I am trying to do the same, and I'm running into different problems.
What I've got
Server: Windows 2000 with Active Directory
FQDN: server.domain.local
Workstation: Ubuntu 5.10 (Breezy)
I've added the workstation to the Active Directory by following these steps:
Adding a Linux workstation to the Active Directory
Step 1:
Install the packages
Execute the following commands in a terminal (as root)
Code:
apt-get install krb5-user
apt-get install winbind samba
When installing Kerberos you have to configure your server (in my case the FQDN of the domain controller).
Step 2:
Edit /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.LOCAL = {
kdc = server.domain.local
admin_server = server.domain.local
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
Step 3:
Edit /etc/samba/smb.conf
The following must be in your smb.conf
Code:
[global]
security = ads
netbios name = UBUNTU
realm = DOMAIN.LOCAL
password server = server.domain.local
workgroup = DOMAIN
idmap uid = 500 - 10000000
idmap gid = 500 - 10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
Test the settings with testparm from a terminal.
Step 4:
Edit /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5:
Modify PAM settings
/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=50 md5
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6:
Create a directory that will hold the home directories of the domain users
In a terminal type
mkdir /home/DOMAIN
Step 7:
Initialise Kerberos
Request a ticket (in a terminal)
Code:
kinit administrator@DOMAIN.LOCAL
Verify that you've received a ticket (in a terminal)
klist
Step 8:
Add client to the Active Directory
net ads join -U administrator@DOMAIN.LOCAL
Step 9:
Reboot the workstation
You can now login with the useraccount from the Active Directory.
Now for the problem causing part.
Using the samba share on the server as home for the user (\\server\username = ~)
I just made a share on the server for one user, purely for testing purposes. I'm planning to use --bind in the future, but for now I just want to see it working. In both the share and NTFS permissions everybody has Full Control (just testing for now).
How I did it
\\server\username mount as home (~)
(I haven't gotten this to work perfectly, though the mounting works flawlessly)
Step 1:
Install packages
In a terminal (as root)
apt-get install libpam-mount
apt-get install smbfs
Step 2:
Modify pam_mount.conf
/etc/security/pam_mount.conf
debug 0 # I've got it set to 1 for testing
mkmountpoint 1
luserconf .pam_mount.conf
options_allow nosuid,nodev
options_deny suid,dev
options_require nosuid,nodev
lsof /usr/bin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -S -o "user=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
umount /bin/umount %(MNTPT)
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
volume * smb server & /home/GRAND/& uid=&,gid=&,dmask=0750,workgroup=DOMAIN - -
Step 3:
Modify PAM
/etc/pam.d/common-auth
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password
password sufficient pam_unix.so nullok obscure min=4 max=50 md5
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_mount.so
Now when you log in the share is automatically mounted as ~. When not using GDM you'll be able to log in and access your home. Now we want to log in using GDM, and you'll get some new problems.
Because you set the permissions with pam_mount, the login process cannot lock certain files. For .ICEauthority and .Xauthority I've done the following.
Edit or create a file called .bash_profile in the user's home and add the following to it:
XAUTHORITY=/tmp/.Xauthority
export XAUTHORITY
ICEAUTHORITY=/tmp/.ICEauthority
export ICEAUTHORITY
And edit /etc/X11/gdm/gdm.conf and change the UserAuthDir
line so that it reads "UserAuthDir=/tmp"
Now these files are stored in /tmp where they can be locked.
And here I'm running into difficulties. There is also a .serverauth.xxxx (xxxx is different every session) that has to be locked, and I can't find a way to have it stored in /tmp.
To see where the process gets stuck, just log in without GDM (at the login screen press Ctrl+Alt+F1) and log in as the domain user. Then you can see the share is successfully mounted, but you are unable to startx.
I've also tried it with KDE, but with the same results. To log in with a GUI, the process has to lock some files. This can't be done because you set your file permissions in pam_mount.conf. Once these permissions are in place they cannot be changed, so it is not possible to lock a file in the user's home directory.
So if anybody knows how you can bypass the locking of files in a user's home, I'd really appreciate it if you would share that information.
Wes
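The three config fragments in the write-up above (smb.conf, common-auth after adding pam_mount, and krb5.conf) are easy to get subtly wrong, and the symptoms only show up at login. The script below is an added example, not code from the post or from Samba/pam_mount: it runs three offline sanity checks against constructed copies of those fragments written to a temporary directory. The file names, the sample contents, and the "duplicate idmap uid" and "pam_mount listed last" variants are my assumptions for illustration; pass the real /etc paths to the same functions to check a live box.

```shell
#!/bin/sh
# Added example (not part of the original post): offline sanity checks for the
# smb.conf, common-auth and krb5.conf fragments in the write-up above.
# Everything runs on constructed copies in a temp directory; nothing under
# /etc is touched. File names and sample contents are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed smb.conf [global] fragment as posted, including the repeated
# "idmap uid" line (the second one should read "idmap gid").
cat > "$WORK/smb.conf" <<'EOF'
[global]
security = ads
realm = DOMAIN.LOCAL
workgroup = DOMAIN
idmap uid = 500 - 10000000
idmap uid = 500 - 10000000
winbind use default domain = yes
template homedir = /home/%D/%U
EOF

# Constructed common-auth in the posted order: pam_mount first, then winbind
# and unix with use_first_pass so the password typed once is reused.
cat > "$WORK/common-auth.ok" <<'EOF'
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
auth required pam_unix.so nullok_secure use_first_pass
EOF

# Constructed variant with pam_mount listed last; it then runs after the
# password has already been consumed and the mount never happens.
cat > "$WORK/common-auth.bad" <<'EOF'
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_mount.so
EOF

# Constructed krb5.conf enctype lines (with the post's "dec" typo corrected).
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
default_realm = DOMAIN.LOCAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
EOF

# smb_idmap_problems FILE: prints "ok" or a "; "-separated list of problems.
# Samba keeps the last value of a repeated key, so a duplicated "idmap uid"
# leaves no gid range at all and winbind cannot map group SIDs.
smb_idmap_problems() {
  uid=$(grep -c '^[[:space:]]*idmap uid[[:space:]]*=' "$1" || true)
  gid=$(grep -c '^[[:space:]]*idmap gid[[:space:]]*=' "$1" || true)
  out=""
  if [ "$uid" -gt 1 ]; then out="duplicate idmap uid"; fi
  if [ "$gid" -eq 0 ]; then out="${out:+$out; }missing idmap gid"; fi
  echo "${out:-ok}"
}

# pam_auth_order FILE: "ok" when pam_mount.so is the first auth module and
# every later auth module carries use_first_pass; otherwise the reason.
pam_auth_order() {
  awk '
    $1 == "auth" {
      n++
      if (n == 1 && $3 != "pam_mount.so")
        msg = "pam_mount.so is not the first auth module (found " $3 ")"
      else if (n > 1 && $0 !~ /use_first_pass/)
        miss = miss " " $3
    }
    END {
      if (msg != "") print msg
      else if (miss != "") print "missing use_first_pass on" miss
      else print "ok"
    }' "$1"
}

# krb5_weak_enctypes FILE: space-separated single-DES enctypes named in the
# default_*_enctypes settings, or "none". Single DES is brute-forceable and
# should only stay listed while a legacy KDC still requires it.
krb5_weak_enctypes() {
  found=$(grep -E '^[[:space:]]*default_(tkt|tgs)_enctypes' "$1" \
          | grep -oE 'des-cbc-(crc|md5|md4)' | sort -u | tr '\n' ' ' || true)
  echo "${found:-none}" | sed 's/ *$//'
}

# Stand-alone run: report on the constructed samples.
echo "smb.conf:          $(smb_idmap_problems "$WORK/smb.conf")"
echo "common-auth (ok):  $(pam_auth_order "$WORK/common-auth.ok")"
echo "common-auth (bad): $(pam_auth_order "$WORK/common-auth.bad")"
echo "krb5 weak enctypes: $(krb5_weak_enctypes "$WORK/krb5.conf")"
```

On the constructed input the first check reports both the duplicate key and the missing gid range (the fix is to change the second line to `idmap gid`), the second check accepts the posted ordering and rejects the variant with pam_mount last, and the third lists `des-cbc-crc`. Against a real system, call the functions with /etc/samba/smb.conf, /etc/pam.d/common-auth and /etc/krb5.conf instead of the temp files.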