Ubuntu and Active Directory

This document provides instructions for adding an Ubuntu system to an Active Directory domain and authenticating users via Kerberos and Samba. It describes generating a Kerberos principal and keytab for the Samba server, configuring Samba to use Kerberos authentication by editing the smb.conf file, and testing authentication by obtaining a ticket with kinit and listing shares with smbclient. User accounts also need to exist locally on the Ubuntu system to map to AD users authenticated via Kerberos.

Uploaded by Baba Hans
License: Attribution Non-Commercial (BY-NC)

Introduction

This howto describes how to add an Ubuntu box to an Active Directory domain and
authenticate its users against AD.

Used terms

term                         definition
AD                           Active Directory
DC                           Domain Controller
lab.example.com              AD domain
win2k3.lab.example.com       DC FQDN
10.0.0.1                     DC IP
LAB.EXAMPLE.COM              Kerberos realm
linuxwork                    computer name of the Ubuntu workstation
linuxwork.lab.example.com    FQDN of the Ubuntu workstation
ntp.example.com              time server (NTP)

Kerberos
The first step in joining an Active Directory domain is to install and configure Kerberos. See
Samba/Kerberos below.

Kerberos Introduction
Kerberos is an authentication protocol using secret-key cryptography. There are several
implementations of the Kerberos protocol used in both commercial and open-source software.
This guide covers configuring the Samba server and clients to utilize Kerberos authentication
services.

Active Directory
Detailed instructions for integrating Samba with Active Directory are available on the Samba
wiki.

The linked page gives the location of the PAM configuration files for Red Hat; in Ubuntu, the
PAM configuration files are located in the /etc/pam.d/ directory. The auth, account, and
passwd stanzas are split into three files in Ubuntu: /etc/pam.d/common-auth for auth
stanzas, /etc/pam.d/common-account for account stanzas, and /etc/pam.d/common-password
for passwd stanzas.

Ubuntu 9.04 (Jaunty Jackalope) and newer releases update the PAM configuration files
automatically using the pam-auth-update utility. In earlier releases the configuration
files must be edited manually.

MIT Kerberos
Instructions for installing and configuring MIT Kerberos are available on its wiki page.
Samba is just another service to Kerberos, so to allow Samba to authenticate users via
Kerberos, simply generate a principal for the Samba server, place the service key in a keytab,
and configure Samba to use it.

The name of this principal must take the form cifs/server.example.com@EXAMPLE.COM,
and the encryption type must be rc4-hmac:normal.

Here is a step-by-step guide:

1. Launch the kadmin utility as the realm administrator or as a user authorized to add
principals:

$ kadmin -p admin/admin

2. In the kadmin interface, issue the following command:

kadmin: addprinc -randkey cifs/server.example.com

A message indicating that the principal cifs/server.example.com@EXAMPLE.COM has been
created should be displayed.

3. Generate a keytab for the new principal:

kadmin: ktadd -k /path/to/keytab -e rc4-hmac:normal cifs/server.example.com

Make sure to include the encryption type. The default encryption type is not compatible
with the Samba client utilities.

4. Securely copy the keytab to /etc/krb5.keytab on the server that will be running Samba.

5. Make sure only the root user can access the keytab:

$ chown root:root /etc/krb5.keytab
$ chmod 0600 /etc/krb5.keytab

6. Edit the smb.conf file (located in /etc/samba/ by default) as indicated below:

...
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
use kerberos keytab = yes
# optional
password server = kdc.fqdn
...

The password server option is only required if you intend to use a password server other than
the one configured in /etc/krb5.conf.

7. Restart Samba:

$ sudo /etc/init.d/samba restart

User Administration
Add users to the Kerberos database using the kadmin interface:

kadmin: addprinc <username>[@REALM.NAME]

The realm name is optional in properly configured Kerberos environments.

You will be prompted to enter a password for the user. Once a user is added you should be
able to acquire Ticket-Granting Tickets with kinit from any system that is configured to
authenticate using your Kerberos domain. See the Kerberos page for more details.

Note that Samba maps authenticated users to system users. This means that if you add a
user to the Kerberos database who does not exist as a system user, you will not be able to
authenticate with your Kerberos credentials until a system user of the same name is added.
See AddUsersHowto for details on adding users. Other options, such as pulling user
information from LDAP, are possible but outside the scope of this guide.

The existence of a user can be checked with this command:

$ id <username>

Testing
$ kinit <Kerberos username>
$ smbclient -k -L //server/

If all is well, a listing of active shares will be displayed.
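As an added example that is not part of the original howto, the following POSIX shell script checks the outcome of steps 5 and 6 above and the user mapping described under User Administration: that smb.conf carries the required keys (not commented out), that the keytab is owned by root with mode 0600, and that each Kerberos principal has a local account that id resolves. The script name check-ad-join.sh and the sample smb.conf it builds are constructed for illustration.

```shell
#!/bin/sh
# Added helpers (not from the howto); the demo uses constructed sample data only.
# check_smb_conf FILE: the four required settings must be present and not
# commented out. Returns 0 if so, else 1 and names each missing setting.
check_smb_conf() {
    rc=0
    for setting in 'security = ads' 'realm = .' 'encrypt passwords = yes' \
                   'use kerberos keytab = yes'; do
        # strip indentation, drop comment lines (# or ;), normalise ' = '
        if ! sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' \
                 -e 's/[[:space:]]*=[[:space:]]*/ = /' "$1" |
             grep -qi "^$setting"; then
            echo "smb.conf: missing '$setting'" >&2; rc=1
        fi
    done
    return $rc
}

# check_keytab_perms FILE [UID]: the keytab holds the cifs/ service key, so it
# must be mode 0600 and owned by UID (default 0, i.e. root).
check_keytab_perms() {
    kt=$1; want=${2:-0}
    [ -f "$kt" ] || { echo "keytab: $kt not found" >&2; return 1; }
    set -- $(ls -ldn "$kt")        # $1 = mode string, $3 = numeric owner
    case "$1" in -rw-------*) [ "$3" = "$want" ] && return 0 ;; esac
    echo "keytab: $kt is uid $3 mode $1, want uid $want -rw-------" >&2
    return 1
}

# check_local_users NAME...: Samba maps an authenticated principal to the
# system user of the same name, so each one must resolve with id(1).
check_local_users() {
    rc=0
    for u in "$@"; do
        id "$u" >/dev/null 2>&1 || { echo "no local user for $u" >&2; rc=1; }
    done
    return $rc
}

# demo: run check_smb_conf on a constructed sample (not a real deployment)
# in which the keytab line is commented out, so the check must fail.
demo() {
    tmp=$(mktemp)
    printf '[global]\n   security = ADS\n   realm = LAB.EXAMPLE.COM\n' >"$tmp"
    printf '   encrypt passwords = yes\n   # use kerberos keytab = yes\n' >>"$tmp"
    check_smb_conf "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi   # e.g.: sh check-ad-join.sh --demo
```

On a joined host, source the file and run check_smb_conf /etc/samba/smb.conf, check_keytab_perms /etc/krb5.keytab and check_local_users with the principals you created.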
