Debian Microsoft Active Directory Integration

1. Join Debian Linux into Microsoft Active Directory

2. Install Software

aptitude install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp

3. Stop the Services

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/ntp stop

4. Configure Kerberos

Edit /etc/krb5.conf so that it reads as follows:

[logging]
        default = FILE:/var/log/krb.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log

[libdefaults]
        default_realm = NOMBLOT.ORG
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        udp_preference_limit = 0

[domain_realm]
        .cloud.nomblot.org = NOMBLOT.ORG
        .nomblot.org = NOMBLOT.ORG

[realms]
        NOMBLOT.ORG = {
                kdc = srv003.nomblot.org:88
                kpasswd_server = srv003.nomblot.org:464
        }
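The enctype lists above still name single-DES (des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac-md5). Current domain controllers disable DES by default and RC4 is deprecated, so listing them gains nothing except the chance to negotiate a weak ticket type if the KDC still permits one. The script below is an added example and not part of the original article: it reports which deprecated enctypes appear on the three enctype lines of a krb5.conf and writes a copy restricted to the remaining (AES) types. The sample file is constructed from the configuration above; the temporary paths are assumptions, and on a real host you would point the functions at /etc/krb5.conf.

```shell
#!/bin/sh
# Added example: audit the enctype lists in a krb5.conf and produce a
# hardened copy. The sample config is constructed from the article's
# krb5.conf; on a real host run the functions against /etc/krb5.conf.

KRB5_SAMPLE=$(mktemp)
cat > "$KRB5_SAMPLE" <<'EOF'
[libdefaults]
        default_realm = NOMBLOT.ORG
        default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        dns_lookup_kdc = true
EOF

# Enctype names treated as deprecated: every DES/3DES variant and RC4
# (spelled arcfour or rc4 in krb5.conf).
WEAK_RE='^(des|arcfour|rc4)'

# weak_enctypes FILE
# Prints every deprecated enctype named on the default_tgs_enctypes,
# default_tkt_enctypes and permitted_enctypes lines of FILE, one per line,
# without duplicates. Returns 0 when none are present, 1 otherwise.
weak_enctypes() {
    found=$(awk -v weak="$WEAK_RE" '
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")            # keep only the value list
            n = split($0, e, "[ \t]+")
            for (i = 1; i <= n; i++)
                if (e[i] ~ weak && !seen[e[i]]++) print e[i]
        }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# harden_enctypes FILE
# Writes FILE to stdout with deprecated enctypes removed from the three
# lists; every other line passes through unchanged.
harden_enctypes() {
    awk -v weak="$WEAK_RE" '
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)  # indentation + key name
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, e, "[ \t]+"); out = ""
            for (i = 1; i <= n; i++)
                if (e[i] != "" && e[i] !~ weak) out = out (out == "" ? "" : " ") e[i]
            print key " = " out
            next
        }
        { print }' "$1"
}

HARDENED=$(mktemp)
harden_enctypes "$KRB5_SAMPLE" > "$HARDENED"

echo "Deprecated enctypes in sample:"
weak_enctypes "$KRB5_SAMPLE" || true
echo "Deprecated enctypes after hardening:"
weak_enctypes "$HARDENED" && echo "(none)"
```

Run against the sample, the audit lists arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc, and the hardened copy keeps only aes256-cts and aes128-cts on each of the three lines. If the domain controller still has RC4 enabled for a legacy reason, removing it on the client is the right first step anyway: the client then never offers it.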


5. Configure NTP

Kerberos authentication fails when the client clock drifts too far from the domain controller's, so synchronize the clock once against the DC before starting the daemon:

ntpdate 192.168.16.200

When successful, ntpdate synchronizes your clock enough to start the NTP daemon, which handles all further synchronization. To point this daemon at the Windows domain controller, locate the first uncommented line in /etc/ntp.conf beginning with server and make the following change:

# Our primary DC
server 192.168.16.200

With this setting in place, restart the NTP daemon:

/etc/init.d/ntp start

To confirm that your workstation is contacting the primary domain controller for time updates, run ntpq -p. If everything is configured correctly, you should see your primary domain controller’s IP address or DNS name at the top of the list.
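Reading ntpq -p by eye is easy to get wrong: the single character in the first column (the tally mark) is what says whether ntpd actually selected the DC, and a row with reach 0 means the DC has never answered. The script below is an added example, not part of the original article. It classifies the DC's row in a saved ntpq -p listing; both captures are constructed to look like the tool's output and are not from the article's host, and the DC address is the one used above.

```shell
#!/bin/sh
# Added example: classify how ntpd treats the domain controller in a saved
# `ntpq -p` listing. Both captures below are constructed; on a live system
# run `ntpq -p > file` and pass that file instead.

NTPQ_OK=$(mktemp)
cat > "$NTPQ_OK" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.16.200  .LOCL.           1 u   35   64  377    0.312    1.204   0.518
+ntp.example.net 10.0.0.1         2 u   40   64  377   12.400   -0.870   1.200
EOF

# Same layout, but the DC has never answered (reach 0, stratum 16, refid
# .INIT.) and ntpd has selected the secondary server instead.
NTPQ_BAD=$(mktemp)
cat > "$NTPQ_BAD" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.16.200  .INIT.          16 u    -   64    0    0.000    0.000   0.000
*ntp.example.net 10.0.0.1         2 u   40   64  377   12.400   -0.870   1.200
EOF

# ntp_dc_status DC FILE
# Prints one word describing the DC's row in the ntpq -p capture FILE:
#   selected    - ntpd is synchronizing to the DC (tally '*')
#   candidate   - the DC is a usable peer but not the one chosen (tally '+')
#   unreachable - the DC is listed but has not answered (reach column 0)
#   other       - listed and reachable but rejected (outlier, falseticker, ...)
#   absent      - the DC does not appear in the listing at all
ntp_dc_status() {
    awk -v dc="$1" '
        NR <= 2 { next }                       # column header and separator
        {
            tally  = substr($0, 1, 1)          # selection mark in column 1
            remote = (tally == " ") ? $1 : substr($1, 2)
            if (remote != dc) next
            if (tally == "*")      print "selected"
            else if (tally == "+") print "candidate"
            else if ($7 == 0)      print "unreachable"
            else                   print "other"
            found = 1
            exit
        }
        END { if (!found) print "absent" }' "$2"
}

echo "good capture: $(ntp_dc_status 192.168.16.200 "$NTPQ_OK")"
echo "bad capture:  $(ntp_dc_status 192.168.16.200 "$NTPQ_BAD")"
```

Anything other than selected is worth fixing before the domain join: an unreachable DC usually means UDP/123 is filtered or the server line was not picked up, and a candidate result means ntpd preferred another source, which is harmless for Kerberos as long as that source agrees with the DC.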

6. Configure DNS resolution

Add the IP address of your Active Directory domain controller as a nameserver in /etc/resolv.conf:

nameserver 192.168.16.200

7. Configure Winbind

The Winbind service is the engine of this operation. It handles all communication with the Active Directory domain controller and manages the Windows-to-Unix translations that must occur.

You configure this service in /etc/samba/smb.conf. The following lines should be added to its global section:

# Global parameters
[global]
    workgroup = NOMBLOT
    realm = NOMBLOT.ORG
    server string = %h server (Samba %v)
    load printers = no
    security = ads
    local master = no
    domain master = no
    preferred master = no
    wins server = 192.168.16.200
    dns proxy = no
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    interfaces = eth0 lo
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    invalid users = root
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes

The winbind use default domain option modifies the representation of Windows usernames. By default, Windows users must log in by prefixing their username with the workgroup followed by a backslash (DOMAINNAME\username). As a convenience for users, you can set winbind use default domain to yes so that they no longer need to include this prefix. Just be wary of conflicts with existing local accounts.
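The conflict the last sentence warns about is easy to check for before users notice it, and the same data shows whether the winbind uid range above is really being honoured. The script below is an added example and not part of the original article. It compares local /etc/passwd names with the user list winbind returns (accepting both the bare and the DOMAIN\user spelling) and flags any non-local entry in getent passwd whose uid lies outside 10000-20000. All three inputs are constructed samples; on a real host you would use /etc/passwd, the output of wbinfo -u and the output of getent passwd.

```shell
#!/bin/sh
# Added example: find domain accounts whose names collide with local ones
# (the risk the text warns about for "winbind use default domain = yes") and
# domain entries whose uid falls outside the configured "winbind uid" range.
# All three input files are constructed samples; on a real host use
# /etc/passwd, `wbinfo -u > file` and `getent passwd > file`.

LOCAL_PASSWD=$(mktemp)
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jsmith:x:1001:1001:Local John:/home/jsmith:/bin/bash
EOF

# wbinfo -u output. With "winbind use default domain = yes" names are bare;
# with it set to no they carry a DOMAIN\ prefix. The checker accepts both.
WBINFO_USERS=$(mktemp)
cat > "$WBINFO_USERS" <<'EOF'
administrator
mjones
jsmith
NOMBLOT\backup
EOF

# getent passwd output once winbind is wired into nsswitch: local entries
# first, then domain entries mapped into the 10000-20000 range. The last
# line is a constructed anomaly with an id outside that range.
GETENT_PASSWD=$(mktemp)
cat > "$GETENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jsmith:x:1001:1001:Local John:/home/jsmith:/bin/bash
mjones:x:10001:10000:Mary Jones:/home/NOMBLOT/mjones:/bin/bash
administrator:x:10000:10000:Administrator:/home/NOMBLOT/administrator:/bin/bash
svcbackup:x:20500:10000:Backup Service:/home/NOMBLOT/svcbackup:/bin/bash
EOF

# account_collisions LOCAL_PASSWD WBINFO_FILE
# Prints each domain user name (domain prefix stripped, lower-cased) that
# also exists as a local account in LOCAL_PASSWD.
account_collisions() {
    awk -F: '
        NR == FNR { local[$1] = 1; next }     # first file: local names
        {
            name = tolower($0)
            sub(/^.*\\/, "", name)            # drop DOMAIN\ prefix if any
            if (name in local) print name
        }' "$1" "$2"
}

# uid_range_violations MIN MAX LOCAL_PASSWD GETENT_FILE
# Prints "name:uid" for every entry of GETENT_FILE that is not a local
# account and whose uid lies outside [MIN, MAX], i.e. an id that did not
# come from the configured winbind range.
uid_range_violations() {
    awk -F: -v min="$1" -v max="$2" '
        NR == FNR { local[$1] = 1; next }
        !($1 in local) && ($3 + 0 < min + 0 || $3 + 0 > max + 0) { print $1 ":" $3 }
    ' "$3" "$4"
}

echo "name collisions:    $(account_collisions "$LOCAL_PASSWD" "$WBINFO_USERS" | tr '\n' ' ')"
echo "uids outside range: $(uid_range_violations 10000 20000 "$LOCAL_PASSWD" "$GETENT_PASSWD" | tr '\n' ' ')"
```

With the samples, jsmith and backup collide and svcbackup:20500 is outside the range. A collision matters because nsswitch consults compat before winbind: the local jsmith wins every lookup, so the domain user of that name can never log in, and a local account named like a privileged domain account is a standing source of confusion in audit logs.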

8. Configure Nsswitch

Your system uses /etc/nsswitch.conf to determine where it should look to resolve various types of lookups. To resolve users and groups from Active Directory, add a reference to the Winbind name service module (winbind) to the passwd and group lines. Below is the relevant portion of /etc/nsswitch.conf, no more, no less:

# /etc/nsswitch.conf
#
 
passwd:         compat winbind
group:          compat winbind
shadow:         compat
 
hosts:          files dns wins
networks:       files
 
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
 
netgroup:       nis

To activate these changes, run the following command:

ldconfig

9. Join the Domain

With Kerberos, NTP, DNS, Winbind and nsswitch configured, you are ready to join your Debian workstation to the Windows Active Directory domain:

net ads join -U Administrator

Replace Administrator with a user that has privileges to add computers to the domain.

If all goes well, you should receive a short message stating that you have successfully joined the domain.

10. Edit PAM settings

vim /etc/pam.d/common-account
# should contain the following lines:
account sufficient pam_winbind.so
account required pam_unix.so

vim /etc/pam.d/common-auth
# should contain the following lines:
auth    sufficient      pam_unix.so
auth    required        pam_winbind.so  use_first_pass

vim /etc/pam.d/common-password
# should be similar to the one shown below:
password   required   pam_unix.so nullok obscure min=4 max=50 md5

vim /etc/pam.d/common-session
# file contains the following line:
session     required    pam_mkhomedir.so umask=0022 skel=/etc/skel
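Because sshd is restarted in the next step, it pays to check the nsswitch and PAM edits before that restart rather than after the first failed login. The script below is an added example and not part of the original article. It verifies that passwd and group consult winbind and that the three PAM files carry the pam_winbind and pam_mkhomedir lines shown above, printing one line per problem and nothing when all is well. The PAM directory and nsswitch files are constructed copies of the fragments above; the second nsswitch copy deliberately leaves winbind off the group line to show the failure case, and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example: pre-restart check of the nsswitch and PAM changes. The files
# are constructed copies of the article's fragments; on a real host call
# ad_login_check /etc/pam.d /etc/nsswitch.conf.

PAMDIR=$(mktemp -d)
cat > "$PAMDIR/common-account" <<'EOF'
account sufficient pam_winbind.so
account required pam_unix.so
EOF
cat > "$PAMDIR/common-auth" <<'EOF'
auth    sufficient      pam_unix.so
auth    required        pam_winbind.so  use_first_pass
EOF
cat > "$PAMDIR/common-session" <<'EOF'
session     required    pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

NSS_OK=$(mktemp)
cat > "$NSS_OK" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
EOF

# Deliberately broken variant: group lookups never reach winbind, so domain
# users resolve but their domain group memberships do not.
NSS_BROKEN=$(mktemp)
cat > "$NSS_BROKEN" <<'EOF'
passwd:         compat winbind
group:          compat
shadow:         compat
EOF

# active_line_matches FILE PATTERN
# Succeeds when FILE has a line matching PATTERN (extended regex) that is
# not commented out.
active_line_matches() {
    [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Eq -- "$2"
}

# ad_login_check PAMDIR NSSWITCH_FILE
# Prints one line per problem that would leave domain logins broken after
# the service restart; prints nothing when every check passes.
ad_login_check() {
    pamdir=$1; nss=$2
    for db in passwd group; do
        active_line_matches "$nss" "^$db:.*[[:space:]]winbind([[:space:]]|$)" \
            || echo "nsswitch: '$db' line does not consult winbind"
    done
    active_line_matches "$pamdir/common-account" 'pam_winbind\.so' \
        || echo "common-account: pam_winbind.so missing (domain accounts will be refused)"
    active_line_matches "$pamdir/common-auth" 'pam_winbind\.so.*use_first_pass' \
        || echo "common-auth: pam_winbind.so with use_first_pass missing"
    active_line_matches "$pamdir/common-session" 'pam_mkhomedir\.so' \
        || echo "common-session: pam_mkhomedir.so missing (no home directory on first login)"
}

echo "page configuration:"
ad_login_check "$PAMDIR" "$NSS_OK"
echo "broken nsswitch:"
ad_login_check "$PAMDIR" "$NSS_BROKEN"
```

Keep a second SSH session open as a local user while restarting sshd; if the check passes but domain logins still fail, that session is how you get back in to read /var/log/auth.log.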

11. Restart these services in order

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/ssh restart

12. Verify

At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don't display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g.

To check the machine's domain membership status:

net ads status

If you want to leave the domain, use:

net ads leave -U Administrator
