Debian domain join

How to join Debian Squeeze to Active Directory Domain (winbind method).This makes possible to login as domain user, make samba shares with domain security, ntlm SSO to Apache sites, ntlm auth with Squid proxy.
I'm starting with blank Debian Squeeze installation at server pbx (192.168.7.2)
and Active Directory domain - domain.ru (Kerberos name DOMAIN)
with DC - dc.domain.ru (192.168.7.1)
At first, we need to make sure clock is synchronized with AD, and DNS domain queries are correctly forwarded to DC.

1. To forward domain DNS queries we have two ways:
   • Add/replace in /etc/resolv.conf  this line to forward all DNS queries to DC

     nameserver 192.168.7.1

     and supersede this params from updating by dhcp-client
     

     # nano /etc/dhcp/dhclient.conf
     supersede domain-name "domain.ru";
     prepend domain-name-servers 192.168.7.1;
     

   • Or, if you use bind, add domain forwarding to /etc/bind/named.conf.local
     

     zone "domain.ru" {
       type forward;
       forwarders {
         192.168.7.1;
       };
     };

   Checking DNS resolution:

   # dig domain.ru
   ;; QUESTION SECTION:
   ;domain.ru.                     IN      A
   
   ;; ANSWER SECTION:
   domain.ru.              600     IN      A       192.168.7.1
   

2. To sync clock we need ntpdate

   # aptitude install ntpdate
   # nano /etc/default/ntpdate
   NTPSERVERS="dc.domain.ru"

   # ntpdate -s dc.domain.ru 

   Check time at DC and Debian, it must be synced second to second
3. Check /etc/hosts to include FQDN

   127.0.0.1       localhost
   127.0.1.1       pbx.domain.ru        pbx

4. Ok, preparation completed, let's join domain :) At first we need kerberos packages:

# aptitude install krb5-doc krb5-user krb5-config
Default Kerberos version 5 realm: DOMAIN.RU
Kerberos servers for your realm: dc.domain.ru
Administrative server for your Kerberos realm: dc.domain.ru

Open /etc/krb5.conf and edit like this:

[libdefaults]
default_realm = DOMAIN.RU
ticket_lifetime = 24000
clock_skew = 300
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
DOMAIN.RU = {
   kdc = dc.domain.ru
   admin_server = dc.domain.ru
}

[domain_realm]
domain.ru = DOMAIN.RU
domain.ru = DOMAIN.RU

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5dc.log
admin_server = FILE:/var/log/ksadmind.log

Here, admin_server - is DC with PDC Emulator FSMO kdc - one or more strings with domain controllers names
5. Creating log files:

   # touch /var/log/krb5libs.log
   # touch /var/log/krb5dc.log
   # touch /var/log/ksadmind.log

6. Trying to bind to AD:

   # kinit Administrator
   Password for [email protected]:
   # klist
   Ticket cache: FILE:/tmp/krb5cc_0
   Default principal: [email protected]
   
   Valid starting     Expires            Service principal
   09/25/11 22:05:33  09/26/11 04:45:33  krbtgt/[email protected]

7. Ok, now install samba and winbind

   # aptitude install winbind samba
   Workgroup/Domain Name: DOMAIN

   ...and configure it

   # nano /etc/samba/smb.conf
   [global]
   workgroup = DOMAIN
   server string = %h server
   wins support = no
   dns proxy = no
   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   ;AD
   admin users=Administrator
   auth methods = winbind
   case sensitive = no
   client signing = yes
   client ntlmv2 auth = yes
   client use spnego = yes
   debug level = 2
   domain master = no
   dos charset = 866
   encrypt passwords = true
   follow symlinks = yes
   idmap gid = 10000-40000
   idmap uid = 10000-40000
   local master = no
   log level = 1
   null passwords = true
   obey pam restrictions = yes
   os level = 0
   pam password change = yes
   passdb backend = tdbsam
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd program = /usr/bin/passwd %u
   password server = *
   preferred master = no
   realm = DOMAIN.RU
   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   template shell = /bin/bash
   unix charset = UTF-8
   unix password sync = yes
   use kerberos keytab = true
   winbind enum groups = yes
   winbind enum users = yes
   winbind nested groups = Yes
   #winbind separator = +
   winbind use default domain = yes
   
   [test]
   browseable = yes
   writeable = yes
   write list = @"Domain Users" @IT DOMAIN\sepa
   path = /tmp/test
   create mask = 0664
   comment = public share
   directory mask = 0777
   valid users = @"Domain Users" @IT DOMAIN\sepa
   
   [homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = DOMAIN\%S

   ..and test this:

   # testparm

   Some notes:
   @IT - group names, if name contain spaces, place it in quotes (@"Domain Users")
   DOMAIN\sepa - username from domain
8. Make homedir for domain users

   # mkdir /home/DOMAIN

9. Re-read config and join domain

   # /etc/init.d/winbind stop && /etc/init.d/samba restart && /etc/init.d/winbind start
   # net ads join -U administrator
   Enter administrator's password:
   Using short domain name -- DOMAIN
   Joined 'PBX' to realm 'domain.ru'
   DNS update failed!
   

   And looking to Active Directory Users and Computers
   that's looks nice :)
10. Reloading and checking winbind info about domain users and groups

    # /etc/init.d/winbind force-reload
    # wbinfo -u
    # wbinfo -g

11. Add auth by winbind to /etc/nsswitch.conf

    # nano /etc/nsswitch.conf
    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind
    hosts: files dns

    and check that domain users and groups are added

    # getent passwd
    # getent group

12. Now setup login to Debian as domain users

    # nano /etc/pam.d/common-account
    account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
    

    # nano /etc/pam.d/common-auth
    auth    [success=2 default=ignore]      pam_unix.so nullok_secure
    auth    [success=1 default=ignore]      pam_winbind.so require_membership_of={SID} krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    

    Here {SID} is AD SID of group you want to give access to login to debian server. Memebers of this group only can login, this is not grant any rights. We also enable cached logins, so we can login with domain credentials when domain is not accessible (if we already login this user before)

    # nano /etc/pam.d/common-password
    password        [success=2 default=ignore]      pam_unix.so obscure sha512
    password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
    

13. Automatically make homedir folder for new users

    # nano /etc/pam.d/common-session
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    

14. Give some AD group rights to sudo as root:

    # visudo
    %adgroup        ALL=(ALL) ALL

    If you need use group with spaces in it's name - use "\ " instead spaces (%domain\ admins)

That's all. Try to reboot and login as domain user.

# shutdown -r now

If you have same name for local admin user on debian, and in AD, you can make symlink of homedir

ln -s /home/sepa/ /home/DOMAIN/

When you login by ssh you can use one login name and both passwords (from local user, and AD user)