1. At the GRUB boot prompt, press e to enter edit mode.
2. Press the down arrow to reach the line that starts with kernel and press e again.
3. At the end of this line, type init=/bin/sh.
4. Press Enter to save the change, then press b to boot; in a few seconds you will be at a # prompt.
5. Remount the root file system in read-write mode:
mount -o remount,rw /
6. Finally, run the passwd command to change the password.
7. Reboot and log in with the new password.
Monday, August 31, 2009
Authenticate with Active Directory using Kerberos, PAM, Samba and winbind
Install the required packages
aptitude install krb5-user
aptitude install winbind samba
Edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = domainserver.example.com
admin_server = domainserver.example.com
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Edit /etc/samba/smb.conf
[global]
security = ads
netbios name = MAIL
realm = EXAMPLE.COM
password server = domainserver.example.com
workgroup = EXAMPLE
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Edit /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
Modify PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session [success=1 default=ignore] pam_unix.so
session required pam_permit.so
Initialize Kerberos
kinit domain_admin_account
Next, check that you received a ticket from the domain controller
klist
Join the system to Active Directory
net ads join -U domainadminuser
Restart the Samba-related services (the order is important)
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
To list the users from Active Directory
wbinfo -u
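As an added check (not code from the original post): a POSIX shell script that verifies the PAM, nsswitch and realm settings above are consistent with each other before running net ads join. The sample files it checks are constructed in a temporary directory; point the functions at the live /etc files to audit a real host.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for the files
# edited above. Each check takes file paths, so it can be pointed at the live
# /etc files or at copies. Sample files below are constructed for the demo.

# Drop comments, blank lines and surplus whitespace so only directives compare.
normalize() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/[[:space:]]\{1,\}/ /g'
}

# common-auth must hold exactly the post's two lines, in that order: winbind
# first, then pam_unix with use_first_pass so the password is not asked twice.
check_pam_auth() {
    expected='auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass'
    [ "$(normalize "$1")" = "$expected" ]
}

# passwd and group must consult winbind, or domain users authenticate through
# PAM but have no uid/gid and cannot log in.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" \
        && grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# default_realm in krb5.conf and realm in smb.conf must name the same realm;
# a mismatch is a common reason net ads join cannot reach the KDC.
check_realms() {
    krb=$(normalize "$1" | sed -n 's/^default_realm = //p')
    smb=$(normalize "$2" | sed -n 's/^realm = //p')
    [ -n "$krb" ] && [ "$krb" = "$smb" ]
}

run_all() {
    check_pam_auth "$1/common-auth" && check_nsswitch "$1/nsswitch.conf" \
        && check_realms "$1/krb5.conf" "$1/smb.conf"
}

# Constructed sample directory mirroring the post's configuration.
SAMPLE_DIR=$(mktemp -d)
printf '# local edits\nauth sufficient pam_winbind.so\nauth  required pam_unix.so nullok_secure use_first_pass\n' \
    > "$SAMPLE_DIR/common-auth"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$SAMPLE_DIR/nsswitch.conf"
printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n' > "$SAMPLE_DIR/krb5.conf"
printf '[global]\n  security = ads\n  realm = EXAMPLE.COM\n' > "$SAMPLE_DIR/smb.conf"

run_all "$SAMPLE_DIR" && echo "configuration consistent"
```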