Integrating Ubuntu 12.10 With Active Directory On Server 2008 – Part 1 ( Weekend Geek Out )

Spoiler : I actually found a much easier way to do this – click here if you’re trying to get this done ASAP!  That being said, this article is still excellent for the learning experience.  Enjoy!

I have some spare time on my hands this entire freaking weekend and thought that I would clear up some of the confusion regarding running a mixed Linux / Microsoft environment; more specifically, I will be doing a tutorial on integrating Ubuntu 12.10 into a Server 2008 Active Directory environment.  The end goal for this exercise is getting Active Directory and Ubuntu to communicate; down the road I'll be setting up some basic Samba sharing with user permissions.  Enjoy :)

First things first, make sure that DNS on both systems is healthy and that they are talking to each other. Add a static A record on the Server 2008 DC that points back to the Ubuntu machine that will be joining the domain.  Check name resolution of this static entry by running ping -a against the IP in question.  If it returns a hostname, that's one step out of the way.

Screenshot of ping -a running against an Ubuntu host

Now hop onto your Ubuntu box and configure networking with the following goals in mind; setting a static IP and routes, DNS, and adding host records for the Domain Controller ( DC01 in this case.)  First let’s set a static IP – change directory ( cd ) to /etc/network/ , then list the contents of the working directory to reveal the “interfaces” file.

cd /etc/network/
/etc/network$ ls
if-down.d  if-post-down.d  if-pre-up.d  if-up.d  interfaces  interfaces~

Now launch the text editor of your choice and open up the interfaces file, set the entries as follows while keeping it in tune with your network.  Make sure to set the dns-nameservers line to point back to your domain controller.  Don’t forget the gateway entry either, otherwise you won’t have any routing ;)

iface eth0 inet static
address 192.168.1.137
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
dns-nameservers 192.168.1.147
dns-search techstaty.local
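
A pre-flight check for the stanza above, as an added example that is not part of the original post: it confirms that a gateway is present and on the same subnet as the address, and that dns-nameservers points at the domain controller. The function names (check_stanza, stanza_get, ip_to_int) are hypothetical, and the sample stanza is constructed from the values used in this article.

```shell
#!/bin/bash
# Added example: sanity-check a static stanza before restarting networking.
# SAMPLE_STANZA is constructed from the values used in this article.
SAMPLE_STANZA='iface eth0 inet static
address 192.168.1.137
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
dns-nameservers 192.168.1.147
dns-search techstaty.local'

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Print the first value given for a keyword (e.g. "gateway") in a stanza.
stanza_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_stanza STANZA DC_IP: prints "ok" or the first problem found.
check_stanza() {
    local addr mask gw dns m
    addr=$(stanza_get "$1" address)
    mask=$(stanza_get "$1" netmask)
    gw=$(stanza_get "$1" gateway)
    dns=$(stanza_get "$1" dns-nameservers)
    if [ -z "$addr" ] || [ -z "$mask" ]; then echo "missing address/netmask"; return 1; fi
    if [ -z "$gw" ]; then echo "missing gateway"; return 1; fi
    # The gateway must sit in the same subnet as the interface address.
    m=$(ip_to_int "$mask")
    if [ $(( $(ip_to_int "$addr") & m )) -ne $(( $(ip_to_int "$gw") & m )) ]; then
        echo "gateway off-subnet"; return 1
    fi
    # The article points DNS at the domain controller so AD names resolve.
    if [ "$dns" != "$2" ]; then echo "dns-nameservers is not the DC"; return 1; fi
    echo "ok"
}

check_stanza "$SAMPLE_STANZA" 192.168.1.147
```

To check a live system, pass the contents of /etc/network/interfaces as the first argument instead of the sample.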

After restarting the networking service ( /etc/init.d/networking ), ping your localhost and an external host to make sure that routing and DNS are working as intended.

ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.026 ms

ping google.com
PING google.com (74.125.239.6) 56(84) bytes of data.
64 bytes from lax04s09-in-f6.1e100.net (74.125.239.6): icmp_req=1 ttl=54 time=27.0 ms

Now that we’ve configured the static addressing on eth0 and are confident that it’s working correctly, it’s time to set up our hosts and resolv.conf files.  Change directory to /etc/ and run the text editor of your choice against /etc/hosts.  Add static entries for both the hostname of the domain controller and the FQDN ( fully qualified domain name ) as follows.

192.168.1.147   dc01.techstaty.local
192.168.1.147   dc01

Ping the domain controller by hostname and confirm that it’s returning the expected IP address.

ping dc01
PING dc01 (192.168.1.147) 56(84) bytes of data.

Now open up /etc/resolv.conf and set a static entry designating your domain controller as the primary DNS server.

nameserver 192.168.1.147

Ping an external domain to confirm that DNS is healthy and functional.

ping reddit.com
PING reddit.com (64.208.126.154) 56(84) bytes of data.

Now that we’ve configured the most important part, we can start installing packages and configuring them to talk to Active Directory.  Install the most current versions of Samba and Kerberos.

sudo apt-get install samba

Reading through the verbose response, note that aptitude is suggesting the installation of additional packages.  I’m only familiar with two of them, but go ahead and install them anyways – resolving package dependencies down the road sucks.  Now that Samba has been installed, let’s get Kerberos out of the way.

sudo apt-get install krb5-kdc krb5-admin-server

You’ll be prompted to provide a name for the admin and Kerberos servers; go ahead and set it to the Domain Controller for this tutorial.

Configuring Kerberos Authentication

Next we need to configure our authentication method, PAM in this case, so that it can talk with Active Directory.  Navigate to /etc/pam.d and add the following entries to the common-auth file.

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok use_first_pass
auth    required       pam_deny.so
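
How those three lines are evaluated at login, as an added example that is not part of the original post: a simplified walk of the stack that models only the "sufficient" and "required" controls, plus a check for the nullok option on pam_unix. The function names (eval_auth, flags_nullok) are hypothetical, and the pass/fail inputs stand in for what the real modules would return.

```shell
#!/bin/bash
# Added example: simplified walk of the common-auth stack from this article.
# Models only the "sufficient" and "required" controls; SAMPLE_STACK is
# copied from the entries above.
SAMPLE_STACK='auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok use_first_pass
auth    required       pam_deny.so'

# eval_auth STACK KRB5_RESULT UNIX_RESULT   (each result is pass or fail)
# Prints "granted via <module>", "granted" or "denied".
eval_auth() {
    local stack="$1" krb5="$2" unix="$3"
    local type control module rest result required_failed=0 required_passed=0
    while read -r type control module rest; do
        [ "$type" = "auth" ] || continue
        case "$module" in
            pam_krb5.so) result=$krb5 ;;
            pam_unix.so) result=$unix ;;
            *)           result=fail ;;  # pam_deny always fails; unknown modules fail closed
        esac
        case "$control:$result" in
            sufficient:pass)
                # Success ends the stack unless an earlier required module failed.
                if [ "$required_failed" -eq 0 ]; then
                    echo "granted via $module"; return 0
                fi ;;
            sufficient:fail) ;;                 # ignored, fall through to next line
            required:pass) required_passed=1 ;;
            required:fail) required_failed=1 ;; # stack continues but cannot succeed
        esac
    done <<EOF
$stack
EOF
    if [ "$required_failed" -eq 0 ] && [ "$required_passed" -eq 1 ]; then
        echo "granted"; return 0
    fi
    echo "denied"; return 1
}

# True when pam_unix carries nullok, which lets local accounts with an
# empty password authenticate.
flags_nullok() {
    printf '%s\n' "$1" | grep -Eq '^auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)'
}

eval_auth "$SAMPLE_STACK" fail pass   # Kerberos fails, local password works
```

With this stack a login succeeds if either Kerberos or the local password database accepts the password, and pam_deny.so makes everything else fail closed.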

Next up, add the following entries to /etc/pam.d/common-session.

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

Since we are the ones managing and maintaining the Active Directory machine, and are also working with a forest functional level of Server 2008 on our domain, we can skip working with the ADAM tool from Microsoft and skip extending our domain schema.  However, it’s a good idea at this point to install the Server for NIS feature so you can effectively edit and manage the UNIX attributes for AD objects ( users, computers etc ) with the GUI.

Hop onto your domain controller and open Server Manager, expand Roles to Active Directory Domain Services, then choose Add Role Services.  You’re looking for the Identity Management for UNIX role services; go ahead and install this role service and any other dependencies that it prompts you for.

Identity Management for UNIX

Since this is a Microsoft product, of course we have to reboot ;)

Active Directory Domain Services – Add Services Restart

Now the fun stuff; testing our Ubuntu system by querying the Active Directory server.  It’s easier to figure out how to connect first, rather than reconfigure the settings over and over.  Go ahead and install the following packages so we can run our queries.

sudo apt-get install libnss-ldap ldap-utils

Now point the installer towards the LDAP Server, and fill in the correct distinguished name values for your domain.

Distinguished Name Of The Search Base

Accept the defaults until you reach the ldap-auth-config portion, then enter the correct values for your network.

Configuring ldap-auth-config

Enter the password for the account in question and the package installation will finish.  In the next part of the article, we’ll be working with the ldapsearch tool.

About the author: frankshafer

Overall easy going guy, living on California's beautiful Central Coast. Currently working as an IT Consultant for a great company that provides outsourced IT support to local businesses.
