Install the required packages
aptitude install krb5-user
aptitude install winbind samba
Edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = domainserver.example.com
admin_server = domainserver.example.com
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Edit /etc/samba/smb.conf
[global]
security = ads
netbios name = MAIL
realm = EXAMPLE.COM
password server = domainserver.example.com
workgroup = EXAMPLE
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Edit /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
Modify PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following lines
session [success=1 default=ignore] pam_unix.so
session required pam_permit.so
Initialize Kerberos
kinit domain_admin_account
Next, check that you received a ticket from the domain controller
klist
Join the system to the Active Directory
net ads join -U domainadminuser
Restart Samba-related Services (Order is important)
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
To get the user list from Active Directory
wbinfo -u
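The krb5.conf above selects only DES and 3DES ticket enctypes, and the common-password line uses md5, nullok and min=4, all legacy choices. The following check is an added example, not part of the original post, that flags those settings in a config file; the function names, the constructed sample files and the minimum-length threshold of 8 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: flag legacy settings in the
# krb5.conf and common-password files configured above.

# Print "key:enctype" for every DES or 3DES enctype a krb5.conf selects.
weak_enctypes() {
    awk -F= '
        $1 ~ /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*$/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, e, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^des3?-/) print key ":" e[i]
        }' "$1"
}

# Print weak options on pam_unix.so password lines: md5 hashing, nullok,
# and min=N below 8 (the threshold of 8 is an assumption of this example).
weak_pam_password() {
    awk '
        $1 == "password" && /pam_unix\.so/ {
            for (i = 3; i <= NF; i++) {
                if ($i == "md5" || $i == "nullok") print $i
                else if ($i ~ /^min=[0-9]+$/ && (substr($i, 5) + 0) < 8) print $i
            }
        }' "$1"
}

# Constructed sample input, copied from the settings on this page.
sample=$(mktemp -d)
printf '%s\n' '[libdefaults]' \
    'default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc' \
    'default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc' > "$sample/krb5.conf"
printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=50 md5' \
    > "$sample/common-password"

weak_enctypes "$sample/krb5.conf"
weak_pam_password "$sample/common-password"
rm -rf "$sample"
```

On a configured host, point the two functions at /etc/krb5.conf and /etc/pam.d/common-password; empty output means none of these settings were found.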