UBUNTU SERVER INSTALLATION
Linux server installation
Revision history
Date         Written by   Purpose of change   Version
26/03/2015   Ph1          Creation            1.0
Procedure validated on:              By:
GLPI team
Page 1 of 19
Table of contents
1 OPERATING SYSTEM INSTALLATION ........ 3
2 NETWORK CONFIGURATION & UPDATES ........ 9
3 PREREQUISITES FOR JOINING THE ACTIVE DIRECTORY DOMAIN ........ 10
4 JOINING THE ACTIVE DIRECTORY DOMAIN ........ 19
1 OPERATING SYSTEM INSTALLATION
After sizing and provisioning the VM, insert the ISO and install the operating system as shown below. In the following example the OS is Ubuntu Server 14.04:
(Installer screenshots from pages 3 to 9 of the original are not reproduced here.)
2 NETWORK CONFIGURATION & UPDATES
Log in to the system with:
User: *user*
Password: ******
All following commands are run with elevated privileges:
sudo su
Enter the password.
If necessary, complete the update sources:
vi /etc/apt/[Link]
Add "multiverse universe" after "restricted".
For information, this is already the case on Ubuntu 14.04; there is no need to change the file.
Create the server's DNS A record statically in the DNS server (Kerberos and winbind look the host up by name, so do this before the domain join).
IP configuration:
vi /etc/network/interfaces
Replace:
auto eth0
iface eth0 inet dhcp
with (for example):
auto eth0
iface eth0 inet static
address V.W.X.Y
netmask Z.Z.Z.Z
network V.W.X.0
broadcast V.W.X.255
gateway V.W.X.254
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers V.W.X.Z V.W.X.Z
dns-search [Link]
DNS configuration:
vi /etc/[Link]
Specify the IP addresses of the DNS servers:
nameserver V.W.X.Z
nameserver V.W.X.Z
search [Link]
On Ubuntu 14.04 this file is generated by resolvconf from the dns-nameservers and dns-search lines of /etc/network/interfaces, so a direct edit is overwritten at the next ifup; use it to verify the result rather than as the place to configure it. The search domain should be the AD DNS domain so that short DC names resolve.
Restart the network services:
/etc/init.d/networking restart
(On 14.04 this script warns that it may not re-enable every interface; ifdown eth0 && ifup eth0 from the console is the reliable equivalent.)
Update the operating system (apt-get update only refreshes the package lists; the upgrade step installs the updates):
apt-get update
apt-get upgrade -y
shutdown -r 0 to reboot.
3 PREREQUISITES FOR JOINING THE ACTIVE DIRECTORY DOMAIN
a) Install the required packages:
apt-get install samba winbind
apt-get install cifs-utils
apt-get install smbclient
apt-get install libapache2-mod-auth-ntlm-winbind
apt-get install krb5-user krb5-config ntp
apt-get install libnss-winbind libpam-winbind
The last two packages provide the NSS and PAM winbind modules used in steps d) and h); check that they are present with dpkg -l libnss-winbind libpam-winbind.
b) Kerberos does not tolerate clock drift (MIT Kerberos rejects requests whose timestamp is more than 300 seconds off the KDC clock by default), so set the Linux server's clock from one of the DCs:
vi /etc/[Link]
server [Link]
ntpdate [Link]
ntpdate refuses to run while ntpd is listening on UDP 123 ("the NTP socket is in use"): run it before starting ntp, or stop ntp, run ntpdate, then start ntp again.
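The skew limit in step b) is the one failure that shows up only at step 4, as an opaque "Clock skew too great" from kinit or net ads join. The script below is an added example, not part of the original procedure: it parses the offset reported by ntpdate -u -q (query only, unprivileged port, so it works while the local ntpd runs) and compares it with the 300 s MIT default. The DC name is a placeholder and the two ntpdate outputs are constructed samples, not captured from a real DC.

```bash
#!/bin/bash
# Added example, not part of the original procedure: verify the clock offset
# against a domain controller before kinit / net ads join. MIT Kerberos
# rejects requests whose timestamp is more than "clockskew" (300 s by
# default) away from the KDC clock, so anything near that limit must be
# fixed before step 4. Assumptions: the DC name is a placeholder and the
# sample ntpdate output below is constructed, not captured from a real DC.

DC="${DC:-dc1.example.com}"
MAX_SKEW_SECONDS=300

# Read `ntpdate -u -q <dc>` output on stdin and print the absolute offset in
# seconds taken from the first "server ..., offset X, delay Y" line.
# Returns 1 when no offset line is present (DC unreachable, NTP blocked).
ntpdate_abs_offset() {
    awk '
        /offset/ && !found {
            for (i = 1; i < NF; i++)
                if ($i == "offset") {
                    o = $(i + 1); sub(/,$/, "", o); sub(/^-/, "", o)
                    print o; found = 1
                }
        }
        END { if (found) exit 0; exit 1 }'
}

# Exit 0 when the offset in the given ntpdate output is below the Kerberos
# skew limit, 1 otherwise (also 1 when the output has no offset at all).
skew_ok() {
    local offset
    offset=$(printf '%s\n' "$1" | ntpdate_abs_offset) || return 1
    awk -v o="$offset" -v max="$MAX_SKEW_SECONDS" \
        'BEGIN { if (o + 0 < max + 0) exit 0; exit 1 }'
}

# Live check (needs network access to the DC): query only, unprivileged port,
# so it works even while the local ntpd is running.
check_dc_skew() {
    local out
    out=$(ntpdate -u -q "$DC" 2>&1) || { echo "cannot query $DC: $out"; return 2; }
    if skew_ok "$out"; then
        echo "clock within ${MAX_SKEW_SECONDS}s of $DC"
    else
        echo "clock skew too large for Kerberos; sync with the DC first:"
        echo "  service ntp stop; ntpdate $DC; service ntp start"
        return 1
    fi
}

# Constructed sample outputs (ntpdate -q prints "server <ip>, stratum <n>, offset <s>, delay <s>").
SAMPLE_OK='server 192.0.2.10, stratum 2, offset -0.001234, delay 0.02589
26 Mar 13:00:00 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.001234 sec'
SAMPLE_BAD='server 192.0.2.10, stratum 2, offset 412.5, delay 0.02589
26 Mar 13:00:00 ntpdate[1235]: step time server 192.0.2.10 offset 412.5 sec'

skew_ok "$SAMPLE_OK"  && echo "sample 1: offset $(printf '%s\n' "$SAMPLE_OK"  | ntpdate_abs_offset)s, fine"
skew_ok "$SAMPLE_BAD" || echo "sample 2: offset $(printf '%s\n' "$SAMPLE_BAD" | ntpdate_abs_offset)s, Kerberos would reject"
```

Run check_dc_skew on the server itself once the DC is reachable; a non-zero exit means step 4 will fail until the clock is stepped.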
c) Back up the [Link] file:
cp /etc/samba/[Link] /etc/samba/[Link]
Then edit it as below:
vi /etc/samba/[Link]
[global]
allow trusted domains = Yes
workgroup = DOMAIN
server string = %h server (Ubuntu 14.04 GLPI CCIPDLL)
security = ads
realm = [Link]
password server = [Link] [Link] [Link]
domain master = no
local master = no
preferred master = no
# allocating backend for the default domain "*" (BUILTIN and trusted domains);
# the rid backend cannot allocate ids and is not meant to be used for "*"
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# deterministic rid mapping for the joined domain, in a range disjoint from "*"
# (uid/gid = RID + 10000, so RIDs above 89999 cannot be mapped with this range)
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-99999
# (the deprecated "idmap backend/uid/gid" spellings and the misspelt "idamp config"
# lines of the original, which Samba skipped as unknown parameters, are replaced above)
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/DOMAIN/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
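The idmap block is where this file most often fails silently: testparm only warns about an unknown parameter, and an overlapping or non-allocating "*" range shows up later as users that getent cannot see. The script below is an added example, not part of the original procedure or of Samba: it parses the idmap config entries of an smb.conf, rejects the three mistakes discussed above (the "idamp" typo, rid on "*", overlapping ranges) and shows the idmap_rid arithmetic. Both smb.conf fragments are constructed; the "bad" one copies the original lines of this page. It assumes one explicit domain entry besides "*".

```bash
#!/bin/bash
# Added example, not part of the original procedure: sanity-check the idmap
# settings of an smb.conf before winbind is started, and show the idmap_rid
# arithmetic. Three things go wrong in the original [global] section:
#   - "idamp config" is misspelt, so Samba ignores those two lines entirely
#   - the rid backend is set for the default "*" domain, but rid cannot
#     allocate ids for BUILTIN and trusted domains (use tdb there)
#   - the "*" range and the DOMAIN range must not overlap
# Assumption: a single explicit domain entry besides "*" (enough for this page).

# Print "<domain> <key> <value>" for each "idmap config <domain> : <key> = <value>".
idmap_entries() {
    awk '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)      # "* : backend = tdb"
            n = index(line, "="); if (n == 0) next
            lhs = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", lhs); gsub(/[ \t]/, "", val)   # "*:backend", "tdb"
            c = index(lhs, ":"); if (c == 0) next
            print substr(lhs, 1, c - 1), substr(lhs, c + 1), val
        }' "$1"
}

# Exit 0 when the idmap configuration in $1 is usable, 1 with reasons otherwise.
check_idmap() {
    local file=$1 rc=0
    local star_backend= star_lo= star_hi= dom_lo= dom_hi=
    if grep -qi '^[[:space:]]*idamp' "$file"; then
        echo "ERROR: 'idamp config' typo: Samba reports an unknown parameter and skips the line"
        rc=1
    fi
    while read -r dom key val; do
        case "$dom/$key" in
            '*/backend') star_backend=$val ;;
            '*/range')   star_lo=${val%-*}; star_hi=${val#*-} ;;
            */range)     dom_lo=${val%-*};  dom_hi=${val#*-} ;;
        esac
    done <<EOF
$(idmap_entries "$file")
EOF
    if [ "$star_backend" = rid ]; then
        echo "ERROR: rid backend on the default '*' domain; it cannot allocate ids, use tdb for '*'"
        rc=1
    fi
    if [ -z "$star_lo" ] || [ -z "$dom_lo" ]; then
        echo "ERROR: need an 'idmap config * : range' and an 'idmap config DOMAIN : range'"
        rc=1
    elif [ "$star_lo" -le "$dom_hi" ] && [ "$dom_lo" -le "$star_hi" ]; then
        echo "ERROR: '*' range $star_lo-$star_hi overlaps the domain range $dom_lo-$dom_hi"
        rc=1
    fi
    return $rc
}

# idmap_rid arithmetic: id = RID - base_rid + range_low (base_rid defaults to 0).
# Prints the id; returns 1 when the RID maps outside the range, which is what
# makes a user or group silently invisible to getent.
rid_to_id() {
    local rid=$1 lo=$2 hi=$3 base=${4:-0} id
    id=$(( rid - base + lo ))
    [ "$id" -ge "$lo" ] && [ "$id" -le "$hi" ] || return 1
    echo "$id"
}

BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
# Constructed copy of the idmap lines as they appear in the original procedure.
cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   idmap backend = tdb
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idamp config *:backend = rid
   idamp config *:range = 10000-99999
EOF
# Constructed corrected version: allocating tdb for "*", rid for the domain, disjoint ranges.
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-99999
EOF

check_idmap "$BAD_CONF" || echo "original idmap block rejected (expected)"
check_idmap "$GOOD_CONF" && echo "corrected idmap block accepted"
echo "Domain Admins (RID 512) -> gid $(rid_to_id 512 10000 99999)"   # 10512
rid_to_id 95000 10000 99999 || echo "RID 95000 is unmappable with range 10000-99999"
```

Run check_idmap against the real /etc/samba/smb.conf together with testparm -s before restarting winbind; the rid arithmetic is also the quick way to predict the uid a given account will get, which the getent checks of section 4 should then confirm.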
d) Next back up the [Link] file:
cp /etc/[Link] /etc/[Link]
Then edit it as below (winbind is added to passwd and group only; it serves no shadow entries):
vi /etc/[Link]
# /etc/[Link]
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
e) Back up the [Link] file:
cp /etc/[Link] /etc/[Link]
Then edit it as below:
vi /etc/[Link]
[libdefaults]
default_realm = [Link]
# The following [Link] variables are only for MIT Kerberos.
krb4_config = /etc/[Link]
krb4_realms = /etc/[Link]
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
[Link] = {
admin_server = [Link]
kdc = [Link]
kdc = [Link]
}
[Link] = {
admin_server = [Link]
kdc = [Link]
kdc = [Link]
kdc = [Link]
kdc = [Link]
}
[domain_realm]
.[Link] = [Link]
[Link] = [Link]
.[Link] = [Link]
[Link] = [Link]
.[Link] = [Link]
[Link] = [Link]
.[Link] = [Link]
[Link] = [Link]
[login]
krb4_convert = true
krb4_get_tickets = false
f) Add the symbolic links below:
ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s libnss_winbind.so /lib/libnss_winbind.so.2
The first link only serves software that looks for the privileged winbind pipe under /var/run/samba (here mod_auth_ntlm_winbind). The two libnss links assume a Samba built from source under /usr/local/samba; with the packaged libnss-winbind from step a) the module is already on the library path, these two links are not needed, and the /usr/local/samba target does not exist, so the link would dangle.
g) Create a DOMAIN directory under /home:
cd /home
mkdir DOMAIN
chmod 755 DOMAIN
The directory stays owned by root with mode 755: pam_mkhomedir (step h) runs as root and creates each user's own home directory with the right owner and umask, so the world-writable 777 of the original procedure is unnecessary and would let any local user rename or replace other users' home directories.
h) Configure PAM:
cd /etc/pam.d/
Back up the following files:
cp common-account [Link]
cp common-auth [Link]
cp common-password [Link]
cp common-session [Link]
cp common-session-noninteractive [Link]
cp sshd [Link]
Edit the files one after the other as below. Note that the common-* files are managed by pam-auth-update(8): with libpam-winbind installed, pam-auth-update generates the pam_winbind entries shown below by itself (profile "Winbind NT/Active Directory authentication"), and it rewrites these files at the next upgrade of a libpam-* package, so prefer running pam-auth-update over editing them by hand.
vi common-account
vi common-account
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vi common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
vi common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# [Link].
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
vi common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/[Link] and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
# end of pam-auth-update config
vi common-session-noninteractive
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/[Link] and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
# end of pam-auth-update config
vi sshd
Add the following line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
(I added this towards the bottom of /etc/pam.d/sshd, right before the last line, an "@include" statement.)
Placed in sshd only, the home directory is created for SSH logins alone; put the line in common-session instead if console logins or other services should get it too.
Restart the following services (winbind last, since it depends on the smb.conf just edited):
/etc/init.d/smbd restart
/etc/init.d/nmbd restart
/etc/init.d/winbind restart
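Because pam-auth-update regenerates the common-* files, the durable way to keep the pam_mkhomedir line from step h) is a profile under /usr/share/pam-configs rather than a hand edit of sshd. The script below is an added example, not part of the original procedure or of any Ubuntu package: it writes such a profile, checks it, and shows the install sequence. The profile name "mkhomedir" and its Name text are this example's choice; the module options are the ones the page uses. The demonstration writes into a scratch directory only.

```bash
#!/bin/bash
# Added example, not part of the original procedure. The common-* files
# above are generated by pam-auth-update(8): the next time it runs (every
# upgrade of libpam-runtime, libpam-winbind or similar triggers it) the
# hand-made edits are replaced. The supported way to keep pam_mkhomedir is
# a profile under /usr/share/pam-configs; pam-auth-update then merges it
# into common-session for every service, not only sshd.
# Assumptions: the profile name "mkhomedir" and its Name text are this
# example's choice; pam_mkhomedir options are the ones the page uses.

PROFILE_NAME=mkhomedir

# Write the profile into $1 (default /usr/share/pam-configs).
# Continuation lines of a profile start with a tab. Higher Priority sorts
# earlier, so 900 puts pam_mkhomedir ahead of the standard session modules
# and the home directory exists before pam_unix / pam_winbind run.
write_mkhomedir_profile() {
    local dir=${1:-/usr/share/pam-configs}
    printf 'Name: Create home directory on first login\n' >  "$dir/$PROFILE_NAME"
    printf 'Default: yes\n'                                  >> "$dir/$PROFILE_NAME"
    printf 'Priority: 900\n'                                 >> "$dir/$PROFILE_NAME"
    printf 'Session-Type: Additional\n'                      >> "$dir/$PROFILE_NAME"
    printf 'Session:\n'                                      >> "$dir/$PROFILE_NAME"
    printf '\trequired\tpam_mkhomedir.so umask=0022 skel=/etc/skel\n' >> "$dir/$PROFILE_NAME"
}

# Check that a profile directory holds a usable mkhomedir profile.
profile_ok() {
    local f=$1/$PROFILE_NAME
    [ -r "$f" ] &&
    grep -q '^Session-Type: Additional$' "$f" &&
    grep -q '^[[:space:]]*required[[:space:]]*pam_mkhomedir\.so umask=0022 skel=/etc/skel$' "$f"
}

# Install on the real system (not run here): write the profile, let
# pam-auth-update regenerate common-session, then drop the manual sshd line.
install_mkhomedir_profile() {
    write_mkhomedir_profile /usr/share/pam-configs
    pam-auth-update --package
    sed -i '/pam_mkhomedir\.so/d' /etc/pam.d/sshd      # now provided by common-session
    grep pam_mkhomedir /etc/pam.d/common-session      # expect one "session required" line
}

# Demonstration in a scratch directory (leaves the system untouched).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
write_mkhomedir_profile "$DEMO_DIR"
profile_ok "$DEMO_DIR" && cat "$DEMO_DIR/$PROFILE_NAME"
```

After install_mkhomedir_profile, pam-auth-update keeps the line across package upgrades, and the check in profile_ok is what to rerun if a later upgrade ever drops home-directory creation.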
Grant sudo to some users or groups if needed (edit with visudo, which checks the syntax before saving; a broken /etc/sudoers locks everyone out of sudo):
visudo
%BUILTIN+administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
Group names must use the configured "winbind separator" (+ in the [Link] above): the %BUILTIN\administrators spelling of the original never matches with that setting. "domain admins" needs no prefix because of "winbind use default domain = yes". Confirm that each group resolves before relying on it: getent group 'BUILTIN+administrators'.
If necessary, reboot the whole server:
shutdown -r 0
4 JOINING THE ACTIVE DIRECTORY DOMAIN
Test Kerberos against the domain with a valid account:
kinit domainadminuser
Enter the password; kinit prints nothing on success (klist then shows a krbtgt ticket).
Join the server to the domain:
net ads join -U domainadminuser
Enter the password when prompted, then restart winbind so that it uses the newly created machine account:
/etc/init.d/winbind restart
Check that the Active Directory can be queried:
klist : lists the current Kerberos tickets
net ads testjoin : verifies the machine account ("Join is OK")
wbinfo -t : validates the shared secret (machine account password)
wbinfo -u : lists the domain users
wbinfo -g : lists the domain groups
net getdomainsid : returns the machine SID and the domain SID
getent passwd domainuser : confirms that NSS resolves a domain user with a uid from the idmap range and the template home directory
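The checks of section 4 and the sudoers entries of section 3 only prove the join when they agree on the same names. The script below is an added example, not part of the original procedure or of Samba: it reads the winbind separator from an smb.conf, flags sudoers group entries written with the other separator (the %BUILTIN\administrators line of the original never matches with "winbind separator = +"), checks that a getent passwd entry reflects the idmap range and the template homedir, and lists the live commands to run on the joined server. DOMAIN, the user jdoe and all three files are constructed placeholders.

```bash
#!/bin/bash
# Added example, not part of the original procedure: checks for after
# "net ads join", plus a consistency test between the "winbind separator"
# in smb.conf and the group names in sudoers. Section 3 writes
# %BUILTIN\administrators while smb.conf sets "winbind separator = +",
# so that sudoers entry never matches a real group. Also checks that a
# getent passwd entry reflects the idmap range and the template homedir.
# Assumptions: DOMAIN, the sample user and the constructed files are placeholders.

# Print the configured winbind separator (Samba's default is a backslash).
winbind_separator() {
    local sep default='\'
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*\(.\).*/\1/p' "$1" | head -n 1)
    printf '%s' "${sep:-$default}"
}

# Print sudoers %group lines whose name uses the other separator; return 1 if any
# (handles the two separators seen in practice, backslash and plus).
sudoers_separator_mismatch() {
    local smb=$1 sudoers=$2 sep other
    sep=$(winbind_separator "$smb")
    if [ "$sep" = '\' ]; then other='+'; else other='\\'; fi   # '\\' reaches awk as one backslash
    awk -v other="$other" '
        /^%/ {
            name = $1
            if (name ~ /^%"/) { name = substr($0, 3); sub(/".*/, "", name) }   # %"domain admins"
            else              { name = substr(name, 2) }
            if (index(name, other) > 0) { print "wrong separator: " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }' "$sudoers"
}

# Check one "getent passwd <user>" line: uid inside the domain idmap range and
# home directory built from "template homedir = /home/DOMAIN/%U".
nss_entry_ok() {
    local line=$1 lo=${2:-10000} hi=${3:-99999} user uid home
    IFS=: read -r user _ uid _ _ home _ <<< "$line"
    [ -n "$uid" ] && [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ] && [ "$home" = "/home/DOMAIN/$user" ]
}

# Live checks on the joined server (not run here); each one fails loudly.
post_join_checks() {
    local user=${1:?domain user name}
    net ads testjoin || return 1                                  # prints "Join is OK"
    wbinfo -t        || return 1                                  # machine account secret
    getent group 'BUILTIN+administrators' >/dev/null || return 1  # sudoers group must resolve
    sudoers_separator_mismatch /etc/samba/smb.conf /etc/sudoers || return 1
    nss_entry_ok "$(getent passwd "$user")"                       # idmap and template took effect
}

# Constructed samples.
SMB_CONF=$(mktemp); SUDOERS_BAD=$(mktemp); SUDOERS_GOOD=$(mktemp)
trap 'rm -f "$SMB_CONF" "$SUDOERS_BAD" "$SUDOERS_GOOD"' EXIT
printf '[global]\n   workgroup = DOMAIN\n   winbind separator = +\n   winbind use default domain = yes\n' > "$SMB_CONF"
cat > "$SUDOERS_BAD" <<'EOF'
%BUILTIN\administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
EOF
cat > "$SUDOERS_GOOD" <<'EOF'
%BUILTIN+administrators ALL=(ALL) ALL
%"domain admins" ALL=(ALL) ALL
EOF
SAMPLE_ENTRY='jdoe:*:11106:10513:John Doe:/home/DOMAIN/jdoe:/bin/bash'

sudoers_separator_mismatch "$SMB_CONF" "$SUDOERS_BAD"  || echo "sudoers from section 3 rejected (expected)"
sudoers_separator_mismatch "$SMB_CONF" "$SUDOERS_GOOD" && echo "corrected sudoers accepted"
nss_entry_ok "$SAMPLE_ENTRY" && echo "sample getent entry matches idmap range and template homedir"
```

post_join_checks jdoe is the one-line acceptance test for the whole procedure: if getent resolves the user but nss_entry_ok fails, the idmap or template settings in smb.conf did not apply, and if the BUILTIN group does not resolve, the sudoers entry will silently grant nothing.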