Nasty Hacky Active Directory Integration on Gutsy

Everything listed here is done as root, so get your sudo on.

Where you see $ENV{'FOO'}, substitute appropriate values; sample values are as follows:

export DOMAIN_ADMIN=rcadmin
export DOMAIN_PASS=YOURPASS
export MACHINE_FQDN=cai17.music.uga.edu
export MACHINE_OU=Music
export AD_DOMAIN=LABS.AD.UGA.EDU
export AD_SHORTNAME=LABS

/etc/hosts

The real hostname needs to be present in /etc/hosts; mine looks like this:

127.0.0.1       localhost
127.0.1.1       cai17 cai17.music.uga.edu

Install Samba and Friends

apt-get install samba winbind krb5-user  -y

/etc/samba/smb.conf

The following settings are important and changed from the defaults; the full smb.conf is at the end of this document for your edification. Again, this is not the complete smb.conf.

   security = ads
   workgroup = $ENV{'AD_SHORTNAME'}
   realm = $ENV{'AD_DOMAIN'}
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = +
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no
   encrypt passwords = yes
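As an added example (not part of the original page), the snippet below renders the settings above from the $ENV-style variables and then checks one thing the page does not: that the idmap uid/gid range 10000-20000 is not already in use by accounts in a passwd file. If an AD user is mapped onto a UID a local account already owns, the two become the same identity on disk, so the check is worth running before the first join. The sample passwd file is constructed here; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's own script: render the winbind-related
# [global] settings and check the idmap range against existing UIDs/GIDs.

render_global() {
    # $1 = AD short name (workgroup), $2 = AD realm, $3 = idmap low, $4 = idmap high
    cat <<EOF
   security = ads
   workgroup = $1
   realm = $2
   idmap uid = $3-$4
   idmap gid = $3-$4
   winbind separator = +
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no
   encrypt passwords = yes
EOF
}

# Print every passwd entry whose UID or GID falls inside [low, high]
# as "name:uid:gid". $1 = passwd-format file, $2 = low, $3 = high.
idmap_collisions() {
    awk -F: -v lo="$2" -v hi="$3" \
        '($3 >= lo && $3 <= hi) || ($4 >= lo && $4 <= hi) { print $1 ":" $3 ":" $4 }' "$1"
}

# Exit status 0 when nothing in the file uses the range, 1 otherwise.
idmap_range_is_free() {
    [ -z "$(idmap_collisions "$1" "$2" "$3")" ]
}

# Constructed sample passwd file (not from any real host): an ordinary local
# user plus a service account that sits inside the 10000-20000 idmap range.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rob:x:1000:1000:Rob:/home/rob:/bin/bash
buildbot:x:15000:15000:Build Bot:/var/lib/buildbot:/bin/false
EOF

render_global "${AD_SHORTNAME:-LABS}" "${AD_DOMAIN:-LABS.AD.UGA.EDU}" 10000 20000
if idmap_range_is_free "$SAMPLE_PASSWD" 10000 20000; then
    echo "idmap range 10000-20000 is free"
else
    echo "idmap range 10000-20000 collides with:"
    idmap_collisions "$SAMPLE_PASSWD" 10000 20000
fi
```

On a real machine run `idmap_collisions /etc/passwd 10000 20000` (and the same against /etc/group for the GID range) and either move the offending local accounts or pick a different idmap range before joining; changing the range after users have files on disk means re-owning those files.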

/etc/nsswitch.conf

* all instances of the word compat get replaced with compat winbind
* all instances of the word dns get replaced with dns wins

Configuring Pam

/etc/pam.d/common-account

A new line should be inserted at the beginning of this file:

account     sufficient     pam_winbind.so

/etc/pam.d/common-auth

A new line should be inserted at the beginning of this file:

auth     sufficient     pam_winbind.so

/etc/pam.d/common-session

A new line should be inserted in /etc/pam.d/common-session immediately after the line containing pam_unix.so:

session required        pam_mkhomedir.so        umask=022 skel=/etc/skel
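The nsswitch and PAM edits above are easy to get wrong by hand (a second run of a naive sed turns "compat" into "compat winbind winbind", and the word "dns" also occurs inside "mdns4_minimal" on a stock Gutsy hosts line). As an added example that is not part of the original page, the script below applies all four edits idempotently, working on whole words only, and exercises them on constructed copies of the files before you point it at /etc. Function names and the sample file contents are chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's own script: idempotent nsswitch.conf and
# /etc/pam.d edits for winbind. Every function takes the file as $1.

# nsswitch: append "winbind" after the word "compat" and "wins" after the
# word "dns", unless that word already follows. Comment lines are untouched;
# runs of whitespace on edited lines collapse to single spaces.
edit_nsswitch() {
    awk '
        /^[[:space:]]*#/ || !/:/ { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                word = $i
                if (word == "compat" && $(i+1) != "winbind") word = "compat winbind"
                if (word == "dns"    && $(i+1) != "wins")    word = "dns wins"
                out = out (i > 1 ? " " : "") word
            }
            print out
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Put a line at the top of a PAM file unless it is already present.
pam_prepend() {   # $1 = file, $2 = line
    grep -qF "$2" "$1" && return 0
    { printf '%s\n' "$2"; cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Put a line right after the first line mentioning pam_unix.so, once.
pam_insert_after_unix() {   # $1 = file, $2 = line
    grep -qF "$2" "$1" && return 0
    awk -v new="$2" '{ print } !done && /pam_unix\.so/ { print new; done = 1 }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

apply_all() {   # $1 = directory holding nsswitch.conf and pam.d/
    edit_nsswitch "$1/nsswitch.conf"
    pam_prepend "$1/pam.d/common-account" 'account     sufficient     pam_winbind.so'
    pam_prepend "$1/pam.d/common-auth"    'auth     sufficient     pam_winbind.so'
    pam_insert_after_unix "$1/pam.d/common-session" \
        'session required        pam_mkhomedir.so        umask=022 skel=/etc/skel'
}

# Constructed sample files standing in for /etc/nsswitch.conf and /etc/pam.d/*.
SAMPLE_ETC="$(mktemp -d)"
mkdir -p "$SAMPLE_ETC/pam.d"
cat > "$SAMPLE_ETC/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
EOF
printf '%s\n' '# common-account' 'account required pam_unix.so' > "$SAMPLE_ETC/pam.d/common-account"
printf '%s\n' '# common-auth' 'auth required pam_unix.so nullok_secure' > "$SAMPLE_ETC/pam.d/common-auth"
printf '%s\n' '# common-session' 'session required pam_unix.so' > "$SAMPLE_ETC/pam.d/common-session"

apply_all "$SAMPLE_ETC"
apply_all "$SAMPLE_ETC"   # second run must change nothing
cat "$SAMPLE_ETC/nsswitch.conf" "$SAMPLE_ETC"/pam.d/common-*
```

To use it for real, back up first (`cp -a /etc/nsswitch.conf /etc/pam.d /root/`) and then call `apply_all /etc`; keep a root shell open until you have confirmed that local login still works, since a broken common-auth locks everyone out.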

Configure Kerberos

The Kerberos server should be identical to your AD_DOMAIN:

dpkg-reconfigure krb5-config

Set the Clock To Match The Domain

ntpdate $AD_DOMAIN

and add an entry to /etc/crontab so we stay on time:

*/5 *   * * *   root    ntpdate labs.ad.uga.edu

Join the Domain

Don't include the createcomputer= part if you don't have a sub-OU to join.

net ads join createcomputer=$MACHINE_OU -U$DOMAIN_ADMIN%$DOMAIN_PASS

Restart Samba and Winbind

# restart things
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
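As an added example that is not part of the original page, here is a small wrapper for the join and restart steps above. It leaves createcomputer= out when MACHINE_OU is empty (the case the note above warns about), it does not put DOMAIN_PASS on the command line, where it would be visible to every local user in `ps` output and saved in shell history (net prompts for the password instead), and it only restarts Samba and winbind after `net ads testjoin` confirms the machine account works. The variable names are the ones defined at the top of the page; join_args, run_join and DO_JOIN are names chosen here.

```shell
#!/bin/sh
# Added example, not the page's own script: join the domain without exposing
# the password on the command line, verify, then restart the daemons.

# Build the argument list for "net ads join" as one line. The password is
# deliberately absent, so net asks for it on the terminal.
join_args() {   # $1 = MACHINE_OU (may be empty), $2 = DOMAIN_ADMIN
    if [ -n "$1" ]; then
        printf 'ads join createcomputer=%s -U %s\n' "$1" "$2"
    else
        printf 'ads join -U %s\n' "$2"
    fi
}

run_join() {
    # Word-splitting the generated argument list is intended here.
    net $(join_args "${MACHINE_OU:-}" "$DOMAIN_ADMIN") || return 1

    # Re-validate the machine account secret against a domain controller.
    net ads testjoin || return 1

    for svc in samba winbind; do /etc/init.d/$svc stop; done
    for svc in samba winbind; do /etc/init.d/$svc start; done

    # winbind should now hold a valid trust and resolve a domain account via NSS.
    wbinfo -t && id "$DOMAIN_ADMIN"
}

# Only perform the join when explicitly asked, e.g.:  DO_JOIN=1 sh join.sh
if [ "${DO_JOIN:-}" = 1 ]; then
    run_join
fi
```

An OU name containing spaces would be split into several words by the simple join_args above; for such a name call `net ads join "createcomputer=$MACHINE_OU" -U "$DOMAIN_ADMIN"` directly instead. Once `id $DOMAIN_ADMIN` returns a UID inside the idmap range, the rest of the setup (home directory creation, netatalk) can be tested with a domain account.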

Install Netatalk

apt-get install netatalk -y

/etc/netatalk/afpd.conf

Edit /etc/netatalk/afpd.conf; it should read:

- -transall -uamlist uams_clrtxt.so,uams_dhx.so -nosavepassword

or alternatively this, but it is NOT needed for OS X SSO from the login window:

- -transall -uamlist uams_dhx.so,uams_gss.so  -k5service afpserver -k5keytab /etc/krb5.keytab  -k5realm LABS.AD.UGA.EDU -fqdn $MACHINE_FQDN:548

/etc/netatalk/atalkd.conf

/etc/netatalk/atalkd.conf should read:

eth0

Enabling Encrypted Password Support

All modern Macs refuse to connect without encrypted password support, which must be compiled in by the user for licensing reasons.

apt-get source netatalk
apt-get build-dep netatalk -y
apt-get install devscripts fakeroot cracklib2-dev -y
cd netatalk-2.0.3
DEB_BUILD_OPTIONS=ssl debuild -us -uc
dpkg -i ../netatalk_*.deb

Appendix: Full /etc/samba/smb.conf

[global]
workgroup =  LABS
server string = %h server (Samba, Ubuntu)

dns proxy = no

log file = /var/log/samba/log.%m

max log size = 1000

log level = 2
syslog = 0

panic action = /usr/share/samba/panic-action %d

security = ads
realm = LABS.AD.UGA.EDU
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes

invalid users = root

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .

socket options = TCP_NODELAY

idmap uid = 10000-20000
idmap gid = 10000-20000

winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[group]
        comment = "Group Folders"
        path = /group
        browseable = yes
        writable = yes

RobCaskey/ActiveDirectoryGrumpy (last edited 2008-08-06 16:40:52 by localhost)