1. Introduction
I recently was assigned the task of joining a Debian server to a Windows Server 2003 Active Directory domain. Though most of the documentation I read for doing this was rather straightforward, 100% of that documentation turned out to be only 75% useful. While all were easy to follow, at the end of the day I found myself piecing together bits of information from all different sources. Only after deciphering cryptic log messages, consulting my colleagues, and experimenting did I finally have this working. Here I try to provide a complete walkthrough of this joining procedure, paying close attention to the often overlooked details I encountered in my trials.
I use:
Debian squeeze
samba 2:3.2.5-4l
winbind 2:3.2.5-4l
krb5-config 1.22
krb5-user 1.6.dfsg.4
192.168.11.100 is my Windows AD server (Windows Server 2003)
192.168.11.200 is the Debian server
REDIRECTOR.NAME is my domain
2. Install Software
    aptitude install libkrb53 krb5-config krb5-user samba winbind ntpdate ntp
3. Stop the Services
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/ntp stop
4. Configure Kerberos
Active Directory uses the Kerberos protocol for service requests. To configure your server as a Kerberos client, you will need to modify /etc/krb5.conf.
The first thing you will need to configure is the Kerberos realm of your domain.
Working example config:
    [libdefaults]
        default_realm = REDIRECTOR.NAME

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        REDIRECTOR.NAME = {
            kdc = 192.168.11.100:88
            admin_server = 192.168.11.100
        }

    [domain_realm]
        .redirector.name = REDIRECTOR.NAME
        redirector.name = REDIRECTOR.NAME

    [login]
        krb4_convert = true
        krb4_get_tickets = false
5. Configure NTP
The Kerberos protocol relies heavily on timestamps. If the clock on the Debian server is out of sync with the primary domain controller, things will break. Windows Server 2003 by default broadcasts its time via the Network Time Protocol (NTP). To synchronize your clock with the primary domain controller, try the following:
    ntpdate 192.168.11.100
If you receive a “the NTP socket is in use, exiting” error, you need to stop the NTP daemon (/etc/init.d/ntp stop) and try again. If ntpdate still fails, chances are that either the Windows Time Service is not running or one or more firewalls between the workstation and the domain controller are blocking port 123/UDP. Start the service and/or create exceptions for this port and try again.
When successful, ntpdate synchronizes your clock enough to start the NTP daemon, which handles all further synchronization. To point this daemon at the Windows domain controller, locate the first uncommented line in /etc/ntp.conf beginning with server and make the following change:
    # Our primary DC
    server 192.168.11.100
With this setting in place, restart the NTP daemon:
    /etc/init.d/ntp start
To confirm that your workstation is contacting the primary domain controller for time updates, run ntpq -p. If everything is configured correctly, you should see your primary domain controller’s IP address or DNS name at the top of the list.
6. Configure DNS resolution
Add the Active Directory server's IP address as a nameserver in /etc/resolv.conf:
    nameserver 192.168.11.100
7. Configure Winbind
The Winbind service is the engine of this operation. It handles all communication with the Active Directory domain controller and manages the Windows-to-Unix translations that must occur.
You configure this service in /etc/samba/smb.conf. The following lines should be added to its global section:
    # Global parameters
    [global]
        workgroup = REDIRECTOR
        realm = REDIRECTOR.NAME
        server string = %h server (Samba %v)
        load printers = no
        security = ads
        local master = no
        domain master = no
        preferred master = no
        wins server = 192.168.11.100
        dns proxy = no
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        interfaces = eth0 lo
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind offline logon = yes
        winbind refresh tickets = yes
The winbind use default domain option changes how Windows usernames are represented. By default, Windows users must log in by prefixing their username with the workgroup followed by a backslash (DOMAINNAME\username). As a convenience for users, you can set winbind use default domain to yes so that they no longer need to include this prefix. Just be wary of conflicts with existing local accounts: a domain user with the same name as a local account will be resolved without the prefix.
8. Configure Nsswitch
Your system uses /etc/nsswitch.conf to determine where it should look to resolve various types of lookups. To resolve users and groups from Active Directory, add a reference to the Winbind name service module in the passwd and group lines. Below is /etc/nsswitch.conf as it should look, no more, no less:
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat

    hosts:          files dns wins
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
To activate these changes run the following command:
    ldconfig
9. Join the Domain
With Kerberos and Winbind configured, you're now ready to join your Debian workstation to the Windows Active Directory domain. Try joining it:
    net ads join -U Administrator
Optionally, replace Administrator with another user that has privileges to add computers to the domain.
If all goes well, you should receive a short message stating that you have successfully joined the domain.
10. Edit PAM settings
    vim /etc/pam.d/common-account
    # should contain the following lines:
    account sufficient pam_winbind.so
    account required pam_unix.so

    vim /etc/pam.d/common-auth
    # should contain the following lines:
    auth sufficient pam_unix.so
    auth required pam_winbind.so use_first_pass

    vim /etc/pam.d/common-password
    # should be similar to the one shown below:
    password required pam_unix.so nullok obscure min=4 max=50 md5

    vim /etc/pam.d/common-session
    # file contains the following line:
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel
11. Restart these services in order
    /etc/init.d/samba stop
    /etc/init.d/winbind stop
    /etc/init.d/samba start
    /etc/init.d/winbind start
    /etc/init.d/ssh restart
12. Verify
At this point, you should be able to resolve users and groups from the Windows Active Directory domain using getent passwd and getent group. If these commands don't display your Windows accounts, try to resolve them using wbinfo -u and wbinfo -g; wbinfo asks winbindd directly, so if it lists the accounts while getent does not, the problem is in /etc/nsswitch.conf rather than in the domain connection.
For useful information about the state of the domain membership, run:
    net ads status
Now you should be able to ssh to your server with a user from Active Directory:
    ssh redirector.name\\username@192.168.11.200
If you want to leave the domain, use:
    net ads leave -U Administrator
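As an added example (not part of the original walkthrough), the script below audits the files edited in sections 4, 7, 8 and 10 against the values this walkthrough prescribes, which is a quick way to tell a configuration mistake from a domain or network problem before reading the Samba logs. It assumes the file paths are passed as arguments (so it can be run against copies, and paths contain no spaces) and that the realm and workgroup default to REDIRECTOR.NAME and REDIRECTOR.

```shell
#!/bin/sh
# Added example, not from the walkthrough: a read-only audit of the files edited
# above. Each function takes the file to inspect as an argument (so copies can be
# checked); realm and workgroup default to the walkthrough's values.
# 0 if FILE has "KEY = VALUE" in [global] (smb.conf rules: key case-insensitive,
# whitespace around '=' ignored, '#' and ';' start comments).
smb_has() {   # smb_has FILE KEY VALUE
  awk -v k="$2" -v v="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
    sect == "[global]" && index($0, "=") {
      key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key)
      val = substr($0, index($0, "=") + 1);            gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == tolower(k) && tolower(val) == tolower(v)) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# 0 if the nsswitch.conf at $1 lists winbind for both passwd and group.
nss_has_winbind() {
  grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
  grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}
# 0 if the PAM file at $1 loads pam_winbind.so with use_first_pass, so the password
# already given to pam_unix is reused instead of being prompted for twice.
pam_winbind_ok() {
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*use_first_pass' "$1"
}
# 0 if the krb5.conf at $1 sets default_realm = $2 and lists a kdc inside that realm.
krb5_ok() {
  awk -v r="$2" '
    /^[ \t]*\[/ { sect = $1 }
    sect == "[libdefaults]" && $1 == "default_realm" && $3 == r { dr = 1 }
    sect == "[realms]" && $1 == r && $2 == "=" { inr = 1; next }
    inr && /^[ \t]*}/ { inr = 0 }
    inr && $1 == "kdc" { found = 1 }
    END { exit (dr && found) ? 0 : 1 }' "$1"
}
# Runs every check, prints PASS/FAIL per item and returns the number of failures.
audit_join() {   # audit_join KRB5_CONF SMB_CONF NSSWITCH_CONF COMMON_AUTH [REALM] [WORKGROUP]
  realm="${5:-REDIRECTOR.NAME}"; wg="${6:-REDIRECTOR}"; fails=0
  for c in "krb5_ok $1 $realm" "smb_has $2 security ads" "smb_has $2 realm $realm" \
           "smb_has $2 workgroup $wg" "nss_has_winbind $3" "pam_winbind_ok $4"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fails=$((fails + 1)); fi
  done
  # Not a failure, but note it: AD accounts then shadow same-named local ones.
  smb_has "$2" "winbind use default domain" yes && echo "NOTE: winbind use default domain = yes"
  return "$fails"
}
```

Run it as audit_join /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf /etc/pam.d/common-auth on the joined server; a non-zero exit status is the number of checks that failed.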