Debian Samba filesharing with Microsoft Active Directory authentication
07 July 2009
I was trying to get my Debian Linux machines authenticating to a
Microsoft Active Directory. There are a few howtos on this subject, but
I had to merge them together to get it to work in a nice way on my
Debian machine. Therefore I wrote this little howto, so it should be easier for Debian users to get their Linux box authenticated against a Windows Active Directory.
There are some steps you have to follow to get it to work. Some values in this text (DOMAIN.LOCAL, hostnames, IP addresses) are placeholders where you have to use your own names or IPs.
Well, let's start!
Step 1
Install the needed packages by running the following command:
# apt-get install krb5-config krb5-user krb5-doc winbind samba rdate
Step 2
Edit /etc/hosts so it looks like this:
## /etc/hosts
127.0.0.1 hostname.DOMAIN.LOCAL localhost hostname
Step 3
Edit /etc/krb5.conf so it looks like this:
## /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clock_skew = 300
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.LOCAL = {
kdc = hostname-of-your-domaincontroller.DOMAIN.LOCAL
admin_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.kerberos.server = DOMAIN.LOCAL
.DOMAIN.LOCAL = DOMAIN.LOCAL
Step 4
Test the connection to Active Directory by requesting a ticket with the following command:
# kinit Administrator@DOMAIN.LOCAL
Step 5
Check whether the ticket request from step 4 succeeded by listing the ticket cache:
# klist
The result of this command should be something like this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.LOCAL
Valid starting Expires Service principal
09/10/08 12:07:01 09/10/08 22:05:53 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 09/11/08 12:07:01
Step 6
Configure Samba by adjusting the Samba configuration file. Open /etc/samba/smb.conf and edit the file, so it looks like this:
## /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = ip-of-your-domaincontroller
encrypt passwords = yes
security = ADS
netbios name = hostname-of-your-linux-fileserver
client signing = Yes
dns proxy = No
wins server = ip-of-your-domaincontroller
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
Step 7
Restart Samba by entering the following command:
# /etc/init.d/samba restart
Now you're ready to join the Active Directory.
Step 8
Join the local domain / Active Directory by entering the following command:
# net ads join -U administrator
You will be asked to enter the Active Directory Administrator password. When the command returns without an error message, your connection to the Active Directory is set up.
Step 9
Get the list of domain users:
# wbinfo -u
Step 10
Get the list of domain groups:
# wbinfo -g
Step 11
Check your Samba configuration:
# testparm -v
Step 12
Edit /etc/nsswitch.conf so it looks like this:
## /etc/nsswitch.conf
passwd: compat winbind
shadow: compat winbind
group: compat winbind
Step 13
Create a home directory for each domain in /home (winbind places domain users' home directories under /home/DOMAIN/username by default):
# mkdir /home/DOMAIN
And you're done! Your Linux box should now be working fine, using your Windows domain controller for authentication.
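As an added example (not part of the original howto), here is a small POSIX shell script that checks, offline, the settings from steps 3 and 6 that the rest of the procedure depends on, so you can run it before testparm in step 11: an upper-case default realm with a KDC named when DNS lookup is disabled (a realm whose case does not match the [realms] entry is one cause of "Cannot find KDC for requested realm"), a clock skew of at most 300 seconds, security = ADS, a Samba realm that matches the Kerberos one, SMB signing and encrypted passwords enabled, and idmap ranges that stay clear of local UIDs. The two sample files it writes are constructed here to mirror the howto's configs; the KDC name dc01.DOMAIN.LOCAL is a placeholder. Point the check functions at your real /etc/krb5.conf and /etc/samba/smb.conf to use it.

```shell
#!/bin/sh
# Added example, not from the original howto: offline consistency checks for
# the krb5.conf and smb.conf settings configured in steps 3 and 6.
# cfg_get FILE SECTION KEY: print the value of KEY under [SECTION].
# Keys match case-insensitively. The "REALM = { ... }" block of krb5.conf is
# treated as part of the enclosing [realms] section, which is enough here.
cfg_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/[]].*$/, "", s); sec = s; next
        }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; exit }
        }' "$1"
}
lower() { tr '[:upper:]' '[:lower:]'; }
upper() { tr '[:lower:]' '[:upper:]'; }

# check_krb5 FILE: return 0 when the Kerberos client settings are consistent.
check_krb5() {
    f=$1; rc=0
    realm=$(cfg_get "$f" libdefaults default_realm)
    [ -n "$realm" ] || { echo "krb5: no default_realm"; rc=1; }
    # An AD realm is the DNS domain in upper case; a lower-case realm does not
    # match the [realms] entry and kinit then reports "Cannot find KDC".
    [ "$realm" = "$(printf %s "$realm" | upper)" ] \
        || { echo "krb5: default_realm '$realm' is not upper case"; rc=1; }
    # With dns_lookup_kdc = false the KDC has to be named explicitly.
    if [ "$(cfg_get "$f" libdefaults dns_lookup_kdc | lower)" = false ]; then
        [ -n "$(cfg_get "$f" realms kdc)" ] \
            || { echo "krb5: dns_lookup_kdc = false but no kdc entry"; rc=1; }
    fi
    # Kerberos tolerates at most clock_skew seconds of clock difference; AD's
    # own default limit is 5 minutes, so a larger value only hides drift.
    skew=$(cfg_get "$f" libdefaults clock_skew)
    [ "${skew:-300}" -le 300 ] 2>/dev/null \
        || { echo "krb5: clock_skew '$skew' exceeds 300 seconds"; rc=1; }
    return $rc
}

# check_smb SMBCONF KRB5CONF: return 0 when the Samba domain-member settings
# are in place and line up with the Kerberos configuration.
check_smb() {
    f=$1; k=$2; rc=0
    [ "$(cfg_get "$f" global security | lower)" = ads ] \
        || { echo "smb: security must be ADS for Kerberos domain membership"; rc=1; }
    [ "$(cfg_get "$f" global realm)" = "$(cfg_get "$k" libdefaults default_realm)" ] \
        || { echo "smb: realm differs from the krb5 default_realm"; rc=1; }
    # client signing covers the SMB connections Samba itself makes, e.g. to the DC.
    case $(cfg_get "$f" global "client signing" | lower) in
        yes|mandatory|required) ;;
        *) echo "smb: client signing should be Yes"; rc=1 ;;
    esac
    [ "$(cfg_get "$f" global "encrypt passwords" | lower)" = yes ] \
        || { echo "smb: encrypt passwords must be yes"; rc=1; }
    # Mapped domain accounts must not collide with local UIDs/GIDs (Debian
    # allocates local users from 1000 upwards).
    for key in "idmap uid" "idmap gid"; do
        low=$(cfg_get "$f" global "$key" | cut -d- -f1)
        [ "${low:-0}" -ge 1000 ] 2>/dev/null \
            || { echo "smb: $key range starts below 1000"; rc=1; }
    done
    return $rc
}

# Constructed sample files mirroring the howto (dc01.DOMAIN.LOCAL is a placeholder).
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = false
clock_skew = 300
[realms]
DOMAIN.LOCAL = {
kdc = dc01.DOMAIN.LOCAL
admin_server = dc01.DOMAIN.LOCAL
}
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
encrypt passwords = yes
client signing = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
EOF
# Broken variant: lower-case realm and no KDC named while DNS lookup is off.
sed -e 's/DOMAIN\.LOCAL/domain.local/' -e '/^kdc/d' "$tmp/krb5.conf" > "$tmp/krb5-bad.conf"

check_krb5 "$tmp/krb5.conf" && check_smb "$tmp/smb.conf" "$tmp/krb5.conf" && echo "sample configs: OK"
check_krb5 "$tmp/krb5-bad.conf" || echo "broken sample rejected as expected"
```

cfg_get is a deliberately simple key lookup rather than a full krb5.conf parser: it only looks at the first matching key in a section and ignores nesting, which is enough for the handful of settings the howto touches.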
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Extra configuration/feature
It's possible to change your Active Directory password using the passwd command. This can be helpful for people who like using the terminal. Also, Linux applications that use passwd for changing passwords will be able to change your AD password.
This feature can be enabled by editing /etc/pam.d/passwd and /etc/pam.d/passwd. Make sure the files look like this:
## /etc/pam.d/passwd
password sufficient pam_winbind.so
password required pam_unix.so
## /etc/pam.d/passwd
password sufficient pam_winbind.so
password required pam_unix.so
auth include system-auth
account include system-auth
password include system-auth
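To show how the stacking in the pam.d fragments above behaves, here is an added example (not from the original post) that extracts the password stack of a PAM service file and checks that pam_winbind.so is tried first with control sufficient, so a successful AD password change ends the stack there, while pam_unix.so follows so local accounts can still change their password. The sample service files are constructed inline; bracketed control syntax such as [success=1 default=ignore] is not handled.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the "password" stack of a
# PAM service file such as /etc/pam.d/passwd.

# pam_password_stack FILE: print "control module" for each active password
# line, in stack order. Plain control words only; bracketed controls such as
# [success=1 default=ignore] are not handled.
pam_password_stack() {
    awk '!/^[[:space:]]*#/ && $1 == "password" { print $2, $3 }' "$1"
}

# check_passwd_stack FILE: return 0 when pam_winbind.so is first and marked
# sufficient (a successful AD password change ends the stack) and pam_unix.so
# comes later so local accounts keep working. With "required" on pam_winbind,
# the stack as a whole fails for local users that winbind does not know.
check_passwd_stack() {
    pam_password_stack "$1" | awk '
        NR == 1 && $1 == "sufficient" && $2 == "pam_winbind.so" { first_ok = 1 }
        NR > 1 && $2 == "pam_unix.so" { unix_later = 1 }
        END { exit !(first_ok && unix_later) }'
}

# Constructed sample service files: the howto's stack and a broken variant.
tmp=$(mktemp -d)
printf '%s\n' '# comment lines are skipped' 'password sufficient pam_winbind.so' \
    'password required pam_unix.so' > "$tmp/passwd.good"
printf '%s\n' 'password required pam_winbind.so' \
    'password required pam_unix.so' > "$tmp/passwd.bad"

check_passwd_stack "$tmp/passwd.good" && echo "passwd.good: winbind first, unix fallback"
check_passwd_stack "$tmp/passwd.bad" || echo "passwd.bad: local password changes would fail"
```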
Do you have a question, a problem or a feature request? Don't hesitate to drop me a line or post a comment.
2009-08-11 by dp
I am having an issue at step 4 running kinit Administrator@domain.LOCAL. I get the following error - kinit(v5): Cannot find KDC for requested realm while getting initial credentials. Any idea on how I can fix this issue? Thanks
2009-08-15 by Ruben Leusink
Hi dp, The kinit script can't find the Domain Controller. Did you enter the right DNS hostname in step three? Another thing it could be is a time difference of more than five minutes between your Linux server and the Domain Controller. Let me know if this helps you out. - Ruben
2009-09-28 by oes tsetnoc
Hi, Just like to tell you that this piece of info is one quick to the point, no nonsense, workable and effective way to have directories shared in Linux as fast as possible. It worked for me and thank you for the effort. Keep up the good work.
2010-02-05 by renantech
This is really a well laid out website. I like how you have presented the information in full detail. Keep up the great work.
2010-03-12 by r.serg
NOTE:
Step 3 edit /etc/krb5.conf so it looks like this:
## /etc/krb5.conf
......................................
[realms]
DOMAIN.LOCAL = {
kdc = hostname-of-your-domaincontroller.DOMAIN.LOCAL
admin_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
kpasswd_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}
.....................................
without this (kpasswd_server=...) you would get this error:
sudo net ads join -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN.LOCAL
Joined 'FILESERVER' to realm 'domain.local'
[2010/03/12 09:26:10, 0] libads/kerberos.c:ads_kinit_password(356)
kerberos_kinit_password FILESERVER$@DOMAIN.LOCAL failed: Client not found in Kerberos database