Final CISS-150 Project (75 points)
(Updated May 12, 2023)
Omnes relinquite spes, o vos intrantes [Abandon hope, all ye who enter here.]
This is it—the last project. Here we will make all three guests operate in a heterogeneous way. That is, Windows 10 will authenticate against the Active Directory (AD) domain in Windows 2019 and pull the roaming profile from Ubuntu.
Much of the groundwork has already been done. Here we are adding the final piece – Ubuntu. This requires some detailed tailoring to get it right. All of the information you need is here.
NOTE: It is HIGHLY recommended that you read through these details at least one time BEFORE you begin entering commands.
You must remember that having an active knowledge of your hostnames (NOT what VMware calls them!), their IP addresses and what you are to provide for the domain/realm/workgroup is essential. Three systems must coordinate and communicate effectively. For this to be successful, you must provide each of them with the most accurate information possible. Failure to do this will mean a considerable amount of time debugging where things went wrong. If you do not have all the information noted above and do not fully understand the bullets noted below, STOP! When you have had an opportunity to gather and confirm these details, then you should proceed.
A few things to remember here BEFORE you begin:
- Make sure all of your IPs and hostnames are well known.
- Windows 10 (should have been joined to AD in a previous project!) and Ubuntu will use the DNS server on Windows 2019.
- Understand that there is a lot of editing in Ubuntu that needs to be done so pay close attention when asked to EDIT/MODIFY or REPLACE the contents of a file.
- Understand that the hostnames used in this instructional document are NOT your hostnames.
- Understand this is not a 5-minute project – it may take a day or two to complete.
- Watch the spelling of certain commands, the case used, and the spacing of the arguments. It could make all of the difference.
NOTE: All Ubuntu work should be done as the superuser.
Before you do anything else, make sure you turn off the firewall on Ubuntu if you were tinkering in previous projects. You will likely not have the ports necessary for Samba to be accessed properly. Run the following:
ufw disable
Installing and configuring Samba (Ubuntu)
Install the necessary packages:
apt-get install openssh-server samba samba-common winbind krb5-user libnss-winbind libpam-winbind
During the installation, you may be asked for the Kerberos server for your realm. You can click through it. We will be replacing the file that it generates anyway.
The configuration process is a little involved. First, you need to stop any running Samba processes by using the following commands:
service winbind stop
service smbd stop
service nmbd stop
You will want to download a special script that will do most of the heavy lifting. Now run the following:
wget https://programmingby.design/project-data/make-conf.bash
chmod u+x make-conf.bash
./make-conf.bash
Be sure you enter Y or y when prompted. If you do not see the messages:
/etc/krb5.conf written successfully.
/etc/samba/smb.conf written successfully.
then something has gone wrong and you should either retry or contact your instructor.
Changing DNS and /etc/hosts (Ubuntu)
The DNS server for the Ubuntu host needs to be changed to point to the Windows 2019 server. You can do this in the GUI by right-clicking on the network icon, selecting Edit Connections, and then editing the Wired configuration. You should change the 8.8.8.8 IP address for the DNS server to reflect the IP of the Windows 2019 server.
After that is complete, the /etc/hosts file probably looks something like:
127.0.0.1 localhost
127.0.1.1 yourhostname
# IPv6 stuff below
The problem with this is the IP address of yourhostname is not enough to make joining the AD realm successful. In addition, the IP address of the Windows 2019 server needs to be added.
Make changes to the file (eliminating the 127.0.1.1 IP) such that it resembles:
127.0.0.1 localhost
192.168.1.xx yourhostname.domain#.net yourhostname
192.168.1.xx yourwin2k19.domain#.net yourwin2k19
Note about the above changes: You need to reflect the actual IP addresses of your VMs. In addition, you have to reflect the real hostnames that you’ve assigned to the VMs. If you guess, this will never work – it MUST be precise.
After all of the changes are committed, it would be a good idea to reboot.
Just a couple more files…
The /etc/nsswitch.conf file needs adjusting. Two lines need modification; winbind is added to the end of each, as shown (DO NOT REMOVE files or else your system will cease to boot!):
passwd: files systemd sss winbind
group: files systemd sss winbind
And, finally, you will need to change the /etc/pam.d/common-session file. Under the line that contains pam_unix, add the following:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
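The three hand edits above (/etc/hosts, /etc/nsswitch.conf and /etc/pam.d/common-session) are where most join failures originate, so it pays to check each one before moving on. The script below is an added example and is not part of the course hand-out or of make-conf.bash; the function names (hosts_ok, nss_add_winbind, pam_add_mkhomedir) and the sample file contents are assumptions made here. It applies each change only once, refuses to remove files from nsswitch.conf, and expects the awk and grep that ship with Ubuntu. Point the functions at the real files as root once you have read them.

```shell
#!/bin/sh
# Added example (not part of the course hand-out or of make-conf.bash):
# sanity checks and idempotent edits for the three Ubuntu files edited
# by hand in this project. Function names and sample contents are
# constructed here; run the functions against the real files as root.

# hosts_ok FILE NAME: succeed only if NAME maps, in FILE, to an address
# that is not loopback. A NAME that appears only on a 127.x line is the
# usual cause of the "Unable to perform DNS Update" message at join time.
hosts_ok() {
    awk -v name="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == name && $1 !~ /^127\./) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nss_add_winbind FILE: append "winbind" to the passwd: and group: lines
# of an nsswitch.conf, keeping every existing source. Refuses to touch a
# file whose passwd: line no longer lists "files", because that breaks boot.
nss_add_winbind() {
    grep -Eq '^passwd:.*[[:space:]]files([[:space:]]|$)' "$1" || {
        echo "refusing: passwd: line in $1 does not list files" >&2
        return 1
    }
    awk '/^(passwd|group):/ && $0 !~ /[ \t]winbind([ \t]|$)/ {
             $0 = $0 " winbind" }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# pam_add_mkhomedir FILE: insert the pam_mkhomedir line once, directly
# under the first line that mentions pam_unix in common-session.
pam_add_mkhomedir() {
    rule='session required pam_mkhomedir.so umask=0022 skel=/etc/skel'
    grep -q 'pam_mkhomedir.so' "$1" && return 0
    grep -q 'pam_unix' "$1" || {
        echo "refusing: no pam_unix line in $1" >&2
        return 1
    }
    awk -v rule="$rule" '{ print }
         !done && /pam_unix/ { print rule; done = 1 }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-alone demo on a constructed hosts file (the real one is /etc/hosts).
demo() {
    tmp=$(mktemp -d)
    printf '127.0.0.1 localhost\n127.0.1.1 student-vm\n' > "$tmp/hosts"
    if hosts_ok "$tmp/hosts" student-vm; then
        echo "hosts: student-vm resolves to a routable address"
    else
        echo "hosts: student-vm only maps to loopback; fix it before net ads join"
    fi
    rm -rf "$tmp"
}
demo
```

On a real guest the calls are hosts_ok /etc/hosts "$(hostname)" (and again with the Windows 2019 hostname), nss_add_winbind /etc/nsswitch.conf and pam_add_mkhomedir /etc/pam.d/common-session. Each function either makes the change exactly once or says why it will not, so re-running the script after a failed join is safe.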
Joining Samba to the AD domain (Ubuntu)
The process of joining Samba to Active Directory is almost complete. We need to get a ticket from AD. This is done by running the following command:
kinit administrator
This will prompt for the password of the Administrator account in Active Directory. Once the ticket is granted we join the domain with the following command:
net ads join -U administrator
If everything went well, you should receive a message that it joined:
root@student-vm:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ADMIN
Joined 'STUDENT-VM' to realm 'admin.net'
But you may have had trouble with updating the DNS. This MUST BE FIXED and is usually related to having the DNS in Ubuntu pointing to the wrong server!
It looks like the following:
root@student-vm:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ADMIN
Joined 'STUDENT-VM' to realm 'admin.net'
No DNS domain configured for student-vm. Unable to perform DNS Update.
DNS update failed!
OR
root@student-vm:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- ADMIN
Joined 'STUDENT-VM' to realm 'admin.net'
DNS Update for student-vm.admin.net failed: ERROR_DNS_GSS_ERROR
DNS update failed!
If you see these errors, reboot Ubuntu, become the superuser, run the following:
service winbind stop
service smbd stop
service nmbd stop
and try joining again. If you still get the error, CONTACT YOUR INSTRUCTOR!
Now we can start the Samba services:
service nmbd start
service smbd start
service winbind start
These services will start automatically with each reboot.
Now we will confirm that things are running as they should. This is done by confirming that users from the Windows Active Directory space are being propagated into Linux with the following commands:
root@student-vm:~# wbinfo -u
administrator
guest
krbtgt
AND
root@student-vm:~# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
The above output shows that Samba on Linux has access to the user and group information in the AD realm. The next test is to make sure that they map to Linux UID/GID values so that anything that happens in Linux can be translated to AD and back again (using the winbind daemon). This is done with the following:
root@student-vm:~# getent passwd
[local user info removed to show the AD users]
administrator:*:10500:10513:Administrator:/home/ADMIN/administrator:/bin/bash
guest:*:10501:10514:Guest:/home/ADMIN/guest:/bin/bash
krbtgt:*:10502:10513:krbtgt:/home/ADMIN/krbtgt:/bin/bash
root@student-vm:~# getent group
[local group info removed to show the AD groups]
domain computers:x:10515:
domain controllers:x:10516:
schema admins:x:10518:administrator
enterprise admins:x:10519:administrator
cert publishers:x:10517:
domain admins:x:10512:administrator
domain users:x:10513:
domain guests:x:10514:
group policy creator owners:x:10520:administrator
ras and ias servers:x:10553:
allowed rodc password replication group:x:10571:
denied rodc password replication group:x:10572:krbtgt
read-only domain controllers:x:10521:
enterprise read-only domain controllers:x:10498:
dnsadmins:x:11101:
dnsupdateproxy:x:11102:
Note that what we are looking for is the list of users and groups that originally appeared in the wbinfo commands. If they show up here, then the mapping is working correctly. If they do not appear, then you must determine why that is occurring.
In Windows 2019, select Start, then Administrative Tools, then Active Directory Users and Computers. Once there, expand your domain and right-click on Users and create a new user.
NOTE: The username you choose MUST NOT be a username that already exists in Ubuntu. Otherwise the next test will use the local Ubuntu account and not the account from Active Directory!
NOTE: When creating the user account, be sure to set the password and uncheck the requirement to change the password at next login.
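Comparing the wbinfo lists against getent by eye works for three accounts but not for a real domain, and the NOTE above about clashing usernames is just as easy to check mechanically. The script below is an added example, not part of the course hand-out: it takes the command outputs as files (one name per line for wbinfo, passwd/group format for getent and /etc/passwd) so the logic can be exercised on constructed data here and then fed the real outputs on the Samba member server. The function names unmapped and collisions are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the course hand-out): compare the identity
# lists winbind reports with what NSS actually returns, and flag AD
# account names that collide with local Ubuntu accounts. On the member
# server, capture the real data first, for instance:
#   wbinfo -u > /tmp/wb.u; getent passwd > /tmp/nss.p
#   unmapped /tmp/wb.u /tmp/nss.p
# Function names and the demo data below are constructed here.

# unmapped NAMES GETENT: print names from NAMES (wbinfo -u or wbinfo -g)
# that have no entry in GETENT (getent passwd or getent group). Group names
# may contain spaces, so getent lines are split on ':' only.
unmapped() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             NF && !($0 in seen) { print }' "$2" "$1"
}

# collisions NAMES LOCAL: print names present both in NAMES (wbinfo -u)
# and in LOCAL (/etc/passwd). Such a name makes a test login resolve to
# the local account instead of the AD one, as the note above warns.
collisions() {
    awk -F: 'FILENAME == ARGV[1] { local[$1] = 1; next }
             NF && ($0 in local) { print }' "$2" "$1"
}

# Stand-alone demo on constructed data: testuser is reported by winbind
# but missing from getent, and also exists as a local account.
demo() {
    tmp=$(mktemp -d)
    printf 'administrator\nguest\nkrbtgt\ntestuser\n' > "$tmp/wb.u"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/nss.p"
    printf 'administrator:*:10500:10513:Administrator:/home/ADMIN/administrator:/bin/bash\n' >> "$tmp/nss.p"
    printf 'root:x:0:0:root:/root:/bin/bash\ntestuser:x:1001:1001::/home/testuser:/bin/bash\n' > "$tmp/local"
    echo "AD users winbind knows but NSS does not map:"
    unmapped "$tmp/wb.u" "$tmp/nss.p"
    echo "AD users that clash with local accounts:"
    collisions "$tmp/wb.u" "$tmp/local"
    rm -rf "$tmp"
}
demo
```

Both functions print nothing when the setup is healthy, which makes them easy to drop into a post-join checklist: any output from unmapped means winbind is enumerating accounts that nsswitch.conf or the idmap configuration is not translating, and any output from collisions names an account whose ssh test would silently use the local password database.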
Testing the test account
Before proceeding, ensure you have the SSH server installed. You can do this by running:
apt-get install openssh-server
From Ubuntu, we will now test the account. The following shows the test using ssh and a user called testuser that was created in Active Directory.
root@student-vm:~# ssh testuser@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 45:28:51:8a:8c:d6:ed:d1:33:2a:46:77:6b:83:4c:f6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
testuser@localhost's password:
Creating directory '/home/ADMIN/testuser'.
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-28-generic x86_64)
 * Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
testuser@student-vm:~$ pwd
/home/ADMIN/testuser
testuser@student-vm:~$ ls -al
total 36
drwxr-xr-x 3 testuser domain users 4096 May 8 07:29 .
drwxr-xr-x 3 root root 4096 May 8 07:29 ..
-rw-r--r-- 1 testuser domain users 220 May 8 07:29 .bash_logout
-rw-r--r-- 1 testuser domain users 3486 May 8 07:29 .bashrc
drwx------ 2 testuser domain users 4096 May 8 07:29 .cache
-rw-r--r-- 1 testuser domain users 8445 May 8 07:29 examples.desktop
-rw-r--r-- 1 testuser domain users 675 May 8 07:29 .profile
The above example shows the login, creation of the new user directory, the home path (pwd) and a directory listing (ls -al) where both the AD user and primary group are displayed in the output.
Now return to the Windows 2019 Active Directory Users and Computers application.
- Right-click on the user we’ve tested and select Properties.
- Select the Profile tab.
- In the User profile section, enter the Profile path value \\linuxserver\username\profile where linuxserver is the DNS name of your Samba server and username is the name of the user you are currently editing.
Finally, go to your Windows 10 guest and login with the test user account you’ve been modifying.
You will get a desktop and everything will look normal.
On the Ubuntu guest if you check the user’s directory you will now see:
root@student-vm:~# cd /home/ADMIN/testuser/
root@student-vm:/home/ADMIN/testuser# ls -al
total 48
drwxr-xr-x 4 testuser domain users 4096 May 8 07:51 .
drwxr-xr-x 3 root root 4096 May 8 07:29 ..
-rw------- 1 testuser domain users 11 May 8 07:35 .bash_history
-rw-r--r-- 1 testuser domain users 220 May 8 07:29 .bash_logout
-rw-r--r-- 1 testuser domain users 3486 May 8 07:29 .bashrc
drwx------ 2 testuser domain users 4096 May 8 07:29 .cache
-rw-r--r-- 1 testuser domain users 8445 May 8 07:29 examples.desktop
-rw-r--r-- 1 testuser domain users 675 May 8 07:29 .profile
drwxrwx---+ 2 testuser domain users 4096 May 8 07:51 profile.V6
Note that the profile.V6 folder was not there previously but is currently empty. This is the roaming profile that Windows creates that is intended to follow the user from machine to machine in the domain. User settings are preserved between logins and PCs.
When you log out of Windows 10, the changes are written back to the Linux Samba server and confirmed with:
root@student-vm:/home/ADMIN/testuser# ls -al profile.V6/
total 624
drwxrwx---+ 14 testuser domain users 4096 May 8 07:52 .
drwxr-xr-x 4 testuser domain users 4096 May 8 07:51 ..
drwxrwxr-x+ 3 testuser domain users 4096 May 8 07:50 AppData
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Contacts
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Desktop
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Documents
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Downloads
drwxrwxr-x+ 4 testuser domain users 4096 May 8 07:51 Favorites
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Links
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Music
-rwxrwx---+ 1 testuser domain users 524288 May 8 07:51 NTUSER.DAT
-rw-rwx---+ 1 testuser domain users 250 May 8 07:52 ntuser.ini
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Pictures
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Saved Games
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Searches
drwxrwxr-x+ 2 testuser domain users 4096 May 8 07:51 Videos
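The listing above shows why the profile share deserves a permissions check once it is working: profile.V6 holds NTUSER.DAT, the user's registry hive, and Windows writes it back on every logout, so it must stay private to the owner (the listing shows the "others" bits cleared). The audit below is an added example, not part of the course hand-out; it reports profile directories and NTUSER.DAT files under a given root that grant any permission to "others". It checks mode bits only (assumption: GNU find, for -perm /mode); the trailing + in the listing means POSIX ACLs also apply, and those need getfacl to review. The function name exposed_profiles and the demo tree are constructed here.

```shell
#!/bin/sh
# Added example (not part of the course hand-out): audit the roaming
# profile trees served by Samba for permissions that expose them to users
# other than the owner. Mode bits only; ACLs (the '+' in ls output) are
# not inspected here. Assumes GNU find for the -perm /MODE form.

# exposed_profiles ROOT: list profile.V* directories and NTUSER.DAT files
# under ROOT that grant any read, write or execute bit to "others".
# Prints nothing when every profile is private.
exposed_profiles() {
    find "$1" \( -type d -name 'profile.V*' -o -type f -name 'NTUSER.DAT' \) \
         -perm /007 2>/dev/null | sort
}

# Stand-alone demo on a constructed tree: alice's profile is private,
# bob's was created with world-readable permissions.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/alice/profile.V6" "$tmp/bob/profile.V6"
    : > "$tmp/alice/profile.V6/NTUSER.DAT"
    : > "$tmp/bob/profile.V6/NTUSER.DAT"
    chmod 770 "$tmp/alice/profile.V6"
    chmod 660 "$tmp/alice/profile.V6/NTUSER.DAT"
    chmod 755 "$tmp/bob/profile.V6"
    chmod 644 "$tmp/bob/profile.V6/NTUSER.DAT"
    echo "profile data readable by others under $tmp:"
    exposed_profiles "$tmp"
    rm -rf "$tmp"
}
demo
```

On the member server the call is exposed_profiles /home/ADMIN (the home root shown in the getent output above); a clean run prints nothing, and anything it does print is a profile that users outside the owner's group can read.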
You have now completed the trifecta of Windows 2019 being an Active Directory Domain Controller with Windows 10 as a PC joined to the domain and Ubuntu Linux running Samba as a Domain Member Server serving roaming profiles for users.
Proper heterogeneous integration has been achieved.