More details on how to integrate Ubuntu 10.04 into a Windows Domain

I notice that my notes from a couple of days ago get a lot of hits, so I feel inclined to be a bit more detailed about how to integrate Ubuntu Lucid Lynx into a Windows domain.

Setting up Kerberos

This is worth doing regardless of whether or not you set up PAM. You can see why later.

1. Install the following packages:

sudo apt-get install krb5-config krb5-user

During the installation process, it will ask you for your realm. Enter the realm for your Windows domain, which is normally the DNS name of the domain in upper case (talk to your Active Directory administrator if you don't know).

2. Edit /etc/krb5.conf

You will need to add a stanza for your realm in the [realms] section of /etc/krb5.conf, something like this:

<REALM> = {
    kdc = <active directory server>
    admin_server = <active directory server>
    default_domain = <domain.name>
}

3. Test

kinit <user>

The user should be a Windows domain user. When challenged, enter the Windows password for that account. Look for the ticket with the klist command.
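As an added example (not from the original post), here is a small shell script that builds the realm stanza from step 2 and checks that an existing krb5.conf actually contains a usable stanza for the realm before you try kinit. It goes slightly beyond the post by also emitting the [libdefaults] and [domain_realm] sections; the realm, KDC and domain names are arguments, and the values in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post.
# gen_krb5_conf REALM KDC DOMAIN  -> prints a krb5.conf fragment for one AD realm
# has_realm_stanza FILE REALM    -> exit 0 if FILE has a [realms] stanza with a kdc
# Example placeholder values: EXAMPLE.COM dc1.example.com example.com (constructed)

# Print a complete krb5.conf fragment for one Active Directory realm.
# Beyond the post's stanza it adds [libdefaults] (so kinit <user> needs no
# @REALM suffix) and [domain_realm] (so hosts in the DNS domain map to the realm).
gen_krb5_conf() {
  realm=$1; kdc=$2; domain=$3
  # Kerberos realm names are case-sensitive; an AD realm is the domain's DNS
  # name in upper case, so reject a lower-case realm before it reaches krb5.conf.
  case $realm in
    *[[:lower:]]*) echo "realm must be upper case: $realm" >&2; return 1 ;;
  esac
  cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Check that a krb5.conf already has a "<REALM> = {" stanza containing a
# non-empty "kdc =" line; without it kinit in step 3 cannot find the KDC.
has_realm_stanza() {
  conf=$1; realm=$2
  awk -v r="$realm" '
    $1 == r && $2 == "=" && $3 == "{" { inside = 1; next }
    inside && $1 == "}"                { inside = 0 }
    inside && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$conf"
}
```

Run it as `gen_krb5_conf EXAMPLE.COM dc1.example.com example.com` and compare the output with your existing /etc/krb5.conf, or point `has_realm_stanza /etc/krb5.conf EXAMPLE.COM` at the real file before testing with kinit.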

Setting up PAM

If you want to sign in to your desktop or server using your Windows network credentials, then follow these steps.

1. Prerequisite - this is your get out of jail free card

Set up the root account. If you mess up the PAM configuration and need to fix it, you must still be able to sign in as root. I strongly recommend you do this so that you can.

sudo passwd root

and then test:

su -

Glad we got that done – let's move on.

2. Install the PAM module

sudo apt-get install libpam-krb5

Ubuntu sets up PAM for you, so that should be it.

3. Test

Try to log in to the computer with your Windows credentials. There must be a local account already created, and its user name must be the same as the domain user name. It should just work. Run klist and you should also see a ticket. Nice!

Applications

Firefox

If you have Kerberized web applications or SPNEGO-enabled sites, then you can configure Firefox to use your Kerberos ticket to negotiate for you and log you in unchallenged. You need to type the following into the location bar (preferably in another tab – you don't want to lose this page just yet):

about:config

Accept the warning that you will be careful and make sure the following attributes are set to true:

  • network.automatic-ntlm-auth.allow-proxies
  • network.negotiate-auth.allow-proxies
  • network.negotiate-auth.using-native-gsslib

Set the following to your local DNS sub-domain. This defines the scope of the trust, i.e. the set of sites Firefox will try to negotiate with using your credentials, so keep it restricted to your own domain:

  • network.automatic-ntlm-auth.trusted-uris
  • network.negotiate-auth.trusted-uris

Next time you connect to such a web site, you will be logged in.

Pidgin

If your company uses the Microsoft Office Communicator Suite for IM, then you too can join the conversation with the Sipe plugin. Install it with this command:

sudo apt-get install pidgin-sipe

Once you have restarted Pidgin, then you can add an account. Here are some guidelines:

  • Protocol: Office Communicator
  • Username: Exchange email address
  • Login: <DOMAIN>\<User>
  • Password: <domain password>
  • In the advanced tab, set the server to your IM server.

Kerberos authentication is supported, but the version shipped here has not really worked for me. Give it a try by blanking out the password and ticking the Kerberos box, and see how you do.

Mounting Windows File Shares

Once you have a Kerberos ticket, you can mount file shares without providing a user name or password. Use the Connect to Server dialog in the Places menu: set the service type to Windows share, set the server to the fully qualified domain name of the Windows file server and enter the share name. You do not need to put a user name or domain in. Bookmark it if you like. The share should open up in Nautilus with no further prompting.

Evolution

I tried the evolution-mapi plugin, which implements the Exchange MAPI protocol. It works, but I found it sluggish and still very buggy. I would wait a little longer before using it for anything more serious than testing.

That’s all folks!

If you have any other tricks that I have not mentioned then let us know.

9 Responses to More details on how to integrate Ubuntu 10.04 into a Windows Domain

  1. creatox says:

    There seems to be a typo in step 1.
    instead of
    sudo apt-get install krb-config krb5-user
    should be:
    sudo apt-get install krb5-config krb5-user

  2. sasallys says:

    you are right – article updated

  3. davidkolb says:

    Arrived here off a google search. Thanks. Works great.

  4. rafaelri says:

    Do you have any ideas if this should also work for authenticating over an ISA proxy server and how should I configure in this particular case?

    best regards,
    Rafael Ribeiro

    • sasallys says:

      I have never worked with ISA proxy, but my understanding is that kerberos should pass straight through the proxy and work so long as both the server and the client (in this case your browser) can see the KDC (i.e. Active Directory). If the negotiated authentication is NTLM then it will not work. The IIS in Windows Server 2008 will try krb/spnego first then it will fall back to NTLM. That way Internet Explorer users will still get negotiated authentication.

      • rafaelri says:

        In fact it works. But there is a tricky thing… you have to specify proxy address as a hostname, if you specify as an IP Firefox simply asks you for a password (without trying ntlm_auth), you swap it with the proxy hostname and it magically works!

        regards,
        Rafael Ribeiro

  5. I skipped the realm entry, how can I enter it again?

  6. Azhar Rahman says:

    Many many thanks, it works great, I was trying for this from long back. Finally I got it with your help.
    I have integrated many Ubuntu machines with Win2k8.
    Can I install these packages like krb5-config krb5-user without apt, because after 10.04LTS apt may not work, and even if I want to use the 9.04 / 9.10 repositories they will not work.
    So is there any manual method for installing all these packages?

    Thanks again.
