Thomas Mullaly

DevOps, Security and IT Leadership

Ubuntu Winbind RID Client

Network Time Protocol

Keeping a computer system’s clock accurate is critical for many things. In setting up samba and winbind to connect to a windows domain you need kerberos working. Kerberos is dependent on the clock accuracy of the clients and servers.

Do not install ntpd on virtual machines!!! Virtual machines should have the client vm tools installed, which among other things, keeps the clock synced with the host machine. You should have some sort of time synchronization installed on the host machine.

sudo apt-get install ntp


sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

use TOM.UMB.EDU as Realm

Edit /etc/krb5.conf

vi /etc/krb5.conf

Make it look like this:

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

test kerberos

[root@rid-nfs ~]# host -t srv has SRV record 0 100 88

Samba and winbind

sudo apt-get install samba winbind

vi /etc/samba/smb.conf

     workgroup = TOM
     realm = TOM.UMB.EDU
     preferred master = no
     server string = Home Directory Server
     security = ADS
     encrypt passwords = yes
     log level = 3
     log file = /var/log/samba/%m
     max log size = 50
     printcap name = cups
     printing = cups
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nested groups = Yes
     winbind separator = +
     winbind cache time = 10
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     idmap config TOM: backend = rid
     idmap config TOM: range = 10000-20000
     allow trusted domains = No
     template shell = /bin/bash
     template homedir = /home/%D/%U
     ;template primary group = "Domain Users"

  vi nsswitch.conf

restart winbind nmbd and smbd

join the domain net ads join -U Administrator

test wbinfo -u wbinfo -g getent passwd

As root: kinit -V net ads info


Edit your /etc/nsswitch.conf file and add winbind

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Home Directories

You’ve got three choices here

The traditional unix network used a centralized fileserver/fileservers to store the user’s home directory. Upon logon to any system on the network, the user’s home directory would be auto-mounted and appear local. This worked very well in the 80’s and early 90’s but today we live in a different world.

Traditional Unix Automount

###Configure Automount

sudo apt-get install autofs

To mount user home directories at login, we need to configure the automount service. Open /etc/auto.master and add the following entry. /home /etc/auto.home

Now create /etc/auto.home and add this line

* -fstype=nfs,nolock,nosuid

Configure PAM

If you want to be able to change your password


password   sufficient
password   required nullok obscure min=4 max=8 md5

The New Way, PAM Make Home Directory

The pam_mkhomedir PAM module will create a users home directory if it does not exist when the session begins. This allows users to be present in central database (such as NIS, kerberos or LDAP) without using a distributed file system or pre-creating a large number of directories. The skeleton directory (usually /etc/skel/) is used to copy default files and also set’s a umask for the creation. This is probably the best for performance reasons and local disks a big and cheap. All software should be in source control anyway.

The new users home directory will not be removed after logout of the user.

Add this to /etc/pam.d/common-account

session    required skel=/etc/skel/ umask=0022

You can read more about it on the debian documentation site:

smb auto mounting

Actually you can skip nfs altogether and mount the users windows homedirectory:

Install libpam-mount:

apt-get install libpam-mount

When you install libpam-mount it should add the pammount directive in pam.d/common-session

I changed where the directory gets mounted to be just /home/username in smb.conf

Now edit the /etc/security/pam_mount.conf.xml

<!-- mkmountpoint enable="1" remove="true" / -->
<mkmountpoint enable="1" remove="false" />

<volume user="*" server="snap" path="home_dir" mountpoint="home" fstype="cifs" />

<cifsmount>mount -t cifs //%(SERVER)/%(USER) %(MNTPT)/%(USER) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"</cifsmount>

<umount>umount %(MNTPT)/%(USER)</umount>