
How to use Samba and Winbind to add Ubuntu 16.04 to an AD domain

2025-01-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains how to use Samba and Winbind to add Ubuntu 16.04 to an AD domain.

Requirement:

Use Samba4 software on Ubuntu systems to create an active directory schema

Step 1: Basic configuration of the Ubuntu system before joining the Samba4 AD

1. Before adding Ubuntu hosts to AD DC, you have to make sure that some services in the Ubuntu system are configured properly.

The hostname is an important identifier for your machine. Before joining the domain, use the hostnamectl command or manually edit the /etc/hostname file to set an appropriate hostname for the Ubuntu host.

# hostnamectl set-hostname your_machine_short_name
# cat /etc/hostname
# hostnamectl

Set the system hostname

2. In this step, open and edit the network card configuration file to set an appropriate IP address for your host. Note that the DNS address is set to the address of your domain controller.

Edit the /etc/network/interfaces file, add the dns-nameservers parameter, and set it to the IP address of the AD server; add the dns-search parameter, whose value is the hostname of the domain controller, as shown in the following figure.

Also, add the DNS IP address and domain name set above to the /etc/resolv.conf configuration file, as shown in the following figure:

Configure network settings for AD

In the screenshot above, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 AD DC server, and Tecmint.lan is the AD domain name, which can be queried by all machines joined to this domain.

3. Restart the networking service or reboot the computer for the network configuration to take effect. Use the ping command with the domain name to check that DNS resolution works.

The AD DC should reply with its FQDN. If your network uses a DHCP server to assign IP addresses automatically to computers on your LAN, make sure that you have added the IP address of the AD DC server to the DNS configuration of the DHCP server.

# systemctl restart networking.service
# ping -c2 your_domain_name

4. Configure server time synchronization. Install the ntpdate package and use the following commands to query and synchronize the time with the AD DC server.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

AD server time synchronization
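Kerberos rejects authentication when the client clock differs too much from the DC, which is why the time is synchronized before the join. The following is an added example, not part of the original article: it parses `ntpdate -q` output and compares the offset with the 300-second MIT Kerberos default `clockskew`; the sample output is constructed.

```shell
#!/bin/sh
# Added example: compare the offset reported by `ntpdate -q` with the Kerberos
# skew tolerance. 300 s is the MIT Kerberos default for "clockskew".
MAX_SKEW=300

# Constructed sample of `ntpdate -q your_domain_name` output (not from a real host).
sample_ntpdate_output() {
cat <<'EOF'
server 192.168.1.254, stratum 3, offset 412.118203, delay 0.02591
server 192.168.1.253, stratum 3, offset 411.902144, delay 0.02644
28 Jan 10:15:02 ntpdate[2231]: step time server 192.168.1.254 offset 412.118203 sec
EOF
}

# Print the largest absolute offset (seconds) found on the "server" lines of stdin.
# Exits non-zero when no offset could be parsed.
max_abs_offset() {
    awk '/^server / {
             for (i = 1; i < NF; i++) {
                 if ($i != "offset") continue
                 v = $(i + 1); sub(/,$/, "", v); v += 0
                 if (v < 0) v = -v
                 if (v > max) max = v
                 seen = 1
             }
         }
         END { if (!seen) exit 1; printf "%.3f\n", max }'
}

# Return 0 when the offset is within tolerance, 1 when it exceeds MAX_SKEW
# (kinit would fail with a clock skew error), 2 when nothing could be parsed.
check_skew() {
    off=$(max_abs_offset) || return 2
    awk -v o="$off" -v m="$MAX_SKEW" 'BEGIN { exit ((o > m) ? 1 : 0) }'
}

# On a real host: sudo ntpdate -q your_domain_name | check_skew
```

A return value of 1 means the clock must be corrected before running kinit or net ads join.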

5. Next, execute the following command on the Ubuntu machine to install the software needed to join the domain environment.

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Install Samba4 software on a Ubuntu machine

During the installation of the Kerberos packages, you will be asked to enter the default realm. Enter your domain name in uppercase and press Enter to continue the installation.

Add an AD domain name

6. When all packages are installed, use the domain administrator account to test Kerberos authentication, and then execute the following command to list the ticket information.

# kinit ad_admin_user
# klist

Use AD to check whether Kerberos authentication is normal

Step 2: add Ubuntu hosts to Samba4 AD DC

7. The first step in adding an Ubuntu host to the Samba4 Active Directory domain environment is to edit the Samba configuration file.

Back up the default Samba configuration file, which is generated automatically when the Samba software is installed, and then create a new configuration file with the following commands.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf

Add the following to the new Samba configuration file:

[global]
    workgroup = TECMINT
    realm = TECMINT.LAN
    netbios name = ubuntu
    security = ADS
    dns forwarder = 192.168.1.1

    idmap config * : backend = tdb
    idmap config * : range = 50000-1000000

    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

AD environment configuration for Samba services

Replace the parameter values of workgroup, realm, netbios name and dns forwarder according to your local situation.

The winbind use default domain parameter causes the winbind service to treat any account logged into the system as an AD account. Therefore, do not set this parameter if a local account has the same name as a domain account.

8. Now restart the Samba daemons, stop and remove unnecessary services, and then enable the Samba services system-wide, using the following commands.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Use the domain administrator account to join the Ubuntu host to the Samba4 AD DC with the following command.

$ sudo net ads join -U ad_admin_user

Add the Ubuntu host to the Samba4 AD DC

10. Open AD UC (Active Directory Users and Computers) on a Windows machine where the RSAT tools are installed and navigate to the Computers container. The Ubuntu computer that has joined the domain is listed there.

Confirm that the Ubuntu computer has joined the Windows AD DC

Step 3: configure AD account authentication

11. To authenticate AD accounts on the local machine, you need to modify some services and configuration files on the local machine.

First, open and edit the Name Service Switch (NSS) configuration file.

$ sudo nano /etc/nsswitch.conf

Then add the winbind value to the passwd and group lines, as shown in the following figure:

passwd:         compat winbind
group:          compat winbind

Configure AD account authentication

12. To test whether the Ubuntu machine is joined to the domain, you can use the wbinfo command to list domain accounts and groups.

$ wbinfo -u
$ wbinfo -g

List domain accounts and groups

13. In addition, pipe the output of the getent command through grep to filter for a specific domain user or group and confirm that the Winbind nsswitch module is working properly.

$ sudo getent passwd | grep your_domain_user
$ sudo getent group | grep 'domain admins'

Check AD domain users and groups
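The caution about winbind use default domain can be checked once wbinfo -u works. The following is an added example, not part of the original article: it lists names that exist both in the local passwd file and in a saved `wbinfo -u` listing. The sample data and the file names are constructed.

```shell
#!/bin/sh
# Added example: find local accounts whose names also exist in the AD domain.

# Print names present both in a passwd-format file ($1) and in a saved
# `wbinfo -u` listing ($2). A DOMAIN\ prefix is stripped and the comparison is
# case-insensitive, because AD account names are not case-sensitive.
find_name_collisions() {
    awk -F: '
        FILENAME == ARGV[1] {
            if ($1 != "" && $1 !~ /^#/) local[tolower($1)] = $1
            next
        }
        {
            name = $0
            sub(/\r$/, "", name)      # tolerate CRLF line endings
            sub(/^.*\\/, "", name)    # drop "DOMAIN\" when present
            key = tolower(name)
            if (key in local) print local[key]
        }
    ' "$1" "$2" | sort -u
}

# Constructed sample data (not from a real host), written into directory $1.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    cat > "$1/wbinfo_u.txt" <<'EOF'
administrator
TECMINT\Admin
krbtgt
Backup
EOF
}

# On a joined host:
#   wbinfo -u > /tmp/wbinfo_u.txt
#   find_name_collisions /etc/passwd /tmp/wbinfo_u.txt
```

Any name it prints is ambiguous between a local and a domain account; rename the local account or leave winbind use default domain unset.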

14. To allow domain accounts to authenticate and log in on the Ubuntu machine, run the pam-auth-update command as root and enable the options required by the winbind service, including the one that automatically creates a home directory for each domain account when it logs in.

Select all the options by pressing the [space] key, then choose OK to apply the changes.

$ sudo pam-auth-update

Log in to the Ubuntu host using the domain account

15. On a Debian system, if you want a home directory to be created automatically for a domain account when it logs in, you need to manually edit the /etc/pam.d/common-account configuration file and add the following line.

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Log in to the Debian system using the domain account

16. To enable AD users to change their passwords from the Linux command line, open the /etc/pam.d/common-password configuration file and delete the use_authtok parameter on the password line, as shown in the following figure:

password [success=1 default=ignore] pam_winbind.so try_first_pass

Allow the domain account to change the password under the Linux command line

17. To log in to the Ubuntu host with a Samba4 AD account, pass the domain user name to su -. You can also view other information about your AD account by running the id command.

$ su - your_ad_user

View AD user information

Use the pwd command to view the current directory of the domain account. If you want to change the password of the domain account, you can use the passwd command to do so.

18. If you want a domain account to have root permissions on the Ubuntu machine, use the following command to add the AD account to the sudo system group:

$ sudo usermod -aG sudo your_domain_user

Log in to the Ubuntu host with the domain account, then run the apt-get update command to update the system and verify that the domain account has root permissions.

Add root permissions to the domain account

19. To grant root permissions to an entire domain user group, use the vi command to open and edit the /etc/sudoers configuration file and add the following line, as shown in the following figure:

%YOUR_DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL

Add root permissions to the domain account group

Use backslashes to escape spaces contained in the names of domain user groups, or to escape a backslash. In the above example, the domain user group for the TECMINT domain is named "domain admins".

The leading % indicates that a user group is specified rather than a user name.
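A syntax error in sudoers can lock every administrator out of sudo, so the rule is worth validating before it takes effect. The following is an added example, not part of the original article: it builds the escaped group rule and installs it as a drop-in only after visudo accepts it. The drop-in name ad-admins is a hypothetical choice, and the use of a drop-in under /etc/sudoers.d instead of editing /etc/sudoers directly is an assumption of this example.

```shell
#!/bin/sh
# Added example: build and validate a sudoers rule for an AD group.

# Print a sudoers group rule. $1 = short domain name, $2 = group name.
# Spaces in the group name get a backslash, and the DOMAIN\group separator is
# written as a doubled backslash, following the escaping described above.
sudoers_group_rule() {
    group=$(printf '%s' "$2" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL:ALL) ALL\n' "$1" "$group"
}

# Syntax-check a rule with visudo and only then install it as a drop-in.
# $1 = rule text, $2 = destination file. Must be run as root.
install_rule() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 -o root -g root "$tmp" "$2"
        rc=$?
    else
        echo "refusing to install: visudo rejected the rule" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage on a joined host (hypothetical drop-in name):
#   install_rule "$(sudoers_group_rule TECMINT 'domain admins')" /etc/sudoers.d/ad-admins
```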

20. If you are using a graphical Ubuntu system and want to log in with a domain account, you need to modify the LightDM display manager: edit the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf configuration file, add the following lines, and then restart the system for the change to take effect.

greeter-show-manual-login=true
greeter-hide-users=true

Now you can log in to the Ubuntu desktop with a domain account. Use domain_username, domain_username@domain_name.tld, or domain_name\domain_username to log in to the system.
