Linux (commonly pronounced LIH-N?ks in English; variants exist) is a Unix-like computer operating system. Linux is one of the most prominent examples of free software and open source development: typically all underlying source code can be freely modified, used, and redistributed by anyone.

Tags | | | |

Binding Debian / Ubuntu to an Active Directory

To begin, obviously you should NOT be doing this on a production server or workstation. Also it's important to note that everyones domain is slightly different, so if this solution does not work 100% for your domain, you may just need to tweak one of the config files below. DON'T GIVE UP, enterprises bind active directories to linux, WE bind Active Directories to linux, IT CAN BE DONE.



To begin, I will be using the domain "example.name.domain" in place of the full domain name, EXAMPLE in place of the short name. A common mistake people will make when attempting this the first time is to not pay attention to the case. It's important that where UPPERCASE is used, you use uppercase. Also I use "computername" in place of the computers name, it's also important that case and spelling remain exactly the same across all of the configuration files. Last I use "xxx" in place of the numeric value of any IP address.



For ubuntu users, you MAY need to add the Universe and Multiverse repositories first: (Debian users can skipo to "Update The Package list")


sudo nano /etc/apt/sources.list


un-comment the following line


# deb http://us.archive.ubuntu.com/ubuntu/ edgy universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe


It should now read:


deb http://us.archive.ubuntu.com/ubuntu/ edgy main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ edgy main restricted universe multiverse


Add the following to the security line:


deb http://security.ubuntu.com/ubuntu edgy-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu edgy-security main restricted universe


Update the package lists


sudo apt-get updatesudo apt-get upgrade

Install the needed packages


sudo apt-get install krb5-user winbind samba ntpdate

Correct the time synchronization


sudo ntpdate pool.ntp.org


Configure the /etc/krb5.conf file



Use the following command to open and edit the file


sudo nano /etc/krb5.conf


It should contain the following values:



[libdefaults]
default_realm = EXAMPLE.NAME.DOMAIN
ticket_lifetime = 24000
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.NAME.DOMAIN = {
kdc = EXAMPLE.NAME.DOMAIN
default_domain = EXAMPLE.NAME.DOMAIN}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.example.name.domain = EXAMPLE.NAME.DOMAIN
example.name.domain = EXAMPLE.NAME.DOMAIN


Configure the /etc/samba/smb.conf file


Change the following line


# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = MSHOME

to


*This has been updated to work with Ubuntu 9.04, previously you would get an error stating permission denied

[global]
workgroup = EXAMPLE
realm = EXAMPLE.NAME.DOMAIN
server string = computername
security = ADS
obey pam restrictions = Yes
password server = EXAMPLE.NAME.DOMAIN
passdb backend = tdbsam
restrict anonymous = 2
log level = 2
log file = /var/log/samba/%m
printcap name = cups
local master = No
domain master = No
idmap uid = 10000-10000000
idmap gid = 10000-10000000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
cups options = raw
socket options = TCP_NODELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
encrypt passwords = yes
invalid users = root
acl check permissions = no
unix extensions = no


This varies from network to network, but you can try to uncomment the following line, Recomment if you can't join later:


valid users = %S


Edit /etc/nsswitch.conf


The file should look the example below.



passwd: files winbind
group: files winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


Modify the PAM settings



/etc/pam.d/common-account should contain only the following lines



account sufficient pam_winbind.so
account required pam_unix.so


/etc/pam.d/common-auth should contain only the following lines



auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass debug


Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below



password required pam_unix.so nullok obscure min=4 max=50 md5


Make sure the /etc/pam.d/common-session file contains the following line



#session optional pam_foreground.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel


Set pam to lookup the UID and GID values /etc/pam.d/samba



auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so


Make a directory to hold domain user home directories



sudo mkdir /home/EXAMPLE



Modify the host file



The top of /etc/hosts should read:
Note that xxx should be replaced with a DNS name in domain


cat /etc/hosts

127.0.0.1 localhost
127.0.1.1 computername.example.name.domain computername
127.0.1.1 computername.example.name.domain localhost computername
xxx.xxx.xxx.xxx EXAMPLE.NAME.DOMAIN EXAMPLE


Resolv.conf


This is a critical step, make sure that the machine is allowed to point to the correct Ldap dns servers or you will get an error when you bind to the ADS.



search example.name.domain
nameserver xxx.xxx.xxx.xxx


The name server values can be found in DNS entry found on a windows computer (for example) by using the following command line code:


C:\ipconfig /all


Test the DNS lookup



Replace machine_name with a DNS name of a server or workstation on your network


nslookup machine_name


This should resolve and look like the following output:


Server: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx
Name: machine_name.example.name.domain
Address: xxx.xxx.xxx.xxx


Test your FQDN


hostname -a


The above command will result in the same computer name as you have specified in the config files.



hostname -f


The above command will result in the following format:
computer name.example.name.domain

If this does not work, go back and check your hosts file



Initialize Kerberos



kinit domain_admin_account


A domain admin is anyone that can control the users container, this is basically a user that could add or remove users or objects to the domain, if you can't do this, ask your AD administrator to do this step for you.

Enter the password for the user, if nothing comes back after you type it in, your good, otherwise re-review the above steps.

Next check to be sure you got a ticket from the domain controller:


klist


Join the system to the domain



sudo net ads join -U username@EXAMPLE.NAME.DOMAIN


Restart Samba


Order is important


sudo /etc/init.d/samba stop;sudo /etc/init.d/winbind restart;sudo /etc/init.d/samba start


Restart SSH and Test Connectivity



sudo /etc/init.d/ssh restart


Try to ssh into the computer using your NT login name as the user name IE EXAMPLE\username


Problems


If when logging into the machine one gets a "no logon servers" error winbind\samba may not be starting properly. Try restarting them manually, and then logging in. Another issue, the name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it.


sudo apt-get remove nscd


Some names or groups are not resolved with getent, but others are not




The range of your idmap parameter is not wide enough to encompass all the users or groups

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431



Comments

Feel free to leave a comment or question

Name: (Optional but appreciated):

Comment:

Use [code] [/code] for code block style



Security Code: