February 10

Linux: Connecting a Linux server to Active Directory. All of the needed steps.

Setting up an Ubuntu Server 16.04 Linux server to be a part of an Active Directory domain has never been a small task.
The following are the steps involved. I hope you are as successful as I have been.
Keep in mind that most kinit errors are due to the Linux server not properly identifying the Active Directory server by name.

The following assumes you have an understanding of Linux and Microsoft Active Directory:

1. On your Ubuntu/Debian server, install the packages:
sudo apt-get -y install ntp nano ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

During the package install a dialog will open and ask for the default Kerberos realm. Enter your domain name in upper case:
YOURDOMAIN.LOCAL

2. Configure the time so that it matches your domain controller (Kerberos rejects tickets when the clocks differ by more than a few minutes).
Edit the file ntp.conf, point it at your domain controller by name or IP, and comment out the servers you do not need:
sudo cp /etc/ntp.conf /etc/ntp.oldconf
sudo nano /etc/ntp.conf

pool DC1.YOURDOMAIN.LOCAL

3. Restart the NTP service:
sudo service ntp restart

4. Configure Kerberos
sudo cp /etc/krb5.conf /etc/krb5.oldconf
sudo truncate -s0 /etc/krb5.conf
sudo nano /etc/krb5.conf

Use the configuration below. Change the names where appropriate:

[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
# option names must match krb5.conf(5) exactly; a misspelled option is silently ignored
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL
kdc = DC2.YOURDOMAIN.LOCAL
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
# maps a DNS domain to a Kerberos realm; the right-hand side is the realm name, not a KDC host
.YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL
YOURDOMAIN.LOCAL = YOURDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Save the file.
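Because Kerberos ignores option names it does not recognise, a typo in krb5.conf does not produce an error; the setting just never takes effect and the first sign of trouble is a failing kinit. The script below is an added example (not part of the original post) that lints a krb5.conf before you go on: it lists [libdefaults] keys that are not in a short whitelist of known option names (an assumption; extend it from krb5.conf(5) for your own files) and reports any DES or RC4 enctypes in the enctype lists. The sample config it checks is constructed from the post's own [libdefaults] with its two misspelled keys.

```shell
#!/bin/sh
# Added example, not from the original post: lint krb5.conf before running kinit.
# Two checks: option names in [libdefaults] that MIT Kerberos does not know
# (it silently ignores them, so a typo such as default_tgs_entypes just
# disables the setting), and enctype lists that still rely on DES or RC4.

# Short whitelist of common [libdefaults] options (assumption: enough for this
# post's config; extend it from krb5.conf(5) for your own files).
KNOWN_LIBDEFAULTS="ticket_lifetime renew_lifetime default_realm default_tgs_enctypes \
default_tkt_enctypes permitted_enctypes dns_lookup_realm dns_lookup_kdc dns_fallback \
forwardable proxiable rdns clockskew default_ccache_name allow_weak_crypto"

# lint_libdefaults FILE: print unknown option names; return 1 if any were found.
lint_libdefaults() {
    unknown=$(awk -v known="$KNOWN_LIBDEFAULTS" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*#/ { next }                          # comment line
        /^[[:space:]]*\[/ { inlib = ($0 ~ /\[libdefaults\]/); next }
        inlib && /=/ {
            key = $0
            sub(/[[:space:]]*=.*/, "", key)                # drop "= value"
            sub(/^[[:space:]]+/, "", key)                  # drop indentation
            if (!(key in ok)) print key
        }' "$1")
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# weak_enctypes FILE: print DES and RC4 enctypes named in any enctype list.
# DES is disabled by default in current MIT Kerberos (allow_weak_crypto = false)
# and Active Directory has offered AES since Windows Server 2008.
weak_enctypes() {
    awk '/^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[[:space:]]*=/ {
        sub(/^[^=]*=/, "")                                  # keep only the value list
        for (i = 1; i <= NF; i++) if ($i ~ /^(des-|rc4-)/) print $i
    }' "$1" | sort -u
}

# Constructed sample: the post's [libdefaults] with its two misspelled keys.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL
}
EOF

echo "unknown [libdefaults] keys:"
lint_libdefaults "$SAMPLE_CONF" || echo "(fix these before running kinit)"
echo "weak enctypes in use:"
weak_enctypes "$SAMPLE_CONF"
```

Run it against the real file with lint_libdefaults /etc/krb5.conf once the sample has convinced you it catches the post's two typos. The enctype report is informational: the post's values work with older domain controllers, but if the domain supports AES you can drop the des-* entries (they are filtered out anyway when allow_weak_crypto is false) and list aes256-cts-hmac-sha1-96 first.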

5. Modify your /etc/hosts file so that the host names map to their IPs, with the fully qualified name listed first.
It should look something like this:

127.0.0.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
127.0.1.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
172.22.11.251 DC1.YOURDOMAIN.LOCAL YOURDOMAIN.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

6. Modify your network interface configuration so that it uses the Active Directory DNS server:
sudo vi /etc/network/interfaces

# change name server to AD’s one
dns-nameservers 192.168.1.10

sudo ifdown eth0 && sudo ifup eth0 (If this does not work for you simply reboot)
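Since most kinit failures trace back to name resolution, it is worth checking the hosts file and the resolver before going any further. The script below is an added example (not part of the original post): hosts_ok reads a hosts file and verifies that this server's own line lists the fully qualified name first (so that hostname -f returns it) and that the domain controller has an entry; live_checks, run with the argument "live", asks the running system the same questions through hostname -f, getent, dig and ntpq. The host, DC and realm names are the post's placeholders, and the two hosts files it checks are constructed, one correct and one with the short name first and no DC entry.

```shell
#!/bin/sh
# Added example, not from the original post: pre-join name checks. Kerberos
# needs this host and the domain controller to resolve to their full names,
# so check the hosts file offline and, when run with "live", ask the running
# resolver and NTP as well. Names are the post's placeholders (assumptions).
FQDN="SERVER1.YOURDOMAIN.LOCAL"
DC="DC1.YOURDOMAIN.LOCAL"
REALM="YOURDOMAIN.LOCAL"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# hosts_ok FILE: return 0 when FILE names this host by its FQDN first (so
# "hostname -f" yields the FQDN) and has an entry for the DC; otherwise print
# each problem and return 1.
hosts_ok() {
    file="$1"; rc=0
    # second column of the first non-comment line that mentions our FQDN
    first=$(awk -v f="$(lower "$FQDN")" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if (tolower($i) == f) { print $2; exit } }' "$file")
    if [ "$(lower "$first")" != "$(lower "$FQDN")" ]; then
        echo "hosts: first name on this host's line must be $FQDN (found '${first:-none}')"
        rc=1
    fi
    if ! awk -v dc="$(lower "$DC")" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if (tolower($i) == dc) found = 1 }
        END { exit !found }' "$file"; then
        echo "hosts: no entry for domain controller $DC"
        rc=1
    fi
    return $rc
}

# live_checks: the same questions put to the running system (needs network).
live_checks() {
    echo "hostname -f: $(hostname -f)"
    echo "DC lookup:   $(getent hosts "$DC" || echo 'NOT RESOLVED')"
    if command -v dig >/dev/null; then
        echo "KDC SRV:     $(dig +short -t SRV "_kerberos._tcp.$REALM")"
    fi
    if command -v ntpq >/dev/null; then
        ntpq -pn    # offset is in ms; keep it far below Kerberos' 300000 ms clockskew
    fi
}

# Constructed sample hosts files: the post's layout, and a broken variant.
GOOD_HOSTS=$(mktemp); BAD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
127.0.1.1 SERVER1.YOURDOMAIN.LOCAL SERVER1
172.22.11.251 DC1.YOURDOMAIN.LOCAL YOURDOMAIN.LOCAL
EOF
cat > "$BAD_HOSTS" <<'EOF'
# short name first: "hostname -f" returns SERVER1 and host principals break
127.0.1.1 SERVER1 SERVER1.YOURDOMAIN.LOCAL
EOF

hosts_ok "$GOOD_HOSTS" && echo "sample hosts file: OK"
hosts_ok "$BAD_HOSTS" || echo "sample hosts file with mistakes: FAIL (see above)"
if [ "${1:-}" = "live" ]; then live_checks; fi
```

Run it as sh check.sh live on the server itself once the DNS change is active; if hostname -f does not print the fully qualified name or the _kerberos._tcp SRV lookup comes back empty, fix that before running kinit.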

7. Obtain an Active Directory Kerberos ticket (a TGT) on the Linux server using a Domain Administrator account:
sudo kinit AdminName

8. Check that a ticket was issued:
sudo klist

You will hopefully see something like this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: AdminName@YOURDOMAIN.LOCAL

Valid starting Expires Service principal
02/10/2017 08:57:59 02/10/2017 15:37:52 krbtgt/YOURDOMAIN.LOCAL@YOURDOMAIN.LOCAL

9. Configure Samba
sudo cp /etc/samba/smb.conf /etc/samba/smb.oldconf
sudo nano /etc/samba/smb.conf

Put the configuration below in the [global] section. Change the names where appropriate:

[global]
workgroup = YOURDOMAIN
security = ADS
realm = YOURDOMAIN.LOCAL
encrypt passwords = yes

idmap config *:backend = rid
idmap config *:range = 5000-100000

# Samba's parameter is "allow trusted domains"; the spelling "winbind allow
# trusted domains" is rejected as an unknown parameter (see the join output below)
allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

template shell = /bin/bash

Save the configuration.

10. Modify /etc/nsswitch.conf so that users and groups are also looked up in Active Directory through winbind:
sudo cp /etc/nsswitch.conf /etc/nsswitch.oldconf
sudo nano /etc/nsswitch.conf

Add winbind to the passwd, group and shadow lines. The file should look something like this:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Save the file.

11. Join the Linux server to Active Directory:
sudo net ads join -U AdminName

You can ignore the error concerning the DNS. The object in the Active Directory:

You should see something like this:

Unknown parameter encountered: “winbind allow trusted domains”
Ignoring unknown parameter “winbind allow trusted domains”
Unknown parameter encountered: “winbind allow trusted domains”
Ignoring unknown parameter “winbind allow trusted domains”
Enter AdminName’s password:
Using short domain name — YOURDOMAIN
Joined ‘SERVER1’ to dns domain ‘yourdomain.local’

12. Check Active Directory Users and Computers to verify that your Linux server shows up in the Computers OU.

13. Set up the local PAM authentication options:
sudo pam-auth-update

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] GNOME Keyring Daemon – Login keyring management

Be sure that the line Winbind NT/Active Directory authentication is selected. You can also have home directories created automatically on login.

14. Restart services to apply all changes:
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

You can use the following commands to check that the Active Directory lookups are working:
wbinfo -u
wbinfo -g
wbinfo -i AdminUser
getent passwd
getent group
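The wbinfo and getent output is only useful if you know what a bad result looks like. With the post's rid backend and range of 5000-100000, a domain account gets uid 5000 + RID, so an account whose RID is above 95000 cannot be mapped and simply does not appear in getent passwd, while a local account that already owns a uid inside that range collides with the domain account mapped to it. The script below is an added example (not part of the original post) that takes saved copies of wbinfo -u and getent passwd output and reports both conditions; the two sample outputs it works on are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check winbind ID mapping
# from the outputs of "wbinfo -u" and "getent passwd". With the post's
# "idmap config *:backend = rid" and range 5000-100000, a domain account gets
# uid = 5000 + RID, so anything with a RID above 95000 cannot be mapped and
# disappears from getent, and a local account that already owns a uid in the
# range collides with the domain account mapped to it.

# unmapped_users WBINFO_FILE PASSWD_FILE: domain users with no passwd entry.
unmapped_users() {
    awk -F: 'NR == FNR { have[$1] = 1; next } !($1 in have) { print $1 }' "$2" "$1"
}

# duplicate_uids PASSWD_FILE: uids owned by more than one account.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1"
}

# idmap_report WBINFO_FILE PASSWD_FILE: print findings, return 1 if any.
idmap_report() {
    bad=0
    u=$(unmapped_users "$1" "$2")
    if [ -n "$u" ]; then
        echo "domain users without a uid (RID outside the idmap range, or winbind down):"
        echo "$u" | sed 's/^/  /'
        bad=1
    fi
    d=$(duplicate_uids "$2")
    if [ -n "$d" ]; then
        echo "uid shared by several accounts (move the local one out of the idmap range):"
        echo "$d" | sed 's/^/  /'
        bad=1
    fi
    return $bad
}

# Constructed sample outputs (not captured from a real system). svc_backup is
# listed by winbind but has no passwd entry; legacyapp is a local account that
# sits on the uid the rid backend assigns to Administrator (5000 + RID 500).
WB_USERS=$(mktemp); PASSWD_OUT=$(mktemp)
cat > "$WB_USERS" <<'EOF'
administrator
adminuser
svc_backup
EOF
cat > "$PASSWD_OUT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
legacyapp:x:5500:5500:Local app account:/var/lib/legacyapp:/usr/sbin/nologin
administrator:*:5500:5513:Administrator:/home/YOURDOMAIN/administrator:/bin/bash
adminuser:*:6104:5513:Admin User:/home/YOURDOMAIN/adminuser:/bin/bash
EOF

if idmap_report "$WB_USERS" "$PASSWD_OUT"; then echo "idmap looks consistent"; fi
```

On the real server capture the two outputs with wbinfo -u > users.txt and getent passwd > passwd.txt and call idmap_report users.txt passwd.txt. An account reported as unmapped usually means its RID does not fit the configured range; widen the range (or raise its upper bound) rather than shrinking the base, because changing the base renumbers every domain user's files.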

15. If you want a domain user to have sudo rights, add them to the sudo group as follows:
sudo adduser AdminUser sudo

You can test this from another Linux computer by doing the following:
ssh AdminUser@SERVER1.YOURDOMAIN.LOCAL

Notes taken from:
F Appointaire, Server-World.info, and T Conrad


Posted February 10, 2017 by Timothy Conrad in category "Linux", "Windows Server"
