username. If it says, “Preauthentication failed while getting initial credentials”, then your password is wrong.

Install and configure Samba

sudo apt-get install winbind samba

Replace /etc/samba/smb.conf with this, customized for your network:

[global]
  workgroup = MYDOMAIN
  netbios name = MYMACHINE

  winbind refresh tickets = yes
  idmap domains = MYDOMAIN
  idmap config MYDOMAIN:backend = rid
  idmap config MYDOMAIN:range   = 10000-99999

  winbind enum users = yes
  winbind enum groups = yes

  template homedir = /home/%D/%U
  template shell = /bin/bash

  security = ads
  encrypt passwords = yes
  realm = MY.KERBEROS.COM

Note the lack of spaces around the idmap range. The version of samba in 8.10beta fails to parse the range if there are spaces (e.g. “1000 – 2000”).

One of the things that is different from the HOWTO is the idmap configuration. The default idmap implementation does a simple mapping of SIDs to unix IDs… the first user that logs in will be 10000, the second 10001, etc. If the users log into another server in a different order, they’ll get different user ids. The rid backend provides a deterministic mapping, so it’s only important that the ranges are the same on each unix server. There is an ad backend that uses IDs stored in ActiveDirectory by SFU, if you’ve got that installed.

After modifying smb.conf, restart samba and winbind.

sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Join the domain.

sudo net ads join -U <AD account>

Restart samba again. Run wbinfo -u, and you should see a list of users from Active Directory. If not, something is broken.

Configure PAM

Edit /etc/nsswitch.conf and change the lines that look like this

passwd: compat
group: compat

to look like this

passwd: compat winbind
group: compat winbind

Now run sudo getent passwd and you should see the normal /etc/passwd entries, followed by passwd entries for the domain users.

On Ubuntu 8.10, there’s a new auto-configuration tool for PAM, pam-auth-update. If you don’t have pam-auth-update, you should probably just modify your pam configuration as per the HOWTO, rather than using the following configuration for PAM.

If you’re using the new PAM, create the file /usr/share/pam-configs/winbind with the following contents:

Name: Active Directory via Winbind
Default: yes
Priority: 500
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE
Account-Type: Primary
Account:
        [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
        required        pam_mkhomedir.so umask=0022 skel=/etc/skel

The krb5_auth options aren’t required, so leave them off if you have no use for kerberos.

Now run sudo pam-auth-update to push the configuration to /etc/pam.d. Test that you can log in as a domain user (e.g. ssh -l DOMAIN\\user localhost). Test that you can log in as a regular user.

Configure sudo

Presumably, you’ll be basically ignoring your local passwd file from now on, so you’ll want the AD-backed users to be able to use sudo to do admin-ish things.

sudo vi sudoers

Edit appropriately. For example, I added the following line.

%DOMAIN\\Domain\ Admins ALL=(ALL) ALL

Now you’re set up with AD accounts on Ubuntu 8.10. In the future, I’m planning to add a rails application with a SQL Server database behind it, so there may be more in the future for this post.