Kubuntu Desktop

Add Kubuntu Desktop to test network

Download the latest Kubuntu LTS Desktop installation image and create the server in VirtualBox:

  • Name: KUBUNTU.samdom.example.com
  • Type: Linux
  • Version: Ubuntu (64-bit)
  • RAM: 3072 MB
  • Virtual HD: 50.00 GB
  • HD Type: VDI, dynamically allocated

Change the Network settings so that Adapter 1 uses the NAT Network and Adapter 2 uses the Host-only Adapter.

Attach the installation image to the server’s Optical Drive and start the server.

  • Hostname: KUBUNTU.samdom.example.com
  • Leave the root password blank.
  • Enter the desired user name and password for the admin (sudo) account.
  • Make your disk partition selections and write changes to disk.
  • Install the GRUB boot loader on /dev/sda
  • Finish the installation and reboot.

Log in as the admin user. Configure a static IP address on the second adapter to enable SSH logins from the host machine. Make these changes to enp0s8:

address 192.168.56.7
netmask 255.255.255.0

Install upgrades and the OpenSSH server:

  • apt update
  • apt dist-upgrade
  • apt install openssh-server

Reboot the machine to switch to the static IP address.

Change the default UMASK in /etc/login.defs:

UMASK 002

Sync time with the AD DC by adding this line to the /etc/systemd/timesyncd.conf file:

  • NTP=DC1.samdom.example.com

Install the software required for the Ubuntu machine to be fully integrated into the domain by running the command:

apt install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind git

After all packages finish installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the commands:

kinit administrator
klist

Join Kubuntu to Samba4 AD DC

Back up the default Samba configuration file and create a new one:

mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
nano /etc/samba/smb.conf

Add these lines to the new Samba (version >= 4.6.0) configuration file and save it:

[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
security = ADS
dns forwarder = 10.0.2.1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
protocol = SMB3
usershare max shares = 0
 

[homes]

comment = Home Directories
browseable = no
read only = no
create mask = 0644
directory mask = 2755

[Public]

path = /opt/Public
browsable = yes
read only = no
public = yes
guest ok = yes
create mask = 0664
directory mask = 2775
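
Before restarting the daemons, the new file can be checked for two things that matter on a domain member: shares that combine guest access with write access, and idmap ranges that overlap. The script below is an added example, not part of the original guide; audit_smb_conf and sample_conf are hypothetical names, the sample is constructed from the settings above, and [global]-level share defaults are ignored for brevity.

```shell
# Added example: flag guest-writable shares and overlapping idmap ranges in
# an smb.conf. audit_smb_conf and sample_conf are hypothetical names.
audit_smb_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { return tolower(v) ~ /^(yes|true|on|1)$/ }
    function report() {          # emit a finding for the share that just ended
      if (sec != "" && tolower(sec) != "global" && guest && !ro)
        print "GUEST-WRITABLE [" sec "]"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # comments and blank lines
    /^[ \t]*\[/ {
      report(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
      guest = 0; ro = 1; next   # Samba defaults: guest ok = no, read only = yes
    }
    {
      eq = index($0, "="); if (!eq) next
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      val = trim(substr($0, eq + 1))
      if (key == "guest ok" || key == "public") guest = yes(val)
      else if (key == "read only") ro = yes(val)
      else if (key ~ /^(writable|writeable|write ok)$/) ro = !yes(val)
      else if (key ~ /^idmap config .*: ?range$/) {
        sub(/^idmap config /, "", key); sub(/ ?: ?range$/, "", key)
        split(val, r, "-"); n++
        dom[n] = toupper(key); lo[n] = r[1] + 0; hi[n] = r[2] + 0
      }
    }
    END {
      report()
      for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i])   # closed intervals intersect
          print "IDMAP-OVERLAP " dom[i] " " dom[j]
    }
  ' "$@"
}

# Constructed sample: the settings from this page that the audit looks at.
sample_conf() {
  cat <<'EOF'
[global]
idmap config *:range = 3000-7999
idmap config SAMDOM : range = 10000-999999
[homes]
read only = no
[Public]
read only = no
guest ok = yes
EOF
}

sample_conf | audit_smb_conf    # prints: GUEST-WRITABLE [Public]
```

Run it against the real file with audit_smb_conf /etc/samba/smb.conf; with the configuration above, [Public] is the only expected finding.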

Stop all Samba daemons, join the domain with the ticket obtained earlier, and restart the daemons:

systemctl stop smbd nmbd winbind
net ads join -k
systemctl start smbd nmbd winbind

Install WSD Daemon


As root, clone the git repository and edit the service file:

git clone https://github.com/christgau/wsdd
cd wsdd
nano etc/systemd/wsdd.service

After=multi-user.target
Wants=multi-user.target
ExecStart=/usr/bin/wsdd --shortlog --domain SAMDOM --ipv4only
User=daemon
Group=daemon

Copy the files to the correct locations, enable the service, and start it:

cp src/wsdd.py /usr/bin/wsdd
cp etc/systemd/wsdd.service /etc/systemd/system
systemctl daemon-reload
systemctl enable wsdd.service
systemctl start wsdd.service

Configure AD Accounts Authentication

Add the winbind value to the passwd and group lines in the /etc/nsswitch.conf configuration file:

passwd: compat winbind systemd
group: compat winbind systemd

Edit the file /usr/share/pam-configs/mkhomedir:

Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required pam_mkhomedir.so

Enable the entries required for the winbind service to automatically create home directories for each domain account at the first login:

pam-auth-update

Give sudo access to members of “domain admins”:

echo "%domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/SAMDOM
chmod 0440 /etc/sudoers.d/SAMDOM

Create the Public folder:

mkdir /opt/Public
chgrp "Domain Users" /opt/Public
chmod 2775 /opt/Public

Reboot and test