1. Introduction
I recently was assigned the task of joining a Debian server to a Windows Server 2003 Active Directory domain. Though most of the documentation I read for doing this was rather straightforward, 100% of that documentation turned out to be only 75% useful. While all were easy to follow, at the end of the day I found myself piecing together bits of information from all different sources. Only after deciphering cryptic log messages, consulting my colleagues, and experimenting did I finally have this working. Here I try to provide a complete walkthrough of this joining procedure, paying close attention to the often overlooked details I encountered in my trials.
I use:
Debian squeeze
samba 2:3.2.5-4l
winbind 2:3.2.5-4l
krb5-config 1.22
krb5-user 1.6.dfsg.4
192.168.11.100 – is my Windows AD Server (Windows Server 2003)
192.168.11.200 – Debian server
REDIRECTOR.NAME – is my domain
2. Install Software
1 | aptitude install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp |
3. Stop the Services
1 2 3 | /etc/init.d/samba stop /etc/init.d/winbind stop /etc/init.d/ntp stop |
4. Configure Kerberos
Active Directory uses the Kerberos protocol for service requests. To configure your server as a Kerberos client, you will need to modify /etc/krb5.conf.
The first thing you will need to configure is the Kerberos realm of your domain.
Working example config:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | [libdefaults] default_realm = REDIRECTOR.NAME # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # Thie only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true dns_lookup_realm = false dns_lookup_kdc = false [realms] REDIRECTOR.NAME = { kdc = 192.168.11.100:88 admin_server = 192.168.11.100 } [domain_realm] .redirector.name = REDIRECTOR.NAME redirector.name = REDIRECTOR.NAME [login] krb4_convert = true krb4_get_tickets = false |
5. Configure NTP
The Kerberos protocol relies heavily on timestamps. If the clock on the Debian server is out of sync with the primary domain controller, things will break. Windows Server 2003 by default broadcasts its time via the Network Time Protocol (NTP). To synchronize your clock with the primary domain controller, try the following:
1 | ntpdate 192.168.11.100 |
If you receive an “the NTP socket is in use, exiting” error, you need to stop the NTP daemon (/etc/init.d/ntp stop) and try again. If ntpdate still fails, chances are that either the Windows Time Service is not running or one or more firewalls between the workstation and the domain controller are blocking port 123/UDP. Start the service and/or create exceptions for this port and try again.
When successful, ntpdate synchronizes your clock enough to start the NTP daemon, which handles all further synchronization. To point this daemon at the Windows domain controller, locate the first uncommented line in /etc/ntp.conf beginning with server and make the following change:
1 2 | # Our primary DC
server 192.168.11.100 |
With this setting in place, restart the NTP daemon:
1 | /etc/init.d/ntp start |
To confirm that your workstation is contacting the primary domain controller for time updates, run ntpq -p. If everything is configured correctly, you should see your primary domain controller’s IP address or DNS name at the top of the list.
6. Configure DNS resolution
Add your ActiveDirectory IP-Address to /etc/resolv.conf
1 | nameserver 192.168.11.100 |
7. Configure Winbind
The Winbind service is the engine of this operation. It handles all communication with the Active Directory domain controller and manages the Windows-to-Unix translations that must occur.
You configure this service in /etc/samba/smb.conf. The following lines should be added to its global section:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # Global parameters [global] workgroup = REDIRECTOR realm = REDIRECTOR.NAME server string = %h server (Samba %v) load printers = no security = ads local master = no domain master = no preferred master = no wins server = 192.168.11.100 dns proxy = no winbind uid = 10000-20000 winbind gid = 10000-20000 winbind use default domain = yes interfaces = eth0 lo syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 panic action = /usr/share/samba/panic-action %d invalid users = root template homedir = /home/%D/%U template shell = /bin/bash winbind offline logon = yes winbind refresh tickets = yes |
The winbind use default domain option modifies the representation of Windows usernames. By default, Windows users must login by prefixing their username with workgroup followed by a ‘\\’ (DOMAINNAME\\username). As a convenience for users, you can set winbind use default domain to yes so that they no longer need to include this prefix. Just be wary of conflicts with existing local accounts.
8. Configure Nsswitch
Your system uses /etc/nsswitch.conf to determine where it should look to resolve various types of lookups. To resolve users and groups from Active Directory, add a reference to the Winbind name service module in the passwd and group lines. Below is the relevant portion of /etc/nsswitch.conf no more, no less:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat hosts: files dns wins networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis |
To activate these changes run the following command:
1 | ldconfig |
9. Join the Domain
With Kerberos and Winbind configured, you’re now ready to join your Debian workstation to the Windows Active Directory domain.
With these housekeeping items taken care of, try joining the domain:
1 | net ads join -U Administrator |
Optional replace Administrator with another user that has privileges to add computers to the domain.
If all goes well, you should receive a short message stating that you have successfully joined the domain.
10. Edit PAM settings
1 2 3 4 | vim /etc/pam.d/common-account # should contain the following lines: account sufficient pam_winbind.so account required pam_unix.so |
1 2 3 4 | vim /etc/pam.d/common-auth # should contain the following lines: auth sufficient pam_unix.so auth required pam_winbind.so use_first_pass |
1 2 3 | vim /etc/pam.d/common-password # should be similar to the one shown below: password required pam_unix.so nullok obscure min=4 max=50 md5 |
1 2 3 | vim /etc/pam.d/common-session # file contains the following line: session required pam_mkhomedir.so umask=0022 skel=/etc/skel |
11. Restart these services in order
1 2 3 4 5 | /etc/init.d/samba stop /etc/init.d/winbind stop /etc/init.d/samba start /etc/init.d/winbind start /etc/init.d/ssh restart |
12. Verify
At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don’t display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g.
Useful information about your status:
1 | net ads status |
Now you should be able to ssh to your server with a user from active directory ssh redirector.name\\username@192.168.11.200
If you want to leave Domain, use:
1 | net ads leave -U Administrator |
followed the instructions above for a raspberry pi 3 b+ (Raspbian GNU/Linux 9 \n \l) and i was able to acquire a kerberos ticket using kinit for a domain account on my pi. but i am not able to logon to my pi with my domain account.
logged on with my local pi user account, command ” net ads status ” fails with … “kerberos_kinit_password root @MYDOMAIN.COM: client not found in kerberos database”.
did i miss a step? or is there additional steps for Raspbian?
thanks
Great question, unfortunately I don’t know any GUI for this purpose.
Why isnt there a gui for all this?
hello
I done whole of actions but receive this message :
Failed to join domain: failed to lookup DC info for domain ‘MSC-INTERNET.LOCAL’ over rpc: Logon failure
Thank you for posting this!
I have been given this task as well; only on the current platforms at my university (Windows Server 2012 and Debian 8 if all goes well).
I’m expecting a journey, but your blog post looks like it will be very useful!
-Joe
Hi
I can’t access with domain’s users, auth.log messages are:
Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): getting password (0x00000010)
Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): pam_get_item returned a password
Sep 28 23:09:44 cittudia gdm3][3177]: pam_winbind(gdm3:auth): user ‘pipp0’ granted access
Sep 28 23:09:44 cittudia gdm3][3177]: gkr-pam: error looking up user information
Sep 28 23:15:37 cittudia gdm3][3179]: pam_unix(gdm3:auth): check pass; user unknown
Sep 28 23:15:37 cittudia gdm3][3179]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): getting password (0x00000010)
Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): pam_get_item returned a password
Sep 28 23:15:37 cittudia gdm3][3179]: pam_winbind(gdm3:auth): user ‘AMUTADORI\pipp0’ granted access
Sep 28 23:15:37 cittudia gdm3][3179]: gkr-pam: error looking up user information
Sep 28 23:15:51 cittudia gdm3][3181]: pam_winbind(gdm3:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Sep 28 23:15:51 cittudia gdm3][3181]: pam_limits(gdm3:session): invalid line ‘*-nofile 16384’ – skipped
Sep 28 23:15:52 cittudia polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.25, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8) (disconnected from bus)
Sep 28 23:16:07 cittudia polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.62 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale it_IT.UTF-8)
Sep 28 23:16:32 cittudia su[3428]: pam_winbind(su:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Sep 28 23:16:32 cittudia su[3428]: Successful su for root by francesco
Sep 28 23:16:32 cittudia su[3428]: + /dev/pts/0 francesco:root
How I can fix it??
Thanks
Francesco
Great job. Only guide I found that had all the necessary steps in one place.
thank you very much, I’ve succeeded, you really helped me
i’m can’t login to ssh with Active Directory users, whats wrong?
I had the same issue as Lucho.
The problem in my case was that I had uncommented the default lines with the ; character.
/var/log/auth.log showed that -for some reason- it doesn’t interprete that character as a proper ‘ uncomment’, so instead use the # character.
Lucho please check your PAM-settings.
Excellent! i’ve succesfully joined my debian to a W2k3 domain and register in its dns. The only detail im trying to work is i cannot login as local root anymore.
This is fantastic, going to stick it in the wiki at work!
Thank you Charles!
Hi.
This is a great guide!