zeldor.biz

Linux, programming and more

Copyright © 2023

Debian join windows domain

December 23, 2010 by Igor Drobot

1. Introduction

I recently was assigned the task of joining a Debian server to a Windows Server 2003 Active Directory domain. Though most of the documentation I read for doing this was rather straightforward, 100% of that documentation turned out to be only 75% useful. While all were easy to follow, at the end of the day I found myself piecing together bits of information from all different sources. Only after deciphering cryptic log messages, consulting my colleagues, and experimenting did I finally have this working. Here I try to provide a complete walkthrough of this joining procedure, paying close attention to the often overlooked details I encountered in my trials.

I use:
Debian squeeze
samba 2:3.2.5-4l
winbind 2:3.2.5-4l
krb5-config 1.22
krb5-user 1.6.dfsg.4

192.168.11.100 – is my Windows AD Server (Windows Server 2003)
192.168.11.200 – Debian server
REDIRECTOR.NAME – is my domain

2. Install Software

aptitude install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp

3. Stop the Services

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/ntp stop

4. Configure Kerberos

Active Directory uses the Kerberos protocol for service requests. To configure your server as a Kerberos client, you will need to modify /etc/krb5.conf.

The first thing you will need to configure is the Kerberos realm of your domain.

Working example config:

[libdefaults]
    default_realm = REDIRECTOR.NAME

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    REDIRECTOR.NAME = {
        kdc = 192.168.11.100:88
        admin_server = 192.168.11.100
    }

[domain_realm]
    .redirector.name = REDIRECTOR.NAME
    redirector.name = REDIRECTOR.NAME

[login]
    krb4_convert = true
    krb4_get_tickets = false
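The two [domain_realm] lines deserve a closer look: the entry with the leading dot maps every host under redirector.name to the realm, while the entry without it maps the bare domain name itself. The shell function below is an added example, not part of the original post, that performs this lookup against a constructed excerpt of the krb5.conf above (only its [realms] and [domain_realm] sections) so the effect of both lines can be checked before a host name is used in a ticket request. It follows the rule krb5.conf(5) gives for [domain_realm] tags (no leading dot: exact host name; leading dot: every host under that domain) and does not model DNS-based realm discovery, which this configuration disables anyway with dns_lookup_realm = false.

```shell
#!/bin/sh
# Added example, not from the article: resolve a host name to its Kerberos
# realm using only the [domain_realm] section of a krb5.conf. The config
# below is a constructed excerpt holding just the article's [realms] and
# [domain_realm] sections.
set -e

KRB5_EXCERPT='[realms]
    REDIRECTOR.NAME = {
        kdc = 192.168.11.100:88
        admin_server = 192.168.11.100
    }

[domain_realm]
    .redirector.name = REDIRECTOR.NAME
    redirector.name = REDIRECTOR.NAME'

# realm_for_host HOSTNAME < krb5.conf
# Lookup order: an exact entry for the host name first, then each parent
# domain written with a leading dot, most specific first. Prints the realm
# and returns 0, or prints nothing and returns 1 when the file has no mapping.
realm_for_host() {
    awk -v host="$1" '
        /^[ \t]*\[/ { section = $1; next }          # section header, e.g. [domain_realm]
        section == "[domain_realm]" && NF >= 3 && $2 == "=" {
            map[tolower($1)] = $3                   # domain or host -> realm
        }
        END {
            h = tolower(host)
            if (h in map) { print map[h]; exit 0 }  # exact host (or bare domain) entry
            while (index(h, ".") > 0) {
                h = substr(h, index(h, "."))        # ".sub.redirector.name"
                if (h in map) { print map[h]; exit 0 }
                h = substr(h, 2)                    # "sub.redirector.name", try next parent
            }
            exit 1                                  # no mapping in the file
        }'
}

# Demonstration: the domain itself, a host under it, and an unrelated host.
for h in redirector.name srv1.redirector.name fileserver.example.com; do
    if realm="$(printf '%s\n' "$KRB5_EXCERPT" | realm_for_host "$h")"; then
        echo "$h -> $realm"
    else
        echo "$h -> (no realm mapping in krb5.conf)"
    fi
done
```

Without the dotted entry, srv1.redirector.name would fall through to the DNS fallback that this configuration has switched off; without the bare entry, the domain name itself would be unmapped.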

5. Configure NTP

The Kerberos protocol relies heavily on timestamps. If the clock on the Debian server is out of sync with the primary domain controller, things will break. Windows Server 2003 by default broadcasts its time via the Network Time Protocol (NTP). To synchronize your clock with the primary domain controller, try the following:

ntpdate 192.168.11.100

If you receive a “the NTP socket is in use, exiting” error, you need to stop the NTP daemon (/etc/init.d/ntp stop) and try again. If ntpdate still fails, chances are that either the Windows Time Service is not running or one or more firewalls between the workstation and the domain controller are blocking port 123/UDP. Start the service and/or create exceptions for this port and try again.

When successful, ntpdate synchronizes your clock enough to start the NTP daemon, which handles all further synchronization. To point this daemon at the Windows domain controller, locate the first uncommented line in /etc/ntp.conf beginning with server and make the following change:

# Our primary DC
server 192.168.11.100

With this setting in place, restart the NTP daemon:

/etc/init.d/ntp start

To confirm that your workstation is contacting the primary domain controller for time updates, run ntpq -p. If everything is configured correctly, you should see your primary domain controller’s IP address or DNS name at the top of the list.
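Since Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than its default five-minute clock skew, the ntpq -p check above is worth automating. The script below is an added example and not part of the original post: check_dc_peer reads ntpq -p output and confirms that the domain controller is the peer marked with * (the one ntpd actually follows) and that its measured offset is within that tolerance. The two ntpq outputs embedded in it are constructed samples, one healthy and one in which the DC is selected but several minutes off.

```shell
#!/bin/sh
# Added example, not from the article: verify from `ntpq -p` output that the
# domain controller is the selected peer and that the offset is inside the
# 5-minute clock skew Kerberos tolerates by default. Both ntpq outputs below
# are constructed samples.
set -e

DC_IP="192.168.11.100"   # the article's domain controller
MAX_OFFSET_MS=300000     # 300 s, libkrb5's default clockskew, in ms as ntpq prints it

# Constructed `ntpq -p` output: the character in column 1 is the tally code,
# '*' marks the peer ntpd synchronises to; the offset column is milliseconds.
NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.11.100  .LOCL.           1 u   37   64  377    0.312    1.215   0.421
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000'

# Constructed: the DC is selected, but the offset is almost seven minutes,
# so Kerberos requests would be rejected until ntpd corrects the clock.
NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.11.100  .LOCL.           1 u   12   64  377    0.298  410233.5  12.11
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000'

# check_dc_peer DC_IP MAX_OFFSET_MS < ntpq_output
# Prints ok, dc_not_selected, offset_too_large or dc_not_listed; returns 0 only for ok.
check_dc_peer() {
    awk -v dc="$1" -v max="$2" '
        NR > 2 {                                   # skip the two header lines
            tally  = substr($0, 1, 1)              # tally code in column 1
            remote = (tally == " ") ? $1 : substr($1, 2)
            if (remote == dc) {
                found = 1
                off = ($9 < 0) ? -$9 : $9          # absolute offset in ms
                if (tally != "*")   result = "dc_not_selected"
                else if (off > max) result = "offset_too_large"
                else                result = "ok"
            }
        }
        END {
            if (!found) result = "dc_not_listed"
            print result
            if (result == "ok") exit 0
            exit 1
        }'
}

# Demonstration on both samples (the failing one must not abort the script).
for sample in "$NTPQ_GOOD" "$NTPQ_BAD"; do
    printf '%s\n' "$sample" | check_dc_peer "$DC_IP" "$MAX_OFFSET_MS" || true
done
```

On a live system the call is simply `ntpq -p | check_dc_peer 192.168.11.100 300000`; a result other than ok is worth fixing before attempting the domain join, because a skewed clock produces Kerberos errors that look nothing like a time problem.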

6. Configure DNS resolution

Add the IP address of your Active Directory server as a nameserver in /etc/resolv.conf:

nameserver 192.168.11.100

7. Configure Winbind

The Winbind service is the engine of this operation. It handles all communication with the Active Directory domain controller and manages the Windows-to-Unix translations that must occur.

You configure this service in /etc/samba/smb.conf. The following lines should be added to its global section:

# Global parameters
[global]
    workgroup = REDIRECTOR
    realm = REDIRECTOR.NAME
    server string = %h server (Samba %v)
    load printers = no
    security = ads
    local master = no
    domain master = no
    preferred master = no
    wins server = 192.168.11.100
    dns proxy = no
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    interfaces = eth0 lo
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    invalid users = root
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes

The winbind use default domain option changes how Windows usernames are represented. By default, Windows users must log in by prefixing their username with the workgroup name followed by a backslash (DOMAINNAME\username). As a convenience for users, you can set winbind use default domain to yes so that they no longer need to include this prefix. Just be wary of conflicts with existing local accounts.

8. Configure Nsswitch

Your system uses /etc/nsswitch.conf to determine where it should look to resolve various types of lookups. To resolve users and groups from Active Directory, add a reference to the Winbind name service module in the passwd and group lines. Below is the relevant portion of /etc/nsswitch.conf, no more, no less:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

To activate these changes, run the following command:

ldconfig

9. Join the Domain

With Kerberos and Winbind configured, you’re now ready to join your Debian workstation to the Windows Active Directory domain.

With these housekeeping items taken care of, try joining the domain:

net ads join -U Administrator

Optionally, replace Administrator with another user that has privileges to add computers to the domain.

If all goes well, you should receive a short message stating that you have successfully joined the domain.

10. Edit PAM settings

vim /etc/pam.d/common-account
# should contain the following lines:
account sufficient pam_winbind.so
account required pam_unix.so

vim /etc/pam.d/common-auth
# should contain the following lines:
auth    sufficient      pam_unix.so
auth    required        pam_winbind.so  use_first_pass

vim /etc/pam.d/common-password
# should be similar to the one shown below:
password   required   pam_unix.so nullok obscure min=4 max=50 md5

vim /etc/pam.d/common-session
# file contains the following line:
session     required    pam_mkhomedir.so umask=0022 skel=/etc/skel

11. Restart these services in order

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/ssh restart

12. Verify

At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don’t display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g.
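Once getent passwd returns domain accounts, two things are easy to miss. With winbind use default domain = yes, a domain user whose short name equals a local account name (the conflict section 7 warns about) is masked by the local entry, because nsswitch consults compat before winbind and returns the first match. And a mapped UID outside the configured winbind uid = 10000-20000 range points to an ID-mapping problem. The shell script below is an added example and not part of the original post; it runs both checks over constructed passwd-format lines that stand in for /etc/passwd and for Winbind's part of the getent passwd output, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the article: audit Winbind-supplied passwd entries
# for short names that collide with local accounts and for UIDs outside the
# configured "winbind uid" range. All account lines below are constructed.
set -e

UID_MIN=10000   # from the article's smb.conf: winbind uid = 10000-20000
UID_MAX=20000

# Constructed: local accounts as they appear in /etc/passwd.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
igor:x:1000:1000:Igor:/home/igor:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh'

# Constructed: entries Winbind adds to `getent passwd`, already without the
# domain prefix. "backup" shadows the local account of the same name and
# svc-sql has a UID outside the configured range.
WINBIND_PASSWD='alice:*:10001:10000:Alice:/home/REDIRECTOR/alice:/bin/bash
backup:*:10002:10000:Backup Operator:/home/REDIRECTOR/backup:/bin/bash
svc-sql:*:20500:10000:SQL Service:/home/REDIRECTOR/svc-sql:/bin/bash'

# audit_winbind_accounts LOCAL_FILE WINBIND_FILE UID_MIN UID_MAX
# Prints one finding per line ("name_collision NAME" or
# "uid_out_of_range NAME UID"); returns 0 when there are none, else 1.
audit_winbind_accounts() {
    awk -F: -v min="$3" -v max="$4" '
        FNR == NR { local_user[$1] = 1; next }     # first file: local account names
        {
            if ($1 in local_user) { print "name_collision", $1; bad = 1 }
            uid = $3 + 0
            if (uid < min || uid > max) { print "uid_out_of_range", $1, $3; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1" "$2"
}

# audit_strings LOCAL_TEXT WINBIND_TEXT UID_MIN UID_MAX
# Wrapper that feeds in-memory text through temporary files.
audit_strings() {
    l=$(mktemp); w=$(mktemp)
    printf '%s\n' "$1" > "$l"
    printf '%s\n' "$2" > "$w"
    if audit_winbind_accounts "$l" "$w" "$3" "$4"; then rc=0; else rc=1; fi
    rm -f "$l" "$w"
    return $rc
}

# Demonstration: prints the two findings, then a verdict.
if audit_strings "$LOCAL_PASSWD" "$WINBIND_PASSWD" "$UID_MIN" "$UID_MAX"; then
    echo "winbind accounts: clean"
else
    echo "winbind accounts: findings above need attention"
fi
```

On a joined host the same function can be pointed at /etc/passwd and at the output of `getent passwd` filtered to the Winbind range (or at `wbinfo -u` resolved through getent), which turns the "be wary of conflicts" advice into a check that can run after every join.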

Useful information about your status:

net ads status

Now you should be able to SSH into your server with a user from Active Directory:

ssh redirector.name\\username@192.168.11.200

If you want to leave the domain, use:

net ads leave -U Administrator

Filed Under: Debian, Linux, Windows Tagged With: Active Directory, Debian Squeeze AD, join windows Domain, Linux Windows Domain, Windows


Comments

  1. jeff says

    November 24, 2018 at 22:06

    followed the instructions above for a raspberry pi 3 b+ (Raspbian GNU/Linux 9 \n \l) and I was able to acquire a kerberos ticket using kinit for a domain account on my pi. But I am not able to log on to my pi with my domain account.
    Logged on with my local pi user account, the command ” net ads status ” fails with … “kerberos_kinit_password root @MYDOMAIN.COM: client not found in kerberos database”.
    Did I miss a step? Or are there additional steps for Raspbian?

    thanks

  2. Igor Drobot says

    November 5, 2017 at 14:07

    Great question, unfortunately I don’t know any GUI for this purpose.

  3. TryingToLeaveWindows says

    November 4, 2017 at 23:30

    Why isn't there a GUI for all this?

  4. mehdi says

    October 11, 2015 at 12:44

    Hello
    I did all of the actions but receive this message:
    Failed to join domain: failed to lookup DC info for domain ‘MSC-INTERNET.LOCAL’ over rpc: Logon failure

  5. Joe says

    June 5, 2015 at 19:38

    Thank you for posting this!

    I have been given this task as well; only on the current platforms at my university (Windows Server 2012 and Debian 8 if all goes well).

    I’m expecting a journey, but your blog post looks like it will be very useful!

    -Joe

  6. Francesco says

    September 28, 2014 at 23:21

    Hi

    I can’t access with domain’s users, auth.log messages are:

    Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): getting password (0x00000010)
    Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): pam_get_item returned a password
    Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): user ‘pipp0’ granted access
    Sep 28 23:09:44 cittudia gdm3][3177]: gkr-pam: error looking up user information
    Sep 28 23:15:37 cittudia gdm3][3179]: pam_unix(gdm3:auth): check pass; user unknown
    Sep 28 23:15:37 cittudia gdm3][3179]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
    Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): getting password (0x00000010)
    Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): pam_get_item returned a password
    Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): user ‘AMUTADORI\pipp0’ granted access
    Sep 28 23:15:37 cittudia gdm3][3179]: gkr-pam: error looking up user information
    Sep 28 23:15:51 cittudia gdm3][3181]: pam_winbind(gdm3:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
    Sep 28 23:15:51 cittudia gdm3][3181]: pam_limits(gdm3:session): invalid line ‘*-nofile 16384’ – skipped
    Sep 28 23:15:52 cittudia polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.25, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)
    Sep 28 23:16:07 cittudia polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.62 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8)
    Sep 28 23:16:32 cittudia su[3428]: pam_winbind(su:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
    Sep 28 23:16:32 cittudia su[3428]: Successful su for root by francesco
    Sep 28 23:16:32 cittudia su[3428]: + /dev/pts/0 francesco:root

    How can I fix it?

    Thanks

    Francesco

  7. Sérgio S says

    September 11, 2012 at 13:27

    Great job. Only guide I found that had all the necessary steps in one place.

  8. Yudi says

    May 30, 2012 at 07:07

    Thank you very much, I’ve succeeded, you really helped me.

  9. Yudi says

    May 30, 2012 at 05:46

    I can’t log in to SSH with Active Directory users, what’s wrong?

  10. Required says

    April 19, 2012 at 12:52

    I had the same issue as Lucho.

    The problem in my case was that I had uncommented the default lines with the ; character.

    /var/log/auth.log showed that, for some reason, it doesn’t interpret that character as a proper ‘uncomment’, so instead use the # character.

  11. zeldor says

    January 17, 2012 at 16:16

    Lucho please check your PAM-settings.

  12. Lucho says

    January 17, 2012 at 13:51

    Excellent! I’ve successfully joined my Debian to a W2k3 domain and registered it in its DNS. The only detail I’m trying to work out is that I cannot log in as local root anymore.

  13. Stephen says

    September 7, 2011 at 10:59

    This is fantastic, going to stick it in the wiki at work!

  14. zeldor says

    June 30, 2011 at 13:18

    Thank you Charles!

  15. Charles M says

    June 30, 2011 at 12:57

    Hi.

    This is a great guide!
