Joining a Domain

Dependencies

  • Verify if the pre-requisites are already installed, if not, install them.
$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind

Initial Checks

  • Verify if the DNS list on the client is configured properly
$ sudo mcedit /etc/resolv.conf

        nameserver 192.168.0.1      # Primary DNServer IP, Active Directory     
        nameserver 192.168.1.1      # Secondary DNServer IP, Active Directory           
        search domainName
  • Verify the Hosts file
$ sudo mcedit /etc/hosts

        127.0.0.1           localhost
        192.168.0.50        LinuxClient.domainName          LinuxClient
        192.168.0.1         primaryDC.domainName            primaryDC
        192.168.1.1         secondaryDC.domainName      secondaryDC
  • Edit the Kerberos Client config file
$ sudo mcedit /etc/krb5.conf

    [libdefaults]
            default_realm = DOMAINNAME
            clockskew = 300

    [realms]
            DOMAINNAME = {
                kdc = 192.168.0.1
                kdc = 192.168.1.1
                default_domain = domainName
                admin_server = 192.168.0.1
                admin_server = 192.168.1.1
            }

            domainName = {
                kdc = 192.168.0.1
                kdc = 192.168.1.1
                default_domain = domainName
                admin_server = 192.168.0.1
                admin_server = 192.168.1.1
            }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
        .domainName = domainName
        domainName = domainName

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
        }
  • Now we can generate the Kerberos tickets (Use the Kerberos REALM)
$ sudo kinit Administrator@DOMAINNAME
  • Edit the Samba Config file
$ sudo mcedit  /etc/samba/smb.conf

    [global]
        security = ADS
        netbios name = LinuxClient
        realm = DOMAINNAME
        password server = primaryDC.domainname
        workgroup = WORKGROUPNAME (Domain Short Name)
        log level = 1
        syslog = 0
        idmap uid = 10000-29999
        idmap gid = 10000-29999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no
        server string = Linux Active Directory Client
        encrypt passwords = yes
        idmap cache time = 30
        idmap negative cache time = 12
        winbind cache time = 30
  • Join the Client to the Domain
$ sudo net ads join -S primaryDC.domainName -U Administrator
  • Now we should edit the nsswitch.conf file to enable AD users and passwords.
$ sudo mcedit /etc/nsswitch.conf

    passwd:     files winbind
    group:      files winbind
    shadow:     files winbind
    hosts:      files dns winbind
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis
    sudoers:    files
  • To setup Domain User access to the system we must properly setup PAM files:
$ sudo mcedit /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so try_first_pass

$ sudo mcedit /etc/pam.d/common-password

password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

$ sudo mcedit /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass

$ sudo mcedit /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
  • Finally, modify the sudoers file, but do so carefully or you could lock yourself out of the system.
$ sudo mcedit /etc/sudoers


# This file MUST be edited with the 'visudo' command as root.                                                                    
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

%DOMAINNAME+linuxAdmin ALL=(ALL) ALL

%DOMAINNAME+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less/var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*

Finally, you can reboot and test out the SSH or local Domain User login.

Source