Thursday, February 07, 2013

Ubuntu Server as Domain Member Server

network domain server and member server
I have created a network like the picture above as a simulation in VMware 9.0, because of equipment limitations. It would be nice if you could use a real network. I assume you are already familiar with Linux and Windows, including Windows Server 2008, and that the network you created meets the following conditions:
  • A Windows Server 2008 R2 machine:
      · LAN IP 10.10.0.2, hostname (DC name) = SERVER-AD-01.NGERI.CO.ID
      · domain: NGERI.CO.ID
      · DNS is running well
      · optionally, DHCP is already running
  • Windows XP or Windows 7 as the OS of the user / client computers:
      · LAN IP in 10.10.0.0/24, and make sure each one has joined the domain NGERI.CO.ID
  • A fresh install of Ubuntu Server 12.04.1 / 12.10 (these are the versions I have tried; other versions might also work, try it yourself).
The domain name and IP addresses can be changed as you wish. If the above conditions are met, proceed with the following:
1.      IP address. Change the IP address to static. Edit /etc/network/interfaces,
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.10.0.6
netmask 255.255.255.0
network 10.10.0.0
broadcast 10.10.0.255
gateway 10.10.0.1
dns-nameservers 10.10.0.2 8.8.8.8

2.      Hostname. Change the hostname as you wish, for example SERVER-UBUNTU, and then save. Edit /etc/hostname:
SERVER-UBUNTU

In /etc/hosts, add the following line, and do not forget to save:
10.10.0.6 server-ubuntu server-ubuntu.ngeri.co.id

3.       Install necessary packages & configure
# apt-get update
# apt-get install openssh-server mc vim
# apt-get install ntp krb5-user samba winbind
When you are asked to configure Kerberos, fill in your domain name. In my case, for example, type NGERI.CO.ID and select OK.
configuring kerberos authentication 1

Next, you will be asked for the hostname (DC name) of the domain server; in this case, type SERVER-AD-01.NGERI.CO.ID and select OK.
configuring kerberos authentication 2

And lastly, enter the administrator password of the domain server, for example "xxgirxx", then select OK.
configuring kerberos authentication 3

4.      NTP. Define the NTP server, to synchronize time between the domain server and the member server. In /etc/ntp.conf:
server 10.10.0.2

5.      Samba
# mv /etc/samba/smb.conf /etc/samba/smb.conf.old
# vim /etc/samba/smb.conf

[global]
    workgroup = NGERI
    server string = Samba Server Version %v
    security = ads
    realm = NGERI.CO.ID
    # password server takes the host name of the domain controller
    password server = SERVER-AD-01.NGERI.CO.ID
    domain master = no
    local master = no
    preferred master = no
    idmap backend = tdb
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    # the domain named in "idmap config" must be the workgroup set above
    idmap config NGERI:backend = rid
    idmap config NGERI:range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50
#========================= Share Definitions ======================
[testshare]
    comment = Test share
    path = /home/testshare
    read only = no
    valid users = @"NGERI+Domain Users"
    force group = "Domain Users"
    directory mode = 0750
    force directory mode = 0750
    create mode = 0640
    force create mode = 0640
    # Hide share from users who don't have access
    access based share enum = yes
    # Hide files/directories if the user doesn't have read access
    hide unreadable = yes
Do not forget to save, and of course customize the above configuration to your needs. Then create a folder for the Samba share.
# mkdir /home/testshare

6.      Winbind authentication. Edit /etc/nsswitch.conf and update the following lines:
passwd: compat winbind
group: compat winbind

7.      Kerberos. Look in /etc/krb5.conf and make sure that the lines below are present and correct.
[libdefaults]
        default_realm = NGERI.CO.ID
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
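        NGERI.CO.ID = {
                kdc = SERVER-AD-01.NGERI.CO.ID
                # admin_server is a host name (here the DC); krb5.conf is world-readable, so no password belongs in it
                admin_server = SERVER-AD-01.NGERI.CO.ID
        }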

[domain_realm]
        .ngeri.co.id = NGERI.CO.ID
        ngeri.co.id = NGERI.CO.ID
That’s all… now reboot…
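
A consistency check for the files edited in steps 5 and 7, added here as an example (it is not part of the original post or of Samba): it flags an "idmap config" domain that does not match workgroup, a per-domain ID range that overlaps the default range (two accounts can then end up with the same UID and reach each other's files), and a realm that differs from default_realm. The function names and the sample input are assumptions made for this example.

```python
import re

# Constructed sample, not a real host's files; it contains all three mistakes.
SMB_CONF = """\
[global]
    workgroup = NGERI
    security = ads
    realm = NGERI.CO.ID
    idmap uid = 10000-99999
    idmap config TEST:backend = rid
    idmap config TEST:range = 10000-99999
"""
KRB5_CONF = "[libdefaults]\n        default_realm = ngeri.co.id\n"

def parse_global(text):
    """Return the [global] parameters of an smb.conf, names lower-cased."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def to_range(value):
    return tuple(int(n) for n in value.split("-"))

def lint(smb_text, krb5_text):
    """Return a list of findings; an empty list means all checks passed."""
    g, findings, default, domain = parse_global(smb_text), [], [], {}
    workgroup = g.get("workgroup", "").upper()
    for key, value in g.items():
        m = re.fullmatch(r"idmap config\s+(.+?)\s*:\s*(.+)", key)
        if key in ("idmap uid", "idmap gid") or (m and m[1] == "*" and m[2] == "range"):
            default.append(to_range(value))        # range of the default (*) domain
        elif m and m[2] == "range":
            domain[m[1].upper()] = to_range(value)  # range of a named domain
        elif m and m[1] != "*":
            domain.setdefault(m[1].upper(), None)   # named domain without a range line
    for name, rng in sorted(domain.items()):
        if name != workgroup:
            findings.append(f"idmap config names {name}, workgroup is {workgroup}")
        if rng and any(rng[0] <= hi and lo <= rng[1] for lo, hi in default):
            findings.append(f"idmap range of {name} overlaps the default range")
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    if g.get("security", "").lower() == "ads" and (not m or m[1] != g.get("realm")):
        findings.append("smb.conf realm and krb5.conf default_realm differ (case matters)")
    return findings
```

On the member server, pass the contents of /etc/samba/smb.conf and /etc/krb5.conf to lint() before running the join; the constructed sample returns three findings.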

It's time to try.
# kinit administrator
Password for administrator@NGERI.CO.ID:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@NGERI.CO.ID

Valid starting    Expires           Service principal
04/02/2013 21:08  05/02/2013 07:09  krbtgt/NGERI.CO.ID@NGERI.CO.ID
        renew until 05/02/2013 21:08
Join Samba to the domain:
# net ads join -U administrator
Enter administrator's password:
Using short domain name -- NGERI
Joined 'SERVER-UBUNTU' to realm 'NGERI.CO.ID'
Test that Winbind can list your AD users and groups:
# wbinfo -u
# wbinfo -g

Now, from the client computer (Windows), log in as a domain user. Click Start > Run, type \\server-ubuntu\ in the box, then click OK. A window should open showing \\server-ubuntu\testshare.
At this point Ubuntu is working as a member server and can serve as a file server. You should have a plan for the file server: which domain users can access it, which files they can access, and so on. Use the permission settings in /etc/samba/smb.conf to make the rules. For example, I want each domain user to have their own folder on the file server drive, and folders and files to be invisible to domain users who have no permission on them.
On Ubuntu, create some folders.
# cd /home/share
# mkdir ngeri datauser1 datauser2
# chown ngeri ngeri
# chown user1 datauser1
# chown user2 datauser2
# chgrp "domain users" /home/share/*
And in smb.conf:
    directory mode = 0700
    force directory mode = 0700
    create mode = 0600
    force create mode = 0600

OK. At this point I do not think I need to explain more about these permissions, because I think you already know about them.

Reference:
http://ubuntuforums.org/showthread.php?t=280702. I modified it based on my experiments using Ubuntu 12.10.

2 comments:

  1. Nice post...I look forward to reading more, and getting a more active part in the talks here, whilst picking up some knowledge as well..
