Binding Debian or Ubuntu to an Active Directory

Posted by Dark Training on May 12, 2008 tags: | ubuntu | debian

To begin, obviously you should NOT be doing this on a production server or workstation. It's also important to note that everyone's domain is slightly different, so if this solution does not work 100% for your domain, you may just need to tweak one of the config files below. DON'T GIVE UP: enterprises bind Active Directories to Linux, WE bind Active Directories to Linux, IT CAN BE DONE.

Throughout, I will be using the domain "example.name.domain" in place of the full domain name and EXAMPLE in place of the short name. A common mistake people make when attempting this the first time is not paying attention to case. Where UPPERCASE is used, you must use uppercase. I also use "computername" in place of the computer's name; its case and spelling must remain exactly the same across all of the configuration files. Lastly, I use "xxx" in place of the numeric value of any IP address.


For Ubuntu users, you MAY need to add the Universe and Multiverse repositories first (Debian users can skip to "Update the package lists"):

sudo nano /etc/apt/sources.list

Un-comment the following lines:
 # deb http://us.archive.ubuntu.com/ubuntu/ edgy universe
 # deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe
They should now read:
 deb http://us.archive.ubuntu.com/ubuntu/ edgy main restricted universe multiverse
 deb-src http://us.archive.ubuntu.com/ubuntu/ edgy main restricted universe multiverse
Add universe to the security lines as well:
 deb http://security.ubuntu.com/ubuntu edgy-security main restricted universe
 deb-src http://security.ubuntu.com/ubuntu edgy-security main restricted universe

Update the package lists
sudo apt-get update
sudo apt-get upgrade
Install the needed packages
sudo apt-get install krb5-user winbind samba ntpdate
Correct the time synchronization (Kerberos rejects tickets if the clock is skewed from the domain controller)
sudo ntpdate pool.ntp.org

Configure the /etc/krb5.conf file

Use the following command to open and edit the file
sudo nano /etc/krb5.conf
It should contain the following values (the DES-based enctypes listed here are the ones in use when this was written; current domain controllers have DES disabled, so newer setups use the AES enctypes instead):
 [libdefaults]
        default_realm = EXAMPLE.NAME.DOMAIN
        ticket_lifetime = 24000
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 [realms]
        EXAMPLE.NAME.DOMAIN = {
                kdc = EXAMPLE.NAME.DOMAIN
                default_domain = EXAMPLE.NAME.DOMAIN
        }
 [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .example.name.domain = EXAMPLE.NAME.DOMAIN
        example.name.domain = EXAMPLE.NAME.DOMAIN

Configure the /etc/samba/smb.conf file

Change the following lines
# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = MSHOME
to the [global] section below. (This has been updated to work with Ubuntu 9.04; previously you would get an error stating "permission denied".)
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.NAME.DOMAIN
        server string = computername
        security = ADS
        obey pam restrictions = Yes
        password server = EXAMPLE.NAME.DOMAIN
        passdb backend = tdbsam
        restrict anonymous = 2
        log level = 2
        log file = /var/log/samba/%m
        printcap name = cups
        local master = No
        domain master = No
        idmap uid = 10000-10000000
        idmap gid = 10000-10000000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        cups options = raw
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
        encrypt passwords = yes
        invalid users = root
        acl check permissions = no
        unix extensions = no
This varies from network to network, but you can try to uncomment the following line; comment it out again if you can't join the domain later:
valid users = %S

Edit /etc/nsswitch.conf

The file should look like the example below.
 passwd:         files winbind
 group:          files winbind
 shadow:         compat
 hosts:          files dns wins
 networks:       files
 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files
 netgroup:       nis

Modify the PAM settings

/etc/pam.d/common-account should contain only the following lines
 account sufficient      pam_winbind.so
 account required        pam_unix.so

/etc/pam.d/common-auth should contain only the following lines
 auth    sufficient      pam_winbind.so
 auth    required        pam_unix.so nullok_secure use_first_pass debug

Modify the /etc/pam.d/common-password file so that the max parameter is set to 50, similar to the line shown below
 password   required   pam_unix.so nullok obscure min=4 max=50 md5
Make sure the /etc/pam.d/common-session file contains the following lines (pam_mkhomedir creates a home directory for a domain user on first login)
 #session optional        pam_foreground.so
 session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

Set PAM to look up the UID and GID values through winbind in /etc/pam.d/samba
 auth required /lib/security/pam_winbind.so
 account required /lib/security/pam_winbind.so
 

Make a directory to hold domain user home directories

sudo mkdir /home/EXAMPLE

Modify the host file

The top of /etc/hosts should read as below. Note that xxx.xxx.xxx.xxx should be replaced with the IP address of a DNS server in the domain.
cat /etc/hosts

 127.0.0.1       localhost
 127.0.1.1       computername.example.name.domain  computername
 127.0.1.1       computername.example.name.domain  localhost computername
 xxx.xxx.xxx.xxx EXAMPLE.NAME.DOMAIN EXAMPLE

Resolv.conf

This is a critical step: make sure the machine points at the correct LDAP/DNS servers (the domain's DNS servers), or you will get an error when you bind to the ADS.
 search example.name.domain
 nameserver xxx.xxx.xxx.xxx
The name server values can be found in the DNS entries of a Windows computer on the domain, for example by running the following at a command prompt:
C:\> ipconfig /all

Test the DNS lookup

Replace machine_name with the DNS name of a server or workstation on your network
 nslookup machine_name
This should resolve and look like the following output:
 Server:         xxx.xxx.xxx.xxx
 Address:        xxx.xxx.xxx.xxx
 Name:   machine_name.example.name.domain
 Address: xxx.xxx.xxx.xxx
 

Test your FQDN

 hostname -a
The above command should print the same computer name as you have specified in the config files.
 hostname -f
The above command should print the fully qualified name in the following format: computername.example.name.domain

If this does not work, go back and check your hosts file.
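As a pre-join sanity check, here is an added example (not part of the original post) that cross-checks the case and spelling rules above: the realm in /etc/krb5.conf and /etc/samba/smb.conf must agree and be UPPERCASE, the workgroup must be the realm's short name, security must be ADS, and hostname -f must fall inside the realm. The ini_value and check_ad_config helper names are my own; the file paths and the FQDN are passed as arguments so it can also be run against copies of the files.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the settings the
# post says must agree before "net ads join" is attempted.

# ini_value FILE KEY: print the value of the first "KEY = value" line, trimmed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_ad_config KRB5_CONF SMB_CONF FQDN
# Prints each inconsistency found; returns 0 only when everything agrees.
check_ad_config() {
    krb5=$1; smb=$2; fqdn=$3; rc=0
    realm_krb=$(ini_value "$krb5" default_realm)
    realm_smb=$(ini_value "$smb" realm)
    workgroup=$(ini_value "$smb" workgroup)
    security=$(ini_value "$smb" security)

    # The realm must be identical in both files and entirely upper-case.
    [ "$realm_krb" = "$realm_smb" ] \
        || { echo "realm differs: krb5.conf='$realm_krb' smb.conf='$realm_smb'"; rc=1; }
    upper_realm=$(printf '%s' "$realm_krb" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm_krb" ] && [ "$realm_krb" = "$upper_realm" ] \
        || { echo "default_realm must be UPPERCASE, found '$realm_krb'"; rc=1; }
    # The workgroup is the short name: the first label of the realm.
    [ "$workgroup" = "${realm_krb%%.*}" ] \
        || { echo "workgroup '$workgroup' is not the short name of '$realm_krb'"; rc=1; }
    # security = ADS is what makes "net ads join" and Kerberos logins work.
    [ "$security" = ADS ] || [ "$security" = ads ] \
        || { echo "security must be ADS, found '$security'"; rc=1; }
    # hostname -f must end in the realm; DNS is case-insensitive, so compare lower-cased.
    lc_fqdn=$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    lc_realm=$(printf '%s' "$realm_krb" | tr '[:upper:]' '[:lower:]')
    case $lc_fqdn in
        *."$lc_realm") ;;
        *) echo "hostname -f ($fqdn) is not inside $lc_realm; check /etc/hosts"; rc=1 ;;
    esac
    return $rc
}

# Typical use on the machine being joined:
#   sh check_ad_config.sh /etc/krb5.conf /etc/samba/smb.conf "$(hostname -f)"
if [ $# -eq 3 ]; then
    check_ad_config "$1" "$2" "$3" && echo "configuration is consistent"
fi
```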

Initialize Kerberos

kinit domain_admin_account

A domain admin is anyone who can control the Users container, i.e. a user who could add or remove users or objects in the domain. If you can't do this, ask your AD administrator to do this step for you.

Enter the password for the user. If nothing comes back after you type it in, you're good; otherwise re-review the above steps.

Next check to be sure you got a ticket from the domain controller:

klist

Join the system to the domain

sudo net ads join -U username@EXAMPLE.NAME.DOMAIN

Restart Samba

Order is important:
sudo /etc/init.d/samba stop; sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba start

Restart SSH and Test Connectivity

sudo /etc/init.d/ssh restart
Try to ssh into the computer using your NT login name as the user name, i.e. EXAMPLE\username

Problems

If you get a "no logon servers" error when logging into the machine, winbind or samba may not be starting properly. Try restarting them manually, then log in again. Another issue: the name service cache daemon (nscd) can interfere with winbind, as winbind maintains its own cache. Remove it:
sudo apt-get remove nscd

Some users or groups are resolved with getent, but others are not

The range of your idmap parameters is not wide enough to encompass all the users or groups. Widen it in smb.conf, for example:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431