Add Kubuntu Desktop to test network
Download the latest Kubuntu LTS Desktop installation image and create the server in VirtualBox:
- Name: KUBUNTU.samdom.example.com
- Type: Linux
- Version: Ubuntu (64-bit)
- RAM: 3072 MB
- Virtual HD: 50.00 GB
- HD Type: VDI, dynamically allocated
Change the Network settings for Adapter 1 to the NAT Network and Adapter 2 to the Host-only Adapter.
Attach the installation image to the server’s Optical Drive and start the server.
- Hostname: KUBUNTU.samdom.example.com
- Leave the root password blank.
- Enter the desired user name and password for the admin (sudo) account.
- Make your disk partition selections and write changes to disk.
- Install the GRUB boot loader on /dev/sda
- Finish the installation and reboot.
Log in as the admin user. Configure a static IP address on the second adapter (enp0s8) so that SSH logins from the host machine work. Set these values for enp0s8:
address 192.168.56.7
netmask 255.255.255.0
Install upgrades and the openssh server:
apt update
apt dist-upgrade
apt install openssh-server
Reboot the machine to switch to the static IP address.
Change the default UMASK in /etc/login.defs
UMASK 002
Sync time with the AD DC by adding this line to the [Time] section of the /etc/systemd/timesyncd.conf file:
NTP=DC1.samdom.example.com
Install the software required for the Ubuntu machine to be fully integrated into the domain by running the command:
apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind git
After all packages finish installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the commands:
kinit administrator
klist
Join Kubuntu to Samba4 AD DC
Backup the default configuration file of Samba, and create a new one:
mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
nano /etc/samba/smb.conf
Add these lines to the new Samba (version >= 4.6.0) configuration file and save it:
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
security = ADS
dns forwarder = 10.0.2.1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
protocol = SMB3
usershare max shares = 0
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0644
directory mask = 2755
[Public]
path = /opt/Public
browsable = yes
read only = no
public = yes
guest ok = yes
create mask = 0664
directory mask = 2775
Stop all Samba daemons, join the domain with the ticket obtained earlier, and restart the daemons:
systemctl stop smbd nmbd winbind
net ads join -k
systemctl start smbd nmbd winbind
Install WSD Daemon
As root, clone the git repository and edit the service file:
git clone https://github.com/christgau/wsdd
cd wsdd
nano etc/systemd/wsdd.service
After=multi-user.target
Wants=multi-user.target
ExecStart=/usr/bin/wsdd --shortlog --domain SAMDOM --ipv4only
User=daemon
Group=daemon
Copy the files to the correct locations, enable the service, and start it:
cp src/wsdd.py /usr/bin/wsdd
cp etc/systemd/wsdd.service /etc/systemd/system
systemctl daemon-reload
systemctl enable wsdd.service
systemctl start wsdd.service
Configure AD Accounts Authentication
Add winbind to the passwd and group lines in the /etc/nsswitch.conf configuration file:
passwd: compat winbind systemd
group: compat winbind systemd
Edit the file /usr/share/pam-configs/mkhomedir
Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes
Session:
	required pam_mkhomedir.so
Enable the PAM entries so that winbind creates a home directory for each domain account at first login:
pam-auth-update
Give sudo access to members of “domain admins”:
echo "%domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/SAMDOM
chmod 0440 /etc/sudoers.d/SAMDOM
Create the Public folder:
mkdir /opt/Public
chgrp "Domain Users" /opt/Public
chmod 2775 /opt/Public
Reboot and test
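A check script for the "test" step, added here as an example (it is not part of the original guide). It assumes the file names used above; it validates the idmap ranges, the sudoers drop-in and nsswitch.conf offline on constructed copies, then runs the same checks plus wbinfo against the real system where those files and tools exist.

```shell
#!/bin/sh
# Sanity checks for the winbind domain member configured above (added example).
# Config checks run offline on constructed samples; live checks need wbinfo.

# 0 when smb.conf $1 has at least two "idmap config ... : range = LO-HI" lines,
# each well formed, and no two ranges overlap (winbind rejects overlapping ranges).
idmap_ranges_ok() {
    sed -n 's/^[[:space:]]*idmap config[^=]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p' "$1" |
    awk 'NF == 2 { n++; lo[n] = $1 + 0; hi[n] = $2 + 0; if (lo[n] >= hi[n]) bad = 1 }
         END { if (n < 2) bad = 1
               for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                   if (lo[i] <= hi[j] && lo[j] <= hi[i]) bad = 1
               exit bad + 0 }'
}

# 0 when sudoers drop-in $1 is mode 0440 and its only rule is for "domain admins".
sudoers_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--r-----" ] &&
    grep -q '^%domain\\ admins[[:space:]]' "$1" &&
    [ "$(grep -Evc '^[[:space:]]*(#|$)' "$1")" -eq 1 ]
}

# 0 when both the passwd and group lines of nsswitch.conf $1 list winbind.
nsswitch_ok() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

report() { label=$1; shift; if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; fi; }

# Constructed samples mirroring the guide's settings, plus one with overlapping ranges.
sample=$(mktemp -d); trap 'rm -rf "$sample"' EXIT
printf '%s\n' '[global]' 'idmap config * : backend = tdb' 'idmap config *:range = 3000-7999' \
    'idmap config SAMDOM : backend = ad' 'idmap config SAMDOM : range = 10000-999999' > "$sample/smb.conf"
sed 's/3000-7999/3000-20000/' "$sample/smb.conf" > "$sample/smb.conf.overlap"
printf '%s\n' '%domain\ admins ALL=(ALL) ALL' > "$sample/SAMDOM"; chmod 0440 "$sample/SAMDOM"
printf '%s\n' 'passwd: compat winbind systemd' 'group: compat winbind systemd' > "$sample/nsswitch.conf"
report "sample idmap ranges"                    idmap_ranges_ok "$sample/smb.conf"
report "overlapping idmap ranges (expect FAIL)" idmap_ranges_ok "$sample/smb.conf.overlap"
report "sample sudoers drop-in"                 sudoers_ok "$sample/SAMDOM"
report "sample nsswitch.conf"                   nsswitch_ok "$sample/nsswitch.conf"

# On the joined machine: check the real files, then the trust secret, user
# enumeration and NSS lookup of a domain account through libnss-winbind.
[ -r /etc/samba/smb.conf ]   && report "/etc/samba/smb.conf idmap ranges" idmap_ranges_ok /etc/samba/smb.conf
[ -r /etc/sudoers.d/SAMDOM ] && report "/etc/sudoers.d/SAMDOM" sudoers_ok /etc/sudoers.d/SAMDOM
[ -r /etc/nsswitch.conf ]    && report "/etc/nsswitch.conf" nsswitch_ok /etc/nsswitch.conf
if command -v wbinfo >/dev/null 2>&1; then
    wbinfo -t && wbinfo -u | head -n 5 && getent passwd administrator
fi
```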