Setting up full Windows AD support (shares and login) on Ubuntu
You will need to install Samba and Winbind, and set up some stuff in pam. Then you need to join the domain.
This installs the necessary packages as well as some useful extras:
apt-get install ldap-utils samba winbind smbfs smbldap-tools smbclient
Samba and Winbind
This is a complete configuration, minus any shares:
[global] workgroup = MYDOMAIN realm = mydomain.com server string = MYHOSTNAME and its description wins server = 10.200.10.10 client schannel = no dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d security = domain encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes map to guest = bad user socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 idmap uid = 10000-20000 idmap gid = 10000-20000 template shell = /bin/bash template homedir = /home/%D/%U template primary group = "Domain Users" winbind cache time = 1800 nt acl support = Yes preserve case = Yes winbind use default domain = yes unix charset = ISO8859-1 create mask = 0770 directory mask = 0770
If you want to change the separator used between domain name and user name to something other than the default backslash, you can add this:
winbind separator = +
Here you need to let the system know to ask winbind for account and group information. Add "winbind" to the lines for "passwd", "group" and "shadow":
passwd: compat winbind group: compat winbind shadow: compat winbind
Add this to /etc/pam.d/common-auth:
auth sufficient pam_winbind.so
Add this to /etc/pam.d/common-account:
account sufficient pam_winbind.so
Add this to /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel umask=0027
sudoUse visudo to comment out all the trash in /etc/sudoers and add this, to allow only domain admins to use sudo indiscrimininately:
%admin ALL=(ALL) ALL %domain\ admins ALL=(ALL) ALL
Remember to enable PasswordAuthentication in /etc/ssh/sshd_config. This should of course be disabled on all systems unless it is needed for things like this.
Joining the domain
net rpc join member -n MYHOSTNAME -w MYDOMAIN -S mydomaincontroller.mydomain.com -U adminuser
When all this is done, you need to restart samba, winbind and sshd. Or you may want to reboot the system.
/etc/init.d/winbind restart /etc/init.d/samba restart /etc/init.d/sshd restart