Joining a Domain
On this page
Dependencies
- Verify if the pre-requisites are already installed, if not, install them.
$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind
Initial Checks
- Verify if the DNS list on the client is configured properly
$ sudo mcedit /etc/resolv.conf
nameserver 192.168.0.1 # Primary DNServer IP, Active Directory
nameserver 192.168.1.1 # Secondary DNServer IP, Active Directory
search domainName
- Verify the Hosts file
$ sudo mcedit /etc/hosts
127.0.0.1 localhost
192.168.0.50 LinuxClient.domainName LinuxClient
192.168.0.1 primaryDC.domainName primaryDC
192.168.1.1 secondaryDC.domainName secondaryDC
- Edit the Kerberos Client config file
$ sudo mcedit /etc/krb5.conf
[libdefaults]
default_realm = DOMAINNAME
clockskew = 300
[realms]
DOMAINNAME = {
kdc = 192.168.0.1
kdc = 192.168.1.1
default_domain = domainName
admin_server = 192.168.0.1
admin_server = 192.168.1.1
}
domainName = {
kdc = 192.168.0.1
kdc = 192.168.1.1
default_domain = domainName
admin_server = 192.168.0.1
admin_server = 192.168.1.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.domainName = domainName
domainName = domainName
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
- Now we can generate the Kerberos tickets (Use the Kerberos REALM)
$ sudo kinit Administrator@DOMAINNAME
- Edit the Samba Config file
$ sudo mcedit /etc/samba/smb.conf
[global]
security = ADS
netbios name = LinuxClient
realm = DOMAINNAME
password server = primaryDC.domainname
workgroup = WORKGROUPNAME (Domain Short Name)
log level = 1
syslog = 0
idmap uid = 10000-29999
idmap gid = 10000-29999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string = Linux Active Directory Client
encrypt passwords = yes
idmap cache time = 30
idmap negative cache time = 12
winbind cache time = 30
- Join the Client to the Domain
$ sudo net ads join -S primaryDC.domainName -U Administrator
At this point there are two common errors:
- There’s a difference between the Linux Client’s time stamp and the Domain Controller time stamp (This should always be corrected if true).
- There’s already a DNS Entry with the same name, in which case we have to delete the old entry to automatically re-generate it when joining the Domain.
- Now we should edit the nsswitch.conf file to enable AD users and passwords.
$ sudo mcedit /etc/nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
- To setup Domain User access to the system we must properly setup PAM files:
$ sudo mcedit /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so try_first_pass
$ sudo mcedit /etc/pam.d/common-password
password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass
$ sudo mcedit /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass
$ sudo mcedit /etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
- Finally, modify the sudoers file, but do so carefully or you could lock yourself out of the system.
$ sudo mcedit /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
%DOMAINNAME+linuxAdmin ALL=(ALL) ALL
%DOMAINNAME+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less/var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*
Finally, you can reboot and test out the SSH or local Domain User login.