I've been building a few servers, as of late, at work. For our Windows workstations, we have an AD domain controller setup which, obviously, handles the authentication for each of those machines. For us, as for our users, it is nice to be able to use our normal logins for all of the server maintenance.
So, I joined the boxes to the domain. Like so many things in the Linux world, this task is, ultimately, not hard and has been done by a gazillion people, most of whom have written on it to some degree or another. But, at the same time, the documentation that is received is almost always sketchy, dropping an "obvious" step or two and simply ploughing through. I found some good resources, but still ended up "patching" my directions to get everything working as it ought. Most of the directions came from the first reference below, the author of which seems to be a man after my own heart. However, I still had to do some tweaking. Note: all commands run as root. Anywhere where REALM is used, this is the full domain (i.e. myorg.local or myorg.net, not simply myorg). Anywhere DOMAIN is used, the short name is what it means (myorg, not myorg.local or myorg.net). pdc_ip_address is the IP address for the primary domain controller. Should be obvious, but let's follow the KISS principle, shall we?
- Install the software. Notice that, as opposed to in [1], I installed the package ntp not ntp-server
apt-get install libkrb53 krb5-config samba winbind ntpdate ntp
- Stop the services:
  sudo /etc/init.d/samba stop
  sudo /etc/init.d/winbind stop
  sudo /etc/init.d/ntp stop
- Kerberos needs to be able to do a reverse DNS lookup on the domain controller [1]. This caused me all sorts of problems. In our network, this simply wasn't happening automatically. Rather than try to figure out why, I added the domain controller to /etc/hosts and restarted the networking service. The downside to this, of course, is that if for some reason (like, maybe, a network upgrade) the IP for the domain controller changes, the entry in /etc/hosts is stale and has to be fixed by hand.
- Configure Kerberos as in [1]:
  - Add a section like the following to the [realms] section:
    [realms]
    REALMNAME = {
        kdc = pdc_ip_address
    }
  - In the [libdefaults] section, set the default realm like so:
    [libdefaults]
    default_realm = REALMNAME
- Configure ntp as in [1]:
  - Add a line of the form
    server pdc_ip_address
    to /etc/ntp
  - Start the service with /etc/init.d/ntp start
- Configure Winbind as in [1] with the following supplemental lines in /etc/samba/smb.conf (note: the last few lines disable printing; this was good for the server I was using and suppressed complaints in the logs, but if you need printing, take them out):
  realm = REALMNAME
  workgroup = DOMAINNAME
  security = ads
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template shell = /bin/bash
  template homedir = /home/%D/%U
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = \
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
- Configure nsswitch:
  - Make the following changes to /etc/nsswitch:
    passwd: files winbind
    group: files winbind
  - Then, update your configuration with ldconfig
- Join the domain with:
  sudo net ads join -U "DOMAINADMIN"
- Start samba and winbind:
  /etc/init.d/samba start
  /etc/init.d/winbind start
- Test. Run:
  wbinfo -u
  If you get a list of domain users, you're on. Otherwise, check the logs and double-check yourself.
- Make the following changes to your PAM authentication:
  # /etc/pam.d/common-account
  account sufficient pam_winbind.so
  account required pam_unix.so

  # /etc/pam.d/common-auth
  auth sufficient pam_winbind.so
  auth required pam_unix.so use_first_pass

  # /etc/pam.d/common-session
  session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  session sufficient pam_winbind.so
- Try to log in with a domain user. This can be done "at the box" or through an SSH session, if sshd has been configured to use PAM.
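As an added example (not part of the original post or of [1]): a small POSIX sh script that renders the Kerberos and smb.conf fragments from the steps above from REALM, DOMAIN and pdc_ip_address, and refuses values that mix up the full and short names, since that is the confusion the note at the top warns about. The [global] header, the upper-casing of the realm and the sample values myorg.local / 192.0.2.10 are my assumptions; the settings are the ones listed above.

```shell
# Added example, not from the original post: render the krb5.conf and smb.conf
# fragments from REALM, DOMAIN and pdc_ip_address after checking that each is
# the kind of value its step wants. Nothing touches /etc; output is for review.

# REALM must be the full domain (has a dot), DOMAIN the short name (no dot),
# and the PDC address a dotted-quad IPv4 address. Fails on the first bad value.
check_names() {
    case "$1" in *.*) ;; *) echo "REALM must be the full domain" >&2; return 1 ;; esac
    case "$2" in *.*) echo "DOMAIN must be the short name" >&2; return 1 ;; esac
    echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "pdc_ip_address must be an IPv4 address" >&2; return 1; }
}

# Kerberos realms are case-sensitive and conventionally upper case.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

krb5_fragment() {                       # args: REALM pdc_ip_address
    realm=$(upper "$1")
    printf '[libdefaults]\n    default_realm = %s\n\n' "$realm"
    printf '[realms]\n    %s = {\n        kdc = %s\n    }\n' "$realm" "$2"
}

smb_fragment() {                        # args: REALM DOMAIN ([global] assumed)
    cat <<EOF
[global]
    realm = $(upper "$1")
    workgroup = $(upper "$2")
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = \\
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
EOF
}

# Dry run with constructed values: check first, then print both fragments.
check_names myorg.local myorg 192.0.2.10 && krb5_fragment myorg.local 192.0.2.10 && smb_fragment myorg.local myorg
```

Review the printed fragments, then paste them into /etc/krb5.conf and /etc/samba/smb.conf before running net ads join.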
This is almost verbatim from [1]. The changes are the addition to /etc/hosts (and the networking restart) BEFORE continuing, and the extra lines in /etc/samba/smb.conf. Oddly enough, when I was working on a workstation instead of a server, Ubuntu's GUIfied version of this process was overly involved and a general pain in the neck.
References
[1] Using Winbind to Resolve Active Directory Accounts in Debian
[2] Samba Documentation: Chapter 24: Winbind: Use of Domain Accounts