Joining a Domain


  • Verify if the pre-requisites are already installed, if not, install them.
$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind

Initial Checks

  • Verify if the DNS list on the client is configured properly
$ sudo mcedit /etc/resolv.conf

        nameserver      # Primary DNServer IP, Active Directory     
        nameserver      # Secondary DNServer IP, Active Directory           
        search domainName
  • Verify the Hosts file
$ sudo mcedit /etc/hosts           localhost        LinuxClient.domainName          LinuxClient         primaryDC.domainName            primaryDC         secondaryDC.domainName      secondaryDC
  • Edit the Kerberos Client config file
$ sudo mcedit /etc/krb5.conf

            default_realm = DOMAINNAME
            clockskew = 300

            DOMAINNAME = {
                kdc =
                kdc =
                default_domain = domainName
                admin_server =
                admin_server =

            domainName = {
                kdc =
                kdc =
                default_domain = domainName
                admin_server =
                admin_server =

        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

        .domainName = domainName
        domainName = domainName

        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
  • Now we can generate the Kerberos tickets (Use the Kerberos REALM)
$ sudo kinit Administrator@DOMAINNAME
  • Edit the Samba Config file
$ sudo mcedit  /etc/samba/smb.conf

        security = ADS
        netbios name = LinuxClient
        realm = DOMAINNAME
        password server = primaryDC.domainname
        workgroup = WORKGROUPNAME (Domain Short Name)
        log level = 1
        syslog = 0
        idmap uid = 10000-29999
        idmap gid = 10000-29999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no
        server string = Linux Active Directory Client
        encrypt passwords = yes
        idmap cache time = 30
        idmap negative cache time = 12
        winbind cache time = 30
  • Join the Client to the Domain
$ sudo net ads join -S primaryDC.domainName -U Administrator
  • Now we should edit the nsswitch.conf file to enable AD users and passwords.
$ sudo mcedit /etc/nsswitch.conf

    passwd:     files winbind
    group:      files winbind
    shadow:     files winbind
    hosts:      files dns winbind
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis
    sudoers:    files
  • To setup Domain User access to the system we must properly setup PAM files:
$ sudo mcedit /etc/pam.d/common-session

session required skel=/etc/skel/ umask=0022
session sufficient
session required try_first_pass

$ sudo mcedit /etc/pam.d/common-password

password sufficient
password required nullok obscure min=4 max=8 md5 try_first_pass

$ sudo mcedit /etc/pam.d/common-auth

auth sufficient
auth required nullok_secure try_first_pass

$ sudo mcedit /etc/pam.d/common-account

account sufficient
account required try_first_pass
  • Finally, modify the sudoers file, but do so carefully or you could lock yourself out of the system.
$ sudo mcedit /etc/sudoers

# This file MUST be edited with the 'visudo' command as root.                                                                    
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d


%DOMAINNAME+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less/var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*

Finally, you can reboot and test out the SSH or local Domain User login.