Linux Winbind Setup: Difference between revisions
From Pumping Station One
creation of winbind setup howto |
|||
| (22 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Hostname == | |||
Put the machines hostname in /etc/hostname | |||
'''thing2''' | |||
And set the fqdn in /etc/hosts | |||
127.0.0.1 '''thing2'''.ad.pumpingstationone.org localhost '''thing2''' | |||
== Installation == | == Installation == | ||
=== Arch Linux === | |||
sudo pacman -S krb5 samba | sudo pacman -S krb5 samba | ||
=== Debian === | |||
sudo apt-get install krb5-user libnss-winbind libpam-winbind ntp samba winbind | |||
=== Ubuntu === | |||
sudo apt-get install krb5-user ntp samba winbind | |||
* Default Kerberos version 5 realm: AD.PUMPINGSTATIONONE.ORG | |||
== /etc/nsswitch.conf == | == /etc/nsswitch.conf == | ||
| Line 24: | Line 47: | ||
== /etc/samba/smb.conf == | == /etc/samba/smb.conf == | ||
If there is an existing smb.conf file, move it: | |||
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.default | |||
[global] | [global] | ||
workgroup = PS1 | workgroup = PS1 | ||
| Line 39: | Line 67: | ||
idmap config *:range = 70001-80000 | idmap config *:range = 70001-80000 | ||
idmap config *:backend = tdb | idmap config *:backend = tdb | ||
template shell = /bin/bash | |||
== Join the domain == | |||
Use your account, you must be in the Domain Admins group. If you are adding a machine and are not in the Domain Admins group, Join the [[Systems Group]] and ask. | |||
sudo net ads join -U '''administrator'''@AD.PUMPINGSTATIONONE.ORG | |||
== /etc/pam.d/system-auth == | |||
=== Ubuntu === | |||
Ubuntu sets up pam_winbind.so automatically. | |||
=== Arch === | |||
In Arch, make the following changes to system-auth | |||
%PAM-1.0 | |||
auth required pam_env.so | |||
auth sufficient pam_unix.so try_first_pass nullok | |||
auth required pam_winbind.so use_first_pass use_authtok | |||
auth optional pam_permit.so | |||
account sufficient pam_unix.so | |||
account sufficient pam_winbind.so use_first_pass use_authtok | |||
account optional pam_permit.so | |||
account required pam_time.so | |||
password sufficient pam_unix.so try_first_pass nullok sha512 shadow | |||
password sufficient pam_winbind.so use_first_pass use_authtok | |||
password optional pam_permit.so | |||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | |||
session required pam_limits.so | |||
session required pam_env.so | |||
session sufficient pam_unix.so | |||
session sufficient pam_winbind.so use_first_pass use_authtok | |||
session optional pam_permit.so | |||
== /etc/sudoers.d/domain_admins == | |||
%domain\ admins ALL=(ALL:ALL) ALL | |||
%PS1\\domain\ admins ALL=(ALL:ALL) ALL | |||
Then make sure the file has proper permissions: | |||
sudo chmod 0440 /etc/sudoers.d/domain_admins | |||
== pam_mkhomdir.so == | |||
pam_mkhomdir is responsible for creating the home directory of users that don't have one. Without it you get the following message. | |||
Could not chdir to home directory /home/PS1/username: No such file or directory | |||
=== ubuntu === | |||
Create a file called /usr/share/pam-configs/my_mkhomedir: | |||
Name: activate mkhomedir | |||
Default: yes | |||
Priority: 900 | |||
Session-Type: Additional | |||
Session: | |||
required pam_mkhomedir.so umask=0022 skel=/etc/skel | |||
and then run: | |||
sudo pam-auth-update | |||
== /etc/lightdm/lightdm.conf == | |||
Ubuntu Only, enable showing the other ''user'' login. | |||
[SeatDefaults] | |||
user-session=ubuntu | |||
greeter-session=unity-greeter | |||
autologin-user=ps1member | |||
'''greeter-show-manual-login=true''' | |||
