Joining Ubuntu to a Windows AD domain

Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

Step 1: Initial Configurations to Join Ubuntu to Samba4 AD

1. First, set the machine's hostname; use the hostnamectl command or edit the /etc/hostname file directly.

# hostnamectl set-hostname your_machine_short_name

$ cat /etc/hostname
mamh-PC

$ hostnamectl
Static hostname: mamh-PC
Icon name: computer-desktop
Chassis: desktop
Machine ID: 4165ee77f3a840b880478065c5624a98
Boot ID: 0b179497ee0a4ffdb5d5a1a288693fa9
Operating System: Ubuntu 16.04.6 LTS
Kernel: Linux 4.18.0-15-generic
Architecture: x86-64


2. Next, an important step: configure the IP settings correctly, above all the DNS server.


3. Then restart the network service, or reboot the machine.

systemctl restart networking.service

ping -c2 your_domain_name

4. The last preparatory step is to install the time synchronisation client ntpdate.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

5. Install the required packages

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

When the Kerberos packages are installed you are prompted for the default realm; enter company.com here, all in upper case.

6. Test Kerberos authentication

# kinit ad_admin_user
# klist

Step 2: Join Ubuntu to Samba4 AD DC

7. The first step in integrating the Ubuntu machine into the Samba4 Active Directory domain is to edit the Samba configuration file.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf

[global]
workgroup = TECMINT
realm = TECMINT.LAN
netbios name = ubuntu
security = ADS
dns forwarder = 192.168.1.1

idmap config * : backend = tdb
idmap config *:range = 50000-1000000

template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Replace the workgroup, realm, netbios name and dns forwarder values with your own settings.
The winbind use default domain parameter causes the winbind service to treat any unqualified username as an AD user. Omit this parameter if you have local system account names that overlap with AD accounts.

8. Now restart all Samba daemons, stop and remove the unnecessary AD DC service, and enable the Samba services system-wide by issuing the commands below.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Join the Ubuntu machine to the Samba4 AD DC by issuing the following command. Use an AD account with administrator privileges so that the binding to the realm works as expected.

$ sudo net ads join -U ad_admin_user

10. On the Windows domain controller we can now see the machine mamh-pc listed under Computers.


Step 3: Configure AD Accounts Authentication

11. To be able to log in to the machine with a domain account, a few things need configuring.
The first is the nss service, that is, the Name Service Switch (NSS).

$ sudo nano /etc/nsswitch.conf


$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind # changed here: winbind appended at the end of the line
group: compat winbind # changed here: winbind appended at the end of the line
shadow: compat winbind # changed here: winbind appended at the end of the line
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

12. Test whether the domain join succeeded and whether users and groups can be retrieved

$ wbinfo -u
$ wbinfo -g

wbinfo - Query information from winbind daemon. This command queries the information held by winbind;
if the join succeeded it lists all user names and groups, i.e. the users and groups from the domain controller.

13. Likewise, the same needs to be tested through getent

$ sudo getent passwd| grep your_domain_user
$ sudo getent group|grep 'domain admins'

14. In order to authenticate on the Ubuntu machine with domain accounts you need to run the pam-auth-update command with root privileges, add all the entries required for the winbind service, and have a home directory created automatically for each domain account at first login.
This is where automatic creation of the home directory on login is configured.

$ sudo pam-auth-update

│ Pluggable Authentication Modules (PAM) determine how authentication, │
│ authorization, and password changing are handled on the system, as well as │
│ allowing configuration of additional actions to take when starting user │
│ sessions. │
│ │
│ Some PAM module packages provide profiles that can be used to automatically │
│ adjust the behavior of all PAM-using applications on the system. Please │
│ indicate which of these behaviors you wish to enable. │
│ │
│ PAM profiles to enable: │
│ │
│ [*] Unix authentication │
│ [*] Winbind NT/Active Directory authentication │
│ [*] Register user sessions in the systemd control group hierarchy │
│ [*] Create home directory on login (tick this one; tick all of them here, then press OK) │
│ [*] GNOME Keyring Daemon - Login keyring management │
│ │
│ │
│ <确定> <取消>

15. On Ubuntu you also need to edit the /etc/pam.d/common-account file by hand and add the line below; only then is the home directory created automatically on login.
Comment out the line containing use_authtok and add the following line.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

16. To allow domain users to change their password, edit the /etc/pam.d/common-password file

# password	[success=1 default=ignore]	pam_winbind.so use_authtok try_first_pass
password [success=1 default=ignore] pam_winbind.so try_first_pass
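An added check script (mine, not code from the post, Tecmint or the Samba project) that audits the client-side files edited in steps 7, 11, 15 and 16. The only assumption is the root-prefix argument, which lets the same function run against a scratch directory tree instead of the live system:

```shell
#!/bin/sh
# Added example, not part of the original post: audit the client-side files this
# guide edits (steps 7, 11, 15 and 16). $1 is a root prefix, so the function can be
# pointed at a scratch tree for a dry run; empty means the live system. Paths and
# values are the ones the guide uses; returns the number of failed checks.
audit_ad_client() {
    root="${1:-}"
    fails=0

    # smb.conf: a domain member needs security = ADS and an upper-case realm
    smb="$root/etc/samba/smb.conf"
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ADS[[:space:]]*$' "$smb" 2>/dev/null \
        || { echo "FAIL: $smb: security = ADS missing"; fails=$((fails + 1)); }
    realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$smb" 2>/dev/null | head -n 1)
    if [ -z "$realm" ]; then
        echo "FAIL: $smb: realm missing"; fails=$((fails + 1))
    elif printf '%s' "$realm" | grep -q '[[:lower:]]'; then
        echo "FAIL: $smb: realm '$realm' must be upper case"; fails=$((fails + 1))
    fi

    # nsswitch.conf: passwd, group and shadow must all consult winbind
    nss="$root/etc/nsswitch.conf"
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss" 2>/dev/null \
            || { echo "FAIL: $nss: $db line lacks winbind"; fails=$((fails + 1)); }
    done

    # common-password: the active pam_winbind line must not keep use_authtok,
    # or domain password changes fail (step 16)
    pw="$root/etc/pam.d/common-password"
    if grep -Eq '^[[:space:]]*password.*pam_winbind\.so.*use_authtok' "$pw" 2>/dev/null; then
        echo "FAIL: $pw: pam_winbind.so still carries use_authtok"; fails=$((fails + 1))
    fi

    # common-account: pam_mkhomedir creates the home directory on first login (step 15)
    acct="$root/etc/pam.d/common-account"
    grep -Eq '^[[:space:]]*session.*pam_mkhomedir\.so' "$acct" 2>/dev/null \
        || { echo "FAIL: $acct: pam_mkhomedir.so session line missing"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ] && echo "OK: all AD client checks passed"
    return "$fails"
}
```

Run it as root with no argument after finishing step 16; a non-zero exit code is the number of files still needing attention.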

17. Log in to Ubuntu with a domain account, then verify the ID.

$ su - your_ad_user

# log in to Ubuntu with my own domain account
$ su - mamh.ma
密码:
mamh.ma@mamh-PC:~$ id
uid=50224(mamh.ma)
gid=50004(domain users)
组=50004(domain users),27(sudo),50000(BUILTIN\administrators),50001(BUILTIN\users),50005(denied rodc password replication group),50006(pptp client),50007(vpn-oa),50008(产品中心),50009(admin_scm),50010(vpn-all),50011(vpn-qbyy),50012(软件部),50013(数据中心),50014(domain admins),50015(pptp client长期),50016(server开发部),50017(company)

mamh.ma@mamh-PC:~$ pwd
/home/mamh.ma

# log in with another colleague's account
$ su - mage
密码:
正在创建文件夹 “/home/mage”。
mage@mamh-PC:~$ id
uid=50225(mage) gid=50004(domain users) 组=50004(domain users),50000(BUILTIN\administrators),50001(BUILTIN\users),50005(denied rodc password replication group),50006(pptp client),50007(vpn-oa),50008(产品中心),50009(admin_scm),50010(vpn-all),50011(vpn-qbyy),50012(软件部),50013(数据中心),50014(domain admins),50015(pptp client长期),50016(server开发部),50017(company)
mage@mamh-PC:~$
mage@mamh-PC:~$ pwd
/home/mage
mage@mamh-PC:~$ exit
注销

18. Give a domain account root privileges.

$ sudo usermod -aG sudo your_domain_user

19. Give a domain group root privileges (sudoers entry).

%YOUR_DOMAIN\\your_domain\ group       ALL=(ALL:ALL) ALL

%company\\domain\ admins ALL=(ALL:ALL) ALL

"domain admins" is the group name in the domain; the space in it is escaped by putting a backslash in front of it.


20. If you run a graphical desktop, configure LightDM by adding the following two lines to /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf, then reboot.

greeter-show-manual-login=true
greeter-hide-users=true

You should now be able to log in on Ubuntu Desktop with a domain account using the your_domain_username, your_domain_username@your_domain.tld or your_domain\your_domain_username format.