[Samba] join an ubuntu desktop client to samba domain, and login in
Bob Miller
bob at computerisms.ca
Thu Mar 3 10:18:04 MST 2011
On Thu, 2011-03-03 at 09:25 +0100, Marcello Romani wrote:
> On 03/03/2011 09:15, fdelval at rojatex.com wrote:
> > Hello,
> > I did all the steps to build a DC, I even joined windows clients ok.
> >
> > Now I want to add an ubuntu desktop.
> > Ok, I modified the Workgroup and other parameters in smb.conf, I ran the
> > net rpc join -S DOMPDC -UAdministrator%password
> > I got an OK message.
> >
> >
> > Now, I reboot, the login screen appears and.....?
> >
> > I can't login with MyDomain\Myuser, nor can I find a user management
> > screen to add my domain users...
> >
> >
> > I can't find info on that, how do I login with domain users in an ubuntu
> > desktop?
> >
> > thanks
> >
>
> Although a bit dated, I believe this might be helpful:
>
> http://www.ubuntugeek.com/how-to-add-ubuntu-804-to-win-server-2003-active-directory-domain.html
>
> It talks about Likewise-open.
>
> --
> Marcello Romani

I was charged with this task recently, took quite a bit of time to put
everything together, but I have it working.

I am not clear if you are using a samba pdc or a windows pdc, I expect
the ubuntu workstation set up should be close or the same for either. I
use a samba pdc, and I found it necessary to refine my group permissions
system using the net command to get this working (the command that
brought it all together was `net sam mapunixgroup` or some such, which
led to having to remap group users, which led to shares on windows
workstations with domain permissions breaking, which led to several
applications breaking until permissions were re-applied). In other
words, this only works if all your ducks are in a row on the samba pdc.

But I have a handful of ubuntu machines in a primarily XP environment
connecting to a Samba pdc. The ubuntu machines will also work through
an openswan vpn.

This set up will allow users to log in with just their domain.name
(instead of DOMAIN\domain.name), and will mount the same shares as the
windows computers will do via the logon script. Here are the notes,
good luck with everything:

1. sudo su
2. apt-get install winbind samba libpam-mount smbfs
3. mv /etc/hosts /etc/hosts.orig
4. vi /etc/hosts <= set this file so that it contains only the
    following lines:
        127.0.0.1 localhost TEST1 TEST1.ctfn.ca
        127.0.1.1 TEST1
        192.168.150.10 pdc pdc.domain.com
5. mkdir /home/DOMAIN
6. vi /etc/nsswitch.conf <= modify the following 3 lines, leave the
    rest of the file as is:
        passwd: compat winbind
        group: compat winbind
        hosts: files dns wins mdns4_minimal mdns4
7. mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
8. vi /etc/samba/smb.conf <= copy/paste the following into this
    file:
        [global]
        ;Workstation Settings
        workgroup = DOMAIN
        netbios name = TEST1
        server string = %h
        security = domain
        idmap backend = tdb
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        wins server = 192.168.150.10
        winbind use default domain = yes
        winbind enum groups = yes
        winbind enum users = yes
        password server = 192.168.150.10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        ;Logging
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
9. /etc/init.d/smbd restart
10. /etc/init.d/nmbd restart
11. /etc/init.d/winbind restart
12. net join DOMAIN <= If this does not return a line stating join
    Domain DOMAIN was successful, stop and review, you missed
    something.
13. cd /etc/pam.d <= Note: modifying files in this location
    incorrectly may result in locking you out of the machine. Boot
    from a live cd and copy the original files back to fix.
14. mv common-account common-account.orig
15. vi common-account <= copy/paste the following into this file:
        account [success=2 default=ignore] pam_winbind.so
        account [success=1 default=ignore] pam_unix.so
        account requisite pam_deny.so
        account required pam_permit.so
16. mv common-auth common-auth.orig
17. vi common-auth <= copy/paste the following into this file:
        auth [success=2 default=ignore] pam_unix.so nullok_secure
        auth [success=1 default=ignore] pam_winbind.so use_first_pass
        auth requisite pam_deny.so
        auth optional pam_mount.so
        auth required pam_permit.so
18. mv common-session common-session.orig
19. vi common-session <= copy/paste the following into this file:
        session required pam_unix.so nullok_secure
        session required pam_mkhomedir.so skel=/etc/skel umask=0022
        session optional pam_mount.so
        session [default=1] pam_permit.so
        session requisite pam_deny.so
        session required pam_permit.so
        session optional pam_ck_connector.so nox11
20. mv /etc/security/pam_mount.conf.xml /etc/security/pam_mount.conf.xml.orig
21. vi /etc/security/pam_mount.conf.xml <= copy/paste the following
    into this file:
        <?xml version="1.0" encoding="utf-8" ?>
        <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
        <pam_mount>
          <debug enable="0" />
          <volume options="user=%(DOMAIN_USER),domain=DOMAIN"
                  fstype="cifs" server="mainlian" path="Common"
                  mountpoint="/home/DOMAIN/%(DOMAIN_USER)/Common" />
          <volume options="user=%(DOMAIN_USER),domain=DOMAIN,noperm"
                  fstype="cifs" server="mainlian" path="Departments"
                  mountpoint="/home/DOMAIN/%(DOMAIN_USER)/Departments" />
          <volume options="user=%(DOMAIN_USER),domain=DOMAIN"
                  fstype="cifs" server="mainlian" path="%(DOMAIN_USER)"
                  mountpoint="/home/DOMAIN/%(DOMAIN_USER)/Documents" />
          <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
          <logout wait="0" hup="0" term="0" kill="0" />
          <mkmountpoint enable="1" remove="true" />
        </pam_mount>
22. Open system==>Administration==>login screen==>press the unlock
    button==>enter password for network-admin
23. Uncheck "play login sound" and uncheck "show list of users".
    Ensure "show the screen for choosing who will log in" is
    selected.
24. Log out user network-admin and log in with domain user.
25. Open Departments mount from Desktop, drag department folders for
    this user to menu on left side of nautilus window.

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
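
Added example, not part of the original message: the common-auth stack in step 17 relies on its [success=N default=ignore] jump counts and on every entry staying on one line, so this Python sketch parses a stack, flags lines that are not PAM entries, and checks that access is granted exactly when pam_unix or pam_winbind succeeds. The names parse_stack, evaluate and audit are hypothetical, and evaluate is a simplified model of libpam that covers only the control values used in these notes.

```python
import re
from itertools import product
ENTRY = re.compile(r"^(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):  # -> (entries, malformed lines)
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if m := ENTRY.match(line):
            entries.append(m.groups())
        elif line:
            errors.append((n, line))  # e.g. an option wrapped onto its own line
    return entries, errors

def evaluate(entries, ok):  # simplified libpam walk; ok maps module -> succeeds?
    granted, i = None, 0
    while i < len(entries):
        _, control, module, _ = entries[i]
        success = module == "pam_permit.so" or (module != "pam_deny.so" and ok.get(module, False))
        if control.startswith("["):
            acts = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            act = acts.get("success" if success else "default", acts.get("default", "ignore"))
            i += int(act) if act.isdigit() else 0  # success=N jumps over N entries
        elif control == "requisite" and not success:
            return False  # pam_deny.so ends the stack here
        elif control in ("required", "requisite"):
            granted = success and granted is not False
        i += 1  # "optional" entries do not change the result in this model
    return granted is True

def audit(text, deciders=("pam_unix.so", "pam_winbind.so")):
    entries, errors = parse_stack(text)
    findings = [f"line {n}: not a PAM entry: {line}" for n, line in errors]
    for combo in product([False, True], repeat=len(deciders)):
        if evaluate(entries, dict(zip(deciders, combo))) != any(combo):
            findings.append(f"{deciders}={combo} -> granted={not any(combo)}")
    return findings

COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
auth required pam_permit.so
"""
WRAPPED = COMMON_AUTH.replace(" nullok_secure", "\nnullok_secure")  # constructed
NO_DENY = COMMON_AUTH.replace("auth requisite pam_deny.so\n", "")  # constructed

if __name__ == "__main__":
    print(audit(COMMON_AUTH), audit(WRAPPED), audit(NO_DENY), sep="\n")
```

The stack from step 17 produces no findings; the wrapped variant reports the stray option line, and the variant without pam_deny.so reports that access is granted even when both modules fail.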