Joining a Debian Client to Active Directory
Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences. More work is required to make this Debian-specific.
Required Software/Packages
Name |
Version |
|
MS Server 2003 w/AD and DNS |
2003 Standard |
|
GNU/Linux |
(Debian 6.0 or later) |
|
Winbind |
2:3.6.6-3 |
|
Samba |
2:3.6.6-3 |
|
Krb5-user |
1.10.1+dfsg-2 |
|
Libpam-krb5 |
4.6-1 |
|
libpam-winbind |
||
libnss-winbind |
Time settings
Kerberos requires that the device time be within a few minutes of the server time. See NTP to find out how to keep clocks up-to-date.
FQDN
A valid FQDN is necessary for Kerberos and AD. Edit the local host file so that it is resolvable.
Location: /etc/hosts
127.0.0.1 linux.test.server.com localhost linux
Configure Kerberos
Use apt-get install to install the following packages:
krb5-user libpam-krb5
krb5 template Location: /etc/krb5.conf
[logging] Default = FILE:/var/log/krb5.log [libdefaults] ticket_lifetime = 24000 clock-skew = 300 default_realm = test.server.com # dns_lookup_realm = false # dns_lookup_kdc = true [realms] test.example.com = { kdc = example.test.server.com:88 admin_server = example.test.server.com:464 default_domain = test.server.com } [domain_realm] .server.com = test.server.com server.com = test.server.com
Test your configuration by requesting a ticket
root@linux:~# kinit Administrator@test.server.com Password for Administrator@test.server.com : ****
Use klist to verify request worked
root@linux:~# klist Ticket cache: File: /tmp/krb5cc_0 Default principal: Administrator@test.server.com Valid starting Expires Service principal 05/16/07 10:30:42 05/16/07 20:30:01 Krbtgt/test.server.com@test.server.com renew until 05/16/07 10:30:42
Join the Domain
Use apt-get install to install the following packages:
winbind samba
Join Location: /etc/samba/smb.conf
[global] security = ads realm = test.server.com password server = 10.0.0.1 workgroup = test # winbind separator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 domain master = no local master = no preferred master = no os level = 0
Restart services
root@linux:~# /etc/init.d/winbind stop root@linux:~# /etc/init.d/samba restart root@linux:~# /etc/init.d/winbind start
Request Kerberos TGT for an account
root@linux:~# net ads join Using short domain name – test Joined ‘Linux’ to realm ‘test.server.com’
Test
# wbinfo -u
Setup Authentication
nsswitch Location: /etc/nsswitch.conf
passwd: compat winbind group: compat winbind shadow: compat
Test
root@linux:~# getent passwd root:x:0:0:root:/root:/bin/bash . . . test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b… test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash . . .
root@linux:~#: getent group root:x:0: daemon:x:1: bin:x:2: . . . test+organizations-admins:x:10005:administrator test+domain-admins:x:10006: user, administrator . . .
PAM
Location: /etc/pam.d/common-account
account sufficient pam_winbind.so account required pam_unix.so
Location: /etc/pam.d/common-auth
auth sufficient pam_winbind.so auth sufficient pam_unix.so nullok_secure use_first_pass auth required pam_deny.so
Location: /etc/pam.d/common-session
session required pam_unix.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Location: /etc/pam.d/sudo
Auth sufficient pam_winbind.so Auth sufficient pam_unix.so use_first_pass Auth required pam_deny.so @include common-account
Final Config
Each domain needs a directory in home
root@linux:~# mkdir /home/test Login login: test+user password: **** . . . test+user@linux:~$