Join Linux to an Active Directory Domain

This document walks you through the steps needed to join Linux to an Active Directory domain and allow users to log in using their Active Directory credentials.

You will need the latest versions of the following software packages:
krb5
samba
winbind

Create your /etc/krb5.conf file similar to the following:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MEDCTR.AD.WFUBMC.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MEDCTR.AD.WFUBMC.EDU = {
  kdc = MEDCTR.AD.WFUBMC.EDU:88
  admin_server = MEDCTR.AD.WFUBMC.EDU:749
 }

[domain_realm]
        .MEDCTR.AD.WFUBMC.EDU = MEDCTR.AD.WFUBMC.EDU
        MEDCTR.AD.WFUBMC.EDU = MEDCTR.AD.WFUBMC.EDU
        .medctr = MEDCTR.AD.WFUBMC.EDU
        medctr = MEDCTR.AD.WFUBMC.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Initialize your connection to the domain:
# kinit admin_user@MEDCTR.AD.WFUBMC.EDU
If kinit reports an error, the Kerberos configuration above is not working; fix it before continuing.
# klist
You should see output similar to the following:
Default principal: chrwilli@MEDCTR.AD.WFUBMC.EDU

Valid starting     Expires            Service principal
02/17/06 16:13:23  02/18/06 02:13:30  krbtgt/MEDCTR.AD.WFUBMC.EDU@MEDCTR.AD.WFUBMC.EDU
        renew until 02/18/06 16:13:23


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cache

Now edit your /etc/nsswitch.conf and make the following changes:
passwd:     files compat winbind
shadow:     files compat winbind
group:      files compat winbind

Now set up your /etc/samba/smb.conf similar to the following:
[global]
    security = ads
    workgroup = medctr
    realm = MEDCTR.AD.WFUBMC.EDU
    password server = MEDCTR.AD.WFUBMC.EDU
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes
    winbind trusted domains only = no
    winbind separator = +
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    preferred master = no
    dns proxy = no
    guest ok = no
    guest account = nobody

[homes]
    comment = Home Directories
    browseable = no
    writeable = yes

# This one is useful for people to share files
[tmp]
    comment = Temporary file space
    path = /tmp
    writeable = yes
    guest ok = yes
    browseable = no

Notice the line "template homedir = /home/%D/%U" above. You will need to create the /home/%D directory yourself; in this case we created /home/MEDCTR.

Now restart samba:
# service smb restart
Now join the domain with this command:
# net ads join -U admin_user
If you receive an error similar to the following, make sure hostname -f returns the name of the PC plus the full domain name you are trying to join. If it does not, correct this in /etc/hosts before trying the join again.
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'CARTMAN' in realm 'MEDCTR.AD.WFUBMC.EDU'
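An added preflight check, written for this page and not part of the original how-to, that verifies the three names that must agree before running net ads join: default_realm in /etc/krb5.conf, realm in /etc/samba/smb.conf, and the domain part of hostname -f. It assumes POSIX sh and the file paths used above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original how-to): preflight check for "net ads join".
# Assumes POSIX sh; the default file paths are the ones used in this document.

# lower STRING -> lower-cased copy (realm and host names are compared case-insensitively)
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# fqdn_in_realm FQDN REALM -> 0 if FQDN is "<host>.<REALM>", 1 otherwise
fqdn_in_realm() {
    _f=$(lower "$1"); _r=$(lower "$2")
    case "$_f" in
        *.*) [ "${_f#*.}" = "$_r" ] ;;   # strip the host label, the rest must be the realm
        *)   return 1 ;;                 # no dot at all: hostname -f is not fully qualified
    esac
}

# conf_value FILE KEY -> value of the first "KEY = value" line (leading whitespace tolerated)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# preflight FQDN [KRB5_CONF] [SMB_CONF] -> 0 if all three names agree; prints what to fix otherwise
preflight() {
    fqdn=$1
    krb_realm=$(conf_value "${2:-/etc/krb5.conf}" default_realm)
    smb_realm=$(conf_value "${3:-/etc/samba/smb.conf}" realm)
    [ -n "$krb_realm" ] || { echo "krb5.conf: no default_realm set" >&2; return 1; }
    if [ "$(lower "$krb_realm")" != "$(lower "$smb_realm")" ]; then
        echo "realm mismatch: krb5.conf=$krb_realm smb.conf=$smb_realm" >&2
        return 1
    fi
    if ! fqdn_in_realm "$fqdn" "$krb_realm"; then
        echo "hostname -f returned '$fqdn'; expected <host>.$krb_realm (fix /etc/hosts)" >&2
        return 1
    fi
    # the computer account AD creates is the short host name, upper-cased (e.g. CARTMAN above)
    echo "ok: $fqdn is inside realm $krb_realm; computer account $(printf '%s' "${fqdn%%.*}" | tr 'a-z' 'A-Z')"
}

# Run against the live host before "net ads join":
# preflight "$(hostname -f)"
```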
Test the validity of your join with this command:
# net ads testjoin
Now restart winbind:
# service winbind restart
Test your DOMAIN login with the following:
# wbinfo --authenticate=MEDCTR+username%password
You should see this output:
plaintext password authentication succeeded
challenge/response password authentication succeeded
If this step is giving you trouble, try leaving the domain, deleting the samba cache and rejoining with this sequence of commands:
# net ads leave
# rm -rf /var/cache/samba/*
# service smb restart
# net ads join -U admin_user
# service winbind restart
# net ads testjoin
# wbinfo --authenticate=MEDCTR+username%password
Now set up pam.d to use winbind for authentication. This can also be accomplished using the system-config-authentication tool.
Make your /etc/pam.d/system-auth file look similar to the following:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0077

Notice the last line: pam_mkhomedir will automatically create a home directory for any new user logging in.

You can install and set up pam_mount to auto-mount shares if you wish:

# yum -y install pam_mount
Edit /etc/security/pam_mount.conf. Scroll down to line 60 where you see the line:
options_require nosuid, nodev
Comment that line out by placing a # in front. Edit your volume line for your needs on or about line 94:
volume * smb server share /home/DOMAIN/&/share uid=& - -
* = everyone
& = user logging in

Now add pam_mount to your PAM configuration. I would suggest only adding it to those services through which users will log in using winbind. My reasoning is that su will ask for your root password twice if you put this in system-auth.

My /etc/pam.d/sshd file:

auth       required     pam_stack.so service=system-auth
auth       required     pam_mount.so use_first_pass
account    required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_mount.so

You should now be able to log into this box using your Active Directory Credentials. Feel free to contact me to comment or ask questions.

If you are in a DDNS environment, you may need to add a DNS record to your DNS server for this machine if you want people to be able to connect to your samba server.
FQDN = "Fully Qualified Domain Name"

# nsupdate
> update add FQDN 86400 A IP
> send
> quit

Flush your DNS cache and try to ping the FQDN you added:

# net cache flush

Chris Williamson 5-17-2006