Debian domain join

How to join Debian Squeeze to Active Directory Domain (winbind method).This makes possible to login as domain user, make samba shares with domain security, ntlm SSO to Apache sites, ntlm auth with Squid proxy.
I'm starting with blank Debian Squeeze installation at server pbx (
and Active Directory domain - domain.ru (Kerberos name DOMAIN)
with DC - dc.domain.ru (
At first, we need to make sure clock is synchronized with AD, and DNS domain queries are correctly forwarded to DC.
  1. To forward domain DNS queries we have two ways:
    • Add/replace in /etc/resolv.conf  this line to forward all DNS queries to DC
      and supersede this params from updating by dhcp-client
      # nano /etc/dhcp/dhclient.conf
      supersede domain-name "domain.ru";
      prepend domain-name-servers;
    • Or, if you use bind, add domain forwarding to /etc/bind/named.conf.local
      zone "domain.ru" {
        type forward;
        forwarders {
    Checking DNS resolution:
    # dig domain.ru
    ;domain.ru.                     IN      A
    domain.ru.              600     IN      A
  2. To sync clock we need ntpdate
    # aptitude install ntpdate
    # nano /etc/default/ntpdate
    # ntpdate -s dc.domain.ru 
    Check time at DC and Debian, it must be synced second to second
  3. Check /etc/hosts to include FQDN       localhost       pbx.domain.ru        pbx
  4. Ok, preparation completed, let's join domain :) At first we need kerberos packages:
  5. # aptitude install krb5-doc krb5-user krb5-config
    Default Kerberos version 5 realm: DOMAIN.RU
    Kerberos servers for your realm: dc.domain.ru
    Administrative server for your Kerberos realm: dc.domain.ru
    Open /etc/krb5.conf and edit like this:
    default_realm = DOMAIN.RU
    ticket_lifetime = 24000
    clock_skew = 300
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    DOMAIN.RU = {
       kdc = dc.domain.ru
       admin_server = dc.domain.ru
    domain.ru = DOMAIN.RU
    domain.ru = DOMAIN.RU
    krb4_convert = true
    krb4_get_tickets = false
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5dc.log
    admin_server = FILE:/var/log/ksadmind.log
    Here, admin_server - is DC with PDC Emulator FSMO kdc - one or more strings with domain controllers names
  6. Creating log files:
    # touch /var/log/krb5libs.log
    # touch /var/log/krb5dc.log
    # touch /var/log/ksadmind.log
  7. Trying to bind to AD:
    # kinit Administrator
    Password for [email protected]:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]
    Valid starting     Expires            Service principal
    09/25/11 22:05:33  09/26/11 04:45:33  krbtgt/[email protected]
  8. Ok, now install samba and winbind
    # aptitude install winbind samba
    Workgroup/Domain Name: DOMAIN
    ...and configure it
    # nano /etc/samba/smb.conf
    workgroup = DOMAIN
    server string = %h server
    wins support = no
    dns proxy = no
    interfaces = eth0
    bind interfaces only = yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ads
    admin users=Administrator
    auth methods = winbind
    case sensitive = no
    client signing = yes
    client ntlmv2 auth = yes
    client use spnego = yes
    debug level = 2
    domain master = no
    dos charset = 866
    encrypt passwords = true
    follow symlinks = yes
    idmap gid = 10000-40000
    idmap uid = 10000-40000
    local master = no
    log level = 1
    null passwords = true
    obey pam restrictions = yes
    os level = 0
    pam password change = yes
    passdb backend = tdbsam
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    password server = *
    preferred master = no
    realm = DOMAIN.RU
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    template shell = /bin/bash
    unix charset = UTF-8
    unix password sync = yes
    use kerberos keytab = true
    winbind enum groups = yes
    winbind enum users = yes
    winbind nested groups = Yes
    #winbind separator = +
    winbind use default domain = yes
    browseable = yes
    writeable = yes
    write list = @"Domain Users" @IT DOMAIN\sepa
    path = /tmp/test
    create mask = 0664
    comment = public share
    directory mask = 0777
    valid users = @"Domain Users" @IT DOMAIN\sepa
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = DOMAIN\%S
    ..and test this:
    # testparm
    Some notes:
    @IT - group names, if name contain spaces, place it in quotes (@"Domain Users")
    DOMAIN\sepa - username from domain
  9. Make homedir for domain users
    # mkdir /home/DOMAIN
  10. Re-read config and join domain
    # /etc/init.d/winbind stop && /etc/init.d/samba restart && /etc/init.d/winbind start
    # net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- DOMAIN
    Joined 'PBX' to realm 'domain.ru'
    DNS update failed!
    And looking to Active Directory Users and Computers
    that's looks nice :)
  11. Reloading and checking winbind info about domain users and groups
    # /etc/init.d/winbind force-reload
    # wbinfo -u
    # wbinfo -g
  12. Add auth by winbind to /etc/nsswitch.conf
    # nano /etc/nsswitch.conf
    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind
    hosts: files dns
    and check that domain users and groups are added
    # getent passwd
    # getent group
  13. Now setup login to Debian as domain users
    # nano /etc/pam.d/common-account
    account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
    account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
    # nano /etc/pam.d/common-auth
    auth    [success=2 default=ignore]      pam_unix.so nullok_secure
    auth    [success=1 default=ignore]      pam_winbind.so require_membership_of={SID} krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    Here {SID} is AD SID of group you want to give access to login to debian server. Memebers of this group only can login, this is not grant any rights. We also enable cached logins, so we can login with domain credentials when domain is not accessible (if we already login this user before)
    # nano /etc/pam.d/common-password
    password        [success=2 default=ignore]      pam_unix.so obscure sha512
    password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
  14. Automatically make homedir folder for new users
    # nano /etc/pam.d/common-session
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  15. Give some AD group rights to sudo as root:
    # visudo
    %adgroup        ALL=(ALL) ALL
    If you need use group with spaces in it's name - use "\ " instead spaces (%domain\ admins)
That's all. Try to reboot and login as domain user.
# shutdown -r now
If you have same name for local admin user on debian, and in AD, you can make symlink of homedir
ln -s /home/sepa/ /home/DOMAIN/
When you login by ssh you can use one login name and both passwords (from local user, and AD user)

No comments:

Post a Comment