Active Directory - Join Linux to a Domain

From Nocrashwiki

Join Linux to an Active Directory Domain New Page This document will walk you through the steps needed to join linux to an Active Directory Domain and allow users to login using their Active Directory credentials.

You will need the latest versions of the following software packages:

Create your /etc/krb5.conf file similiar to the following:

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

kdc = DOMAIN.COM:88
admin_server = DOMAIN.COM:749

.medctr = DOMAIN.COM
medctr = DOMAIN.COM

profile = /var/kerberos/krb5kdc/kdc.conf

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

Initialize your connection to the domain

# kinit 
[email protected] 

if you get errors, then there is a problem.

# klist

You should see similiar output as follows:

Default principal: 
 [email protected] 

Valid starting     Expires            Service principal
02/17/06 16:13:23  02/18/06 02:13:30  krbtgt/
 [email protected] 
renew until 02/18/06 16:13:23

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cache

Now Edit your /etc/nsswitch.conf and make the following changes:

passwd:     files compat winbind
shadow:     files compat winbind
group:      files compat winbind

Now setup your /etc/samba/smb.conf similiar to the following:

security = ads
workgroup = medctr
realm = DOMAIN.COM
password server = DOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind trusted domains only = no
winbind separator = +
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
preferred master = no
dns proxy = no
guest ok = no
guest account = nobody

comment = Home Directories
browseable = no
writeable = yes

# This one is useful for people to share files
comment = Temporary file space
path = /tmp
writeable = yes
guest ok = yes
browseable = n

Notice the line "template homedir = /home/%D/%U" above. You will need to create /home/%D. In this case we created /home/MEDCTR

Now restart samba....

# service smb restart

Now join the domain with this command:

# net ads join -U admin_user

If you recieve an error similiar to the following, make sure hostname -f returns the name of the pc plus the full domain name you are trying to join. If it does not, you will need to correct this in /etc/hosts

Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials. Disabled account for 'CARTMAN' in realm 'DOMAIN.COM'

Test the validity of your join with this command:

# net ads testjoin

Now restart winbind....

# service winbind restart

Test your DOMAIN login with the following:

# wbinfo --authenticate=MEDCTR+username%password

should see this output:

plaintext password authentication succeeded
challenge/response password authentication succeeded

If this step is giving you trouble, try leaving the domain, deleting samba cache and rejoining with this sequence of commands.

# net ads leave
# rm -rf /var/cache/samba/*
# service smb restart
# net ads join -U admin_user
# service winbind restart
# net ads testjoin
# wbinfo --authenticate=MEDCTR+username%password

Now setup pam.d to use winbind for authentication:
This can be also be accomplished using the system-config-authentication tool
Make your /etc/pam.d/system-auth file look similiar to the following:

auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ likeauth nullok
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        required      /lib/security/$ISA/

account     required      /lib/security/$ISA/ broken_shadow
account     sufficient    /lib/security/$ISA/
account     sufficient    /lib/security/$ISA/ uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/
account     required      /lib/security/$ISA/

password    requisite     /lib/security/$ISA/ retry=3
password    sufficient    /lib/security/$ISA/ nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/ use_authtok
password    required      /lib/security/$ISA/

session     required      /lib/security/$ISA/
session     required      /lib/security/$ISA/
session     required      /lib/security/$ISA/ skel=/etc/skel/ umask=0077

Notice the last line... this will auto create home directories for any new users logging in.

You can install and setup pam_mount to auto mount shares if you wish:

yum -y install pam_mount

Edit /etc/security/pam_mount.conf. Scroll down to line 60 where you see the line:

options_require nosuid, nodev

comment that line out by placing a # in front. Edit your volumn line for your needs on or about line 94:

volume * smb server share /home/DOMAIN/&/share uid=& - -

* = everyone
& = user logging in

Now add pam_mount to your PAM configuration. I would suggest only adding it to those modules in which users will be logging in through using winbind. My reasoning is that su will ask for your root password twice if you put this in system-auth.

My /etc/pam.d/sshd file

auth       required service=system-auth
auth       required use_first_pass
account    required
account    required service=system-auth
password   required service=system-auth
session    required service=system-auth
session    required
session    optional

You should now be able to log into this box using your Active Directory Credentials. Feel free to contact me to comment or ask questions.

If you are in a DDNS environment, you may need to add a dns record to your dns server for this machine if you want people to be able to connect to your samba server. FQDN = "Fully Qualified Domain Name"

# nsupdate
> update add FQDN 86400 A IP
> send
> quit

Flush your DNS cache and try to ping your added FQDN

# net cache flush

Main Page