2.2.2. Joining a Linux server to a Domain (Samba and MS Compatible)

  • Verify if the pre-requisites are already installed, if not, install them.

$ sudo apt-get install samba smbclient winbind krb5-user krb5-config libnss-winbind libpam-winbind
  • Verify if the DNS list on the client is configured properly

$ sudo mcedit /etc/resolv.conf

        nameserver              # Primary DNServer IP, Active Directory

        nameserver              # Secondary DNServer IP, Active Directory

        search domainName
  • Verify the Hosts file

$ sudo mcedit /etc/hosts                   localhost                LinuxClient.domainName                  LinuxClient                 primaryDC.domainName                    primaryDC                 secondaryDC.domainName          secondaryDC
  • Edit the Kerberos Client config file

$ sudo mcedit /etc/krb5.conf

                default_realm = DOMAINNAME
                clockskew = 300

                DOMAINNAME = {
                    kdc =
                    kdc =
                    default_domain = domainName
                    admin_server =
                    admin_server =

                domainName = {
                    kdc =
                    kdc =
                    default_domain = domainName
                    admin_server =
                    admin_server =

            kdc = FILE:/var/log/krb5/krb5kdc.log
            admin_server = FILE:/var/log/krb5/kadmind.log
            default = SYSLOG:NOTICE:DAEMON

            .domainName = domainName
            domainName = domainName

            pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                try_first_pass = true
  • Now we can generate the Kerberos tickets (Use the Kerberos REALM)

$ sudo kinit Administrator@DOMAINNAME
  • Edit the Samba Config file

$ sudo mcedit  /etc/samba/smb.conf

                security = ADS
                netbios name = LinuxClient
                realm = DOMAINNAME
                password server = primaryDC.domainname
                workgroup = WORKGROUPNAME (Domain Short Name)
                log level = 1
                syslog = 0
                idmap uid = 10000-29999
                idmap gid = 10000-29999
                winbind separator = +
                winbind enum users = yes
                winbind enum groups = yes
                template homedir = /home/%D/%U
                template shell = /bin/bash
                client use spnego = yes
                domain master = no
                server string = Linux Active Directory Client
                encrypt passwords = yes
                idmap cache time = 30
                idmap negative cache time = 12
                winbind cache time = 30
  • Join the Client to the Domain

$ sudo net ads join -S primaryDC.domainName -U Administrator


At this point there are two common errors:

  • There’s a difference between the Linux Client’s time stamp and the Domain Controller time stamp (This should always be corrected if true).

  • There’s already a DNS Entry with the same name, in which case we have to delete the old entry to automatically re-generate it when joining the Domain.

  • Now we should edit the nsswitch.conf file to enable AD users and passwords.

$ sudo mcedit /etc/nsswitch.conf

                passwd:             files winbind
                group:                      files winbind
                shadow:             files winbind
                hosts:                      files dns winbind
                networks:           files
                protocols:          db files
                services:           db files
                ethers:                     db files
                rpc:                        db files
                netgroup:           nis
                sudoers:            files
  • To setup Domain User access to the system we must properly setup PAM files:

$ sudo mcedit /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so try_first_pass

$ sudo mcedit /etc/pam.d/common-password

password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

$ sudo mcedit /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure try_first_pass

$ sudo mcedit /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
  • Finally, modify the sudoers file, but do so carefully or you could lock yourself out of the system.

$ sudo mcedit /etc/sudoers

# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d


%DOMAINNAME+linuxSeg ALL=(ALL) /sbin/iptables -L -n,/usr/bin/less/var/log/*,/usr/sbin/aideinit,/usr/bin/tshark*

Finally, you can reboot and test out the SSH or local Domain User login.