I have created a network like the picture above as a simulation in VMware 9.0, because of the limits of the equipment I have. It would be nice if you could use it on a real network. I assume you are already familiar with Linux and Windows, including Windows Server 2008. The network you create has to meet the following conditions:
- a Windows Server 2008 R2 domain controller,
  · LAN IP 10.10.0.2, hostname (DC name) SERVER-AD-01.NGERI.CO.ID
  · domain NGERI.CO.ID
  · DNS running correctly (the member server locates the DC through DNS)
- Windows XP or Windows 7 as the OS on the user / client computers,
  · LAN IP in 10.10.0.0/24, and make sure they are joined to the domain NGERI.CO.ID
- a fresh install of Ubuntu Server 12.04.1 / 12.10 (these are the versions I have tried; other versions may also work, try it yourself.)
The domain name and IP addresses can be changed to suit you. If the above conditions are met, proceed with the following steps:
1. IP address. Give the server a static IP address. Edit /etc/network/interfaces:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 10.10.0.6
netmask 255.255.255.0
network 10.10.0.0
broadcast 10.10.0.255
gateway 10.10.0.1
dns-nameservers 10.10.0.2 8.8.8.8
The domain controller (10.10.0.2) must be the first nameserver: Kerberos and the domain join look up the DC's SRV records in the AD DNS zone, which 8.8.8.8 cannot answer.
2. Hostname. Change the hostname as you wish, for example SERVER-UBUNTU, and save. In /etc/hostname:
SERVER-UBUNTU
In /etc/hosts, add the following line and do not forget to save. Put the fully qualified name first, so that hostname -f returns server-ubuntu.ngeri.co.id; the join uses that name for the machine account and its DNS record:
10.10.0.6 server-ubuntu.ngeri.co.id server-ubuntu
3. Install the necessary packages and configure them
# apt-get update
# apt-get install openssh-server mc vim
# apt-get install ntp krb5-user samba winbind
When you are asked to configure Kerberos, fill in your domain name as the default realm; in my case, type NGERI.CO.ID and select OK.
Next you are asked for the Kerberos server (KDC) of the realm; in this case, type the hostname of the domain controller, SERVER-AD-01.NGERI.CO.ID, and select OK.
Lastly you are asked for the administrative server of the realm. On an AD domain this is the domain controller again, SERVER-AD-01.NGERI.CO.ID. Select OK. The installer never asks for the domain administrator's password; that is only needed later, for kinit and net ads join.
4. NTP. Point ntp at the domain controller so that the member server's clock stays in sync with the domain. Kerberos rejects authentication when the clock skew exceeds five minutes (the default), so a "Clock skew too great" error from kinit means this step failed. In /etc/ntp.conf:
server 10.10.0.2
5. Samba
# mv /etc/samba/smb.conf /etc/samba/smb.conf.old
# vim /etc/samba/smb.conf
[global]
workgroup = NGERI
server string = Samba Server Version %v
security = ads
realm = NGERI.CO.ID
# No "password server" line: with security = ads Samba finds the DC through DNS.
# If you do set it, use the DC's name (SERVER-AD-01.NGERI.CO.ID), never a placeholder.
domain master = no
local master = no
preferred master = no
# idmap: the default ('*') range and the domain range must not overlap,
# and the domain name must be the workgroup (NGERI), not a name copied
# from someone else's configuration.
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config NGERI : backend = rid
idmap config NGERI : range = 100000-199999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
#========================= Share Definitions ======================
[testshare]
comment = Test share
path = /home/testshare
read only = no
# The domain prefix must match the workgroup above
valid users = @"NGERI+Domain Users"
force group = "Domain Users"
directory mode = 0750
force directory mode = 0750
create mode = 0640
force create mode = 0640
# Hide the share from users who do not have access to it
access based share enum = yes
# Hide files and directories the user has no read access to
hide unreadable = yes
Do not forget to save, and of course adjust the configuration above to your needs. Then create the directory for the share. mkdir alone leaves it owned by root with no group write access, so after the join, once winbind resolves domain groups, give it to the Domain Users group (chgrp, as in the final section) and make it group-writable; otherwise every write through the share fails even though valid users allows the connection.
# mkdir /home/testshare
6. Authentication: winbind. Edit /etc/nsswitch.conf and update the following lines:
passwd: compat winbind
group: compat winbind
7. Kerberos. Look in /etc/krb5.conf and make sure the lines below are present and correct. The krb4_config and krb4_realms lines that the Ubuntu default file carries are irrelevant here and can stay or go. The admin_server must be a real host (the domain controller), not a placeholder:
[libdefaults]
default_realm = NGERI.CO.ID
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
NGERI.CO.ID = {
kdc = SERVER-AD-01.NGERI.CO.ID
admin_server = SERVER-AD-01.NGERI.CO.ID
}
[domain_realm]
.ngeri.co.id = NGERI.CO.ID
ngeri.co.id = NGERI.CO.ID
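Before rebooting, it is worth checking smb.conf for the two mistakes that are easiest to make when adapting a configuration like this one from a forum post written for another domain: idmap ranges that overlap (Samba needs the '*' range and each domain range to be disjoint, otherwise SID-to-uid mapping is ambiguous), and a domain prefix in idmap config or valid users that does not match the workgroup. The script below is an added example, not part of the original post and not a Samba tool; it assumes the Samba 3.6 "idmap config NAME : range" syntax shipped with Ubuntu 12.04/12.10, and the two smb.conf fragments it lints are constructed inline (one written for a domain called TEST with identical ranges, one corrected). Run it against the real file with lint_smb_conf /etc/samba/smb.conf.

```shell
#!/bin/bash
# Added example (not from the original post): offline lint for the [global]
# and share sections of a Samba AD member-server smb.conf.
# Assumption: Samba 3.6 "idmap config NAME : range = LO-HI" syntax.

# check_idmap_ranges FILE
# Prints every pair of "idmap config NAME : range" entries whose ranges
# overlap and returns 1 if there is at least one; returns 0 otherwise.
check_idmap_ranges() {
    awk '
      /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
        name = $0
        sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", name)
        sub(/[ \t]*:.*/, "", name)                 # "TEST:range = 1-2" -> "TEST"
        val = $0
        sub(/.*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)   # -> "1-2"
        split(val, r, "-")
        n++; nm[n] = name; lo[n] = r[1] + 0; hi[n] = r[2] + 0
      }
      END {
        bad = 0
        for (i = 1; i <= n; i++)
          for (j = i + 1; j <= n; j++)
            if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
              print "idmap range for \"" nm[i] "\" overlaps \"" nm[j] "\""
              bad = 1
            }
        exit bad
      }' "$1"
}

# check_domain_names FILE
# Every named idmap domain and every "DOMAIN+" prefix used in valid users
# must equal the workgroup (case-insensitive). Returns 1 on any mismatch.
check_domain_names() {
    awk '
      /^[ \t]*workgroup[ \t]*=/ {
        wg = $0; sub(/.*=[ \t]*/, "", wg); sub(/[ \t]+$/, "", wg)
      }
      /^[ \t]*idmap[ \t]+config[ \t]+/ {
        name = $0
        sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", name)
        sub(/[ \t]*:.*/, "", name)
        if (name != "*") seen[name] = 1
      }
      /^[ \t]*valid[ \t]+users[ \t]*=/ {
        s = $0
        while (match(s, /[A-Za-z0-9_.-]+[+]/)) {   # e.g. "TEST+" in @"TEST+Domain Users"
          seen[substr(s, RSTART, RLENGTH - 1)] = 1
          s = substr(s, RSTART + RLENGTH)
        }
      }
      END {
        bad = 0
        for (d in seen)
          if (toupper(d) != toupper(wg)) {
            print "domain name " d " does not match workgroup " wg
            bad = 1
          }
        exit bad
      }' "$1"
}

# lint_smb_conf FILE: run both checks; 0 only if both pass.
lint_smb_conf() {
    local rc=0
    check_idmap_ranges "$1" || rc=1
    check_domain_names "$1" || rc=1
    return "$rc"
}

# Constructed fragment: workgroup NGERI, but idmap and valid users written
# for a domain called TEST, and both idmap ranges identical.
sample_conf_as_posted() {
    cat <<'EOF'
[global]
workgroup = NGERI
security = ads
realm = NGERI.CO.ID
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config TEST:backend = rid
idmap config TEST:range = 10000-99999
[testshare]
valid users = @"TEST+Domain Users"
EOF
}

# Constructed fragment with the domain name and ranges corrected.
sample_conf_fixed() {
    cat <<'EOF'
[global]
workgroup = NGERI
security = ads
realm = NGERI.CO.ID
idmap config * : backend = tdb
idmap config * : range = 10000-99999
idmap config NGERI : backend = rid
idmap config NGERI : range = 100000-199999
[testshare]
valid users = @"NGERI+Domain Users"
EOF
}

# Demo: the as-posted fragment fails both checks, the corrected one passes.
demo_bad=$(mktemp); sample_conf_as_posted > "$demo_bad"
demo_ok=$(mktemp);  sample_conf_fixed     > "$demo_ok"
for f in "$demo_bad" "$demo_ok"; do
    if lint_smb_conf "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
rm -f "$demo_bad" "$demo_ok"
```

The checks are deliberately syntactic; testparm -s will still tell you about unknown parameters, and the semantic problems caught here (overlapping ranges, a stale domain name) are exactly the ones testparm accepts silently or only warns about.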
That's all. Now reboot.
It's time to try it. First get a ticket for the domain administrator; if kinit complains about clock skew, fix the NTP step before going further:
# kinit administrator
Password for administrator@NGERI.CO.ID:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@NGERI.CO.ID
Valid starting       Expires              Service principal
04/02/2013 21:08     05/02/2013 07:09     krbtgt/NGERI.CO.ID@NGERI.CO.ID
renew until 05/02/2013 21:08
Join Samba to the domain:
# net ads join -U administrator
Enter administrator's password:
Using short domain name -- NGERI
Joined 'SERVER-UBUNTU' to realm 'NGERI.CO.ID'
Restart winbind after the join so that it picks up the new machine account, then test that it can list your AD users and groups:
# wbinfo -u
# wbinfo -g
If wbinfo lists the domain users but getent passwd does not, the nsswitch.conf step is wrong; Samba resolves the names in valid users and force group through nsswitch, so the share will not work until that is fixed.
Now, from the client computer (Windows), log in as a domain user. Click Start, then Run. In the box, type \\server-ubuntu\ and click OK. A window should open showing \\server-ubuntu\testshare.
At this point Ubuntu is working as a member server and can be used as a file server. You need a plan for the file server: which domain users may access it, which files they may see, and so on. Use the share options in /etc/samba/smb.conf together with the filesystem permissions to enforce those rules. smb.conf decides who may connect to a share; the Unix owner, group and mode on the directories decide what they can do once connected, and hide unreadable only hides what the filesystem already denies. For example, I want each domain user to have a folder of their own on the file server, and folders and files a user has no permission for to be invisible.
On Ubuntu, create some folders. They live under /home/share here, so point the share's path at that directory. The owners are domain accounts, so this only works after the join, when winbind resolves them; with winbind use default domain = yes the names need no NGERI+ prefix:
# cd /home/share
# mkdir ngeri datauser1 datauser2
# chown ngeri ngeri
# chown user1 datauser1
# chown user2 datauser2
# chgrp "domain users" /home/share/*
And in smb.conf, under the share, so that new folders and files are readable by their owner only:
directory mode = 0700
force directory mode = 0700
create mode = 0600
force create mode = 0600
Reference: http://ubuntuforums.org/showthread.php?t=280702. I modified it based on my experiments using Ubuntu 12.10.