Thursday, 4 April 2013

Ubuntu client for Samba4

Having waded through so much out-of-date rubbish on Google, and having given up on winbind this time last year, we thought we'd write this to save others the pain. This works now, or until Ubuntu decide to move the goalposts again. So, it works for 12.10.

UPDATE: tested with 13.04. All still OK.

Joining an Ubuntu client to a samba4 domain
All the stuff we need is in the Ubuntu repos.

In this example we'll use
DC FQDN: hh1.hh3.site, running Samba 4.0.5 under openSUSE 12.3
Client: an Ubuntu machine on DHCP

1. Make some keytabs on the DC
samba-tool user add nslcd-service
samba-tool domain exportkeytab /tmp/nslcd.keytab --principal=nslcd-service
samba-tool domain exportkeytab /tmp/admin.keytab --principal=Administrator
Use scp or a USB stick to transfer the keytabs from /tmp on the DC to /etc on the client, chmod 0600 both of them, and
chown nslcd:nslcd /etc/nslcd.keytab
(admin.keytab stays owned by root; the nslcd user only exists once libnss-ldapd is installed in step 3, so do the chown after that). Now delete the keytabs from /tmp and from the USB stick. A keytab holds the principal's long-term key, so anyone who can read admin.keytab can act as Administrator without ever knowing the password: treat it like the password itself.

While on the DC, add
idmap_ldb:use rfc2307 = Yes
to the [global] section of the DC's smb.conf, so that the DC maps users and groups by their RFC 2307 attributes (uidNumber, gidNumber) rather than by IDs it allocates itself; those are the attributes nslcd will read on the client.

2. Set up the network on the client, with the IP of your DC as the first DNS server.

Add a line of the form
<IP of your DC>  hh1.hh3.site  hh1
to /etc/hosts, so that both the FQDN and the short name resolve to the DC; the FQDN must be the one the DC's Kerberos service principals are registered under.

3. Install stuff:
apt-get install krb5-user krb5-config libpam-krb5 auth-client-config sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit libnss-ldapd
Enter your Kerberos realm and the IP of your DC when asked. For this example the realm is HH3.SITE (realm names are case-sensitive and conventionally upper case) and the KDC is the DC's IP address from step 2.

4. Edit /etc/nslcd.conf
uid nslcd
gid nslcd
# nslcd's default filters are (objectClass=posixAccount) for passwd and
# (objectClass=posixGroup) for group; if your users and groups do not
# carry those classes, uncomment these two filters instead
#filter  passwd  (objectClass=user)
#filter  group   (objectClass=group)
# the DC, under the name its ldap/ service principal is registered for
# (hh1.hh3.site is the example DC used throughout this post)
uri ldap://hh1.hh3.site
base dc=hh3,dc=site
# AD stores the login name and Unix home directory under different names
map    passwd uid              samAccountName
map    passwd homeDirectory    unixHomeDirectory
# authenticate to the DC with Kerberos, using the cache k5start keeps fresh
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

5. Make a startup script in /usr/local/bin. Call it s4start and chmod +x it.
#!/bin/sh
# s4start: keep a ticket for nslcd fresh and get a ticket for Administrator
echo "Starting Samba 4 POSIX services"
# k5start takes the principal from the keytab (-U), writes the cache as
# user nslcd (-o) and re-authenticates every 540 minutes (-K)
k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt &
service nslcd restart
echo "Getting tickets"
# this puts an Administrator ticket in root's default credential cache
kinit -k -t /etc/admin.keytab Administrator
echo "done. . ."

6. Edit /etc/samba/smb.conf, in the [global] section:
workgroup = MARINA
realm = HH3.SITE
security = ADS
kerberos method = system keytab

7. Edit /etc/lightdm/lightdm.conf so that the greeter lets domain users, who are not in the local user list, type their name. Under [SeatDefaults] add
greeter-show-manual-login = true

8. Join the domain (with smb.conf from step 6 in place, so that the machine account keys land in the system keytab, /etc/krb5.keytab)
sudo net ads join -UAdministrator

9. Get tickets and start the show
sudo s4start

10. Stop the nslcd init script from starting its own k5start, since s4start does that. In /etc/default/nslcd, uncomment the K5START_START line and set it to no (do this before step 9, or restart nslcd afterwards, otherwise the init script starts a second k5start writing to the same ticket cache):

# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="no"
# Options for k5start.
#K5START_PRINCIPAL="host/$(hostname -f)"

11. Get a ticket upon logging in
sudo auth-client-config -a -p kerberos_example
UPDATE: it seems to create its own ticket cache now without the need for this; e.g. when an authenticated user goes to a cifs-mounted share, a ticket cache appears under /tmp, such as krb5cc_3000032.
and (yes, again):
sudo pam-auth-update

Override the settings, making sure that Kerberos is selected. We are using automounted cifs, and a multiuser cifs mount with Kerberos security looks up each user's own credential cache when that user touches the share, so every user needs a ticket of their own; pam_krb5 is what obtains it at login.

Lastly, make sure /etc/nsswitch.conf consults ldap (that is, nslcd) after the local files for users and groups:

passwd: compat ldap
group:  compat ldap
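As an added example (not part of the original post), here is a POSIX shell script that checks the client-side files from the steps above for the mistakes that are easiest to make: a keytab that is not 0600 or has the wrong owner, a uri with no host, a realm that differs between smb.conf and nslcd.conf or is not upper case, a /etc/default/nslcd that will still start a second k5start, and an nsswitch.conf that never consults ldap. The file paths are the ones used above; the function names and the script name s4check are my own, and the checks assume GNU (or busybox) stat as found on Ubuntu.

```shell
#!/bin/sh
# s4check: sanity-check the client-side files set up in the steps above
# before running "net ads join" and s4start. Added example, not from the
# original post; paths default to the ones the post uses.

# Print the value of "key = value" from an smb.conf-style file (first match).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print the value of "key value" from nslcd.conf (first match, '#' lines ignored).
nslcd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# A keytab is a long-lived credential: it must be mode 0600 and owned by the
# one account that needs it (nslcd for nslcd.keytab, root for admin.keytab).
check_keytab() {
    [ -f "$1" ] || { echo "keytab $1: missing"; return 1; }
    mode=$(stat -c '%a' "$1"); owner=$(stat -c '%U' "$1"); rc=0
    [ "$mode" = "600" ] || { echo "keytab $1: mode is $mode, want 600"; rc=1; }
    [ "$owner" = "$2" ] || { echo "keytab $1: owned by $owner, want $2"; rc=1; }
    return $rc
}

# nslcd.conf must name the DC in the uri, run as nslcd, and use GSSAPI with a
# realm and a file ticket cache for k5start to keep filled.
check_nslcd_conf() {
    rc=0
    case "$(nslcd_value "$1" uri)" in
        ldap://?*|ldaps://?*) ;;
        *) echo "nslcd.conf: uri needs a host (e.g. ldap://hh1.hh3.site)"; rc=1 ;;
    esac
    [ "$(nslcd_value "$1" uid)" = "nslcd" ] || { echo "nslcd.conf: uid must be nslcd"; rc=1; }
    [ "$(nslcd_value "$1" sasl_mech)" = "GSSAPI" ] || { echo "nslcd.conf: sasl_mech must be GSSAPI"; rc=1; }
    for key in base sasl_realm krb5_ccname; do
        [ -n "$(nslcd_value "$1" "$key")" ] || { echo "nslcd.conf: $key missing"; rc=1; }
    done
    return $rc
}

# Client smb.conf: an AD member, realm in upper case, keys in the system keytab.
check_smb_conf() {
    rc=0
    [ "$(ini_value "$1" security | tr '[:lower:]' '[:upper:]')" = "ADS" ] || { echo "smb.conf: security must be ADS"; rc=1; }
    realm=$(ini_value "$1" realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "smb.conf: realm missing or not upper case"; rc=1; }
    [ "$(ini_value "$1" 'kerberos method')" = "system keytab" ] || { echo "smb.conf: kerberos method must be system keytab"; rc=1; }
    return $rc
}

# realm (smb.conf) and sasl_realm (nslcd.conf) must be the same string:
# Kerberos realm names are case-sensitive.
check_realms_agree() {
    r1=$(ini_value "$1" realm); r2=$(nslcd_value "$2" sasl_realm)
    [ -n "$r1" ] && [ "$r1" = "$r2" ] || { echo "realm '$r1' (smb.conf) != sasl_realm '$r2' (nslcd.conf)"; return 1; }
}

# /etc/default/nslcd: K5START_START must be an uncommented "no", otherwise the
# init script starts a second k5start writing to the same ticket cache.
check_k5start_default() {
    v=$(sed -n 's/^[[:space:]]*K5START_START=//p' "$1" | head -n 1 | tr -d '"')
    [ "$v" = "no" ] || { echo "$1: K5START_START is '$v', want no"; return 1; }
}

# nsswitch.conf: passwd and group must list ldap (i.e. nslcd).
check_nsswitch() {
    rc=0
    for db in passwd group; do
        case " $(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | head -n 1) " in
            *" ldap "*) ;;
            *) echo "nsswitch.conf: $db does not list ldap"; rc=1 ;;
        esac
    done
    return $rc
}

# Run every check against the paths used in the post; non-zero on any failure.
s4check_all() {
    failed=0
    check_keytab /etc/nslcd.keytab nslcd || failed=1
    check_keytab /etc/admin.keytab root || failed=1
    check_nslcd_conf /etc/nslcd.conf || failed=1
    check_smb_conf /etc/samba/smb.conf || failed=1
    check_realms_agree /etc/samba/smb.conf /etc/nslcd.conf || failed=1
    check_k5start_default /etc/default/nslcd || failed=1
    check_nsswitch /etc/nsswitch.conf || failed=1
    [ $failed -eq 0 ] && echo "all checks passed"
    return $failed
}

case "${0##*/}" in s4check|s4check.sh) s4check_all ;; esac
```

Save it as /usr/local/bin/s4check, chmod +x it and run sudo s4check before step 8; each function can also be pointed at a copy of a file to check a configuration you have not installed yet.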

That's it. Hope it saves you time. It looks like a lot, but you can do it in around 20 minutes copying and pasting from here.
CAUTION: Some of the lines may wrap on your browser