Joining a Debian Client to Active Directory
Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences. More work is required to make this Debian-specific.
Required Software/Packages
Name |
Version |
|
MS Server 2003 w/AD and DNS |
2003 Standard |
|
GNU/Linux |
(Debian 6.0 or later) |
|
Winbind |
2:3.6.6-3 |
|
Samba |
2:3.6.6-3 |
|
Krb5-user |
1.10.1+dfsg-2 |
|
Libpam-krb5 |
4.6-1 |
|
Time settings
Kerberos requires that the device time be within a few minutes of the server time. See NTP to find out how to keep clocks up-to-date.
FQDN
A valid FQDN is necessary for Kerberos and AD. Edit the local host file so that it is resolvable.
Location: /etc/hosts
127.0.0.1 linux.test.server.com localhost linux
Configure Kerberos
Use apt-get install to install the following packages:
krb5-user
libpam-krb5 krb5 template Location: /etc/krb5.conf
[logging]
Default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock-skew = 300
default_realm = test.server.com
# dns_lookup_realm = false
# dns_lookup_kdc = true
[realms]
test.example.com = {
kdc = example.test.server.com:88
admin_server = example.test.server.com:464
default_domain = test.server.com
}
[domain_realm]
.server.com = test.server.com
server.com = test.server.comTest your configuration by requesting a ticket root@linux:~# kinit Administrator@test.server.com Password for Administrator@test.server.com : ****
Use klist to verify request worked
root@linux:~# klist
Ticket cache: File: /tmp/krb5cc_0
Default principal: Administrator@test.server.com
Valid starting Expires Service principal
05/16/07 10:30:42 05/16/07 20:30:01
Krbtgt/test.server.com@test.server.com
renew until 05/16/07 10:30:42
Join the Domain
Use apt-get install to install the following packages:
winbind
sambaJoin Location: /etc/samba/smb.conf
[global]
security = ads
realm = test.server.com
password server = 10.0.0.1
workgroup = test
# winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0Restart services
root@linux:~# /etc/init.d/winbind stop root@linux:~# /etc/init.d/samba restart root@linux:~# /etc/init.d/winbind start
Request Kerberos TGT for an account
root@linux:~# net ads join Using short domain name – test Joined ‘Linux’ to realm ‘test.server.com’
Test
# wbinfo -u
Setup Authentication
nsswitch Location: /etc/nsswitch.conf
passwd: compat winbind group: compat winbind shadow: compat
Test
root@linux:~# getent passwd root:x:0:0:root:/root:/bin/bash . . . test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b… test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash . . .
root@linux:~#: getent group root:x:0: daemon:x:1: bin:x:2: . . . test+organizations-admins:x:10005:administrator test+domain-admins:x:10006: user, administrator . . .
PAM
Location: /etc/pam.d/common-account
account sufficient pam_winbind.so account required pam_unix.so
Location: /etc/pam.d/common-auth
auth sufficient pam_winbind.so auth sufficient pam_unix.so nullok_secure use_first_pass auth required pam_deny.so
Location: /etc/pam.d/common-session
session required pam_unix.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Location: /etc/pam.d/sudo
Auth sufficient pam_winbind.so Auth sufficient pam_unix.so use_first_pass Auth required pam_deny.so @include common-account
Final Config
Each domain needs a directory in home
root@linux:~# mkdir /home/test Login login: test+user password: **** . . . test+user@linux:~$