Authenticating Debian & Samba to Active Directory

Linux Samba Configuration:

Debian Samba server connecting to Active Directory

1. Installing software

The first thing that you need to do is to install the required packages.

Windows server information

In this configuration I used the following Windows information.

Domain name: is414
Fully qualified domain name:
Windows domain controller: rkb-server

Kerberos setup

Open /etc/krb5.conf

Add the following lines to the /etc/krb5.conf file.

After that has been completed do the following:

Verify that it worked by using the following command:

Samba Setup

Open the samba configuration file /etc/samba/smb.conf and add the following:

Creating a share in /etc/samba/smb.conf. Replace WindowsShare with any name you want. First create the folder:

Add the following to /etc/samba/smb.conf:

Test your configuration with the following command:

Now you must restart the Samba daemon.

Winbind configuration

Stop the winbind daemon.

Edit a couple of lines in the /etc/nsswitch.conf file.

Joining the Domain

Start the Samba and winbind daemons.

Join the domain with the following command:

Test winbind with the following commands:

wbinfo -u should list the AD users.

wbinfo -g should list the AD groups.

All that is left is to test the connection from the server to verify that the share is working.

Linux Client Configuration:

Joining a Debian Client to Active Directory

Note: This walkthrough was taken almost entirely from . A few configuration changes in the PAM section and the wording used are the only differences.

Required Software/Packages

Name                           Version
MS Server 2003 w/AD and DNS    2003 Standard
Linux                          Ubuntu 6.10
Winbind                        3.0.22-1ubuntu4.1
Samba                          3.0.22-1ubuntu4.1
Krb5-user                      1.4.3-9ubuntu1.2
Libpam-krb5                    2.4-1

Time settings

Kerberos requires that the client's clock be within a few minutes of the server's clock. Use an NTP server to keep the time synchronized.

Location: /etc/default/ntpdate

# servers to check
NTPSERVERS=""
# additional options for ntpdate
NTPOPTIONS="-u"

root@linux:~# /etc/init.d/ntpdate restart
 * Synchronizing clock to... [ok]


A valid FQDN is necessary for Kerberos and AD. Edit the local hosts file so that the hostname is resolvable.

Location: /etc/hosts

localhost linux

Configure Kerberos

Use apt-get install to install the following packages:

krb5 template
Location: /etc/krb5.conf

# dns_lookup_realm = false
# dns_lookup_kdc = true

Test your configuration by requesting a ticket:

root@linux:~# kinit
Password for : ****

Use klist to verify the request worked:

root@linux:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting     Expires            Service principal
05/16/07 10:30:42  05/16/07 20:30:01  krbtgt/

Join the Domain

Use apt-get install to install the following packages:

Join
Location: /etc/samba/smb.conf

# winbind separator = +

Restart services:

root@linux:~# /etc/init.d/winbind stop
root@linux:~# /etc/init.d/samba restart
root@linux:~# /etc/init.d/winbind start

Request Kerberos TGT for an account:

root@linux:~# net ads join
Using short domain name -- test
Joined 'Linux' to realm ''

Test:

# wbinfo -u

Setup Authentication

nsswitch
Location: /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind
shadow: compat

Test:

root@linux:~# getent passwd
root:x:0:0:root:/root:/bin/bash
. . .
test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b…
test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
. . .

root@linux:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
. . .
test+organizations-admins:x:10005:administrator
test+domain-admins:x:10006:user,administrator
. . .
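Once getent returns domain accounts, it is worth checking that winbind mapped them the way you expect: every domain user should get a UID inside the idmap range, no UID should be shared with a local account, and the home directory should follow the per-domain layout used above. The following script is an added example, not part of the walkthrough; the separator, the idmap range 10000-19999 and the /home/<domain>/<user> template are assumptions, and the sample output is constructed from the entries shown above.

```python
"""Sanity-check winbind NSS output after an AD join (added example)."""
from collections import namedtuple

SEPARATOR = "+"                 # assumed: 'winbind separator = +' in smb.conf
UID_RANGE = (10000, 20000)      # assumed idmap range; page's users start at 10000
HOME_TEMPLATE = "/home/{domain}/{user}"  # assumed 'template homedir = /home/%D/%U'

Entry = namedtuple("Entry", "name uid gid home")


def parse_passwd(text):
    """Parse 'getent passwd' style lines into Entry records, skipping '. . .' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 6:      # ellipses and blank lines from pasted output
            continue
        entries.append(Entry(parts[0], int(parts[2]), int(parts[3]), parts[5]))
    return entries


def check_entries(entries):
    """Return (name, problem) findings: UID collisions, out-of-range UIDs, odd homes."""
    findings = []
    seen_uids = {}
    for e in entries:
        prev = seen_uids.setdefault(e.uid, e.name)
        if prev != e.name:
            findings.append((e.name, f"uid {e.uid} collides with {prev}"))
        if SEPARATOR not in e.name:
            continue            # local account; nothing further to check
        domain, user = e.name.split(SEPARATOR, 1)
        if not UID_RANGE[0] <= e.uid < UID_RANGE[1]:
            findings.append((e.name, f"uid {e.uid} outside idmap range"))
        expected = HOME_TEMPLATE.format(domain=domain, user=user)
        if e.home != expected:
            findings.append((e.name, f"home {e.home} != {expected}"))
    return findings


# Constructed sample modelled on the 'getent passwd' output shown on this page
SAMPLE = """root:x:0:0:root:/root:/bin/bash
. . .
test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/bash
test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
"""

if __name__ == "__main__":
    for name, problem in check_entries(parse_passwd(SAMPLE)):
        print(f"{name}: {problem}")
```

On the sample it flags only test+gast, whose home directory sits under /home/LAB instead of /home/test.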


Location: /etc/pam.d/common-account

account sufficient
account required

Location: /etc/pam.d/common-auth

auth sufficient
auth sufficient nullok_secure use_first_pass
auth required

Location: /etc/pam.d/common-session

session required
session required umask=0022 skel=/etc/skel

Location: /etc/pam.d/sudo

auth sufficient
auth sufficient use_first_pass
auth required

@include common-account

Final Config

Each domain needs a directory in /home:

root@linux:~# mkdir /home/test

Login:

login: test+user
password: ****
. . .
test+user@linux:~$