This article assumes that the Active Directory Domain is already fully functional. This is some background information for reference before we get started:
Domain Name: syraxius.ath.cx
Domain Controller Name: dc01.syraxius.ath.cx
Domain Controller IP: 192.168.1.2/24
First we'll synchronize our clock with the Kerberos server. This is crucial: Kerberos, like most authentication schemes, rejects requests when the client's clock has drifted too far from the server's. In this case, we'll make use of the already-installed NTP daemon, which can function as both an NTP server and client. We'll modify the configuration file by typing:
nano /etc/ntp.conf
Scroll down to any of the servers section, and add your DC into the list:
server 192.168.1.2
Now, do a restart of the NTP server:
/etc/init.d/ntp restart
You should be able to see your DC listed when you type:
ntpq -p
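As an added check that is not part of the original article: before moving on to Kerberos, confirm that the DC actually appears in the `ntpq -p` output as the selected sync source and that the offset is well inside the skew a KDC tolerates (300 seconds by default). The script below parses a constructed sample of `ntpq -p` output in place of a live run; the DC address and the 5-minute limit are the only assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: check the clock before
# going near Kerberos.  A KDC rejects requests whose timestamp differs from
# its own clock by more than the permitted skew (300 s by default), so the
# DC should appear in `ntpq -p` as the selected peer with a small offset.

DC_IP="192.168.1.2"        # the DC from the article
MAX_OFFSET_MS=300000       # Kerberos default clock skew, 5 minutes in ms

# Constructed sample of `ntpq -p` output (stands in for a live run).  The
# leading tally mark '*' marks the peer the daemon is synchronised to.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.2     .LOCL.           1 u   12   64  377    0.412   -1.234   0.102
+0.debian.pool.n 192.53.103.108   2 u   40   64  377   21.019    3.517   1.204'

# Print "<tally> <offset_ms>" for peer $1 found in ntpq output $2, where
# tally is the mark character or "none" when the peer is unused.
peer_status() {
    printf '%s\n' "$2" | awk -v dc="$1" '
        NR <= 2 { next }                       # header and separator line
        {
            tally = substr($0, 1, 1)
            if (tally == " ") tally = "none"
            addr = $1; sub(/^[*+x.#o-]/, "", addr)   # drop the tally mark
            if (addr == dc) print tally, $9            # $9 is the offset (ms)
        }'
}

# 0 if |$1| < $2 (both in ms), 1 otherwise; awk does the float compare.
offset_within() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit (o < m) ? 0 : 1 }'
}

# 0 when the DC is the selected ('*') peer and the offset is within skew.
check_clock_sync() {
    dc="$1"; output="$2"
    status=$(peer_status "$dc" "$output")
    [ -n "$status" ] || { echo "DC $dc is not an NTP peer" >&2; return 1; }
    tally=${status%% *}
    offset=${status#* }
    [ "$tally" = "*" ] || { echo "DC $dc listed but not the selected sync source (tally '$tally')" >&2; return 1; }
    offset_within "$offset" "$MAX_OFFSET_MS" || { echo "offset ${offset}ms exceeds Kerberos skew" >&2; return 1; }
    return 0
}

# Live use: check_clock_sync "$DC_IP" "$(ntpq -p)"
```

On a fresh install the DC may show up with a blank tally for a few polls until `reach` climbs; rerun the check rather than lowering the bar, since a DC that is listed but not selected gives no guarantee about the offset Kerberos will see.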
Next, our Debian system needs a way to authenticate against the Active Directory server, which is done with the Kerberos protocol. We'll install the Kerberos client packages with:
apt-get install krb5-config krb5-user
When prompted for the Kerberos server and the Administrative server for the realm, we'll use the FQDN of our Domain Controller, which is dc01.syraxius.ath.cx.
The settings are stored in /etc/krb5.conf, in case things don't work out. The information you entered is under the "[realms]" section, and the default realm can be changed in the "[libdefaults]" section.
To test if our Kerberos implementation works, use the command:
kinit Administrator
kinit is a binary found in the krb5-user package. This requests a Kerberos ticket for the user "Administrator". If no error messages occur, use the following command to check for a ticket:
klist
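The following is an added example and not the article's own file: it renders the /etc/krb5.conf that the krb5-config prompts produce for the realm and DC above, and includes a small reader that pulls the KDC back out of the "[realms]" section so the file can be sanity-checked before kinit is tried. The function names, the four-space indentation and the simple "key = value" layout the reader understands are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own file: the /etc/krb5.conf that the
# krb5-config prompts write for the article's realm, rendered by a function
# so it can be inspected before it touches /etc, plus a small reader that
# pulls the KDC back out of the [realms] section for a sanity check.

# $1 realm (upper case, e.g. SYRAXIUS.ATH.CX), $2 FQDN of the DC acting as
# KDC and admin server.  The [domain_realm] entries map DNS names under the
# domain to the realm; the lower-case domain is derived from the realm.
render_krb5_conf() {
    realm="$1"; kdc="$2"
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Print the kdc configured for realm $2 in krb5.conf text $1 (nothing if
# the realm is absent).  Only the "key = value" layout above is handled.
realm_kdc() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[ \t]*\[/ { section = $1; inrealm = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3; exit }'
}

# Live use, as root, after reviewing the rendered text:
#   render_krb5_conf SYRAXIUS.ATH.CX dc01.syraxius.ath.cx > /etc/krb5.conf
#   kinit Administrator && klist
```

The realm name is deliberately upper case: Kerberos realm names are case-sensitive, and a lower-case realm here is the usual reason kinit reports that the realm cannot be found even though the DC answers.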
Now if everything's fine, you can move on. At this point we'll install Samba and Winbind:
apt-get install samba winbind
winbind is a component of Samba that allows UNIX systems to be full members of an Active Directory domain. Winbind shares Samba's configuration file, /etc/samba/smb.conf.
After installing, we'll modify /etc/samba/smb.conf. The first thing to look for is the workgroup, which is the NetBIOS name of the domain. Since the domain is syraxius.ath.cx, we'll set:
workgroup = SYRAXIUS
At this point we'll need to add a line to specify the realm. This is required when we attempt to join the domain. To do this, we'll simply type:
realm = SYRAXIUS.ATH.CX
Scroll down to the Authentication section, where you'll find the line "# security = user". Add a new line to use ADS (Active Directory Services) like this:
security = ads
Directly below the domain master parameter are the UID mapping parameters. Simply uncomment them:
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
We'll also have to allow winbind to enumerate the users and groups. Uncomment the below lines:
winbind enum groups = yes
winbind enum users = yes
You can also allow usershares by uncommenting the usershare section below. Usershares allow non-root users to create share definitions; we'll ignore this for now.
Save the file and attempt to join the domain using the command:
net ads join -U Administrator
Restart winbind and Samba, and you should be able to list the domain's users and groups through winbind using:
wbinfo -u
wbinfo -g
You are still not able to do anything other than list users and groups. If you want to log into the system with domain accounts, you'll need to modify /etc/nsswitch.conf so that lookups consult winbind after the local databases. To do this, modify the file as shown:
passwd: files winbind
group: files winbind
shadow: files winbind
Next, we'll have to modify the system's AAA (PAM) settings to use winbind as well. The files to modify are:
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-session
For account, we'll add this line above the current rule:
account sufficient pam_winbind.so
Do the same for auth and session, changing the "account" keyword to "auth" and "session" accordingly. At this point you should be able to log into the system by using the domain\username convention. For example, to log into the Administrator account, simply use syraxius\Administrator as the username.
Notice that you're dumped into the root folder of the system once you're logged on, because the domain user has no home folder yet. We'll now work on creating the user home folders. First, we'll modify /etc/samba/smb.conf and add the following line below "template shell":
template homedir = /home/%D/%U
%D is substituted with the domain name (SYRAXIUS) and %U with the user's name. However, the configuration isn't complete yet, as the folder needs to exist first. This can be done automatically with pam_mkhomedir.so. We'll modify /etc/pam.d/common-session and add the following line above all rules:
session required pam_mkhomedir.so skel=/etc/skel umask=022
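As an added example that is not the article's own files: the script below renders the nsswitch.conf lines and the three /etc/pam.d/common-* files the preceding steps arrive at, and checks the one ordering rule that matters, that pam_mkhomedir sits above the other session rules so the home folder exists by the time the session opens. It assumes each common-* file currently holds a single pam_unix rule (as on a fresh Debian install of this era); on releases that manage these files with pam-auth-update, install libpam-winbind and run pam-auth-update instead of editing by hand, since hand edits get overwritten.

```shell
#!/bin/sh
# Added example (not the article's own files): render the nsswitch.conf
# lines and /etc/pam.d/common-* contents the article arrives at, plus a check
# for the ordering rule that matters: pam_mkhomedir has to run before the
# other session modules so the home directory exists when the login proceeds.
# Assumption: each common-* file currently holds a single pam_unix rule.

# The three lines to merge into /etc/nsswitch.conf (the real file also has
# hosts:, networks: and so on; merge these, do not overwrite the file).
render_nsswitch() {
    cat <<'EOF'
passwd: files winbind
group:  files winbind
shadow: files winbind
EOF
}

# $1 is account, auth or session.  pam_winbind goes ahead of the stock
# pam_unix rule; for session, pam_mkhomedir goes above everything.
# umask=022 (the article's value) makes new home directories world-readable;
# use umask=077 if the home directory should be private to its owner.
render_pam_common() {
    kind="$1"
    if [ "$kind" = session ]; then
        echo "session required pam_mkhomedir.so skel=/etc/skel umask=022"
    fi
    echo "$kind sufficient pam_winbind.so"
    echo "$kind required pam_unix.so"
}

# 0 if module $2 is listed on an earlier line than module $3 in PAM text $1
# (both must be present).  Assumes the simple "type control module" layout
# used above; a bracketed control field like [success=1 default=ignore]
# would shift the module into a later column.
pam_rule_before() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        $3 == a && !pa { pa = NR }
        $3 == b && !pb { pb = NR }
        END { exit (pa && pb && pa < pb) ? 0 : 1 }'
}

# Live check after editing the real file:
#   pam_rule_before "$(cat /etc/pam.d/common-session)" pam_mkhomedir.so pam_winbind.so
```

Keep "files" first in nsswitch.conf: local accounts such as root must still resolve when the DC or winbind is unreachable, and the order there decides which source answers first for a name that exists in both.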
Now you're done! Of course, there is still more we can do. If you do not want to use the domain\name notation when logging in, simply add this line to /etc/samba/smb.conf below the "winbind enum" parameters:
winbind use default domain = yes
Now you have a domain-joined Linux computer!
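To pull the smb.conf changes from the whole article together (the workgroup, realm and security settings, the idmap and template parameters, the winbind enumeration lines and the optional "winbind use default domain"), here is an added example that is not the article's own file. It renders the [global] section as a function, so the result can be reviewed and checked with a small parameter reader before it is merged into the real /etc/samba/smb.conf; the function names and the "key = value" layout the reader expects are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own file): the [global] settings the
# article accumulates in /etc/samba/smb.conf, rendered as a function so the
# result can be checked before being merged into the real file.

# $1 NetBIOS workgroup (upper case), $2 Kerberos realm (upper case).
render_smb_global() {
    workgroup="$1"; realm="$2"
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ads

    # UID/GID range for domain accounts; keep it above local UIDs so a
    # domain user can never collide with root or a system account.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    # Samba 3.6 and later replaced the two lines above with:
    #   idmap config * : backend = tdb
    #   idmap config * : range = 10000-20000

    template shell = /bin/bash
    template homedir = /home/%D/%U

    winbind enum users = yes
    winbind enum groups = yes
    # uncomment to log in as "user" instead of "SYRAXIUS\user"
    # winbind use default domain = yes
EOF
}

# Print the value of parameter $2 from smb.conf text $1 (nothing if it is
# absent or only present as a comment).  Handles the "key = value" layout
# above, not the full smb.conf grammar.
smb_param() {
    printf '%s\n' "$1" | awk -F ' = ' -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; sub(/^[ \t]+/, "", k); if (k == key) { print $2; exit } }'
}

# Live use: render, review, merge into /etc/samba/smb.conf, then validate
# the real file and the join before relying on it:
#   render_smb_global SYRAXIUS SYRAXIUS.ATH.CX
#   testparm -s            # parses smb.conf and reports unknown parameters
#   net ads testjoin       # confirms the machine account still works
#   wbinfo -t              # checks the trust secret with the DC
```

testparm is the quickest way to catch a parameter that the installed Samba no longer understands; on a version that has dropped "idmap uid", it reports the line as unknown, which is the cue to switch to the "idmap config" form shown in the comments.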