You are running a Windows network managed by an Active Directory domain. You know you can stick Linux hosts on the network and make them accessible to Windows hosts, but what you really want is for the Linux boxes to be full members of your Active Directory domain. This allows you to manage them just like any other AD object, have a unified login for all hosts, and manage Linux users from Active Directory. Your DNS house is in order, and you already have a Kerberos Key Distribution Center (KDC).
You need all Samba, Winbind, and the Kerberos client packages installed, and support for Kerberos, LDAP, Active Directory, and Winbind compiled into Samba. Please see Recipe 11.1 to learn exactly what you need.
Also needed are accounts for the Linux users and computers already present in Active Directory.
These are the steps to follow:
Make sure you have a reliable Network Time Protocol (NTP) server available to your LAN, and that all hosts are synchronized.
Delete all .tdb files to get rid of stale data: /etc/samba/secrets.tdb (which may not exist) and in /var/lib/samba. Keep backup copies, though you probably won't need them.
Stop the Samba and Winbind daemons.
Create a Linux group for machine accounts.
Configure /etc/hosts.
Configure /etc/resolv.conf.
Configure Samba.
Configure NSS.
Configure PAM.
Restart all daemons and test.
When the first two steps are accomplished, stop the Samba and Winbind daemons. On Fedora:
# /etc/init.d/smb stop
# /etc/init.d/winbind stop
On Debian, use these commands:
# /etc/init.d/samba stop
# /etc/init.d/winbind stop
Then, create a Linux group to hold Machine Trust Accounts:
# groupadd machines
Next, add important hosts to /etc/hosts as a fallback:
## /etc/hosts
192.168.1.25 samba1.bluedomain.com samba1
192.168.1.20 windows1.bluedomain.com windows1
Also, make sure that /etc/resolv.conf contains your DNS server:
nameserver 192.168.1.21
Now, test connecting to the KDC. It should report no errors:
# kinit fredfoober@BLUEDOMAIN.COM
Password for fredfoober@BLUEDOMAIN.COM:
Edit /etc/samba/smb.conf to authenticate against Active Directory, using your own domain name, NetBIOS name, server string, and Kerberos realm. This is a complete example file:
[global]
workgroup = bluedomain
netbios name = samba1
realm = BLUEDOMAIN.COM
server string = Samba server one
security = ADS
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
log file = /var/log/samba/log
log level = 2
max log size = 50
hosts allow = 192.168.1.

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
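The idmap uid and idmap gid ranges above are the pool Winbind hands out to Active Directory users and groups, so a local account whose UID or GID already sits inside that pool ends up sharing ownership of files with whatever AD user later gets mapped to the same number. The following script is an added example, not part of the recipe: it reads the ranges out of an smb.conf and reports any local account in /etc/passwd that collides with them. The smb.conf and passwd contents are constructed samples embedded inline; on a real host you would pass in "$(cat /etc/samba/smb.conf)" and "$(cat /etc/passwd)" instead.

```shell
#!/bin/sh
# Added example (not from the recipe): check that the idmap uid/gid ranges in
# an smb.conf do not overlap the UIDs/GIDs of local accounts.

# Constructed sample smb.conf using the recipe's ranges.
SAMPLE_SMB_CONF='[global]
workgroup = bluedomain
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
'

# Constructed sample /etc/passwd: root, a system account, a normal local user,
# and a local admin account whose UID/GID fall inside the Winbind range.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carla:x:1000:1000:Carla:/home/carla:/bin/bash
backup-op:x:10500:10500:Backup operator:/home/backup-op:/bin/bash
'

# idmap_range CONFTEXT KEY -> prints "low high" for KEY ("idmap uid" or "idmap gid")
idmap_range() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $2; gsub(/[ \t]/, "", v)
                split(v, r, "-")
                print r[1], r[2]
                exit
            }
        }'
}

# colliding_ids PASSWDTEXT LOW HIGH FIELD -> prints "name:id" for every local
# account whose UID (FIELD=3) or GID (FIELD=4) lies inside LOW..HIGH
colliding_ids() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" -v f="$4" -F':' '
        NF >= 4 && $f + 0 >= lo + 0 && $f + 0 <= hi + 0 { print $1 ":" $f }'
}

# check_idmap CONFTEXT PASSWDTEXT -> prints collisions; returns 0 when the
# ranges are clean, 1 when a local account collides, 2 when a range is missing
check_idmap() {
    conf="$1"; passwd="$2"; rc=0
    uid_range=$(idmap_range "$conf" "idmap uid")
    gid_range=$(idmap_range "$conf" "idmap gid")
    if [ -z "$uid_range" ] || [ -z "$gid_range" ]; then
        echo "idmap uid/gid range missing from smb.conf"
        return 2
    fi
    set -- $uid_range
    uid_hits=$(colliding_ids "$passwd" "$1" "$2" 3 | tr '\n' ' ')
    set -- $gid_range
    gid_hits=$(colliding_ids "$passwd" "$1" "$2" 4 | tr '\n' ' ')
    if [ -n "$uid_hits" ]; then
        echo "local UIDs inside idmap uid range: $uid_hits"; rc=1
    fi
    if [ -n "$gid_hits" ]; then
        echo "local GIDs inside idmap gid range: $gid_hits"; rc=1
    fi
    return $rc
}

# Run against the constructed samples; the backup-op account is reported.
check_idmap "$SAMPLE_SMB_CONF" "$SAMPLE_PASSWD"
```

Run this before net ads join; if it reports a collision, either renumber the local account or move the idmap ranges above every UID and GID in use locally.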
Now, edit /etc/nsswitch.conf to include these lines:
passwd: files winbind
group: files winbind
shadow: files
Start up Samba and Winbind. Join the Linux PC to the Active Directory domain, and set up a machine trust account, using the Administrator account on the AD server, or any administrative user:
# net ads join -U Administrator%password
Using short domain name -- BLUEDOMAIN
Joined 'SAMBA1' to realm 'BLUEDOMAIN.COM.'
You should now see a new computer account with the NetBIOS name of your Linux machine (samba1) in Active Directory, under Users and Computers in the Computers folder.
Finally, you need to configure Pluggable Authentication Modules (PAM) to allow authentication via Winbind. First, make a backup copy:
# cp /etc/pam.d/login /etc/pam.d/login-old
Edit /etc/pam.d/login to include the Winbind modules and the pam_mkhomedir.so module:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth required pam_unix.so nullok use_first_pass
account requisite pam_time.so
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_mkhomedir.so skel=/etc/skel umask=0027
Your existing /etc/pam.d/login may look a lot different than this; see the Discussion for more information and more sample configurations.
Now, it's time to test everything. Reboot your Linux box, and try to log in to the domain. If that works, you're all finished.
This may seem like a lot of steps, but don't be fooled—it really is complex because by design, Windows hinders interoperability. Fortunately, heroic Linux coders like the Samba team make interoperability and mixed networks possible.
The pam_mkhomedir.so directive creates home directories for users on the fly, at their first login.
In a more complex network, you may specify a particular Kerberos realm to join:
# kinit fredfoober@BLUEDOMAIN.COM
# net ads join "Computers\TechDept\Workstations" \
-U Administrator%password
Because user accounts are managed on the Active Directory server, and are made available to Linux via Winbind and PAM, you do not need to create duplicate user accounts on the Linux PC. However, you may still have local accounts on the Linux machine; these are invisible to Active Directory, and allow administrative users to freely access the server either locally, or remotely via SSH. And, you must have at least a local root account—don't depend on a remote login server for everything, or you could get locked out.
A lot of documentation tells you to edit /etc/krb5.conf to point to your KDC server. This isn't necessary if Active Directory and your Microsoft DNS server are correctly configured because AD automatically creates SRV records in the DNS zone _kerberos._tcp.REALM.NAME for each KDC in the realm. Both the MIT and Heimdal Kerberos automatically look for these SRV records so they can find all available KDCs. And /etc/krb5.conf only lets you specify a single KDC, rather than allowing automatic selection of the first available KDC. If you are not using Microsoft DNS, you'll have to enter these DNS records manually.
If for whatever reason Kerberos cannot find the KDC via DNS, this simple example /etc/krb5.conf works for most setups, using your own domain names, of course:
[libdefaults]
default_realm = BLUEDOMAIN.COM

[realms]
BLUEDOMAIN.COM = {
kdc = windows1.bluedomain.com
}

[domain_realm]
.carla.com = BLUEDOMAIN.COM
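When you do fall back to a hand-written /etc/krb5.conf, the KDC you hard-code should be one that Active Directory actually advertises; a typo or a decommissioned domain controller leaves every Linux member unable to get tickets, and nothing in the recipe's test with kinit tells you which of the two went wrong. The following script is an added example, not part of the recipe: it builds the SRV record name for a realm, extracts the KDC hostnames from a "dig +short SRV" style answer (priority, weight, port, target), pulls the kdc line out of a krb5.conf, and checks that the configured KDC is among the advertised ones. The SRV answer and krb5.conf here are constructed samples; on a live host you would feed it "$(dig +short SRV "$(srv_name BLUEDOMAIN.COM)")" and "$(cat /etc/krb5.conf)".

```shell
#!/bin/sh
# Added example (not from the recipe): cross-check the kdc= entry in a
# krb5.conf against the KDCs advertised in the realm's _kerberos._tcp SRV record.

# srv_name REALM -> the SRV record name Active Directory registers for the realm's KDCs
srv_name() {
    printf '_kerberos._tcp.%s\n' "$1"
}

# Constructed sample in the shape of "dig +short SRV _kerberos._tcp.BLUEDOMAIN.COM"
# (priority weight port target); two domain controllers advertised.
SAMPLE_SRV_ANSWER='0 100 88 windows1.bluedomain.com.
0 100 88 windows2.bluedomain.com.'

# Constructed sample krb5.conf in the recipe's layout.
SAMPLE_KRB5_CONF='[libdefaults]
default_realm = BLUEDOMAIN.COM

[realms]
BLUEDOMAIN.COM = {
    kdc = windows1.bluedomain.com
}

[domain_realm]
.bluedomain.com = BLUEDOMAIN.COM'

# kdcs_from_srv SRVTEXT -> one KDC hostname per line, trailing dot removed,
# ordered by priority (lowest first) then weight (highest first), the order a client prefers
kdcs_from_srv() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 }' \
        | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# configured_kdc KRB5TEXT REALM -> the kdc = value inside the realm's [realms] block
configured_kdc() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}" { inblock = 0 }
        inblock && $1 == "kdc" && $2 == "=" { print $3; exit }'
}

# kdc_is_advertised KRB5TEXT REALM SRVTEXT -> 0 when the configured KDC appears
# in the SRV answer, 1 when it does not (or no kdc line exists)
kdc_is_advertised() {
    want=$(configured_kdc "$1" "$2")
    [ -n "$want" ] || return 1
    kdcs_from_srv "$3" | grep -qxF "$want"
}

# Report against the constructed samples.
echo "SRV record to query: $(srv_name BLUEDOMAIN.COM)"
echo "advertised KDCs:"; kdcs_from_srv "$SAMPLE_SRV_ANSWER"
if kdc_is_advertised "$SAMPLE_KRB5_CONF" BLUEDOMAIN.COM "$SAMPLE_SRV_ANSWER"; then
    echo "configured kdc is advertised in DNS"
else
    echo "configured kdc is NOT advertised in DNS; check krb5.conf" >&2
fi
```

The ordering in kdcs_from_srv mirrors how a Kerberos client picks among several SRV targets, so the first line it prints is the KDC a DNS-driven client would try first; that is the one to compare against when kinit works on one box and fails on another.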
Once you have your Samba setup debugged and working, simply replicate it for any Linux host that needs to be an Active Directory member.