I've been building a few servers, as of late, at work. For our Windows workstations, we have an AD domain controller setup which, obviously, handles the authentication for each of those machines. For us, as for our users, it is nice to be able to use our normal logins for all of the server maintenance.

So, I joined the boxes to the domain. Like so many things in the Linux world, this task is, ultimately, not hard and has been done by a gazillion people, most of whom have written on it to some degree or another. But, at the same time, the documentation that is received is almost always sketchy, dropping an "obvious" step or two and simply ploughing through. I found some good resources, but still ended up "patching" my directions to get everything working as it ought. Most of the directions came from the first reference below, the author of which seems to be a man after my own heart. However, I still had to do some tweaking.

Note: all commands are run as root. Wherever REALM (REALMNAME in the configuration lines) is used, it means the full domain (i.e. myorg.local or myorg.net, not simply myorg). Wherever DOMAIN (DOMAINNAME in the configuration lines) is used, it means the short name (myorg, not myorg.local or myorg.net). pdc_ip_address is the IP address of the primary domain controller. Should be obvious, but let's follow the KISS principle, shall we?

  1. Install the software. Notice that, as opposed to in [1], I installed the package ntp, not ntp-server.
    apt-get install libkrb53 krb5-config samba winbind ntpdate ntp
  2. Stop the services.
    sudo /etc/init.d/samba stop
    sudo /etc/init.d/winbind stop
    sudo /etc/init.d/ntp stop
  3. Kerberos needs to be able to do a reverse DNS lookup on the domain controller [1]. This caused me all sorts of problems. In our network, this simply wasn't happening automatically. Rather than try to figure out why, I added the domain controller to /etc/hosts and restarted the networking service. The downside to this, of course, is that if the IP for the domain controller changes for some reason (like, maybe, a network upgrade), the entry in /etc/hosts has to be changed by hand as well.
  4. Configure Kerberos (/etc/krb5.conf) as in [1]
    • Add a section like the following to the section [realms]
      REALMNAME = {
          kdc = pdc_ip_address
      }
    • In the section [libdefaults], set the default realm like so:
      [libdefaults]
      default_realm = REALMNAME
  5. Configure ntp as in [1]
    • Add a line of the form
      server pdc_ip_address
      to /etc/ntp.conf
    • Start the service with /etc/init.d/ntp start
  6. Configure Winbind as in [1], adding the following supplemental lines to /etc/samba/smb.conf (note: the last few lines disable printing; this was good for the server I was using and suppressed complaints in the logs, but if you need printing, take them out):
    realm = REALMNAME
    workgroup = DOMAINNAME
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = \
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
  7. Configure nsswitch

    • Make the following changes to /etc/nsswitch.conf:

      passwd:         files winbind
      group:          files winbind
    • Then, update your configuration with ldconfig

  8. Join the domain with:

    sudo net ads join -U "DOMAINADMIN"
  9. Start samba and winbind
    /etc/init.d/samba start
    /etc/init.d/winbind start
  10. Test
    Run: wbinfo -u
    If you get a list of domain users, you're on. Otherwise, check the logs and double-check yourself.
  11. Make the following changes to your PAM authentication:

    # /etc/pam.d/common-account
    account	sufficient	pam_winbind.so
    account	required	pam_unix.so
    # /etc/pam.d/common-auth
    auth	sufficient	pam_winbind.so
    auth	required	pam_unix.so use_first_pass
    # /etc/pam.d/common-session
    session	required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session	sufficient	pam_winbind.so
  12. Try to log in as a domain user. This can be done "at the box" or through an SSH session if sshd has been configured to use PAM.

This is almost verbatim from [1]. The changes occur in making an addition to /etc/hosts and restarting networking BEFORE continuing and in some extra lines to /etc/samba/smb.conf. Oddly enough, when I was working on a workstation instead of a server, Ubuntu's GUIfied version of this process was overly involved and a general pain in the neck.
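
A preflight check for the files edited in steps 3 to 7, meant to be run before the join in step 8. It is an added example, not part of the original post or of [1]; the function names, the directory-of-copies layout and the sample values (EXAMPLE.LOCAL, 192.0.2.10) are assumptions.

```sh
#!/bin/sh
# Added example: read-only consistency check on copies of the files from steps 3-7.

conf_get() {  # conf_get FILE KEY -> value of the first "KEY = value" line
    awk -F= -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

has_winbind() {  # has_winbind FILE DATABASE -> true if winbind is a listed source
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

bad() { echo "PROBLEM: $*"; n=$((n + 1)); }

check_join_config() {  # check_join_config DIR -> prints problems, returns their count
    d=$1; n=0
    realm=$(conf_get "$d/smb.conf" realm)
    krb=$(conf_get "$d/krb5.conf" default_realm)
    wg=$(conf_get "$d/smb.conf" workgroup)
    kdc=$(conf_get "$d/krb5.conf" kdc)
    [ -n "$realm" ] && [ "$realm" = "$krb" ] ||
        bad "smb.conf realm '$realm' != krb5.conf default_realm '$krb'"
    case $realm in *.*) ;; *) bad "realm '$realm' must be the full domain" ;; esac
    case $wg in ""|*.*) bad "workgroup '$wg' must be the short domain name" ;; esac
    [ "$(conf_get "$d/smb.conf" security)" = ads ] || bad "smb.conf: security is not ads"
    # Step 3: the KDC address needs a name in hosts so the reverse lookup succeeds.
    awk -v ip="$kdc" '$1 == ip && NF > 1 { f = 1 } END { exit !f }' "$d/hosts" ||
        bad "hosts: no entry for the KDC '$kdc'"
    for db in passwd group; do
        has_winbind "$d/nsswitch.conf" "$db" || bad "nsswitch.conf: $db lacks winbind"
    done
    return "$n"
}

make_sample() {  # constructed sample; EXAMPLE.LOCAL and 192.0.2.10 are placeholders
    mkdir -p "$1"
    printf '[libdefaults]\ndefault_realm = EXAMPLE.LOCAL\n[realms]\nEXAMPLE.LOCAL = {\nkdc = 192.0.2.10\n}\n' > "$1/krb5.conf"
    printf '[global]\nrealm = EXAMPLE.LOCAL\nworkgroup = EXAMPLE\nsecurity = ads\n' > "$1/smb.conf"
    printf 'passwd: files winbind\ngroup: files\n' > "$1/nsswitch.conf"  # group line wrong on purpose
    printf '127.0.0.1 localhost\n192.0.2.10 dc1.example.local dc1\n' > "$1/hosts"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_join_config "$tmp" || echo "$? problem(s) found"
rm -rf "$tmp"
```

To check a real machine, copy /etc/krb5.conf, /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/hosts into one directory and pass that directory to check_join_config.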

References

  1. Using Winbind to Resolve Active Directory Accounts in Debian
  2. Samba Documentation: Chapter 24: Winbind: Use of Domain Accounts