Author Topic: Connecting Ubuntu 14.04.x (16.04.x) to a Zentyal 4.x (5.x) Domain

agathon

A proper guide for connecting Ubuntu 14.04.x to a Zentyal 4.0 domain using 'winbind' seems to be lacking out there in the world, so I shall share the knowledge, gained from hours (days) of troubleshooting, that I use to get my Ubuntu 14.04.x workstation or server to work in perfect harmony with Zentyal 4.0.  This also allows, in certain cases, the user's home on the server to be mounted on the client.

Some pre-requisites:
  • Properly configured Zentyal 4.0 server to support Domain logons.
  • Properly configured and working DNS system, with both the server and client(s) having an FQDN.
  • A general desire to do this without using likewise, powerbroker, centrify, or something similar.

Assumptions for this example:
  • The domain is 'whateverdomain.local'
  • The Zentyal server's hostname is 'zentyal'
  • The Ubuntu hostname is 'ubuntu'
  • Both the Zentyal server and the clients have their times synced.
  • Both server and client(s) have an FQDN.

Step 1
Configure your nsswitch.conf file.

root@ubuntu:~# vim /etc/nsswitch.conf

# line 11 as follows
hosts:          files dns


Step 2

root@ubuntu:~# apt-get install winbind libpam-winbind libnss-winbind krb5-config

# specify Realm
 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | WHATEVERDOMAIN.LOCAL_____________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# specify the hostname of AD DS
     +--------------+ Configuring Kerberos Authentication +---------------+
     | Enter the hostnames of Kerberos servers in the WHATEVERDOMAIN.LOCAL|
     | Kerberos realm separated by spaces.                                |
     |                                                                    |
     | Kerberos servers for your realm:                                   |
     |                                                                    |
     | zentyal.whateverdomain.local______________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+
# specify the hostname of the administrative (password changing) server, here the same AD DS host
 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the WHATEVERDOMAIN.LOCAL Kerberos realm.                                  |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | zentyal.whateverdomain.local_____________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+



Step 2b
Sometimes you may not get the dialogs for adding the Kerberos server and administrative server.
To bring them up, run the following command.
root@ubuntu:~# dpkg-reconfigure krb5-config


Step 3
Configure smb.conf and the nsswitch.conf file again.

root@ubuntu:~# vim /etc/samba/smb.conf

# line 29: change workgroup name to the one for AD DS and add lines like follows
   workgroup = WHATEVERDOMAIN
   password server = zentyal.whateverdomain.local
   realm = WHATEVERDOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /h/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true


root@ubuntu:~# vim /etc/nsswitch.conf

# line 7: add like follows
passwd:   compat winbind
group:    compat winbind
shadow:   compat winbind


Step 4a
Follow this step if you are configuring this on a desktop or server.
Note that the directory for the user's home does not need to be /h. It can be whatever is necessary, but it has to be the same as the 'template homedir' in step 3.

root@ubuntu:~# mkdir /h

root@ubuntu:~# apt-get install cifs-utils smbclient libpam-mount

root@ubuntu:~# vim /etc/security/pam_mount.conf.xml

# line 17: add the following in the volume definitions
<volume user="*" fstype="cifs" server="zentyal" path="%(USER)" mountpoint="/s/%(USER)" options="workgroup=whateverdomain,uid=%(USER),dir_mode=0700,sec=ntlm,nosuid,nodev" />


Step 4b
Follow this step if you are configuring this on a laptop.
Note that the directory for the user's home does not need to be /h. It can be whatever is necessary, but it has to be the same as the 'template homedir' in step 3.

root@ubuntu:~# mkdir /h

root@ubuntu:~# vim /etc/pam.d/common-session
# add at the last line if you need ( auto create a home directory when initial login )
 session optional        pam_mkhomedir.so skel=/etc/skel umask=077


Step 5
Finally, join the client to the server.

# join AD Domain ( net ads join -U [administrative user on AD])

root@ubuntu:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- WHATEVERDOMAIN
Joined 'UBUNTU' to dns domain 'whateverdomain.local'
No DNS domain configured for client. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Do not worry about that DNS fail if you get it.

Step 6
Restart the client that you have just joined to the Zentyal domain and attempt to log in using a domain user.
You can also test to see if everything has worked properly with the following commands to see if they return the correct information.

root@ubuntu:~# wbinfo -u

root@ubuntu:~# wbinfo -g



Much of this follows the steps from http://www.server-world.info/en/note?os=Ubuntu_14.04&p=samba&f=3.

If you have found any errors, feel free to message. Hope this helps someone out there!
To note, this actually works well in certain Windows Domain Active Directory setups too.
« Last Edit: October 18, 2017, 10:49:46 am by agathon »
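As an added example (not part of agathon's post, nor Zentyal's or Samba's own tooling), here is a shell helper that turns the pieces of the guide a practitioner most often gets wrong into checkable functions: the smb.conf fragment from Step 3 rendered from the same variables, the pam_mount volume from Step 4a in the thread's sec=ntlm form beside a Kerberos form, a sanity check on the idmap range, a classifier for the `net ads join` output quoted in Step 5, and a live pre-flight for the prerequisites (FQDN, Kerberos SRV record, clock). Assumptions: the thread's placeholder names, a DC_HOST variable, the sec=krb5 volume needing pam_winbind configured with `krb5_auth = yes` and `krb5_ccache_type = FILE` (so the mount runs with the ticket pam_winbind obtained), and a lower idmap bound of 10000 chosen to stay clear of local accounts. The join output in the usage below is the thread's own, re-used as constructed input.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Helpers around a winbind-based
# join of an Ubuntu host to a Zentyal (Samba AD) domain. Placeholders follow
# the thread; DC_HOST, the krb5 volume and the 10000 floor are assumptions.
set -u

DOMAIN="WHATEVERDOMAIN"
REALM="WHATEVERDOMAIN.LOCAL"
DC_HOST="zentyal.whateverdomain.local"
HOMEDIR_TEMPLATE="/h/%U"
IDMAP_RANGE="16777216-33554431"

# idmap_range_ok LOW-HIGH: winbind allocates Unix IDs from this range, so it
# must parse, be ascending, and stay above local accounts (floor assumed 10000).
idmap_range_ok() {
  local range="$1" low high
  case "$range" in
    *-*) low="${range%%-*}"; high="${range##*-}" ;;
    *) return 1 ;;
  esac
  [ -n "$low" ] && [ -n "$high" ] || return 1
  case "$low$high" in *[!0-9]*) return 1 ;; esac
  [ "$low" -ge 10000 ] && [ "$low" -lt "$high" ]
}

# render_smb_conf: the [global] block from Step 3, with an explicit idmap
# backend and mandatory SMB signing added (both are assumptions, not the post's).
render_smb_conf() {
  cat <<EOF
[global]
   workgroup = $DOMAIN
   realm = $REALM
   security = ads
   password server = $DC_HOST
   idmap config * : backend = tdb
   idmap config * : range = $IDMAP_RANGE
   template homedir = $HOMEDIR_TEMPLATE
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   client signing = mandatory
EOF
}

# pam_mount_volume ntlm|krb5: the pam_mount.conf.xml <volume> from Step 4a.
# 'ntlm' is the thread's password-based form; 'krb5' is the assumed hardened
# form that mounts with the user's Kerberos ticket (cruid = the user's UID).
pam_mount_volume() {
  local sec="$1" lc_domain opts
  lc_domain="$(printf '%s' "$DOMAIN" | tr 'A-Z' 'a-z')"
  opts="workgroup=$lc_domain,uid=%(USER),dir_mode=0700,nosuid,nodev"
  case "$sec" in
    ntlm) opts="$opts,sec=ntlm" ;;
    krb5) opts="$opts,sec=krb5,cruid=%(USERUID)" ;;
    *) return 1 ;;
  esac
  printf '<volume user="*" fstype="cifs" server="%s" path="%%(USER)" mountpoint="/s/%%(USER)" options="%s" />\n' \
    "$DC_HOST" "$opts"
}

# classify_join_output: read `net ads join` output on stdin.
# 0 = joined; 2 = joined but the client's A record was not registered (add it
# in the Zentyal DNS module, or Kerberos/SSH to the host by name will suffer);
# 1 = the join itself failed.
classify_join_output() {
  local out; out="$(cat)"
  if ! printf '%s\n' "$out" | grep -q "^Joined '"; then
    echo "join failed" >&2; return 1
  fi
  if printf '%s\n' "$out" | grep -q "DNS update failed"; then
    echo "joined, but DNS update failed: register this host's A record manually" >&2
    return 2
  fi
  return 0
}

# preflight: live checks for the guide's prerequisites. Needs dig and ntpdate.
preflight() {
  local fqdn lc_realm
  fqdn="$(hostname -f 2>/dev/null || true)"
  case "$fqdn" in
    *.*) echo "ok: fqdn $fqdn" ;;
    *) echo "FAIL: no FQDN (hostname -f = '$fqdn')"; return 1 ;;
  esac
  lc_realm="$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')"
  dig +short SRV "_kerberos._tcp.$lc_realm" | grep -q . \
    || { echo "FAIL: no _kerberos._tcp SRV record for $REALM"; return 1; }
  ntpdate -q "$DC_HOST" >/dev/null 2>&1 \
    || echo "WARN: cannot query time from $DC_HOST (Kerberos rejects >5 min skew)"
  idmap_range_ok "$IDMAP_RANGE" || { echo "FAIL: bad idmap range $IDMAP_RANGE"; return 1; }
  echo "ok: preflight passed"
}

case "${1:-}" in
  preflight) preflight ;;
  smb.conf)  render_smb_conf ;;
  volume)    pam_mount_volume "${2:-krb5}" ;;
esac
```

Usage: `./join-helpers.sh preflight` before `net ads join`, `./join-helpers.sh smb.conf` to compare against your /etc/samba/smb.conf, and `net ads join -U Administrator 2>&1 | tee join.log; ./join-helpers.sh </dev/null; classify_join_output <join.log` after (source the file for the function). The sec=krb5 volume only works if pam_winbind runs before pam_mount in the session stack and has written a file ticket cache; if the mount fails with permission errors, check `klist` as the user before falling back to sec=ntlm.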

MOSEK

Re: Connecting Ubuntu 14.04.x to a Zentyal 4.0 Domain
« Reply #1 on: January 27, 2015, 01:15:25 pm »
I have some problems.

When I install the first packages, only the first dialog appears. I didn't think much of it, but at the end, when I had done everything else you said, it wouldn't recognize my domain users.

agathon

Re: Connecting Ubuntu 14.04.x to a Zentyal 4.0 Domain
« Reply #2 on: February 01, 2015, 04:50:30 am »
How is your domain set up if I may ask? Sounds like whatever name you put in for the domain may have sent you down a different configuration path. I could be wrong though. I would appreciate more information about your setup and configuration so that I may be able to help you.

vargax

Re: Connecting Ubuntu 14.04.x to a Zentyal 4.0 Domain
« Reply #3 on: July 29, 2015, 07:18:29 am »
Hi,

I just created a small script to automate part of the process... Just adjust the variables at the beginning of the script to match your environment.

Tested on a clean install of Ubuntu 14.04.2 desktop edition.

Code:
#!/bin/bash
# domain_join.sh: semi-automatic SAMBA/Kerberos domain join for an Ubuntu 14.04 desktop.
# Adjust the variables below to match your environment, then run as root.
DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'
PASSWORD_SERVER='pdc.inet.example.com'

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
fi

clear;
echo "---------------------------------------------"
echo "domain_join.sh v0.1-20150526.1153"
echo "SAMBA/Kerberos semi-automatic domain join script"
echo "IT - Activar Servicios y Almacenaje SAS"
echo "---------------------------------------------"

echo "Setting up directory service..."
# Drop mdns4_minimal so that .local names are resolved by DNS, not multicast DNS
sed -i 's& mdns4_minimal \[NOTFOUND=return\]&&g' /etc/nsswitch.conf
apt-get install -y winbind libpam-winbind libnss-winbind krb5-config
# Replace the default workgroup line with the AD client settings
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t password server = $PASSWORD_SERVER \n\t realm = $REALM \n\t security = ads \n\t idmap config * : range = 16777216-33554431 \n\t template homedir = /home/%U \n\t template shell = /bin/bash \n\t winbind use default domain = true \n\t winbind offline logon = true&g" /etc/samba/smb.conf
# Add winbind as an NSS source for passwd, group and shadow
sed -i 's&compat&compat winbind&g' /etc/nsswitch.conf
# Create the home directory on first login
echo "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

echo "  Joining client to domain..."
net ads join -U "$DOMAIN_ADMIN"

echo "  Setting up Lightdm..."
echo "[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true" > /usr/share/lightdm/lightdm.conf.d/50-domain.conf
printf "Do you want to restrict guest login in this pc? (y/n) "
read continuar
if [ "$continuar" == "y" ]; then
    echo "allow-guest=false" >> /usr/share/lightdm/lightdm.conf.d/50-domain.conf
fi

echo "  Setting up sudoers..."
# Use a sudoers.d drop-in validated by visudo instead of inserting at a fixed
# line number of /etc/sudoers, which breaks when the file layout differs
printf '%%domain^admins ALL=(ALL) ALL\n' > /etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -c -f /etc/sudoers.d/domain-admins

echo "Setting up clock sync..."
# Keep the clock inside Kerberos' skew tolerance; run-parts needs a shebang line
printf '#!/bin/sh\nntpdate -u %s\n' "$PASSWORD_SERVER" > /etc/cron.daily/ntpdate
chmod +x /etc/cron.daily/ntpdate
CVC