I've been building a few servers, as of late, at work. For our Windows workstations, we have an AD domain controller setup which, obviously, handles the authentication for each of those machines. For us, as for our users, it is nice to be able to use our normal logins for all of the server maintenance.

So, I joined the boxes to the domain. Like so many things in the Linux world, this task is, ultimately, not hard and has been done by a gazillion people, most of whom have written on it to some degree or another. But, at the same time, the documentation that is received is almost always sketchy, dropping an "obvious" step or two and simply ploughing through. I found some good resources, but still ended up "patching" my directions to get everything working as it ought. Most of the directions came from the first reference below, the author of which seems to be a man after my own heart. However, I still had to do some tweaking. Note: all commands run as root. Anywhere where REALM is used, this is the full domain (i.e. myorg.local or myorg.net, not simply myorg). Anywhere DOMAIN is used, the short name is what it means (myorg, not myorg.local or myorg.net). pdc_ip_address is the IP address for the primary domain controller. Should be obvious, but let's follow the KISS principle, shall we?

  1. Install the software. Notice that, as opposed to in [1], I installed the package ntp not ntp-server
    apt-get install libkrb53 krb5-config samba winbind ntpdate ntp
  2. Stopping the services.
    sudo /etc/init.d/samba stop
    sudo /etc/init.d/winbind stop
    sudo /etc/init.d/ntp stop
  3. Kerberos needs to be able to do a reverse DNS lookup on the domain controller [1]. This caused me all sorts of problems. In our network, this simply wasn't happening automatically. Rather than try to figure out why, I added the domain controller to /etc/hosts and restarted the networking service. The downside to this, of course, is if for some reason (like, maybe, a network upgrade) the IP for the domain controller changed in /etc/hosts.
  4. Configure Kerberos as in [1]
    • Add a section like the following to the section [realms]
      kdc = pdc_ip_address
    • In the section libdefaults, set the default realm like so:
      default_realm = REALMNAME
  5. Configure ntp as in [1]
    • Add a line of the form
      server pdc_ip_address
      to /etc/ntp
    • Start the service with /etc/init.d/ntp start
  6. Configure Winbind as in [1] with the following supplemental lines (note: the last few lines disable printing; this was good for the server I was using and suppressed complaints in the logs, but if you need printing take them out):
    realm = REALMNAME
    workgroup = DOMAINNAME
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = \
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
  7. Configure nsswitch

    • Make the following changes to /etc/nsswitch:

      passwd:         files winbind
    • Then, update your configuration with ldconfig
      group:          files winbind

  8. Join the domain with:

    sudo net ads join -U "DOMAINADMIN"
  9. Start samba and winbind
    /etc/init.d/samba start
    /etc/init.d/winbind start
  10. Test
    Run: wbinfo -u
    If you get a list of domain users, you're on. Otherwise, check logs and doublecheck yourself.
  11. Make the following changes to your pam authentication:

    # /etc/pam.d/common-account
    account	sufficient	pam_winbind.so
    account	required	pam_unix.so
    # /etc/pam.d/common-auth
    auth	sufficient	pam_winbind.so
    auth	required	pam_unix.so use_first_pass
    # /etc/pam.d/common-session
    session	required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session	sufficient	pam_winbind.so
  12. Try and login with a domain user. This can be done "at the box" or through an SSH session if sshd has been configured to use PAM

This is almost verbatim from [1]. The changes occur in making an addition to /etc/hosts and restarting networking BEFORE continuing and in some extra lines to /etc/samba/smb.conf. Oddly enough, when I was working on a workstation instead of a server, Ubuntu's GUIfied version of this process was overly involved and a general pain in the neck.

  1. Using Winbind to Resolve Active Directory Accounts in Debian
  2. Samba Documentation: Chapter 24: Winbind: Use of Domain Accounts