
Ubuntu Active Directory integration

Winbind Linux Active Directory domain integration: guide for Ubuntu 12.04

Install the required and useful packages:

apt-get install winbind samba heimdal-clients heimdal-clients-x libpam-heimdal libgssapi3-heimdal libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap 
apt-get install openldap-utils auth-client-config ssh ntp

Enable the service at boot:

update-rc.d winbind enable

Check the key system configuration files:

/etc/resolv.conf :
nameserver ?
nameserver ?
search domain1 domain2 ...
domain your-domain

/etc/hosts :
127.0.0.1          localhost
X.X.X.X            srv001

/etc/nsswitch.conf :
passwd: files winbind db
group: files winbind db
shadow: files winbind


/etc/krb5.conf :

[logging]
        default = FILE:/var/log/krb.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = NOMBLOT.ORG
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        udp_preference_limit = 0

[domain_realm]
        .nomblot.org = NOMBLOT.ORG
        nomblot.org = NOMBLOT.ORG

[realms]
        NOMBLOT.ORG = {
                kdc =
                kpasswd_server =
        }


/etc/samba/smb.conf :

[global]
        server string = %h
        workgroup = NOMBLOT
        realm = NOMBLOT.ORG
        security = ads
        domain master = no
        local master = no
        allow trusted domains = no
        socket options = TCP_NODELAY
        template homedir = /home/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
        password server = *
        client ntlmv2 auth = yes

        idmap config NOMBLOT:backend = ad
        idmap config NOMBLOT:default = yes
        idmap config NOMBLOT:schema_mode = rfc2307
        idmap config NOMBLOT:range = 500 - 300000000
        idmap config *:backend = ad
        idmap config *:range = 500 - 300000000
        idmap cache time = 1209600
        idmap negative cache time = 1209600
        username map cache time = 300
        winbind cache time = 300
        winbind expand groups = 10
        winbind use default domain = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307
        winbind offline logon = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind reconnect delay = 5

        # winbind bug: if set to yes, the winbind cache is ignored
        winbind normalize names = no

        dns proxy = no
        log file = /var/log/samba/log.%m
        log level = 0 idmap:0 winbind:1
        max log size = 1000
        obey pam restrictions = yes
        pam password change = yes
        name resolve order = host
        create krb5 conf = no
        private dir = /var/lib/samba
        state directory = /var/lib/samba
        cache directory = /var/cache/samba
        lock directory = /var/lib/samba
        pid directory = /var/run
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid syslog messagebus colord lightdm whoopsie avahi-autoipd avahi usbmux kernoops pulse rtkit saned speech-dispatcher hplip sshd
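The two files above carry settings worth checking mechanically before joining: the enctype lists in krb5.conf still admit single DES and RC4, and smb.conf has a handful of values a domain member should keep. As an added example that is not part of the original page, this Python script parses krb5.conf / smb.conf style text with a small reader of its own (not the Samba or Kerberos libraries) and reports the weak enctypes next to an AES-only version of the same file, plus the smb.conf settings the page relies on. The configuration fragments and the kdc hostname in them are constructed samples.

```python
import re

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}   # broken; modern MIT and Heimdal refuse them by default
RC4 = {"arcfour-hmac-md5"}                    # deprecated for Kerberos by RFC 8429


def parse_ini(text):
    """Minimal reader for krb5.conf / smb.conf style files: {section: {key: value}}.

    '#' and ';' comments are stripped. Brace blocks (the per-realm definitions in
    [realms]) are skipped; nothing audited here lives inside them.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or line == "}" or line.endswith("{"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_krb5(text):
    """Report weak enctypes in the three [libdefaults] enctype lists."""
    lib = parse_ini(text).get("libdefaults", {})
    findings = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for enc in lib.get(key, "").split():
            if enc in SINGLE_DES:
                findings.append("%s: %s is single DES; remove it" % (key, enc))
            elif enc in RC4:
                findings.append("%s: %s is RC4, deprecated by RFC 8429" % (key, enc))
    return findings


def audit_smb(text):
    """Check the [global] settings a Kerberos domain member should keep."""
    g = parse_ini(text).get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for Kerberos authentication against AD")
    if g.get("client ntlmv2 auth", "no").lower() != "yes":
        findings.append("client ntlmv2 auth should be 'yes' so only NTLMv2/LMv2 responses are sent")
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "no").lower() == "yes":
            findings.append("%s = yes enumerates the whole directory; keep it 'no'" % key)
    if "root" not in g.get("invalid users", "").split():
        findings.append("invalid users does not list root")
    return findings


# Constructed samples. WEAK_KRB5 carries the enctype lists from the page; AES_KRB5
# is the same file with DES and RC4 removed. The kdc hostname is made up.
WEAK_KRB5 = """
[libdefaults]
        default_realm = NOMBLOT.ORG
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
[realms]
        NOMBLOT.ORG = {
                kdc = dc01.nomblot.org
        }
"""
AES_KRB5 = re.sub(r" arcfour-hmac-md5 des-cbc-md5 des-cbc-crc", "", WEAK_KRB5)

GOOD_SMB = """
[global]
        workgroup = NOMBLOT
        security = ads
        client ntlmv2 auth = yes
        winbind enum users = no
        winbind enum groups = no
        invalid users = root daemon bin sys   # trimmed from the page's list
"""
BAD_SMB = GOOD_SMB.replace("security = ads", "security = user") \
                  .replace("client ntlmv2 auth = yes", "client ntlmv2 auth = no") \
                  .replace("winbind enum users = no", "winbind enum users = yes")

if __name__ == "__main__":
    for name, result in (("krb5.conf (page)", audit_krb5(WEAK_KRB5)),
                         ("krb5.conf (AES only)", audit_krb5(AES_KRB5)),
                         ("smb.conf (page)", audit_smb(GOOD_SMB)),
                         ("smb.conf (weakened)", audit_smb(BAD_SMB))):
        print(name, "->", result or "no findings")
```

Run it against the real files with `audit_krb5(open("/etc/krb5.conf").read())` and `audit_smb(open("/etc/samba/smb.conf").read())`; the page's krb5.conf produces nine findings (two DES and one RC4 entry in each of the three lists), the AES-only variant none.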

Join the system to the domain:

#net ads join -U AdminLoginName

Create the keytab:

#net ads keytab create -U AdminLoginName

Add a service principal to the keytab (used for Kerberised services such as Apache, Squid, ...):

#net ads keytab add HTTP -U AdminLoginName

List the services in the keytab:

#net ads keytab list



Configure OpenSSH

Edit /etc/ssh/sshd_config and add:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes


Configure LDAP GSSAPI 

Edit /etc/ldap/ldap.conf:

URI     ldap://  ldap://
SASL_MACHINE_CCACHE    FILE:/etc/krb5.ccache
SASL_MACHINE_KEYTAB    /etc/krb5.keytab

Apache2 with Kerberos

aptitude install libapache2-mod-auth-kerb libapache2-mod-auth-sys-group libapache2-mod-authz-unixgroup apache2
a2enmod auth_kerb authz_unixgroup


Create the HTTP service principal in the keytab, copy the keytab for Apache, and fix the access rights. Note that /etc/krb5.keytab also holds the machine account's host/ keys, so this copy hands those to www-data as well; giving Apache a keytab that contains only the HTTP entries avoids that.

net ads keytab add HTTP -U AdminLoginName
cp /etc/krb5.keytab /etc/apache2/http.keytab
chown www-data:www-data /etc/apache2/http.keytab 
chmod 600 /etc/apache2/http.keytab  
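To see what `net ads keytab list` shows without a running Kerberos environment, and to produce the HTTP-only keytab for Apache instead of a copy of the whole machine keytab, here is an added example (not from the original page, and not using the Samba or Heimdal tools) that reads the version-2 keytab file format shared by MIT and Heimdal: it lists principals, kvno and enctype of every entry, flags single-DES keys, and writes out a keytab holding only a given service's entries. The sample keytab bytes, the hostname srv001.nomblot.org and the key material are constructed.

```python
import struct

# Enctype numbers from the IANA Kerberos Encryption Type Numbers registry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}
KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2, shared by MIT and Heimdal
KRB5_NT_PRINCIPAL = 1


def _counted(buf, off):
    """Read a uint16 length-prefixed byte string at offset off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version-2 keytab into a list of entry dicts.

    Entry layout: int32 size, uint16 component count, counted realm, counted
    components, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype,
    uint16 key length, key, optional uint32 kvno. The raw bytes of each entry
    (size prefix included) are kept so entries can be copied out verbatim.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off, off + 4
        if size < 0:                  # negative size marks a deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno = struct.unpack_from(">IIB", data, off)
        enctype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + keylen            # the key bytes are skipped and never printed
        if end - off >= 4:            # a 32-bit kvno, when present, overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "vno": vno,
                        "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
                        "raw": data[start:end]})
        off = end
    return entries


def des_entries(entries):
    """(principal, enctype) for every single-DES key the keytab still carries."""
    return [(e["principal"], e["enctype"]) for e in entries if e["enctype"] in SINGLE_DES]


def filter_keytab(data, service):
    """Return a keytab containing only the entries for service/<host>@REALM."""
    keep = [e["raw"] for e in parse_keytab(data) if e["principal"].split("/")[0] == service]
    return KEYTAB_MAGIC + b"".join(keep)


def build_entry(principal, realm, enctype, key, vno, timestamp=0):
    """Serialise one entry; used here only to construct the sample keytab."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body


# Constructed sample (hostname, realm use and dummy keys are made up): roughly what
# `net ads keytab create` plus `net ads keytab add HTTP` leave in /etc/krb5.keytab
# while DES and RC4 are still in permitted_enctypes.
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join([
    build_entry("host/srv001.nomblot.org", "NOMBLOT.ORG", 18, b"\x11" * 32, vno=2),
    build_entry("host/srv001.nomblot.org", "NOMBLOT.ORG", 3, b"\x22" * 8, vno=2),
    build_entry("HTTP/srv001.nomblot.org", "NOMBLOT.ORG", 18, b"\x33" * 32, vno=2),
    build_entry("HTTP/srv001.nomblot.org", "NOMBLOT.ORG", 23, b"\x44" * 16, vno=2),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%3d %s@%s %s" % (e["vno"], e["principal"], e["realm"], e["enctype"]))
    print("single-DES keys:", des_entries(entries))
    print("HTTP-only keytab entries:", len(parse_keytab(filter_keytab(SAMPLE_KEYTAB, "HTTP"))))
```

Applied to the real file as root, `filter_keytab(open("/etc/krb5.keytab", "rb").read(), "HTTP")` written to /etc/apache2/http.keytab (then the same chown/chmod as above) gives www-data the HTTP keys only; the host/ keys stay readable by root alone.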



Lines to insert in a site configuration to use Kerberos authentication. Keep only the Require line you need: Require valid-user admits every authenticated domain user, which makes the group and user lines redundant. KrbMethodK5Passwd on enables a Basic-auth password fallback, so the site should only be served over HTTPS.

AuthName "Zone Kerberos"
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbSaveCredentials off
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
AuthzUnixgroup on
Require group nomdugroupe
Require user nomduuser
Require valid-user



Configure internet browsers

Firefox (Linux and Windows): in about:config, set

network.negotiate-auth.trusted-uris (default: empty): comma-separated list of sites allowed to use Negotiate (SPNEGO) authentication
network.negotiate-auth.delegation-uris (default: empty): comma-separated list of sites to which the browser may forward the user's Kerberos credentials

Chromium and Google Chrome on Linux

Chrome (on Linux) needs to be launched with:

$chromium-browser --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"
$google-chrome --auth-server-whitelist="*" --auth-negotiate-delegate-whitelist="*"

Both switches take a comma-separated list of servers, wildcards included (for example *.nomblot.org). "*" trusts every server, and on the delegate list it lets any web server the user authenticates to receive a forwarded TGT in the user's name, so restrict both lists to the domain's own hosts.


Destroy credentials

kdestroy

List credentials

klist

Leave the domain

#net ads leave -U AdminLoginName



Debug:

AD:

Check the AD machine account properties (with ADSI Edit): the servicePrincipalName attribute must exist.

Winbind:

Stop the winbind daemon and run it in the foreground in debug mode:

service winbind stop

winbindd -S -i -d4 -n

Join with debug output (level 10) against a specific domain controller:

net ads join -U pat -S my-AD-server -d 10

ssh, server side:
/usr/sbin/sshd -d -p 2222
ssh, client side:
ssh -vvvv srvnnn-bes -p 2222

If a virtual machine has been duplicated, remove the files in /var/lib/samba and join the machine again.

Get details of a user's groups:

wbinfo -r pnomblot | xargs -i wbinfo --gid-info={}
net ads user info pnomblot

getent group / getent passwd not returning AD users or groups: winbind enum users / winbind enum groups must be set to yes for enumeration to work.

If you're getting bad id information on a Linux system using winbind, flush the winbind cache to trigger an update:

net cache flush


Caution: the primary group cannot be used (it is fixed to "Utilisateurs du domaine" ("Domain Users") for most users)!

Copying "Utilisateurs du domaine" into another group does not work either!