A proper guide for connecting Ubuntu 14.04.x to a Zentyal 4.0 domain using 'winbind' seems to be lacking out there in the world, so I shall share what hours (days) of troubleshooting taught me about getting an Ubuntu 14.04.x workstation or server to work in perfect harmony with Zentyal 4.0. In certain cases this also lets the user's home directory on the server be mounted on the client.
Some prerequisites:
- A properly configured Zentyal 4.0 server that supports domain logons.
- A properly configured and working DNS system, with both the server and the client(s) having a FQDN, and with the client using the Zentyal server as its DNS resolver (the join and every logon locate the domain controller through the _ldap._tcp and _kerberos._tcp SRV records that Zentyal's DNS publishes).
- A general desire to do this without using Likewise, PowerBroker, Centrify, or something similar.
Assumptions for this example:
- The domain is 'whateverdomain.local'
- The Zentyal server's hostname is 'zentyal'
- The Ubuntu hostname is 'ubuntu'
- Both the Zentyal server and the clients have their clocks synced (Kerberos rejects tickets when the clocks differ by more than five minutes, so a stale clock breaks both the join and later logons).
- Both the server and the client(s) have a FQDN.
Step 1: Configure your nsswitch.conf file.
root@ubuntu:~# vim /etc/nsswitch.conf
# line 11 as follows: drop Ubuntu's default mdns4_minimal entry, which would otherwise intercept lookups for the .local domain before they ever reach DNS
hosts: files dns
Step 2: Install winbind, its NSS and PAM modules, and the Kerberos client configuration. The krb5-config package asks for the realm and the Kerberos servers during installation.
root@ubuntu:~# apt-get install winbind libpam-winbind libnss-winbind krb5-config
# specify Realm
+------------------+ Configuring Kerberos Authentication +------------------+
| When users attempt to use Kerberos and specify a principal or user name |
| without specifying what administrative Kerberos realm that principal |
| belongs to, the system appends the default realm. The default realm may |
| also be used as the realm of a Kerberos service running on the local |
| machine. Often, the default realm is the uppercase version of the local |
| DNS domain. |
| |
| Default Kerberos version 5 realm: |
| |
| WHATEVERDOMAIN.LOCAL_____________________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------------+
# specify the hostname of AD DS
+--------------+ Configuring Kerberos Authentication +---------------+
| Enter the hostnames of Kerberos servers in the WHATEVERDOMAIN.LOCAL|
| Kerberos realm separated by spaces. |
| |
| Kerberos servers for your realm: |
| |
| zentyal.whateverdomain.local______________________________________ |
| |
| <Ok> |
| |
+--------------------------------------------------------------------+
# specify the administrative (password changing) server, which is again the Zentyal server
+------------------+ Configuring Kerberos Authentication +------------------+
| Enter the hostname of the administrative (password changing) server for |
| the WHATEVERDOMAIN.LOCAL Kerberos realm. |
| |
| Administrative server for your Kerberos realm: |
| |
| zentyal.whateverdomain.local_____________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------------+
Step 2b: Sometimes you may not get the prompts for the Kerberos server and the administrative server.
To get them, run the following command.
root@ubuntu:~# dpkg-reconfigure krb5-config
Step 3: Configure smb.conf and nsswitch.conf again.
root@ubuntu:~# vim /etc/samba/smb.conf
# line 29: change the workgroup name to the domain's short (NetBIOS) name and add lines like the following
workgroup = WHATEVERDOMAIN
password server = zentyal.whateverdomain.local
realm = WHATEVERDOMAIN.LOCAL
# security = ads makes the client an Active Directory member that authenticates with Kerberos
security = ads
# domain users and groups receive UIDs/GIDs from this range; it starts far above any local account, so the two can never collide
idmap config * : range = 16777216-33554431
# home directory and shell handed to NSS for domain users (%U is the user name)
template homedir = /h/%U
template shell = /bin/bash
# log in as 'user' instead of 'WHATEVERDOMAIN\user'
winbind use default domain = true
# cache credentials locally so that users who have logged in before can still log in when the server is unreachable (laptops)
winbind offline logon = true
root@ubuntu:~# vim /etc/nsswitch.conf
# line 7: add winbind after compat, so local accounts are looked up first and domain accounts second
passwd: compat winbind
group: compat winbind
shadow: compat winbind
Step 4a: Follow this step if you are configuring a desktop or a server.
Note that the directory for the users' homes does not need to be /h. It can be whatever is necessary, but it has to be the same as the 'template homedir' in step 3.
root@ubuntu:~# mkdir /h
root@ubuntu:~# apt-get install cifs-utils smbclient libpam-mount
root@ubuntu:~# vim /etc/security/pam_mount.conf.xml
# line 17: add the following to the volume definitions. pam_mount reuses the logon password to mount each user's share from the Zentyal server on /s/<user> at login; sec=ntlm authenticates the mount with NTLM rather than Kerberos, dir_mode=0700 keeps the mounted share private to its owner, and nosuid,nodev stop setuid binaries or device nodes on the share from being honoured.
<volume user="*" fstype="cifs" server="zentyal" path="%(USER)" mountpoint="/s/%(USER)" options="workgroup=whateverdomain,uid=%(USER),dir_mode=0700,sec=ntlm,nosuid,nodev" />
Step 4b: Follow this step if you are configuring a laptop.
Note that the directory for the users' homes does not need to be /h. It can be whatever is necessary, but it has to be the same as the 'template homedir' in step 3.
root@ubuntu:~# mkdir /h
root@ubuntu:~# vim /etc/pam.d/common-session
# add at the last line if you need it (creates the home directory automatically at the first login); umask=077 keeps the new home private to its owner
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Step 5: Finally, join the client to the domain.
# join the AD domain: net ads join -U [administrative user on AD]; you are prompted for that user's password
root@ubuntu:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- WHATEVERDOMAIN
Joined 'UBUNTU' to dns domain 'whateverdomain.local'
No DNS domain configured for client. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
Do not worry about that DNS failure if you get it: it only means the client could not register its own A record dynamically, so make sure the client's record exists in Zentyal's DNS (the FQDN prerequisite above).
Step 6: Restart the client that you have just joined to the Zentyal domain and attempt to log in as a domain user.
You can also test whether everything has worked with the following commands and check that they return the correct information (wbinfo -t additionally verifies the machine account's trust secret, and getent passwd <domain user> confirms that NSS resolves domain accounts with the template home directory and shell).
root@ubuntu:~# wbinfo -u
root@ubuntu:~# wbinfo -g
Much of this follows the steps from http://www.server-world.info/en/note?os=Ubuntu_14.04&p=samba&f=3.
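The script below is an added example, not part of the original guide or of Zentyal's own tooling. It bundles the post-join checks the steps above rely on: the realm must be the upper-cased domain (step 2), the idmap range must sit above every local UID (step 3), the clocks must agree to within Kerberos's skew limit, the SRV record must resolve, and net ads testjoin, wbinfo -t and getent must all succeed (step 6). The domain, realm and server names are the guide's example values; the 300-second limit is Kerberos's default clockskew and 60000 is Ubuntu's default UID_MAX from /etc/login.defs, both assumptions about your setup rather than anything the guide states. The script name check-join.sh is likewise an assumption.

```shell
#!/bin/sh
# Post-join sanity check for a winbind client. Added example, not from the original guide.
# The three names are the guide's example values; 300 s is the Kerberos default clockskew
# and 60000 is Ubuntu's default UID_MAX (both assumptions about your setup).
DOMAIN="whateverdomain.local"
DC="zentyal.whateverdomain.local"
IDMAP_RANGE="16777216-33554431"
MAX_LOCAL_UID=60000
MAX_SKEW=300

# The Kerberos realm is, by convention, the DNS domain in upper case, which is what the
# first krb5-config dialog above expects and what 'realm =' in smb.conf must match.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# idmap_range_ok RANGE [MAX_LOCAL_UID]: succeeds only if RANGE is "lo-hi" with numeric
# bounds, lo < hi, and lo above the highest UID a local account may take, so a domain
# user can never be mapped onto a local account's UID.
idmap_range_ok() {
    range="$1"
    max_local="${2:-$MAX_LOCAL_UID}"
    case "$range" in *-*) ;; *) return 1 ;; esac
    lo="${range%%-*}"
    hi="${range#*-}"
    case "$lo$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -gt "$max_local" ] && [ "$hi" -gt "$lo" ]
}

# skew_ok SERVER_EPOCH CLIENT_EPOCH: Kerberos rejects tickets when the two clocks differ
# by more than MAX_SKEW seconds, so a join that "fails for no reason" is often this.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# live_checks USER: runs the real tools on the joined client; only executed when the
# script is started as "./check-join.sh run <domainuser>".
live_checks() {
    user="$1"
    printf 'realm in smb.conf should read: %s\n' "$(realm_for_domain "$DOMAIN")"
    idmap_range_ok "$IDMAP_RANGE" || echo "WARNING: idmap range overlaps local UIDs"
    # the SRV record is how net ads join and winbind locate the domain controller
    host -t SRV "_ldap._tcp.$DOMAIN" || echo "SRV lookup failed: the resolver must be $DC"
    # net time -S prints the DC's clock; GNU date turns it back into epoch seconds
    if server_epoch=$(date -d "$(net time -S "$DC")" +%s 2>/dev/null); then
        skew_ok "$server_epoch" "$(date +%s)" \
            || echo "WARNING: clock skew exceeds ${MAX_SKEW}s; fix NTP before joining"
    fi
    net ads testjoin        # is the machine account usable?
    wbinfo -t               # is the trust secret valid?
    getent passwd "$user"   # does NSS resolve the domain user with the template home/shell?
}

if [ "${1:-}" = "run" ]; then
    live_checks "${2:-Administrator}"
fi
```

Run it as root on the client after step 5 with ./check-join.sh run someuser; any command that fails points at the step whose configuration is wrong.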
If you have found any errors, feel free to message. Hope this helps someone out there!
Note that this also works well against certain Windows Active Directory domains.