@soyfrien
Last active September 16, 2018 00:52

Gist of How Domain Was Joined

Install software

I installed Samba during the initial server installation's tasksel-like dialog.

apt install ntp ntpdate winbind libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Sync Time with DCs

vim /etc/ntp.conf
# replace the distribution's default pool entries with the domain controllers
pool ada.example.com
pool adb.example.com

service ntp restart

Set up Kerberos

vim /etc/krb5.conf

[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
# Pinning rc4-hmac/des-cbc-md5 forces weak Kerberos ciphers; current DCs offer AES,
# so dropping these three lines lets the client negotiate aes256-cts-hmac-sha1-96.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
EXAMPLE.COM = {
  kdc = ada.example.com
  kdc = adb.example.com
  default_domain = ada.example.com
}

[domain_realm]
# hosts in the DNS domain belong to the EXAMPLE.COM realm; the right-hand side is a
# realm name, so it must match the entry in [realms] (both DCs serve that one realm)
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

kinit administrator
klist

Set up Samba & File Sharing

vim /etc/samba/smb.conf

[global]
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
# default range for non-domain SIDs (BUILTIN, local); it must not overlap the EXAMPLE
# range below, see idmap_rid(8). 'idmap uid'/'idmap gid' are the legacy spelling of
# 'idmap config * : range' and were dropped in favour of these lines.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# EXAMPLE domain: derive UIDs/GIDs from the RID so every joined host maps them the same way
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
winbind expand groups = 1
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
log file = /var/log/samba/samba.log
log level = 2
;obey pam restrictions = yes
min protocol = SMB2
client min protocol = SMB2
inherit permissions = yes

[homes]
comment = Home directories and personal storage for lab users
read only = No
browseable = No

[data]
comment = Main data store for lab users
path = /data
valid users = +EXAMPLE\labusers
force group = +EXAMPLE\labusers
writable = yes
read only = no
create mask = 2770
force create mode = 2770
directory mask = 2770
force directory mode = 2770
access based share enum = yes
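Added example, not code from the gist: a small audit that reads krb5.conf and smb.conf text and reports the settings that most often go wrong in an AD join of this kind (RC4/DES enctypes, overlapping idmap ranges, an SMB1 protocol floor). The two sample inputs are constructed and deliberately combine the weak enctype line with the legacy idmap uid range next to the domain range so that both checks fire; the function and constant names are my own.

```python
# Added example (not from the gist): audit krb5.conf / smb.conf text for RC4/DES enctypes, overlapping idmap ranges and an SMB1 floor.
import re

WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}
SMB1_LEVELS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def parse_kv(text):
    """Return (section, key, value) triples; comments and the krb5 '{ }' realm block syntax are skipped."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip() != "{":  # 'EXAMPLE.COM = {' opens a block; a bare '}' has no '='
            out.append((section, key.strip().lower(), value.strip()))
    return out

def audit_krb5(text):
    """Flag [libdefaults] *_enctypes lines that pin RC4 or single DES."""
    findings = []
    for section, key, value in parse_kv(text):
        weak = sorted(set(value.lower().split()) & WEAK_ENCTYPES)
        if section == "libdefaults" and key.endswith("enctypes") and weak:
            findings.append(f"krb5 {key} pins weak enctypes: {' '.join(weak)}")
    return findings

def audit_smb(text):
    """Flag overlapping idmap ranges (legacy 'idmap uid/gid' = the '*' default) and an SMB1 floor."""
    ranges, findings = {}, []
    for section, key, value in parse_kv(text):
        m = re.fullmatch(r"idmap config\s*(\S+)\s*:\s*range", key)
        dom = m.group(1) if m else ("*" if key in ("idmap uid", "idmap gid") else None)
        if section == "global" and dom:
            ranges[dom] = tuple(int(x) for x in value.split("-"))
        elif section == "global" and key.endswith("min protocol") and value.lower() in SMB1_LEVELS:
            findings.append(f"smb {key} = {value} admits SMB1")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # every pair of ranges must be disjoint
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"smb idmap ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return findings

# Constructed samples modelled on this gist's settings; the legacy 'idmap uid' line is kept on purpose.
KRB5_SAMPLE = ("[libdefaults]\npermitted_enctypes = rc4-hmac des-cbc-md5\n"
               "[realms]\nEXAMPLE.COM = {\n  kdc = ada.example.com\n}\n")
SMB_SAMPLE = ("[global]\nsecurity = ads\nidmap uid = 10000-99999\n"
              "idmap config EXAMPLE:range = 10000-99999\nmin protocol = SMB2\n")
```

Feed it the real files with audit_krb5(open("/etc/krb5.conf").read()) and audit_smb(open("/etc/samba/smb.conf").read()); an empty list from both means none of the three checks fired.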

Join domain

net ads join -U administrator

Finishing up: Miscellany

Enable new home directory creation

pam-auth-update

[*] create home directory on login

Make sure new files have 770 permissions

vim /etc/pam.d/common-session
session optional        pam_umask.so                     umask=0007
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

Allow domain users to change passwords

vim /etc/nsswitch.conf 
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat winbind

Enable SSH login for domain users

vim /etc/pam.d/common-auth
# Note: 'password'-type lines are only consulted for password changes (common-password);
# the auth-type pam_winbind.so line that SSH logins need is supplied by the winbind
# profile that pam-auth-update enables once libpam-winbind is installed.
#password       [success=1 default=ignore]   pam_winbind.so use_authtok try_first_pass
password        sufficient                   pam_winbind.so

Restrict login to lab users

vim /etc/ssh/sshd_config
# with 'winbind use default domain = yes' the AD group is named without the EXAMPLE\ prefix, e.g. labusers
AllowGroups sudo groupName

Finish up or restart

systemctl restart smbd nmbd winbind

Try mapping drives, creating files over SMB, using touch, changing passwords, etc.
