Debian Samba filesharing with Microsoft Active Directory authentication


07 July 2009
I was trying to get my Debian Linux machines authenticating against a Microsoft Active Directory. There are a few howtos on this subject, but I had to merge them to get it working in a clean way on my Debian machine.

Therefore I wrote this little howto, so that it is easier for Debian users to get their Linux box authenticating against a Windows Active Directory.

There are a number of steps to follow. The text uses placeholders (DOMAIN.LOCAL, hostname-of-your-domaincontroller, ip-of-your-domaincontroller, hostname) where you have to substitute your own names and IP addresses. The Kerberos realm (DOMAIN.LOCAL) is always written in capitals.

Well, let's start!


Step 1

Install the needed packages by running the following command. rdate is there to compare the clock with the domain controller's: Kerberos rejects requests from a client whose clock is more than five minutes off.

# apt-get install krb5-config krb5-user krb5-doc winbind samba rdate

Step 2

Edit /etc/hosts so it looks like this, with the fully qualified name first so that "hostname -f" returns it:

## /etc/hosts

127.0.0.1 hostname.DOMAIN.LOCAL localhost hostname

Step 3

Edit /etc/krb5.conf so it looks like this:

## /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log


[libdefaults]

default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes

[realms]

DOMAIN.LOCAL = {
kdc = hostname-of-your-domaincontroller.DOMAIN.LOCAL
admin_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}


[domain_realm]

.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

The keys in [domain_realm] are compared case-sensitively against the lowercased hostname, so write them in lowercase; the ".kerberos.server" entry from Debian's example file does nothing here and can go. Without a matching key libkrb5 falls back to the uppercased DNS domain, which happens to be right for DOMAIN.LOCAL but breaks as soon as realm name and DNS domain differ. With dns_lookup_kdc = false the client only ever talks to the one domain controller named under [realms]; set it to true to let it find all domain controllers through the _kerberos._tcp SRV records that Active Directory publishes.

Step 4

Test the connection to Active Directory by requesting a ticket for the domain Administrator:


# kinit Administrator@DOMAIN.LOCAL

Step 5

Check that the ticket request made with kinit succeeded by listing the credential cache:

# klist

The result of this command should be something like this:

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: administrator@DOMAIN.LOCAL


Valid starting Expires Service principal

09/10/08 12:07:01 09/10/08 22:05:53 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

renew until 09/11/08 12:07:01
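
Steps 3 to 5 fail for a few reasons that have nothing to do with the krb5.conf syntax: the domain controller's name does not resolve, the clocks are more than five minutes apart, or the [domain_realm] keys are written in the wrong case. The following script is an added example, not part of the original howto. realm_for_host reproduces libkrb5's [domain_realm] lookup rule, the clock is compared with the domain controller using the rdate installed in step 1, and only then is kinit run. REALM and DC are the howto's placeholders and have to be replaced; the rdate flags assume Debian's OpenBSD-derived rdate (-n for SNTP, -p to print rather than set the time); the [domain_realm] samples written by sample_krb5_conf are constructed for the demonstration.

```shell
#!/bin/sh
# krb5-preflight.sh: checks to run before "kinit" (steps 3 to 5 of the howto).
# Added example, not part of the original text. Assumptions: REALM and DC are
# the howto's placeholders and must be replaced; rdate is Debian's
# OpenBSD-derived rdate (-n = SNTP on UDP 123, which domain controllers serve,
# -p = print the remote time instead of setting the clock).

REALM="${REALM:-DOMAIN.LOCAL}"
DC="${DC:-hostname-of-your-domaincontroller.DOMAIN.LOCAL}"
MAX_SKEW=300    # seconds; the KDC rejects requests outside this window (clock_skew in krb5.conf)

# skew_ok LOCAL_EPOCH REMOTE_EPOCH -> 0 if the two clocks differ by at most MAX_SKEW
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# realm_for_host KRB5_CONF HOST
# Reproduces libkrb5's [domain_realm] lookup: HOST is lowercased, the exact
# name is tried first, then each parent domain with a leading dot
# (".domain.local", then ".local"). Keys are compared case-sensitively, so a
# key written ".DOMAIN.LOCAL" never matches. Prints the realm and returns 0,
# or prints nothing and returns 1 when no key matches (libkrb5 then guesses
# the realm from the uppercased DNS domain).
realm_for_host() {
    conf=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while :; do
        realm=$(awk -v k="$key" '
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/   { in_sec = ($0 ~ /\[domain_realm\]/); next }
            in_sec {
                line = $0; gsub(/[ \t]/, "", line)
                n = index(line, "=")
                if (n && substr(line, 1, n - 1) == k) { print substr(line, n + 1); exit }
            }' "$conf")
        if [ -n "$realm" ]; then
            printf '%s\n' "$realm"
            return 0
        fi
        key=${key#.}                    # drop the leading dot, then move to the parent domain
        case $key in
            *.*) key=".${key#*.}" ;;
            *)   return 1 ;;
        esac
    done
}

# sample_krb5_conf STYLE FILE
# Constructed sample data for the demonstration: "howto" writes the uppercase
# [domain_realm] keys many recipes use, "fixed" the lowercase keys libkrb5 needs.
sample_krb5_conf() {
    case $1 in
        howto) printf '%s\n' '[libdefaults]' 'default_realm = DOMAIN.LOCAL' '' \
                   '[domain_realm]' '.kerberos.server = DOMAIN.LOCAL' '.DOMAIN.LOCAL = DOMAIN.LOCAL' > "$2" ;;
        fixed) printf '%s\n' '[libdefaults]' 'default_realm = DOMAIN.LOCAL' '' \
                   '[domain_realm]' '.domain.local = DOMAIN.LOCAL' 'domain.local = DOMAIN.LOCAL' > "$2" ;;
    esac
}

main() {
    # 1. The DC's name must resolve (via /etc/hosts or DNS); krb5.conf names it rather than using an IP.
    getent hosts "$DC" >/dev/null || { echo "FAIL: cannot resolve $DC" >&2; exit 1; }

    # 2. [domain_realm] should map the DC into REALM; a missing key only produces a warning.
    if mapped=$(realm_for_host /etc/krb5.conf "$DC"); then
        [ "$mapped" = "$REALM" ] || { echo "FAIL: $DC maps to realm $mapped, not $REALM" >&2; exit 1; }
    else
        echo "WARN: no [domain_realm] key matches $DC; libkrb5 will guess the realm" >&2
    fi

    # 3. Clock skew against the DC, the usual cause of "Clock skew too great" on a fresh install.
    remote=$(date -d "$(rdate -np "$DC")" +%s) || { echo "FAIL: could not read the time from $DC" >&2; exit 1; }
    skew_ok "$(date +%s)" "$remote" || { echo "FAIL: clock differs from $DC by more than $MAX_SKEW s" >&2; exit 1; }

    # 4. Only now ask the KDC for a TGT and show it (steps 4 and 5).
    kinit "Administrator@$REALM" && klist
}

case ${0##*/} in krb5-preflight.sh) main "$@" ;; esac
```

Run it as ./krb5-preflight.sh after writing krb5.conf. Sourcing the file and calling sample_krb5_conf howto /tmp/k.conf followed by realm_for_host /tmp/k.conf dc01.DOMAIN.LOCAL shows that uppercase keys produce no match at all, while the "fixed" variant returns DOMAIN.LOCAL.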


Step 6

Configure Samba by adjusting its configuration file. Open /etc/samba/smb.conf and edit it so the [global] section looks like this:

## /etc/samba/smb.conf 

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = ip-of-your-domaincontroller
encrypt passwords = yes
security = ADS
netbios name = hostname-of-your-linux-fileserver
client signing = Yes
dns proxy = No
wins server = ip-of-your-domaincontroller
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

A few things to keep in mind about this configuration. password server is given as an IP address here; with security = ADS Samba has to derive the domain controller's Kerberos principal from its name, so a DNS hostname (the same one as in krb5.conf) is the safer choice, and leaving the parameter out altogether lets Samba locate domain controllers itself. The idmap uid and idmap gid ranges are the UIDs and GIDs winbind assigns to domain accounts: they must not overlap any local account (Debian creates local users from 1000 upwards) and should not be changed once domain users own files, because the mapping from SIDs to IDs, and with it file ownership, is tied to that range. winbind enum users/groups = Yes makes "getent passwd" list the whole domain, which is convenient for testing but slow on a large directory.

Step 7

Restart Samba by entering the following command:

# /etc/init.d/samba restart

winbind, installed in step 1, runs as a separate daemon with its own init script (/etc/init.d/winbind) and reads smb.conf as well. Restart it the same way after this step, and again after the join in step 8; otherwise wbinfo in step 9 may still be talking to a daemon started with the old configuration.

Now you're ready to join the Active Directory.


Step 8


Join the local domain / Active Directory by entering the following command:

# net ads join -U administrator

You will be asked for the password of the Administrator account (any account allowed to create computer objects in the domain will do). If the command returns without an error message, the machine account has been created in Active Directory and the host is a domain member; "net ads testjoin" verifies the join afterwards.

Step 9

Get the list of domainusers:

# wbinfo -u

Step 10

Get the list of domain groups:

# wbinfo -g

Step 11

Check your Samba configuration:

# testparm -v

Step 12

Edit /etc/nsswitch.conf by making it look like this:

## /etc/nsswitch.conf

passwd:     compat winbind
shadow:     compat winbind
group:       compat winbind

Step 13

Create the directory under which winbind places the home directories of domain users. Samba's default for template homedir is /home/%D/%U, so users of your domain end up in /home/DOMAIN/username; the directory has to exist, be named exactly like the workgroup in smb.conf, and the per-user directories below it are not created automatically:

# mkdir /home/DOMAIN


And you're done! Your Linux box should now be using your Windows domain controller for authentication.
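
Before running step 8 it is worth checking that the idmap range from step 6 does not overlap local accounts, and after it that the join actually works. The following script is an added example, not part of the original howto. idmap_bounds and range_clash read the idmap uid / idmap gid ranges from smb.conf and compare them with /etc/passwd and /etc/group; main then runs the join followed by net ads testjoin, wbinfo -t and getent as the post-join checks. The smb.conf fragment and passwd file written by sample_inputs are constructed for the demonstration (the service account at UID 10500 is made up to show a clash), and the ranges are parsed in the Samba 3.0-3.2 "idmap uid = LOW-HIGH" form this howto uses, not the later "idmap config" form.

```shell
#!/bin/sh
# join-check.sh: checks around "net ads join" (steps 6 to 13 of the howto).
# Added example, not part of the original text. The idmap uid/gid range in
# smb.conf is the pool of UIDs/GIDs winbind hands out for domain SIDs; if it
# overlaps entries already in /etc/passwd or /etc/group, a domain account can
# end up owning a local account's files. The overlap is checked before the
# join, while the range can still be changed freely. Assumes the Samba 3.0-3.2
# "idmap uid = LOW-HIGH" syntax used in this howto, not the later
# "idmap config" form; sample_inputs writes constructed demo data.

# idmap_bounds SMB_CONF KEY   (KEY is "idmap uid" or "idmap gid", case-insensitive)
# Prints "LOW HIGH" parsed from the "KEY = LOW-HIGH" line, nothing if KEY is absent.
idmap_bounds() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -F= -v want="$want" '
        /^[ \t]*[#;]/ { next }
        NF == 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == want) {
                v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v)
                print v; exit
            }
        }' "$1"
}

# range_clash LOW HIGH DBFILE
# Prints "name:id" for every line of a passwd- or group-style file whose numeric
# id (third field) lies in LOW..HIGH; returns 0 if there was at least one, else 1.
range_clash() {
    awk -F: -v lo="$1" -v hi="$2" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# idmap_clash SMB_CONF KEY DBFILE
# Returns 0 and lists the offending accounts when the range named by KEY overlaps
# ids in DBFILE, 1 when it is clean, 2 when SMB_CONF has no such range.
idmap_clash() {
    bounds=$(idmap_bounds "$1" "$2")
    [ -n "$bounds" ] || { echo "no '$2' range found in $1" >&2; return 2; }
    range_clash "${bounds% *}" "${bounds#* }" "$3"
}

# sample_inputs SMB_CONF PASSWD
# Constructed demo data: the howto's range, and a passwd file in which a locally
# created service account (UID 10500, made up for the demo) sits inside that range.
sample_inputs() {
    printf '%s\n' '[global]' '   workgroup = DOMAIN' '   security = ADS' \
        '   idmap uid = 10000-20000' '   idmap gid = 10000-20000' > "$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
        'backup-svc:x:10500:10500::/var/backups:/bin/false' \
        'nobody:x:65534:65534:nobody:/nonexistent:/bin/sh' > "$2"
}

main() {
    conf=/etc/samba/smb.conf
    for key in "idmap uid" "idmap gid"; do
        db=/etc/passwd
        [ "$key" = "idmap gid" ] && db=/etc/group
        if clashes=$(idmap_clash "$conf" "$key" "$db"); then
            echo "FAIL: local entries inside the $key range, change the range before joining:" >&2
            echo "$clashes" >&2
            exit 1
        fi
    done
    testparm -s "$conf" >/dev/null || exit 1   # step 11, done before touching the domain
    net ads join -U Administrator || exit 1    # step 8
    /etc/init.d/winbind restart                # winbindd has to pick up the new machine account
    net ads testjoin                           # is the machine account usable?
    wbinfo -t                                  # does the trust secret work?
    wbinfo -u | head -n 5                      # step 9: users are visible through winbind
    getent passwd Administrator                # step 12: NSS resolves domain users (use default domain = yes)
}

case ${0##*/} in join-check.sh) main "$@" ;; esac
```

Run it as ./join-check.sh before step 8; if it reports clashing entries, move the idmap range above the highest local UID and GID and restart Samba and winbind before joining.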

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Extra configuration/feature

It's possible to change your Active Directory password using the passwd command. This is handy for people who like working in a terminal, and Linux applications that change passwords through PAM will then be able to change your AD password as well.

On Debian the password stack lives in /etc/pam.d/common-password, which /etc/pam.d/passwd pulls in with "@include common-password", so pam_winbind only has to be added there. Make the file look like this:

## /etc/pam.d/common-password

password    sufficient    pam_winbind.so
password    required      pam_unix.so

pam_winbind goes first and is marked sufficient, so a domain user's change is sent to the domain controller and the stack stops there; a local user, whom winbind does not know, falls through to pam_unix. The "include system-auth" lines that appear in some versions of this recipe come from Red Hat's PAM layout; Debian has no system-auth file, so leave them out.


Do you have a question, a problem or a feature request? Don't hesitate to drop me a line or post a comment.
2009-08-11 by dp
I am having an issue at step 4 running kinit Administrator@domain.LOCAL

I get the following error - kinit(v5): Cannot find KDC for requested realm while getting initial credentials.

Any idea on how I can fix this issue?

Thanks
2009-08-15 by Ruben Leusink
Hi dp,

The kinit script can't find the Domain Controller. Did you enter the right dns hostname in step three?

Another thing it could be is a time difference of more than five minutes between your Linux server and the Domain Controller.

Let me know if this helps you out.

- Ruben
2009-09-28 by oes tsetnoc
Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Linux as fast as possible. It worked for me and thank you for the effort. Keep up the good work.
2010-02-05 by renantech
This is really a well laid out website. I like how you have presented the information in full detail. Keep up the great work
