Join Debian 8 to Active Directory
Pre-requisites
- Debian 8 installed
- Internet is accessible from the machine to install the required packages
- Domain is accessible from the machine
Install Required Packages
Now we will install required packages
aptitude install krb5-user libpam-krb5
Configuration
Now edit the Kerberos configuration file
vim /etc/krb5.conf
Change the content of the file as follows
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.COM
dns_lookup_kdc = true
[realms]
DOMAIN.COM = {
    kdc = kerberos.domain.com
    admin_server = kerberos.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
Install winbind and samba package
Now install the winbind and samba packages with aptitude
aptitude -y install winbind libpam-winbind libnss-winbind krb5-config
Configure Samba
vim /etc/samba/smb.conf
Add the following lines to /etc/samba/smb.conf under the [global] section
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/DOMAIN/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true
Find the other workgroup entry in the file and remove it or comment it out.
Join the Domain
Now we can join the Debian machine to the domain using the net command.
net ads join DOMAIN.COM -U adminuser
We can test the join with the following command
net ads testjoin
If it responds with "Join is OK", the join was successful.
Restart and enable the services
systemctl restart smbd && systemctl enable smbd
systemctl restart winbind && systemctl enable winbind
Configure PAM
Now we will configure PAM. Edit the following files and add the lines shown for each one.
vim /etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
Now edit the common-auth file and add these lines
vim /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth required pam_deny.so
Now edit the common-session file and add the following lines
vim /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Home Directories
This step is optional. Do it if you want home directories to be created for Active Directory users.
Create a parent directory, for example /home/domainname. User home directories are then created under it, like /home/domainname/user.
mkdir /home/DOMAIN
Configure nsswitch
Finally, we will configure nsswitch. Edit /etc/nsswitch.conf and update the lines as shown below
vim /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind
Configure SSH
Now we will configure SSH to control which Active Directory users and groups can log in to the machine
We need to create the allow file manually
mkdir -p /etc/sshd
vim /etc/sshd/sshd.allow
Add the Active Directory group that you want to allow to log in to the sshd.allow file
Now edit /etc/pam.d/sshd and add the following after this line (# PAM configuration for the Secure Shell service)
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
auth required pam_listfile.so item=group sense=allow file=/etc/sshd/sshd.allow onerr=succeed
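The rule above sets onerr=succeed, which makes pam_listfile return success when it hits an error such as being unable to open the list file, so the allow list only restricts logins while /etc/sshd/sshd.allow exists and is readable. The following check is an added example, not part of the original tutorial; the function name audit_listfile and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit pam_listfile auth rules in a PAM service file.
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_listfile() {
    pam_file=$1; found=0
    rules=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$pam_file" || true)
    if [ -z "$rules" ]; then
        echo "NO_RULE $pam_file has no pam_listfile auth rule"; return 1
    fi
    while IFS= read -r rule; do
        file=; onerr=
        for opt in $rule; do                 # split the rule into its options
            case $opt in
                file=*)  file=${opt#file=} ;;
                onerr=*) onerr=${opt#onerr=} ;;
            esac
        done
        if [ "$onerr" = succeed ]; then
            echo "FAIL_OPEN onerr=succeed: an unreadable list lets every user pass this rule"
            found=1
        fi
        if [ ! -f "$file" ]; then
            echo "MISSING $file does not exist"; found=1
        elif [ ! -s "$file" ]; then
            echo "EMPTY $file lists no groups"; found=1
        elif [ -n "$(find "$file" -prune -perm -0002)" ]; then
            echo "WRITABLE $file is world-writable"; found=1
        fi
    done <<EOF
$rules
EOF
    return $found
}

# Constructed sample input: the rule from this page, pointed at a temp directory
# in which the allow file has not been created yet.
demo=$(mktemp -d)
printf '%s\n' '# PAM configuration for the Secure Shell service' \
  "auth required pam_listfile.so item=group sense=allow file=$demo/sshd.allow onerr=succeed" \
  > "$demo/pam_sshd"
audit_listfile "$demo/pam_sshd" || echo "-> findings above need attention"
rm -rf "$demo"
```

On a joined machine, run `audit_listfile /etc/pam.d/sshd` as root after creating the allow file.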
Switch users
Now you can try switching to an AD user on the Debian machine
su aduser
You should now be logged in as the AD user
SSH
You can also SSH into the Debian machine as an AD user in the usual way
ssh aduser@debianmachine
Hurray!! You are logged in with Active Directory user