"The most simple explanation is mostly the best" -- Occam's Razor

Debian Samba filesharing with Microsoft Active Directory authentication
On Tuesday, Oct 07, 2008
I was trying to get my Debian Linux machines to authenticate against a Microsoft Active Directory. There are a few howtos on this subject, but I had to merge them to get it working in a clean way on my Debian machine.

Therefore I wrote this little howto, so that it is easier for Debian users to get their Linux box authenticating against a Windows Active Directory.

There are a number of steps you have to follow to get it working. Some values in this text are placeholders (such as DOMAIN.LOCAL, hostname-of-your-domaincontroller and ip-of-your-domaincontroller); substitute your own names and IP addresses.

Well, let's start!

Step 1

Install the needed packages by running the following command:

:~# apt-get install krb5-config krb5-user krb5-doc winbind samba rdate


Step 2

Edit /etc/hosts so it looks like this:

127.0.0.1 hostname.DOMAIN.LOCAL localhost hostname


Step 3

Edit /etc/krb5.conf so it looks like this:

[logging]
    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    clock_skew = 300
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    DOMAIN.LOCAL = {
        kdc = hostname-of-your-domaincontroller.DOMAIN.LOCAL
        admin_server = hostname-of-your-domaincontroller.DOMAIN.LOCAL
        default_domain = DOMAIN.LOCAL
    }

[domain_realm]
    .kerberos.server = DOMAIN.LOCAL
    .DOMAIN.LOCAL = DOMAIN.LOCAL


Step 4

Test the connection to Active Directory by requesting a Kerberos ticket with the following command (the realm name is case-sensitive and must match the default_realm in krb5.conf):

:~# kinit Administrator@DOMAIN.LOCAL


Step 5

Check that the ticket request made with kinit in the previous step succeeded by running klist:

:~# klist

The output of this command should look something like this:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.LOCAL

Valid starting     Expires            Service principal
09/10/08 12:07:01  09/10/08 22:05:53  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 09/11/08 12:07:01


Step 6

Configure Samba by opening /etc/samba/smb.conf. Edit the config file so it looks like this:

[global]

workgroup = DOMAIN
realm = DOMAIN.LOCAL
load printers = no
preferred master = no
local master = no
server string = fileserver
password server = ip-of-your-domaincontroller
encrypt passwords = yes
security = ADS
netbios name = hostname-of-your-linux-fileserver
client signing = Yes
dns proxy = No
wins server = ip-of-your-domaincontroller
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes


Step 7

Restart Samba by entering the following command:

:~# /etc/init.d/samba restart


Now you're ready to join the Active Directory.


Step 8

Join the local domain / Active Directory by entering the following command:

:~# net ads join -U administrator

You will be asked to enter the AD Administrator password. If the command returns without an error message, the machine is now joined to the Active Directory.


Step 9

Get the list of domain users:

:~# wbinfo -u


Step 10

Get the list of domain groups:

:~# wbinfo -g


Step 11

Check your Samba configuration:

:~# testparm -v


Step 12

Edit /etc/nsswitch.conf so the passwd, shadow and group lines look like this:

passwd:     compat winbind
shadow:     compat winbind
group:      compat winbind


Step 13

Create a home directory for each domain under /home:

:~# mkdir /home/DOMAIN


And you're DONE. Your Linux box should now be working fine, using your Windows domain controller for authentication!
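As an added cross-check of the files the steps above produce (example code written for this page, not part of the original howto), the following reads krb5.conf, smb.conf and nsswitch.conf fragments and flags the mistakes that most often leave AD logins failing: a realm whose case differs from default_realm, a missing [realms] block, a security mode other than ADS, idmap ranges that overlap local accounts, and passwd/group lines without winbind. The sample fragments are constructed; on a real machine pass the contents of the three files instead.

```python
import re

# Constructed sample fragments in the layout this howto uses (not real files). The
# smb.conf realm is deliberately lower-case and nsswitch.conf omits winbind for passwd.
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = dc1.DOMAIN.LOCAL
}
"""
SMB_CONF = """[global]
workgroup = DOMAIN
realm = domain.local
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
NSSWITCH_CONF = "passwd: compat\nshadow: compat winbind\ngroup: compat winbind\n"

def ini_value(text, key):
    """First 'key = value' in krb5.conf/smb.conf style text, or None."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), text, re.M | re.I)
    return m.group(1) if m else None

def check_ad_config(krb5, smb, nsswitch, local_id_max=999):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    k_realm, s_realm = ini_value(krb5, "default_realm"), ini_value(smb, "realm")
    if not (k_realm and s_realm):
        problems.append("realm missing from krb5.conf or smb.conf")
    else:
        if s_realm != s_realm.upper():  # Kerberos realm names are case-sensitive
            problems.append("smb.conf realm %r is not upper-case" % s_realm)
        if k_realm.upper() != s_realm.upper():
            problems.append("realm differs: krb5.conf %s, smb.conf %s" % (k_realm, s_realm))
        if not re.search(r"^\s*%s\s*=\s*\{" % re.escape(k_realm), krb5, re.M):
            problems.append("krb5.conf has no [realms] block for %s" % k_realm)
    if (ini_value(smb, "security") or "").upper() != "ADS":
        problems.append("smb.conf security is not ADS, so Kerberos is not used")
    for key in ("idmap uid", "idmap gid"):  # AD ids must not collide with local accounts
        low = int((ini_value(smb, key) or "0-0").split("-")[0])
        if low <= local_id_max:
            problems.append("%s starts at %d, inside the local account range" % (key, low))
    for db in ("passwd", "group"):  # without winbind here, logins never see AD users
        m = re.search(r"^%s:\s*(.*)$" % db, nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append("nsswitch.conf %s line does not include winbind" % db)
    return problems
```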

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Extra configuration/feature

It's possible to change your Active Directory password using passwd. This can be helpful for people who like using the terminal. Also, Linux applications that use passwd to change passwords will be able to change the AD password.

This feature can be enabled by editing /etc/pam.d/passwd and /etc/pam.d/passwd. Make sure the files look like this:

## /etc/pam.d/passwd

password    sufficient    pam_winbind.so
password    required      pam_unix.so


## /etc/pam.d/passwd

password    sufficient    pam_winbind.so
password    required      pam_unix.so

auth        include       system-auth
account     include       system-auth
password    include       system-auth


Do you have a question, a problem or a feature request? Don't hesitate to drop me a line or post a comment.

Tags: debian, linux, samba, windows

