Joining a Debian Client to Active Directory

Note: This walkthrough was taken almost entirely from https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. A few configuration changes in the PAM section and verbiage used are the only differences.

Required Software/Packages

Name

Version

MS Server 2003 w/AD and DNS

2003 Standard

GNU/Linux

(Ubuntu 6.10)

Winbind

3.0.22-lubuntu4.1

Samba

3.0.22.-lubuntu4.1

Krb5-user

1.4.3-9ubuntu1.2

Libpam-krb5

2.4-1

Time settings

Kerberos requires that the device time be within a few minutes of the server time. Utilize NTP-Server to confirm time synchronization.

Location: /etc/default/ntpdate

#servers to check
NTPSERVERS= “example.test.server.com”
#additional options for ntpdate
NTPOPTIONS= “-u”

root@linux:~# /etc/init.d/ntpdate restart

*Synchronizing clock to example.test.server.com… [ok]

FQDN

A valid FQDN is necessary for Kerberos and AD. Edit the local host file so that it is resolvable.

Location: /etc/hosts

127.0.0.1 linux.test.server.com localhost linux

Configure Kerberos

Use apt-get install to install the following packages:

        krb5-user (Universe repository)
        libpam-krb5 
        krb5-conifg
        libkrb53
        libkadm55

krb5 template Location: /etc/krb5.conf

[logging]
        Default = FILE:/var/log/krb5.log

[libdefaults]
        ticket_lifetime = 24000
        clock-skew = 300
        default_realm = test.server.com
#       dns_lookup_realm = false
#       dns_lookup_kdc = true

[realms]
        test.example.com = {
                kdc = example.test.server.com:88
                admin_server = example.test.server.com:464
                default_domain = test.server.com        

}

[domain_realm]
        .server.com = test.server.com
        server.com = test.server.com

Test your configuration by requesting a ticket root@linux:~# kinit Administrator@test.server.com Password for Administrator@test.server.com : ****

Use klist to verify request worked

root@linux:~# klist
Ticket cache: File: /tmp/krb5cc_0
Default principal: Administrator@test.server.com

Valid starting          Expires Service principal
05/16/07 10:30:42       05/16/07 20:30:01
Krbtgt/test.server.com@test.server.com
        renew until 05/16/07 10:30:42

Join the Domain

Use apt-get install to install the following packages:

        winbind
        samba

Join Location: /etc/samba/smb.conf

[global]
        security = ads
        realm = test.server.com
        password server = 10.0.0.1
        workgroup = test
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use sponego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        os level = 0

Restart services

root@linux:~# /etc/init.d/winbind stop
root@linux:~# /etc/init.d/samba restart
root@linux:~# /etc/init.d/winbind start

Request Kerberos TGT for an account

root@linux:~# n et ads join

Using short domain name – test

Joined ‘Linux’ to realm ‘test.server.com’

Test

# wbinfo – u

Setup Authentication

nsswitch Location: /etc/nsswitch.conf

passwd: compat winbind
group:          compat winbind
shadow: compat

Test

root@linux:~# getent passwd

root:x:0:0:root:/root:/bin/bash
. . .
test+administrator:x:10000:10000:Administrator:/home/test/administrator:/bin/b…
test+gast:x:10001:10001:Gast:/home/LAB/gast:/bin/bash
. . .

root@linux:~#: getent group

root:x:0:
daemon:x:1:
bin:x:2:
. . .
test+organizations-admins:x:10005:administrator
test+domain-admins:x:10006: user, administrator
. . . 

PAM

Location: /etc/pam.d/common-account

account sufficient      pam_winbind.so
account required        pam_unix.so

Location: /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

Location: /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Location: /etc/pam.d/sudo

Auth sufficient pam_winbind.so
Auth sufficient pam_unix.so use_first_pass
Auth required    pam_deny.so

@include common-account

Final Config

Each domain needs a directory in home

root@linux:~# mkdir /home/test

Login
login: test+user
password: ****
. . .
test+user@linux:~$