Adding Ubuntu to the domain and then modifying sudoers to enable a group to gain access

I found this in a couple of different places and decided to put it together into one place. I did this for the linux servers I am managing so that I didn’t have to keep track of usernames and passwords and make sure everything was in sync and got changed when needed. Luckily I am running Ubuntu, which made this even easier:

Here is the process to add a linux machine running ubuntu to a domain:

sudo apt-get update
sudo apt-get install likewise-open
sudo domainjoin-cli join fqdn.of.your.domain Administrator
sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start

Now to modify the system to allow any user in a specified group on the domain access to sudo do the following:

sudo visudo

Go down to:
#Members of the Admin group may gain root privileges and do the following:
%(domain)\\(group) ALL=(ALL) ALL

This will allow the members of that group to sudo any command on the system.

/etc/samba/lwiauthd.conf: add line

“winbind use default domain = yes”

sudo /etc/init.d/likewise-open restart

then you can log in as “USER” instead of “DOMAIN\USER”

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5
Steps
Step 1: Install the Required Packages
Note: Enter Y when asked if you want to install the additional packages
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
[logging]
default = FILE10000:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Step 3: Edit /etc/samba/smb/conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
2) Test the configuration with the testparm command
Step 4: Edit /etc/nsswitch.conf to look like the example below
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller
2) klist
Step 8: Join the system to the
net ads join -U domainadminuser@DOMAIN.INTERNAL
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 10: Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
/etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working!
Step 11: Configure SUDO
1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.
2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo
%UnixAdmins ALL=(ALL) ALL
HELPFUL COMMAND LINES
1) List the derived UNIX GID values for Active Directory groups
for gid in $(wbinfo -r <username>); \
do SID=$(wbinfo -G $gid);GROUP=$(wbinfo -s $SID); echo $gid is $GROUP; done
2) See the Active Directory SID for a particular named user
wbinfo –n <username>