Join Debian 8 to Active Directory

Pre-requisites

  1. Debian 8 installed
  2. Internet is accessible from the machine to install the required packages
  3. Domain is accessible from the machine

Install Required Packages

Install the required packages:

aptitude install krb5-user libpam-krb5

Configuration

Next, edit the Kerberos configuration file:

vim /etc/krb5.conf

Change the content of the file as follows, replacing DOMAIN.COM and kerberos.domain.com with your own realm and Kerberos server:

[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.COM
dns_lookup_kdc = true
[realms]
DOMAIN.COM = {
kdc = kerberos.domain.com
admin_server = kerberos.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

Install winbind and samba package

Now install the winbind and samba packages with aptitude

aptitude -y install winbind libpam-winbind libnss-winbind krb5-config

Configure Samba

vim /etc/samba/smb.conf

Add the following lines to the Samba configuration file under the [global] section:

workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/DOMAIN/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true

Find the other workgroup entry in the file and remove it or comment it out.

Join the Domain

Now we can join the Debian machine to the domain using the net command.

net ads join DOMAIN.COM -U adminuser

We can test the join with the following command

net ads testjoin

If it replies with "Join is OK", the join was successful.

Restart and enable the services

systemctl restart smbd && systemctl enable smbd
systemctl restart winbind && systemctl enable winbind

Configure PAM

Now configure PAM. Edit each of the following files and add the lines shown.

vim /etc/pam.d/common-account

account sufficient      pam_winbind.so
account required        pam_unix.so

Next, edit the common-auth file and add these lines:

vim /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required   pam_deny.so

Next, edit the common-session file and add the following lines:

vim /etc/pam.d/common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Home Directories

This is an optional step, needed only if you want home directories to be created for Active Directory users.
Create a parent directory, for example /home/domainname; users' home directories will then be created under it, like /home/domainname/user.

mkdir /home/DOMAIN

Configure nsswitch

Finally, configure nsswitch. Edit /etc/nsswitch.conf and update the lines as shown below:

vim /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind
shadow: compat winbind

Configure SSH

Now we will configure SSH so that only the Active Directory users and groups we choose can log in to the machine.

We need to create the allow file manually:

mkdir -p /etc/sshd

vim /etc/sshd/sshd.allow

Add the Active Directory group that you want to allow to log in to the sshd.allow file.

Now edit /etc/pam.d/sshd and add the following after this line (# PAM configuration for the Secure Shell service):

vim /etc/pam.d/sshd

# PAM configuration for the Secure Shell service
auth required pam_listfile.so item=group sense=allow file=/etc/sshd/sshd.allow onerr=succeed
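
A check for the pam_listfile rule above, as an added example that is not part of the original tutorial: with onerr=succeed the module returns success when the list file cannot be opened, so a missing /etc/sshd/sshd.allow silently stops restricting logins by group. The helper name audit_listfile_rule and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; audit_listfile_rule is a hypothetical helper name, not part of PAM.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_listfile_rule() {
    pam_file=$1
    findings=0
    # First active (non-comment) line that loads pam_listfile.so
    rule=$(grep -v '^[[:space:]]*#' "$pam_file" | grep 'pam_listfile\.so' | head -n 1)
    if [ -z "$rule" ]; then
        echo "FINDING: no active pam_listfile rule in $pam_file"
        return 1
    fi
    list=""; onerr=""; sense=""
    for opt in $rule; do
        case $opt in
            file=*)  list=${opt#file=} ;;
            onerr=*) onerr=${opt#onerr=} ;;
            sense=*) sense=${opt#sense=} ;;
        esac
    done
    if [ "$onerr" = "succeed" ]; then
        echo "FINDING: onerr=succeed lets the rule pass when $list cannot be opened"
        findings=$((findings + 1))
    fi
    if [ "$sense" != "allow" ]; then
        echo "FINDING: sense=$sense, the list is not an allow list"
        findings=$((findings + 1))
    fi
    if [ ! -f "$list" ]; then
        echo "FINDING: list file $list is missing"
        findings=$((findings + 1))
    elif [ -n "$(find "$list" -perm -0002)" ]; then
        echo "FINDING: $list is world-writable"
        findings=$((findings + 1))
    elif [ ! -s "$list" ]; then
        echo "FINDING: $list is empty, no group is allowed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the rule from this page, with its list file not yet created.
demo=$(mktemp -d)
printf '%s\n' '# PAM configuration for the Secure Shell service' \
    "auth required pam_listfile.so item=group sense=allow file=$demo/sshd.allow onerr=succeed" \
    > "$demo/sshd"
audit_listfile_rule "$demo/sshd" || echo "findings: $?"
```

On a joined host, run it as audit_listfile_rule /etc/pam.d/sshd. Setting onerr=fail makes the rule deny logins when the list file cannot be read.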

Switch users

Now you can try switching to an AD user on the Debian machine:

su aduser

You should now be logged in as the AD user.

SSH

You can also SSH into the Debian machine as an AD user in the normal way:

ssh aduser@debianmachine

Hurray!! You are logged in as an Active Directory user.
