Ubuntu LDAP/Kerberos Windows 2008 AD authentication
This wiki page describes how to add your Ubuntu !Server/Workstation to a Microsoft Windows 2008 AD domain.
If your server/workstation has Centrify DC or Likewise installed, remove those packages first. Make sure you can log in as root (without sudo) on a local console before you touch PAM or NSS, so that a broken configuration cannot lock you out.
Setup NTP for time synchronization
For a working Kerberos authentication the Linux clock must be synchronized with the domain clock: the KDC rejects requests whose timestamp is off by more than the allowed clock skew (5 minutes by default).
Have your Linux machine and your domain controllers synchronize from the same source. The time server at the LUMC is time.lumc.nl.
Once the clocks agree, a ticket obtained from the domain shows up in klist output like this (the renew until line belongs to the krbtgt entry above it):
Valid starting       Expires              Service principal
26/07/2012 09:46     26/07/2012 19:46     krbtgt/LUMCNET.PROD.INTERN@LUMCNET.PROD.INTERN
        renew until 27/07/2012 09:46
Install the packages:
sudo apt-get install -y libpam-ldapd libnss-ldapd
The package configuration (debconf) asks for the following. Change the LDAP server URI to:
Accept the LDAP server search base; this should be:
Choose the name services to configure:
Shut down the Name Service Cache Daemon, otherwise cached lookups can hide the effect of the new configuration:
service nscd stop
Replace the /etc/nslcd.conf file with the attached nslcd.conf file. The file contains the bind credentials, so keep it owned by root with mode 0600 (the package default). Then restart the nslcd service:
service nslcd restart
On Debian wheezy you may get an error like this:
'''[....] Restarting LDAP connection daemon: nslcdnslcd: /etc/nslcd.conf:43: unknown attribute to map: '!UniqueMember' failed!'''
The nslcd version in wheezy does not accept that mapping. Comment out the following line in your /etc/nslcd.conf file and restart nslcd again: #map group !UniqueMember member
Test your LDAP lookups with getent:
getent passwd should return all users, both local and from LDAP.
getent group should return all groups, both local and from LDAP.
If only the local entries appear, nslcd is not answering (check /var/log/syslog for nslcd messages) or ldap is missing from the passwd and group lines in /etc/nsswitch.conf.
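The steps above (edit nslcd.conf, stop nscd, restart nslcd, test with getent) are easy to get half right. Below is an added example, not code from the original wiki page, that checks a nslcd.conf and nsswitch.conf statically before you restart anything and applies the wheezy fix for the uniqueMember mapping. The sample configuration files, the server name dc.example.test, the search base and the bind account in it are constructed for the demonstration; the real LUMC values are not on this page and are not assumed here.

```shell
#!/bin/sh
# Added example (not from the original wiki page): static checks for
# nslcd.conf / nsswitch.conf and the wheezy "unknown attribute to map:
# 'uniqueMember'" fix. All file contents below are constructed samples.
set -u

# Comment out an active "map group uniqueMember member" line (either case),
# which nslcd on wheezy refuses. Returns 0 if a line was changed, 1 otherwise.
comment_uniquemember_map() {
    conf=$1
    if grep -qiE '^[[:space:]]*map[[:space:]]+group[[:space:]]+uniqueMember[[:space:]]' "$conf"; then
        sed -i -E '/^[[:space:]]*map[[:space:]]+group[[:space:]]+[Uu]nique[Mm]ember[[:space:]]/s/^/#/' "$conf"
        return 0
    fi
    return 1
}

# Minimal checks of nslcd.conf: "uri" and "base" present, a bindpw is not
# world readable, and no active uniqueMember map. Prints each problem and
# returns the number of problems found (0 means the file looks sane).
check_nslcd_conf() {
    conf=$1; problems=0
    for key in uri base; do
        if ! grep -qE "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$conf"; then
            echo "missing '$key' in $conf"; problems=$((problems + 1))
        fi
    done
    if grep -qE '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        mode=$(stat -c %a "$conf")
        if [ "$mode" != "600" ] && [ "$mode" != "640" ]; then
            echo "$conf contains bindpw but has mode $mode (expected 600 or 640)"
            problems=$((problems + 1))
        fi
    fi
    if grep -qiE '^[[:space:]]*map[[:space:]]+group[[:space:]]+uniqueMember' "$conf"; then
        echo "active 'map group uniqueMember' line (breaks nslcd on wheezy)"
        problems=$((problems + 1))
    fi
    return $problems
}

# getent only shows LDAP users/groups when passwd and group in nsswitch.conf
# list "ldap". Returns the number of databases that do not.
check_nsswitch() {
    conf=$1; missing=0
    for db in passwd group; do
        if ! grep -qE "^[[:space:]]*$db:.*(^|[[:space:]])ldap([[:space:]]|$)" "$conf"; then
            echo "nsswitch: $db does not use ldap"; missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample of a wheezy-era nslcd.conf (placeholder values).
write_sample_nslcd_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldap://dc.example.test/
base dc=example,dc=test
binddn cn=nslcd,ou=service,dc=example,dc=test
bindpw secret
map group uniqueMember member
EOF
}

# Constructed sample nsswitch.conf as the debconf step leaves it.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat
EOF
}

# Demo: mktemp creates the file with mode 600, as /etc/nslcd.conf should be.
tmp=$(mktemp); nss=$(mktemp)
write_sample_nslcd_conf "$tmp"; write_sample_nsswitch "$nss"
check_nslcd_conf "$tmp" || echo "problems before fix: $?"
comment_uniquemember_map "$tmp" && echo "commented out the uniqueMember map"
check_nslcd_conf "$tmp" && check_nsswitch "$nss" \
    && echo "config looks sane; now: service nscd stop; service nslcd restart; getent passwd"
rm -f "$tmp" "$nss"
```

Run it against the real files (as root) by replacing the two mktemp paths with /etc/nslcd.conf and /etc/nsswitch.conf; the checks are read-only except for the sed that comments out the uniqueMember line.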
Fine tune your configuration
By now you should be able to log in with your AD account. Two things are still missing: the home directory is not created automatically (that is the job of pam_mkhomedir) and the login shell defaults to /bin/sh.
Change the default shell from dash to bash.
To restrict SSH access, edit /etc/security/access.conf (vi /etc/security/access.conf) and add:
-:ALL EXCEPT root vill (domain group name):ALL
This denies access to all users except the local users root and vill and the members of the domain group. Put () around the group name so it is matched as a group and not as a user name. The rule only takes effect for services whose PAM stack includes pam_access.so (grep -r pam_access /etc/pam.d shows which ones), and it applies to every such service, not only SSH. Keep an existing root session open while you test it from a second connection.
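Because a wrong access.conf line locks everyone out, it pays to know exactly how pam_access reads the users field. The script below is an added example, not part of the original wiki page or of pam_access itself: it re-implements the matching rules for one access.conf line (permission:users:origins) and prints the decision for a user. Bare words match the user name and, by default, also a group name; "(name)" matches a group only; "ALL" matches everyone; "ALL EXCEPT ..." inverts the list; no matching line means permit. Only origin ALL is handled. The user names alice and bob and the group names linuxusers and domain are constructed; vill is the placeholder user from the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): evaluate one
# /etc/security/access.conf rule the way pam_access would, for a given user
# and that user's groups. Names used in the demo are constructed.
set -u

# Does one token of the users field match?  $1=token $2=user
# $3=space-separated groups of the user  $4=1 to emulate the "nodefgroup"
# option (bare words are then never tried as group names).
token_matches() {
    tok=$1; user=$2; groups=$3; nodefgroup=$4
    case $tok in
        ALL) return 0 ;;
        \(*\))
            name=${tok#\(}; name=${name%\)}
            for g in $groups; do [ "$g" = "$name" ] && return 0; done
            return 1 ;;
        *)
            [ "$tok" = "$user" ] && return 0
            [ "$nodefgroup" = 1 ] && return 1
            # pam_access default: a bare word is also tried as a group name.
            for g in $groups; do [ "$g" = "$tok" ] && return 0; done
            return 1 ;;
    esac
}

# Evaluate "perm:users:origins" for a user; prints allow or deny.
# pam_access stops at the first line whose users field matches and permits
# when no line matches, so a non-matching "-" line yields allow.
# $1=user $2=groups $3=rule $4=nodefgroup (optional, default 0)
access_decision() {
    user=$1; groups=$2; rule=$3; nodefgroup=${4:-0}
    perm=${rule%%:*}; rest=${rule#*:}
    list=${rest%%:*}; origins=${rest#*:}
    [ "$origins" = ALL ] || { echo "unsupported origin '$origins'" >&2; return 2; }
    except=0
    case $list in
        "ALL EXCEPT "*) except=1; list=${list#ALL EXCEPT } ;;
    esac
    matched=0
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        if token_matches "$tok" "$user" "$groups" "$nodefgroup"; then matched=1; break; fi
    done
    # With EXCEPT the line applies to the users NOT in the list.
    [ "$except" = 1 ] && matched=$((1 - matched))
    if [ "$matched" = 1 ] && [ "$perm" = "-" ]; then echo deny; else echo allow; fi
}

# Demo: the rule from the wiki page with a constructed group name.
rule='-:ALL EXCEPT root vill (linuxusers):ALL'
for who in "root:" "vill:" "alice:linuxusers domain" "bob:domain"; do
    printf '%-6s -> %s\n' "${who%%:*}" "$(access_decision "${who%%:*}" "${who#*:}" "$rule")"
done
# Without parentheses the group still matches by default, but not with
# nodefgroup; the parentheses make the intent unambiguous either way.
access_decision alice linuxusers '-:ALL EXCEPT root vill linuxusers:ALL'
access_decision alice linuxusers '-:ALL EXCEPT root vill linuxusers:ALL' 1
```

A caveat the evaluator makes visible: the users field is split on whitespace and commas, so a domain group whose name contains a space cannot be written into access.conf this way; use a group whose name has no spaces.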
Activate your changes by running pam-auth-update and make sure you have the following selected: